Data Privacy

Personally Identifiable Information (PII) Data Explained

DataGrail, September 8, 2022

Although companies are prime marks for cyberattacks, the hackers often don’t want anything to do with the business itself. Their target isn’t the company, but its customers—namely, their PII (personally identifiable information). 

Each year, billions of records of personal information are stolen in data breaches. Just recently, a hacker stole the personal data of more than 1 billion Chinese citizens. 

For business owners, there are many common data privacy issues to be aware of. But protecting your customer’s PII data is not just a recommended best practice; it’s required by law. All it takes is a single data breach to threaten your business’ reputation and ability to operate. 

But to create an effective PII management policy and abide by consumer data protection laws, you first need to know what is PII data. 

What Is Personally Identifiable Information? 

Your online presence and all the details that are (waves hands vaguely in the air) you, are what’s known as PII. Basically, it’s any type of information that can identify or be used to identify a specific individual. For example, the US government defines PII data meaning in the Code of Federal Regulations 2 CFR § 200.79 as: 

“Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” 

One of the unfortunate consequences of the rise of digitalism is that whenever you go online, pieces of yourself are caught up in the virtual web. 

Think about every time you purchase or sign up for an activity online. At the very least, you’ll likely provide your home and billing address, contact information, and credit card details. Now, multiply that across countless websites, newsletters, signups, and social media platforms.

Although some of this information is publicly available, certain information is restricted. Regardless, whenever customers give their personal information, they’re entrusting businesses to safeguard it and only use it for business-related purposes. 

Failure to do so could result in serious consequences, including fines, penalties, and reputational damage.

Sensitive PII vs Non-Sensitive PII

It’s important to note that PII is typically sorted into one of two categories of data classification, sensitive and non-sensitive information. The list above contains a mixture of both. 

Distinguishing one from the other isn’t black and white. 

Admittedly, there is some gray area with certain types of information bleeding into either category, especially since non-sensitive data could feasibly be combined with sensitive data to perform identity theft. 

Experian makes the following distinction between the two: “Sensitive data includes anything that has legal, contractual, or ethical requirements for restricted disclosure. Non-sensitive PII is information that is public record (in phone books and online directories, for instance).” 

How can you tell the difference? 

You can distinguish one from the other by asking whether the leak or loss of that information could result in significant personal embarrassment (e.g., health condition), personal safety risk (e.g., frequented location), or some other financial, reputational or emotional harm (e.g., consequenced from economic discrimination, identity theft etc). If so, it’s sensitive PII, meaning heightened technical and organizational protections are needed to ensure lawful, safe and responsible use. As an example, this can mean severely limiting who in your organization has access to the data, setting policy to require a privacy impact assessment before the data can be used, and tightening contractual restrictions with service providers who may handle the data. It’s not just about sound security.

What Is Personally Identifiable Information (PII) in Privacy Law? 

Protecting customer data is not just good business; it’s also the law. Depending on your region or industry, you may be handling comprehensively protected or specially regulated types of consumer data. Comprehensive laws include Europe’s GDPR and California’s CCPA/CPRA among others. Specialized laws include HIPAA and COPPA among others. 

Whether broadly applicable or specific to certain kinds of data, these privacy regimes create obligations and requirements you need to manage against.

Let’s look at these four examples:



The General Data Protection Rule (GDPR) is a comprehensive data privacy law recently created to protect EU residents from data privacy breaches and the potential misuse of their data through strengthened privacy rights and expanded obligations for Europe-facing organizations. 

The GDPR defines “personal data” as “any information relating to an identified or identifiable natural person (‘data subject’)”. In turn, a data subject is “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The GDPR also defines sensitive data. ‘Special category’ data is that which reveals and individual’s 

  • Racial or ethnic origin 
  • Political opinions 
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data or biometric data that uniquely identifies a natural person
  • Health and ailment information
  • Data concerning a natural person’s sex life or sexual orientation

The GDPR’s definitions set a global benchmark. The law redefines ‘PII’ for the digital economy by making it clear that what is ‘personal’ is contextual, and what is ‘identifiable’ is a down to technical capability.  


The California Consumer Privacy Act (CCPA) is a recently enacted state law partially modeled after the GDPR. The CCPA borrows much from Europe’s concept of “personal data” to go beyond the traditional notion of ‘PII’. It also goes one step further in a way that is uniquely Californian: it brings households into the mix.

The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”

The California Privacy Rights Act, a ballot initiative that expands the CCPA and brings California’s privacy regime closer to Europe’s, introduces the state’s own version of ‘special category’ data. 

The CPRA defines “sensitive personal information” as information that “reveals a consumer’s”:

  • Social Security Number, driver’s license or another government-issued ID
  • Financial account or payment card information when combined with authentication information
  • Racial or ethnic origin
  • Religious or philosophical beliefs
  • Union membership
  • Communication contents (with some exceptions); 
  • Genetic and biometric information in a uniquely identifiable way; 
  • Health and ailment information
  • Sex life or sexual orientation information

We can clearly see where the GDPR and CCPA/CPRA overlap in their comprehensive definitions of standard and sensitive data.

Specific data


As a healthcare user you are likely to hear health information referred to as Protected Health Information or PHI, but what is considered PHI under HIPAA? And how does this relate to personal data (or ‘PII’)?

The US Health Insurance Portability and Accountability Act is a federal law that creates national standards for protecting sensitive patient health information. Organizations subject to HIPAA cannot disclose healthcare and medical insurance related information without the patient’s knowledge or authorization. Organizations are also required to follow the HIPAA Privacy Rule and the HIPAA Security Rule to ensure patient rights and data are protected.

So what is PHI? We can think of it as a specialized subset of personal information that specific kinds of organizations need to mind. Generally, if patient information is associated with one or more of the below identifiers, the resulting data sets are PHI.

HIPAA identifiers that make health information PHI are:

  • Names
  • Dates, except year
  • Telephone numbers
  • Geographic data
  • FAX numbers
  • Social Security numbers
  • Email addresses
  • Medical record numbers
  • Account numbers
  • Health plan beneficiary numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers including license plates
  • Web URLs
  • Device identifiers and serial numbers
  • Internet protocol addresses
  • Full face photos and comparable images
  • Biometric identifiers (i.e. retinal scan, fingerprints)
  • Any unique identifying number or code

Once again, context matters but with HIPAA the context is more prescribed.


The US Children’s Online Privacy Protection Act (COPPA) protects the privacy of children under the age of 13 when they use child-directed websites, apps or platform services, including online and mobile games.  COPPA creates obligations for businesses targeting websites, apps, games and services to children. Notably, children’s data cannot be collected, used or shared without prior parental consent.

COPPA defines children’s personal information as “individually identifiable information about an individual collected online, including: 

  • A first and last name
  • A home or other physical address including street name and name of a city or town
  • Online contact information as defined in this section
  • A screen or user name where it functions in the same manner as online contact information, as defined in this section
  • A telephone number
  • A Social Security number
  • A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. (e.g. customer ID, cookie, IP address, device ID etc) 
  • A photograph, video, or audio file where such file contains a child’s image or voice;
  • Geolocation information sufficient to identify street name and name of a city or town; or 
  • Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition.

Like protected health information, protected children’s information can be viewed as a subset of personal information (or ‘PII’ if you like).

What Qualifies as Personally Identifiable Information? 

As we illustrated above different laws define the notion of ‘PII’ differently, but there are many similarities. 

All in all, personal information concerns an identified or identifiable individual. Whether the person can be identified directly or indirectly is largely a question of context and technological ability. 

DataGrail A Privacy Control Center for Your Business 

To comply with the GDPR, CCPA and other privacy regulations, you need to first know what kinds of personal data you collect, store, share or otherwise use across your business.

Fortunately, there are powerful tools that make the complicated process of data mapping easy. At DataGrail, we offer a platform that is very easy to use and connects to over 1400 common systems. Our robust integration network negates the need to scour complicated contracts to figure out what personal data is processed, and avoids risky business practices like allowing access to user email inboxes. 

DataGrail helps you build an understanding of your personal data (PD/PI/PII) processing ecosystem, so that you could conduct more transparent, accountable business.

If you want to gain control of your data, automate data subject requests, and enjoy a privacy solution that scales with your business, request a demo today. 


Intersoft: General Data Protection Regulation

HIPAA Journal: What is Considered PHI Under HIPAA?

Federal Trade Commission: Kid’s Privacy (“COPPA”)

CalPrivacy: Californians for Privacy Rights Act

Office of the California Attorney General. California Consumer Privacy Act (CCPA).