Personally Identifiable Information (PII)
Any data that can be used to identify a specific individual, either alone or when combined with other information reasonably available to the data holder.
What Is PII?
Personally identifiable information (PII) is any information that, alone or in combination, can identify a specific natural person. Definitions vary across legal regimes — U.S. federal agencies, state laws, and international regulations each use slightly different formulations. The GDPR uses the broader term personal data, which is generally interpreted to include any information relating to an identified or identifiable natural person.
Categories of PII
- **Direct identifiers**: name, Social Security number, driver's license number, passport number, email address, biometric data
- **Indirect identifiers** that become PII when combined: date of birth, ZIP code, gender, IP address, device identifier
- **Sensitive personal data** receiving heightened protection: health information, financial account numbers, race, religion, sexual orientation, genetic data, precise geolocation
- **Quasi-identifiers** that can re-identify pseudonymized data: behavioral patterns, browsing history, purchase records
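The two risks in the list above can be checked mechanically: direct identifiers should not sit in logs or exports at all, and indirect identifiers that look harmless on their own (date of birth, ZIP code, gender) can pin down a single record once combined. The Python below is an added example written for this entry, not code from the page's source; the identifier regexes, the record set and the column names are constructed for illustration, and the patterns are deliberately simple (a production scanner would also validate formats and context).

```python
import re
from collections import Counter
from typing import Iterable

# Illustrative patterns for three direct identifiers named on the page.
# These regexes are an assumption of this example, not an exhaustive PII taxonomy.
DIRECT_IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def redact_direct_identifiers(line: str) -> tuple[str, dict[str, int]]:
    """Replace direct identifiers in a log line with typed placeholders.

    Returns the redacted line and a count of what was found per identifier type,
    which is what a log pipeline would emit as a data-leak metric.
    """
    counts: dict[str, int] = {}
    for name, pattern in DIRECT_IDENTIFIER_PATTERNS.items():
        line, n = pattern.subn(f"[{name.upper()}-REDACTED]", line)
        if n:
            counts[name] = n
    return line, counts


def k_anonymity(records: Iterable[dict], quasi_identifiers: tuple[str, ...]) -> int:
    """Smallest group of records sharing the same quasi-identifier values.

    k == 1 means at least one individual is uniquely described by that
    combination of columns, even though no direct identifier is present.
    """
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values())


def unique_combinations(records: Iterable[dict], quasi_identifiers: tuple[str, ...]) -> list[tuple]:
    """Quasi-identifier combinations that match exactly one record."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [combo for combo, n in groups.items() if n == 1]


def generalize(records: Iterable[dict]) -> list[dict]:
    """Coarsen quasi-identifiers: keep only birth year and the first three ZIP digits."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"][:4]
        g["zip"] = r["zip"][:3]
        out.append(g)
    return out


# Constructed "pseudonymized" records: names removed, indirect identifiers kept.
RECORDS = [
    {"dob": "1980-04-12", "zip": "02139", "gender": "F", "diagnosis": "flu"},
    {"dob": "1980-04-12", "zip": "02139", "gender": "F", "diagnosis": "asthma"},
    {"dob": "1980-09-30", "zip": "02139", "gender": "M", "diagnosis": "flu"},
    {"dob": "1991-01-05", "zip": "94110", "gender": "M", "diagnosis": "cold"},
    {"dob": "1991-01-05", "zip": "94110", "gender": "F", "diagnosis": "flu"},
]

# Constructed log line containing three direct identifiers.
SAMPLE_LOG = "login ok user=alice@example.com src=10.0.0.5 ssn=123-45-6789"

if __name__ == "__main__":
    print(redact_direct_identifiers(SAMPLE_LOG))
    print("k over (zip,):", k_anonymity(RECORDS, ("zip",)))
    print("k over (dob, zip, gender):", k_anonymity(RECORDS, ("dob", "zip", "gender")))
    print("unique combos:", unique_combinations(RECORDS, ("dob", "zip", "gender")))
    print("k after generalizing over (dob, zip):", k_anonymity(generalize(RECORDS), ("dob", "zip")))
```

On the constructed records, ZIP code alone or gender alone never isolates anyone (k = 2), but the full (date of birth, ZIP, gender) combination singles out three of the five records; generalizing to birth year and ZIP prefix and dropping gender brings k back to 2. That is the sense in which the page calls these "indirect identifiers that become PII when combined".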
Legal Treatment
Different statutes protect different categories of PII. HIPAA covers protected health information (PHI); the Gramm-Leach-Bliley Act covers financial information; the California Consumer Privacy Act and California Privacy Rights Act cover personal information of California residents broadly; the Children's Online Privacy Protection Act (COPPA) covers data of children under 13. State data breach notification laws require notice to affected individuals (and often regulators) when defined categories of PII are compromised. Businesses handling PII should map their data flows, minimize collection, implement reasonable security measures, and maintain incident response plans.