Personally identifiable information (PII) and personal data are two classifications of data that often cause confusion for organizations that collect, store and analyze such data.
PII is used in the US but no single legal document defines it. The legal system in the United States is a blend of numerous federal and state laws and sector-specific regulations. They all define and classify different pieces of information under the PII umbrella.
On the other hand, personal data has one legal meaning, which is defined by the General Data Protection regulation (GDPR), accepted as law across the European Union (EU).
Both terms cover common ground, classifying information that could reveal an individual’s identity directly or indirectly.
But why is all that so important? As a website admin, app creator or product owner, you need to be aware that the traces visitors and users leave behind could be of a sensitive nature. These traces might enable you to identify individuals, so you need to handle such data with the utmost caution. From a legal standpoint, it could be a matter of breaches and violations with serious consequences. Grasping the bigger picture is crucial for your organization’s security and legal compliance.
- What is personally identifiable information (PII)?
- What pieces of information are considered PII?
- What is non-PII?
- What is personal data?
- What is non-personal data?
- How PII differs from personal data
- Staying up to date on data privacy regulations
PII is often referenced by US government agencies and non-governmental organizations. Yet the US lacks one overriding law about PII, so your understanding of PII may differ depending on your particular situation.
The most common definition is provided by the National Institute of Standards and Technology (NIST).
It says that:
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
However, the line between PII and other kinds of information is blurry. As stressed by the US General Services Administration, the “definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified”.
According to NIST, PII can be divided into two categories: linked and linkable information.
Linked information is more direct. It could include any personal detail that can be used to identify an individual, for instance:
- Full name
- Home address
- Email address
- Social security number
- Passport number
- Driver’s license number
- Credit card numbers
- Date of birth
- Telephone number
- Owned property identifiers, e.g. a vehicle identification number (VIN)
- Login details
- Processor or device serial number*
- Media access control (MAC)*
- Internet Protocol (IP) address*
- Device IDs*
NIST states that linked information can be “Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people”. That means cookies and device IDs fall under the definition of PII.
Linkable information is indirect and on its own may not be able to identify a person, but when combined with another piece of information could identify, trace or locate a person.
Here are some examples of linkable information:
- First or last name (if common)
- Country, state, city, zip code
- Non-specific age (e.g. 30-40 instead of 30)
- Job position and workplace
Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person. Examples of non-PII include, but are not limited to:
- Aggregated statistics on the use of product / service
- Partially or fully masked IP addresses
However, the classification of PII and non-PII is vague. Moreover, NIST doesn’t reference cookie IDs and device IDs, so many AdTech companies, advertisers, and publishers consider them as non-PII. As we’ll see, this is in contrast to the definition of personal data, which treats such digital trackers as information that could identify an individual.
Personal data is a legal term that the GDPR defines as the following:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition applies not only to a person’s name and surname, but to details that could identify that person. That’s the case when, for instance, you’re able to identify a visitor returning to your website with the help of a cookie or login information.
Under the GDPR you can consider cookies as personal data because according to Recital 30:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
And the definition of personal data covers various pieces of information such as:
- transaction history
- IP addresses
- browser history
- posts on social media
Basically, it’s any information relating to an individual or identifiable person, directly or indirectly.
Following the GDPR provisions, non-personal data is data that won’t let you identify an individual. The best example is anonymous data. According to Recital 26 of GDPR:
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Other examples of non-personal data include, but are not limited to:
- Generalized data, i.e. an age range such as 20-40 instead of an exact age
- Information gathered by government bodies or municipalities such as census data or tax receipts collected for publicly funded works
- Aggregated statistics on the use of a product or service
- Partially or fully masked IP addresses
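As an added example (not code from the original post), here is how the “partially or fully masked IP addresses” listed above can be produced before an access log is stored. The masking widths (keep /24 for IPv4, /48 for IPv6) and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Masking widths are an assumption for this example, not values from the post.
IPV4_KEEP_BITS = 24   # drop the last octet:  203.0.113.42 -> 203.0.113.0
IPV6_KEEP_BITS = 48   # drop the last 80 bits: 2001:db8:85a3::1 -> 2001:db8:85a3::


def partially_mask_ip(raw: str) -> str:
    """Zero the host-identifying low bits; the network part stays for
    coarse geography / ISP statistics (still linkable when combined with
    other identifiers, so treat the result with care)."""
    addr = ipaddress.ip_address(raw.strip())
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def fully_mask_ip(raw: str) -> str:
    """Discard the address entirely, keeping only the address family so
    aggregate IPv4-vs-IPv6 counts remain possible."""
    addr = ipaddress.ip_address(raw.strip())
    return "0.0.0.0" if addr.version == 4 else "::"


def mask_log_line(line: str, full: bool = False) -> str:
    """Mask the leading client address of a Common Log Format line.
    Lines that do not start with a valid address are returned unchanged."""
    ip, sep, rest = line.partition(" ")
    try:
        masked = fully_mask_ip(ip) if full else partially_mask_ip(ip)
    except ValueError:
        return line
    return f"{masked}{sep}{rest}"


# Constructed sample log lines using documentation-range addresses
# (RFC 5737 for IPv4, RFC 3849 for IPv6); not real traffic.
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200',
    '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(mask_log_line(entry))
        print(mask_log_line(entry, full=True))
```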
As we’ve already mentioned, in certain contexts the differences between these two types of data seem quite vague. If we need to draw a clear line, the most useful criteria are the legal framework each term belongs to and the people to whom that framework applies.
All rules and responsibilities regarding personal data are set out by the GDPR, which aims to strengthen and unify the rules on collecting and processing data from EU residents. This also means that there is a more unified approach to enforcement, which has been steadily increasing since May 2018, when the GDPR entered into force.
It’s much harder to define a single piece of legislation that controls PII because of the lack of a single federal law governing its use. However, among the various laws that do govern the collection and usage of PII, the most prominent are:
- The U.S. Privacy Act, which governs how to collect, maintain, use and disseminate PII
- The Health Insurance Portability and Accountability Act (HIPAA), governing patient privacy
- The Children’s Online Privacy Protection Act (COPPA), designed to protect the personal information of children under the age of 13
Furthermore, both governmental and non-governmental organizations regulate the proper use of PII, including:
- The Federal Trade Commission (FTC) and its Department of Consumer Protection
- Local Departments of Consumer Affairs
- The Federal Communications Commission (FCC)
- The National Institute of Standards and Technology (NIST)
- The Network Advertising Initiative (NAI), a self-regulatory organization
Since personal data is strictly connected to the GDPR, it concerns all residents and citizens of the member states of the European Economic Area – the 28 Member States of the EU plus Iceland, Liechtenstein, and Norway. We’ll refer to this group as EU residents, for short.
Still, the scope of the GDPR is not really limited to the EU. It impacts not only EU-based entities, but virtually every business dealing with the data of EU residents.
By contrast, it’s much more difficult to determine the jurisdictions where PII is applicable.
Even in the US, where PII is certainly applicable, how it’s applied varies both from state to state and from sector to sector. Several legal documents and industry standards have their own opinion about what PII is.
As a result, determining who PII applies to and how is quite difficult.
The broad definitions of PII and personal data are evolving to cover more and more kinds of data. The differences between the two are also becoming less distinct. The legal requirements are getting stricter on both sides of the Atlantic.
Those changes will bring new challenges. For organizations of all kinds, this means taking a closer look at the data they collect and keeping up with the changing legal landscape to stay compliant.
We hope that our blog post has answered at least some of your questions regarding PII and personal data. But if you want to learn more, feel free to contact us anytime. Our experts will be happy to fill you in!