
What Is PII, non-PII, and personal data?


Published January 5, 2018 · Updated September 16, 2020


In recent years, many people have become more concerned about their online data privacy and what companies know about them, their web history, and their personal information.

While it’s true that data is collected each time a user accesses a web site, interacts with a post on social media, or makes an online purchase, there are different types of user data being tracked — some of it can be used to identify an individual person (known as PII) and some of it can’t.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is a term regularly used in Ad Tech and MarTech, but it extends well past these two industries.

In fact, PII is often referenced by US government agencies, such as the National Institute of Standards and Technology (NIST).

NIST provides the following definition of PII:

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

What Pieces of Information are Considered PII?

PII can be divided into two categories: linked information and linkable information.

Linked information is any piece of personal information that can be used to identify an individual and includes, but is not limited to, the following:

  • Full name
  • Home address
  • Email address
  • Social security number
  • Passport number
  • Driver’s license number
  • Credit card numbers
  • Date of birth
  • Telephone number
  • Log in details
  • Device IDs
  • Cookies
  • IP address

Linkable information, on the other hand, is information that on its own may not be able to identify a person, but when combined with another piece of information could identify, trace, or locate a person.

Here are some examples of linkable information:

  • First or last name (if common)
  • Country, state, city, postcode
  • Gender
  • Race
  • Non-specific age (e.g. 30-40 instead of 30)
  • Job position and workplace
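
To make the combination effect concrete, the following added example (not part of the original post) counts how many records in a small constructed dataset share each combination of linkable attributes; a group of size 1 means that combination singles out one person. The records, field names and function names are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample records (not real data). They contain no linked
# identifiers such as name, email or IP address, only linkable attributes.
RECORDS = [
    {"postcode": "10115", "gender": "F", "age_band": "30-40", "job": "nurse"},
    {"postcode": "10115", "gender": "F", "age_band": "30-40", "job": "nurse"},
    {"postcode": "10115", "gender": "M", "age_band": "30-40", "job": "teacher"},
    {"postcode": "10115", "gender": "M", "age_band": "40-50", "job": "teacher"},
    {"postcode": "20095", "gender": "F", "age_band": "40-50", "job": "teacher"},
    {"postcode": "20095", "gender": "F", "age_band": "30-40", "job": "nurse"},
    {"postcode": "20095", "gender": "M", "age_band": "40-50", "job": "nurse"},
    {"postcode": "20095", "gender": "M", "age_band": "40-50", "job": "nurse"},
]

def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def smallest_group(records, fields):
    """Size of the rarest combination (the dataset's k for these fields)."""
    return min(group_sizes(records, fields).values(), default=0)

def singled_out(records, fields):
    """Records whose combination of `fields` is shared with nobody else."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]

def risk_report(records, field_sets):
    """Map each field combination to (smallest group, number singled out)."""
    return {
        fs: (smallest_group(records, fs), len(singled_out(records, fs)))
        for fs in field_sets
    }

if __name__ == "__main__":
    combos = [
        ("postcode",),
        ("gender",),
        ("postcode", "gender"),
        ("postcode", "gender", "age_band"),
        ("postcode", "gender", "age_band", "job"),
    ]
    for fs, (k, unique) in risk_report(RECORDS, combos).items():
        print(f"{' + '.join(fs):40} k={k}  singled out={unique}")
```

In this constructed data each attribute alone is shared by at least three people, yet postcode, gender and age band together already isolate half of the records.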


What is Non-PII?

Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a person.

Examples of non-PII include, but are not limited to:

  • Aggregated statistics on the use of product / service
  • Partially or fully masked IP addresses

What’s the Difference Between PII and Personal Data?

While PII is a commonly recognized term, there is another term that many people may be familiar with — personal data.

The difference between PII and personal data can be explained by the following:

Personally Identifiable Information (PII) is a term used mainly within the USA.

Personal Data is considered to be the European equivalent of PII; however, it doesn’t completely correspond to the PII definition popular in the US. The new EU data privacy law, the General Data Protection Regulation (GDPR), defines personal data as follows:

Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Important note! GDPR states that even cookies can be considered personal data. This is detailed in Recital 30 of the new law:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The Future of PII

The line separating PII and non-PII is becoming thinner with every passing year and the online advertising and marketing industries have already seen government organizations shift their stance on what constitutes PII and what doesn’t — the FTC and Art. 29 WP being two prime examples.

The Federal Trade Commission (FTC)

In a follow-up post to her speech at the 2016 NAI summit in San Francisco, Jessica Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), addressed the topic of persistent identifiers:

…We [the FTC] regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.

The post went on to say that the Commission has modified the definition of personal information to include persistent identifiers, including, but not limited to:

  • A customer number held in a cookie
  • An Internet Protocol (IP) address
  • A processor or device serial number
  • A unique device identifier

The Article 29 Data Protection Working Party (Art. 29 WP)

This recent revelation from the FTC follows a similar movement in the European Union (EU) that started a few years ago, when the Article 29 Data Protection Working Party (Art. 29 WP) suggested that IP addresses should be viewed as personal data.

The implications of these two movements are substantial, especially for the Ad Tech and MarTech industries.


For starters, it now means there is a disconnect between the NAI’s Code of Conduct and the definition of personal information from government organizations such as the FTC and EU, which makes it hard for companies to comply with privacy standards and best practices.

In addition, if organizations like the FTC and EU continue creating a broader definition of PII and personal data, then we could see emerging areas of Ad Tech that rely on collecting persistent identifiers, such as device fingerprinting, being hit hard by new privacy regulations.

That’s it. We hope that our blog post has answered at least some of your questions regarding PII and personal data. But if you want to learn more, feel free to contact us anytime. Our experts will be happy to fill you in!



Michael Sweeney

Head of Marketing at Clearcode



Karolina Lubowicka

Content Marketer

Content Marketer and Social Media Specialist at Piwik PRO. An experienced copywriter who takes complex topics of data privacy & GDPR and makes them understandable for all.