[UPDATE] What Is PII, non-PII, and Personal Data?

Date: January 5, 2018 | Author: Michael Sweeney | Category: Data Privacy & Security

This blog post was originally published on September 7, 2016.

In recent years, many people have become more concerned about their online data privacy and what companies know about them, their web history, and their personal information.

While it’s true that data is collected each time a user accesses a website, interacts with a post on social media, or makes an online purchase, there are different types of user data being tracked: some of it can be used to identify an individual person (known as PII) and some of it can’t, at least not on its own.

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is a term regularly used in Ad Tech and MarTech, but it extends well beyond these two industries.

In fact, PII is often referenced by US government agencies, such as the National Institute of Standards and Technology (NIST).

NIST provides the following definition of PII (NIST Special Publication 800-122, Guide to Protecting the Confidentiality of PII):

PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

What Pieces of Information are Considered PII?

PII can be divided into two categories: linked information and linkable information.

Linked information is any piece of personal information that can be used to identify an individual on its own. It includes, but is not limited to, the following:

  • Full name
  • Home address
  • Email address
  • Social security number
  • Passport number
  • Driver’s license number
  • Credit card numbers
  • Date of birth
  • Telephone number
  • Login details

Linkable information, on the other hand, is information that on its own may not identify a person, but which, when combined with one or more other pieces of information, could identify, trace, or locate that person.

Here are some examples of linkable information:

  • First or last name (if common)
  • Country, state, city, postcode
  • Gender
  • Race
  • Non-specific age (e.g. 30-40 instead of 30)
  • Job position and workplace
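The following is an added example, not part of the original post, that shows why the fields above count as linkable rather than harmless. It holds a constructed, fictional set of eight records containing only "linkable" attributes (gender, postcode, age band, job, employer), then measures how many people each attribute, and each combination of attributes, singles out. The record set and the function names (`group_sizes`, `singletons`, `k_anonymity`, `link`) are this example's own assumptions.

```python
# Added example (not from the original post): how "linkable" attributes that are
# harmless on their own single out a person once combined. The records below are
# constructed, fictional data; the function names are this example's own.
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample of eight fictional people. Each field is one of the
# "linkable" categories from the list above; no directly identifying
# ("linked") field such as a name or email address is stored at all.
RECORDS: List[Record] = [
    {"gender": "F", "postcode": "02139", "age_band": "30-40", "job": "Engineer", "employer": "Acme"},
    {"gender": "M", "postcode": "02139", "age_band": "30-40", "job": "Engineer", "employer": "Acme"},
    {"gender": "F", "postcode": "02139", "age_band": "40-50", "job": "Nurse",    "employer": "City Hospital"},
    {"gender": "M", "postcode": "10001", "age_band": "30-40", "job": "Engineer", "employer": "Acme"},
    {"gender": "F", "postcode": "10001", "age_band": "30-40", "job": "Teacher",  "employer": "PS 12"},
    {"gender": "M", "postcode": "10001", "age_band": "40-50", "job": "Teacher",  "employer": "PS 12"},
    {"gender": "F", "postcode": "02139", "age_band": "30-40", "job": "Engineer", "employer": "Acme"},
    {"gender": "M", "postcode": "10001", "age_band": "30-40", "job": "Nurse",    "employer": "City Hospital"},
]


def key_of(record: Record, attrs: Sequence[str]) -> Tuple[str, ...]:
    """Project a record onto the chosen attributes (the 'quasi-identifier')."""
    return tuple(record[a] for a in attrs)


def group_sizes(records: Iterable[Record], attrs: Sequence[str]) -> Counter:
    """How many records share each combination of the chosen attributes."""
    return Counter(key_of(r, attrs) for r in records)


def singletons(records: Sequence[Record], attrs: Sequence[str]) -> List[int]:
    """Indices of records whose attribute combination is unique in the set,
    i.e. the people these fields identify exactly."""
    sizes = group_sizes(records, attrs)
    return [i for i, r in enumerate(records) if sizes[key_of(r, attrs)] == 1]


def k_anonymity(records: Sequence[Record], attrs: Sequence[str]) -> int:
    """Smallest group size over the chosen attributes. k == 1 means at least
    one person is uniquely identifiable from those fields alone."""
    return min(group_sizes(records, attrs).values())


def link(records: Sequence[Record], known: Record) -> List[int]:
    """Indices of records consistent with facts already known about a target
    (e.g. gender, postcode and age band read off a public profile)."""
    return [i for i, r in enumerate(records)
            if all(r.get(a) == v for a, v in known.items())]


if __name__ == "__main__":
    for attrs in [("gender",), ("postcode",), ("age_band",),
                  ("gender", "postcode", "age_band"),
                  ("gender", "postcode", "age_band", "job")]:
        print(f"{'+'.join(attrs):32s} k={k_anonymity(RECORDS, attrs)} "
              f"uniquely identified={len(singletons(RECORDS, attrs))}/{len(RECORDS)}")
    # Someone who knows three 'non-identifying' facts about one person
    # narrows the eight records down to exactly one.
    print("matches:", link(RECORDS, {"gender": "F", "postcode": "10001", "age_band": "30-40"}))
```

Run on its own, each single attribute leaves every person in a group of at least two (k of 4, 4 and 2), so none identifies anyone. Combining gender, postcode and age band drops k to 1 and uniquely identifies four of the eight people; adding the job title identifies six. The same arithmetic is what turns a "non-specific" age or a common surname into PII the moment it is stored next to other fields, so a data inventory should be assessed on combinations of columns, not column by column.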

What is Non-PII?

Non-personally identifiable information (non-PII) is data that cannot be used on its own to identify, trace, or locate a person; in other words, it is the opposite of PII.

Examples of data traditionally treated as non-PII in Ad Tech include, but are not limited to:

  • Device IDs
  • IP addresses
  • Cookies

Note that this is the traditional industry view; as the FTC and GDPR sections below show, regulators increasingly treat these persistent identifiers as personal information because they can be linked to a particular person, computer, or device.

What’s the Difference Between PII and Personal Data?

While PII is a commonly recognized term, there is another term that many people may be familiar with — personal data.

The difference between PII and personal data can be explained by the following:

Personally Identifiable Information (PII) is a term used mainly within the USA.

Personal Data is considered to be the European equivalent of PII; however, it doesn’t completely correspond to the PII definition popular in the US. The new EU data privacy law, the General Data Protection Regulation (GDPR), which applies from May 25, 2018, defines personal data as follows:

Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Important note: GDPR states that even cookies can be considered personal data. This is detailed in Recital 30 of the regulation:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The Future of PII

The line separating PII and non-PII is becoming thinner with every passing year and the online advertising and marketing industries have already seen government organizations shift their stance on what constitutes PII and what doesn’t — the FTC and Art. 29 WP being two prime examples.

The Federal Trade Commission (FTC)

In a follow-up post to her speech at the 2016 NAI summit in San Francisco, Jessica Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), addressed the topic of persistent identifiers:

“…We [the FTC] regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

The post went on to say that the Commission has modified its definition of personal information (in its 2013 amendments to the Children’s Online Privacy Protection (COPPA) Rule) to include persistent identifiers, including, but not limited to:

  • A customer number held in a cookie
  • An Internet Protocol (IP) address
  • A processor or device serial number
  • A unique device identifier

The Article 29 Data Protection Working Party (Art. 29 WP)

This recent statement from the FTC follows a similar movement in the European Union (EU) that started a few years earlier, when the Article 29 Data Protection Working Party (Art. 29 WP) advised that IP addresses should be treated as personal data (for example in its Opinion 4/2007 on the concept of personal data).

The implications of these two movements are substantial, especially for the Ad Tech and MarTech industries.

For starters, it means there is now a disconnect between the NAI’s Code of Conduct and the definition of personal information used by government organizations such as the FTC and the EU, which makes it hard for companies to know which privacy standards and best practices they must comply with.

In addition, if organizations like the FTC and the EU continue to broaden the definitions of PII and personal data, then emerging areas of Ad Tech that rely on collecting persistent identifiers, such as device fingerprinting, could run directly into the new privacy regulations.

Author:

Michael Sweeney, Content Marketer

Copywriter at Clearcode