The classification “non-PII” doesn’t mean data falls outside privacy regulations. This is one of the most common misunderstandings in digital analytics, creating legal risk for organizations that assume “non-PII” equals “no privacy obligations.”
What is non-PII?
Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or identify a specific person. This type of information is typically collected and used for purposes such as analytics, research, or advertising targeting without directly revealing individuals’ identities.
Examples of non-PII
Non-PII includes:
- Aggregated statistics on the use of products or services
- Partially or fully masked IP addresses
- Types of devices (such as smartphones, tablets, and desktops)
- Cookies or anonymous identifiers
- Time spent on a website or app
The GDPR complication
Organizations make a critical mistake when they assume that because data doesn’t directly identify someone, it falls outside privacy regulations. Under GDPR, the relevant concept isn’t “personally identifiable information” – it’s “personal data,” which has a broader definition.
GDPR considers something personal data if it relates to an identified or identifiable natural person. The key word is “identifiable.” Even if a single data point doesn’t identify someone, if it could be combined with other information to identify them, it’s personal data under GDPR.
Scenarios where “non-PII” still requires consent:
- Cookie identifiers that track behavior over time, even if not linked to names
- Device fingerprints that can distinguish one user from another consistently
- IP addresses, even when partially masked, in jurisdictions that consider them personal data
- Pseudonymous identifiers that could theoretically be re-identified
Compliance requirements
While non-PII doesn’t directly identify individuals, there can still be significant privacy concerns associated with its collection, storage, and usage – especially when combined with other data sources or when certain patterns can lead to indirect identification.
Organizations that collect non-PII need privacy policies and procedures to safeguard this information and ensure compliance with relevant regulations. The classification as “non-PII” doesn’t automatically exempt you from consent requirements, data processing agreements, or breach notification obligations.
Questions to ask about your “non-PII”:
- Could this data be combined with other information (either that we have or that others have) to identify individuals?
- Does this data enable persistent tracking of individuals, even if we don’t know their names?
- In the most privacy-protective interpretation of relevant regulations, would this qualify as personal data?
If the answer to any of these questions is “yes” or “maybe,” treat it as personal data for compliance purposes.
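As an added illustration of the first question above (this is example code, not part of the original article), the following Python script measures how many visitors in a constructed "non-PII" analytics export are singled out by the combination of their fields, and shows that partially masking the IP address on its own does not change that. The rows, field names and the mask_ip helper are assumptions for the example, not a real dataset or a real analytics tool.

```python
"""Re-identification check over a constructed 'non-PII' analytics export.

Added example, not part of the original article. Every field is one the
article lists as non-PII (masked IP, device type, time on site) plus a
coarse country code. The rows are constructed sample data using
documentation IP ranges, not real visitors.
"""
from collections import Counter

ROWS = [
    {"ip": "203.0.113.7",   "device": "desktop", "country": "DE", "time": "1-5m"},
    {"ip": "203.0.113.42",  "device": "desktop", "country": "DE", "time": "5-10m"},
    {"ip": "203.0.113.99",  "device": "mobile",  "country": "DE", "time": "1-5m"},
    {"ip": "198.51.100.5",  "device": "mobile",  "country": "DE", "time": "1-5m"},
    {"ip": "198.51.100.77", "device": "mobile",  "country": "FR", "time": "5-10m"},
    {"ip": "192.0.2.10",    "device": "mobile",  "country": "FR", "time": ">10m"},
]

def mask_ip(ip: str, keep_octets: int = 2) -> str:
    """Zero the trailing IPv4 octets, the usual 'partial masking' in analytics tools."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError("IPv4 dotted-quad expected")
    return ".".join(parts[:keep_octets] + ["0"] * (4 - keep_octets))

def mask_rows(rows, keep_octets=2):
    """Copy of the rows with the IP field masked."""
    return [{**r, "ip": mask_ip(r["ip"], keep_octets)} for r in rows]

def k_anonymity(rows, keys):
    """Size of the smallest group of rows sharing the same values on `keys`.
    k == 1 means the combination singles out at least one visitor."""
    groups = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(groups.values())

def singled_out(rows, keys):
    """Rows whose combination of `keys` occurs exactly once in the export."""
    groups = Counter(tuple(r[k] for k in keys) for r in rows)
    return [r for r in rows if groups[tuple(r[k] for k in keys)] == 1]

if __name__ == "__main__":
    full = ("ip", "device", "country", "time")
    masked = mask_rows(ROWS)
    # Masking the IP alone changes nothing here: device + country + time still
    # single out every visitor, so the article's test says treat it as personal data.
    print("masked IP, all fields: k =", k_anonymity(masked, full),
          "singled out:", len(singled_out(masked, full)))
    coarse = ("country", "device")   # coarsening the export is what raises k
    print("country + device only: k =", k_anonymity(masked, coarse),
          "singled out:", len(singled_out(masked, coarse)))
```

A k of 1 on any combination of retained fields answers the first question above with "yes"; only after dropping or generalizing fields until every group has at least two members does the export stop singling anyone out.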
For the full comparison of personally identifiable information, non-personally identifiable information and personal data, see: What is PII, non-PII, and personal data? [UPDATED]