Personally Identifiable Information (PII)


Personally Identifiable Information (PII) is information and data about an individual that is maintained by an agency and used to identify someone. It is typically directly provided by the individual and includes data such as the person’s name, social security number, or date. It’s information linked to a person that can be used to trace their identity.

What is PII data?

Let’s start with a definition of PII (Personally Identifiable Information). This term refers to information and data about an individual that is used to identify someone, either directly or indirectly. It is typically directly provided by the individual and includes data such as the person’s name, social security number, address, telephone number, IP address, or email address. It’s information linked to a person that can be used to trace their identity.

These data points can be combined with indirect identification, such as gender, race, birth date, or geographic indicators. PII can be recorded electronically, on paper, or using other types of media.

What’s the difference between PI and PII data?

Personally identifiable information (PII) is a subset of personal information (PI). PII uses certain types of collected data to link the information to a specific individual or household. PI, on the other hand, can include a wide range of information already connected to a specific identity. It’s a much more generalized category of data that can be tracked.

The California Consumer Privacy Act (CCPA) has its own version of PII. The CCPA’s definition of PII includes any information that can either identify you or your household or provide a reasonable link. PII data includes an individual’s name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.

The General Data Protection Regulation (GDPR) has a slightly different take on what PII consists of, defining personal data as “any information relating to an identified or identifiable natural person (data subject), directly or indirectly, in particular by reference to an identifier.”

Essentially, while the CCPA protects the personal information that relates to a consumer or household, the GDPR focuses on the personal data of an individual.

What types of data are considered PII?

PII includes things like employee records, political affiliations, criminal records, health information, religious beliefs, sexual orientation, IP addresses, and even trade union memberships. Further examples of PII include:

  • Name: full name, maiden name, mother’s maiden name, or alias
  • Personal identification numbers: social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, financial account number, or credit card number
  • Personal address information: street address or email address
  • Personal telephone numbers
  • Personal characteristics: photographic images (particularly of face or other identifying characteristics), fingerprints, or handwriting
  • Biometric data: retina scans, voice signatures, or facial geometry
  • Information identifying personally owned property: VIN number or title number
  • Asset information: Internet Protocol (IP) or Media Access Control (MAC) addresses that consistently link to a particular person

Other types of Sensitive Data

There are several other types of sensitive data that marketers need to know how to manage:

Sensitive Personal Information (SPI) is a new term under the California Privacy Rights Act that refers to information related to an individual but not necessarily identifying; however, if the data were to be made public, it could cause harm. SPI includes things like social security numbers, driver’s license numbers, passwords, geolocation, and genetic data.

Nonpublic Personal Information (NPI) refers to any private information provided to a financial institution or information from a transaction. 

In addition to California’s privacy definitions, international marketers need to understand the General Data Protection Regulation (GDPR) standards that apply to European citizens. Clear consent must be received before any marketing materials can be sent. You must also send out an immediate notice if there has been a data breach.

How is PII used by marketers?

PII data can be used by marketers if consent is given by the person. While it depends on the data received, it used to be the case that certain industries (such as financial institutions) were held under more scrutiny than others when using sensitive data. These days, every industry needs extensive security solutions to avoid exposing its customer data. This extends to marketing and to the tools marketers use when running campaigns.

Marketing Tools & PII Compliance

Using the right PII marketing tools makes compliance much easier while also building trust with your customer list by keeping their data safe. A customer engagement platform like MessageGears connects marketing infrastructure directly to your PII-filled database without replicating that information and letting it sit in a third-party cloud infrastructure. When it’s time to send a message, your marketing data is safe behind your firewall. This warehouse-native approach keeps PII data secure, retaining any data privacy protections and processes your company has in place and eliminating additional risk.