What is Personally Identifiable Information (PII)?

Some things are priceless, and PII is one of them.

By
&
Aliza Vigderman
Gabe TurnerChief Editor
Last Updated on Jun 28, 2021
By Aliza Vigderman & Gabe Turner on Jun 28, 2021

If you’ve read anything about identity theft, you’ve probably come across the term “PII.” If someone steals your PII, it’s the same as stealing your identity, but what is PII? In this article, we’ll define PII and tell you how to protect it and prevent identity theft.

What Is PII?

PII stands for “personally identifiable information,” and it refers to any information that can identify or trace an individual either directly (direct identifiers) or when paired with other information (indirect identifiers). Here are some examples of each:

Direct Identifiers

  • Name
  • Address
  • Social Security number (SSN)
  • Other identifying number or code
  • Phone number
  • Email address

Indirect Identifiers

  • Gender
  • Race
  • Birthdate
  • Geographic indicators

PII also includes any information that allows someone to contact an individual, whether in person or online. PII is stored on paper and electronically,1 from filing cabinets at dentists’ offices to Facebook’s data servers around the world.

Who Can Access PII?

From 2019 to 2020, identity theft increased by 67 percent, according to our identity theft study. As of 2021, over a third of adults in the United States have been victims of identity theft. Why? Identity theft happens because PII gets into the wrong hands. Many different people and organizations handle other people’s PII. Here are some examples:

  • Companies: Have you heard about all of the data that tech companies have? Social media companies like Facebook and Twitter, along with search engines like Google, maintain a ton of personal information, as do companies that make the IoT products we love so much. Learn more about what PII companies keep in our privacy guide.
  • Governments: Obviously, governments hold PII about their citizens, which is necessary for them to file their taxes, register to vote, and more.
  • Credit bureaus: In order to track your credit activity and create credit reports, credit bureaus like Experian, TransUnion, and Equifax hold everyone’s PII. That’s why monitoring your credit with credit reporting services is a good way to prevent identity theft. You are entitled to a free credit report once a year. If you see any errors or signs of identity theft, you can dispute your credit report. However, even the best credit monitoring services can’t completely prevent identity theft, as data breaches can occur. Unfortunately, data breaches are pretty common and have involved about a third of Americans, according to our data breach report.
  • Employers: Obviously, employers hold a lot of their employees’ (and customers’) PII, so businesses have unique responsibilities to protect this data, but we’ll get to that in a bit.

Sensitive vs. Non-Sensitive PII

Not all PII is considered sensitive PII (SPII). SPII is PII that, in the wrong hands, could cause the person:

  • Substantial harm
  • Unfairness
  • Inconvenience
  • Embarrassment

Some data is considered to be SPII on its own, while other data is considered to be SPII only in combination with other information. Here are some examples of information that is SPII on its own:

  • SSNs
  • Driver’s license or state ID numbers
  • Passport numbers
  • Alien registration numbers
  • Financial account numbers
  • Biometric identifiers

The following information is SPII when used in combination with other PII:

  • Citizenship/immigration status
  • Medical information
  • Ethnic/religious affiliation
  • Personal email address
  • Account passwords
  • Last four digits of SSN
  • Date of birth
  • Criminal history
  • Mother’s maiden name

Not all PII is sensitive, however. These are some examples of non-sensitive PII:

  • List of people who attended a public meeting
  • Stakeholders who subscribe to email lists2
  • List of people on a softball team
Protect Personal Information
Protect Personal Information

What Isn’t PII?

Of course, not all information is PII in the first place. If it won’t put people at risk of identity theft or compromise their privacy, like someone’s favorite color, it’s not PII.3

How the GDPR Defines Personal Data

The General Data Protection Regulation is the European Union’s data protection law, but since it applies to any website with visitors from the E.U., even U.S.-based websites must comply. Unlike the U.S., which has no federal data protection legislation outside of the health and financial industries, the GDPR aims to increase consumers’ digital safety, defining personal data as any information relating to an identified or identifiable natural person, or data subject. Under the GDPR, personal data includes:

  • Names
  • ID numbers
  • Location data
  • Online identifiers with one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a person

Like PII, personal data can be processed either electronically (automated), or as written records (non-automated as part of a filing system). It comes in many forms, including videos, audio recordings, and photographs. But note that this legislation only applies to living people, not those who have died. The GDPR also doesn’t cover data about companies, just people.4

What Is Non-Personal Data?

Just like not all information is PII, not all data is personal data. Non-personal data is any data that’s anonymized or pseudonymized, meaning it’s given fake names.5

PII vs. Personal Data

So, what is the difference between PII and the GDPR-defined personal data?

Legal Differences

The U.S. government defines PII much more narrowly than the E.U. defines personal data. While PII only refers to a specific name, address, birthdate, Social Security, or financial information (such as credit card or bank account numbers), personal data covers more types of data, like social media posts, lifestyle preferences, transaction histories, and IP addresses. So, while all PII is personal data, not all personal data is PII.6

NOTE: Since the GDPR applies to any websites with visitors from the E.U., every U.S.-based website with E.U. visitors must comply.

Personal Data
Personal Data

Your Rights Surrounding PII

While the E.U. certainly has stronger data protection regulations than the U.S., the U.S. government covers data protection at both the federal and state levels.

Federal

Federally, the U.S. has data protection regulations that apply to the health and financial industries only. For example, the Health Insurance Portability and Accountability Act only applies to “covered entities” that store “protected health information,” while the Financial Services Modernization Act applies only to security firms, banks, insurance companies, and any other company that provides financial services or products. These companies must protect customers’ financial information under the Safeguards Rule. Outside of the health and financial industries, data protection is handled at the state level.

State

Each state has slightly different laws on protecting customer data and notifying customers of data breaches. California has the strongest data privacy laws, including the Online Privacy Protection Act, which makes businesses post privacy policies conspicuously on their websites. However, most states have weak or no data privacy regulations aside from data breach notification laws. To learn about the data protection laws in your state, read our article on data privacy laws by state.

GDPR

If your website has any visitors from the E.U., then they’re guaranteed certain rights. The GDPR covers these areas:

  • Accuracy: People have the right to correct inaccurate or incomplete information.
  • Data portability: Companies must store data in a way that’s easy to share and understand, with a straightforward and accessible privacy policy. If any designated third party requests the privacy policy, the company must give it to them, even if it’s a competitor.
  • Right of access: Users can access their personal data.
  • Right to be informed: People have the right to know how data is processed, including:
    • The source of the personal data
    • Why it was processed
    • How long it will be held
  • Right to erasure: People have the right to be forgotten and can delete information from websites, with some exceptions, such as if the data is necessary to comply with legal rulings.
  • Right to object: Unless the company has a legitimate basis for using it, like a contract or legal obligation, people can object to the processing of their data.
  • Right to restrict processing: Users can also limit the way companies process their data, such as when the data is inaccurate or the processing is unnecessary or unlawful.
  • Transparency and communication: Companies must explain clearly how they process data and make it easy for users to request erasures, responding in a quick and adequate manner.

Can Hackers Get Around the GDPR To Gain PII?

If you’ve ever had a hacked phone, you know that not even an antivirus can ward off hackers 100 percent. Even iPhones can be hacked, contrary to popular belief. Hackers can circumvent the GDPR and utilize hacking methods like these:

  • Brute force: In brute-force attacks, hackers guess at passwords, which is why creating long, complicated passwords is essential to your digital security.
  • Data breaches: Again, businesses and credit bureaus can have data breaches, exposing customers’ PII.
  • Man-in-the-middle attacks: Hackers intercept data packets when they’re traveling between the sender and the receiver to get passwords.
  • Phishing: In phishing scams, hackers use social engineering to gain login credentials, like sending people fake emails with illegitimate login pages.
  • Physical access: If a filing cabinet or data server center is compromised, hackers can access PII, which is why physical as well as digital security is necessary to protect consumers’ data.
  • Programming-based hacking: Perhaps the most advanced hacking method, programming-based hacking means that hackers find and exploit system vulnerabilities to gain administrative privileges.

Reporting Data Breaches

How much time you have to report data breaches depends on your state’s data breach notification laws, detailed below.

State Is there a data breach notification law? Maximum amount of time to notify customers of a data breach
Alabama Yes As soon as possible
Alaska Yes As soon as possible
Arizona Yes 45 days
Arkansas Yes *If it affected over 1,000 people and had a “reasonable likelihood of harm” As soon as possible
California Yes *If it affected over 500 residents As soon as possible
Colorado Yes 30 days
Connecticut Yes *If the breach will likely result in harm 90 days
Delaware Yes 60 days
Florida Yes *If it affected 500 people or more 30 days
Georgia Yes As soon as possible
Hawaii Yes As soon as possible
Idaho Yes 1 day
Illinois Yes As soon as possible
Indiana Yes As soon as possible
Iowa Yes *If it affected over 500 residents 5 business days
Kansas Yes As soon as possible
Kentucky Yes As soon as possible
Louisiana Yes 60 days
Maine Yes As soon as possible
Maryland Yes 45 days
Massachusetts Yes 10 business days
Michigan Yes 3 business days
Minnesota Yes *Only applies to government agencies As soon as possible
Mississippi Yes As soon as possible
Missouri Yes As soon as possible
Montana Yes As soon as possible
Nebraska Yes As soon as possible
Nevada Yes As soon as possible
New Hampshire Yes As soon as possible
New Jersey Yes As soon as possible
New Mexico Yes 45 days
New York Yes As soon as possible
North Carolina Yes As soon as possible
North Dakota Yes *If it affects 250 or more residents As soon as possible
Ohio Yes 45 days
Oklahoma Yes As soon as possible
Oregon Yes *If it affects 250 or more residents 10 days
Pennsylvania Yes As soon as possible
Rhode Island Yes As soon as possible
South Carolina Yes *If it affects 250 or more residents 3 days
South Dakota Yes 60 days
Tennessee Yes 45 days
Texas Yes *If it affects 250 or more residents 60 days
Utah Yes 20 days
Vermont Yes 45 days
Virginia Yes As soon as possible
Washington Yes *If it affects 500 or more residents 30 days
West Virginia Yes As soon as possible
Wisconsin Yes 45 days
Wyoming Yes As soon as possible

How To Comply With the GDPR

Finally, we’re answering the question of how American companies can adhere to the GDPR with minimal effort.

For U.S. Companies

If you’re a U.S. company, the GDPR states that you must do the following in order to comply:

  1. Audit your information for “personal data,” as defined by the GDPR.
  2. Inform customers of why you’re processing their data.
  3. Assess how you process data and improve data protection.
  4. Make data processing agreements with vendors.
  5. Appoint a data protection officer (perhaps).
  6. Designate a representative in the E.U.
  7. Familiarize yourself with your state’s data breach laws.
  8. Comply with cross-border transfer laws.7

How To Keep Up With Data Privacy Regulations

You’ll be happy to know that there are automated tools to help U.S. companies comply with GDPR requirements. The marketing company HubSpot, for example, has a list of the best GDPR compliance software to protect consumer data.8

How To Protect Your PII

Of course, businesses aren’t the only ones responsible for protecting PII. Here are the steps you can take at the individual level to protect your PII and prevent identity theft:

  1. Use identity theft protection. The best identity theft protection services scan multiple criminal and financial areas for your PII. Most services have identity restoration and fraud detection; there are even identity theft protection services for seniors as well as identity theft protection for families to prevent child identity theft.
  2. Don’t answer unknown numbers. If you see an unknown number on your phone, don’t answer it, and if you accidentally answer it, don’t mention any of your PII. Your best bet is to register for the National Do Not Call Registry to avoid these types of calls as much as possible.
  3. Clear your mailbox. Mail contains a lot of PII, so you should check and take out your mail every day. To secure your home while you’re on vacation, have a neighbor take out your mail when you’re gone.
  4. Destroy documents with PII. Even after you’ve brought them home and looked at them, before you throw out any documents with your PII, shred or tear them up. This includes any paper trails of transactions, like receipts.
  5. Avoid phishing attempts. Along with ignoring random phone calls, avoid opening random emails, text messages, or attachments, as these could be attempts at social engineering.
  6. Install antivirus software. While antivirus software isn’t a one-stop shop for protecting PII, it can detect most cyberattacks and network threats, greatly reducing your chances of identity theft.
  7. Use password managers. If you’re using the same password for all of your online accounts, then if a hacker knows one login, they know them all. Instead, create unique and complicated passwords for all of your accounts and store them with a password manager, our most essential password security tip.
  8. Protect your devices with passwords. Along with your online accounts, make sure to lock your devices with passwords or passcodes. That way, if you lose a device, the person who finds it won’t be able to open anything with your PII and steal your identity.
  9. Use your SSN sparingly. Anyone who’s ever lost their Social Security card knows the stress of having your SSN out in the open, but it’s not just the physical card you have to worry about. It’s normal for companies to request your SSN, but ask if just the last four digits will do, and check their privacy policy before handing it over.
  10. Be careful with e-commerce. If you shop online, check out the company on the Better Business Bureau website before typing in your sensitive payment information.
  11. Perform software updates. Software updates contain fixes to security vulnerabilities, so even though they’re annoying, perform them as soon as possible.
  12. Use VPNs on public networks. If you’re on a public Wi-Fi network (e.g., surfing the web at a Starbucks), use a VPN to hide your device’s IP address along with your web activity, as this information could leave you vulnerable to hacking.
  13. Add authentication. Finally, add two- or multi-factor authentication to prevent unauthorized access to your online accounts.

TIP: To minimize the paper mail you get, subscribe to paperless billing whenever it’s available. This is also better for the environment — a win-win!

The Consequences of Not Protecting Your PII

The biggest consequence of not protecting your PII is identity theft, which can lead to difficulty getting jobs, loans, and leases along with financial losses. Again, our 2021 research told us that 32 percent of U.S. adults have had their identities stolen, which amounts to over 66 million people. While the consequences of identity theft are vast, these are some common ones:

  • Emotional distress: According to the Federal Trade Commission, which processes identity theft reports, three-quarters of victims were severely distressed over the misuse or attempted misuse of their PII. In some cases, they had physical reactions as well as emotional ones.
  • Inability to open accounts: While 38 percent of victims found it harder to get new credit cards, 24 percent found it hard to obtain loans, and 16 percent couldn’t open checking or savings accounts.9
  • Loss of money: In 2020, losses from identity fraud totaled $56 billion in the U.S., with a $1,100 average loss per victim.10

Not sure if you’re a victim? Check if your identity is stolen.

Recap

As in life in general, there’s only so much you can control about your PII. The truth is that data breaches are common, and companies aren’t always so careful with customer data. Even under GDPR guidelines, hackers can still obtain people’s PII and steal their identities. That being said, by utilizing best practices, you can lower your risk of identity theft and keep your PII to yourself.

Frequently Asked Questions

Given identity theft’s recent increase, we’ve fielded a ton of questions about how to protect your PII, and what it is in the first place. We’ve answered the questions we got the most below.

Citations
  1. U.S. Department of Labor. Guidance on the Protection of Personal Identifiable Information.
    dol.gov/general/ppii

  2. U.S. Department of Homeland Security. (2017). Handbook for Safeguarding Sensitive PII.
    dhs.gov/sites/default/files/publications/dhs%20policy%20directive%20047-01-007%20handbook%20for%20safeguarding%20sensitive%20PII%2012-4-2017.pdf

  3. FWS. PII and Email Communications.
    fws.gov/irm/bpim/docs/pii_and_email.pdf

  4. GDPR.EU What is considered personal data under the EU GDPR?
    gdpr.eu/eu-gdpr-personal-data/

  5. U.S. National Library of Medicine. (2018). European Journal of Human Genetics – Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation.
    ncbi.nlm.nih.gov/pmc/articles/PMC5838983/

  6. LinkedIn. (2016). GDPR: The difference between Personally Identifiable Information (PII) and Personal Data.
    linkedin.com/pulse/gdprthe-difference-between-personally-identifiable-jim-seaman/

  7. GDPR.EU. GDPR compliance checklist for US companies.
    gdpr.eu/compliance-checklist-us-companies/

  8. HubSpot. Top GDPR Compliance Software.
    blog.hubspot.com/marketing/gdpr-compliance-software

  9. Identity Theft Resource Center. Identity Theft: The Aftermath 2017. ftc.gov/system/files/documents/public_comments/2017/10/00004-141444.pdf

  10. Javelin. 2021 Identity Fraud Study: Shifting Angles.
    javelinstrategy.com/content/2021-identity-fraud-report-shifting-angles-identity-fraud