What is Personally Identifiable Information (PII)?
Some things are priceless, and PII is one of them.
If you’ve read anything about identity theft, you’ve probably come across the term “PII.” If someone steals your PII, it’s the same as stealing your identity, but what is PII? In this article, we’ll define PII and tell you how to protect it and prevent identity theft.
What Is PII?
PII stands for “personally identifiable information,” and it refers to any information that can identify or trace an individual either directly (direct identifiers) or when paired with other information (indirect identifiers). Here are some examples of each:
- Social Security number (SSN)
- Other identifying number or code
- Phone number
- Email address
- Geographic indicators
PII also includes any information that allows someone to contact an individual, whether in person or online. PII is stored on paper and electronically,1 from filing cabinets at dentists’ offices to Facebook’s data servers around the world.
Who Can Access PII?
From 2019 to 2020, identity theft increased by 67 percent, according to our identity theft study. As of 2021, over a third of adults in the United States have been victims of identity theft. Why? Identity theft happens because PII gets into the wrong hands. Many different people and organizations handle other people’s PII. Here are some examples:
- Companies: Have you heard about all of the data that tech companies have? Social media companies like Facebook and Twitter, along with search engines like Google, maintain a ton of personal information, as do companies that make the IoT products we love so much. Learn more about what PII companies keep in our privacy guide.
- Governments: Obviously, governments hold PII about their citizens, which is necessary for them to file their taxes, register to vote, and more.
- Credit bureaus: In order to track your credit activity and create credit reports, credit bureaus like Experian, TransUnion, and Equifax hold everyone’s PII. That’s why monitoring your credit with credit reporting services is a good way to prevent identity theft. You are entitled to a free credit report once a year. If you see any errors or signs of identity theft, you can dispute your credit report. However, even the best credit monitoring services can’t completely prevent identity theft, as data breaches can occur. Unfortunately, data breaches are pretty common and have involved about a third of Americans, according to our data breach report.
- Employers: Obviously, employers hold a lot of their employees’ (and customers’) PII, so businesses have unique responsibilities to protect this data, but we’ll get to that in a bit.
Sensitive vs. Non-Sensitive PII
Not all PII is considered sensitive PII (SPII). SPII is PII that, in the wrong hands, could cause the person:
- Substantial harm
Some data is considered to be SPII on its own, while other data is considered to be SPII only in combination with other information. Here are some examples of information that is SPII on its own:
- Driver’s license or state ID numbers
- Passport numbers
- Alien registration numbers
- Financial account numbers
- Biometric identifiers
The following information is SPII when used in combination with other PII:
- Citizenship/immigration status
- Medical information
- Ethnic/religious affiliation
- Personal email address
- Account passwords
- Last four digits of SSN
- Date of birth
- Criminal history
- Mother’s maiden name
Not all PII is sensitive, however. These are some examples of non-sensitive PII:
- List of people who attended a public meeting
- Stakeholders who subscribe to email lists2
- List of people on a softball team
What Isn’t PII?
Of course, not all information is PII in the first place. If it won’t put people at risk of identity theft or compromise their privacy, like someone’s favorite color, it’s not PII.3
How the GDPR Defines Personal Data
The General Data Protection Regulation is the European Union’s data protection law, but since it applies to any website with visitors from the E.U., even U.S.-based websites must comply. Unlike the U.S., which has no federal data protection legislation outside of the health and financial industries, the GDPR aims to increase consumers’ digital safety, defining personal data as any information relating to an identified or identifiable natural person, or data subject. Under the GDPR, personal data includes:
- ID numbers
- Location data
- Online identifiers with one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of a person
Like PII, personal data can be processed either electronically (automated), or as written records (non-automated as part of a filing system). It comes in many forms, including videos, audio recordings, and photographs. But note that this legislation only applies to living people, not those who have died. The GDPR also doesn’t cover data about companies, just people.4
What Is Non-Personal Data?
Just like not all information is PII, not all data is personal data. Non-personal data is any data that’s anonymized or pseudonymized, meaning it’s given fake names.5
PII vs. Personal Data
So, what is the difference between PII and the GDPR-defined personal data?
The U.S. government defines PII much more narrowly than the E.U. defines personal data. While PII only refers to a specific name, address, birthdate, Social Security, or financial information (such as credit card or bank account numbers), personal data covers more types of data, like social media posts, lifestyle preferences, transaction histories, and IP addresses. So, while all PII is personal data, not all personal data is PII.6
NOTE: Since the GDPR applies to any websites with visitors from the E.U., every U.S.-based website with E.U. visitors must comply.
Your Rights Surrounding PII
While the E.U. certainly has stronger data protection regulations than the U.S., the U.S. government covers data protection at both the federal and state levels.
Federally, the U.S. has data protection regulations that apply to the health and financial industries only. For example, the Health Insurance Portability and Accountability Act only applies to “covered entities” that store “protected health information,” while the Financial Services Modernization Act applies only to security firms, banks, insurance companies, and any other company that provides financial services or products. These companies must protect customers’ financial information under the Safeguards Rule. Outside of the health and financial industries, data protection is handled at the state level.
Each state has slightly different laws on protecting customer data and notifying customers of data breaches. California has the strongest data privacy laws, including the Online Privacy Protection Act, which makes businesses post privacy policies conspicuously on their websites. However, most states have weak or no data privacy regulations aside from data breach notification laws. To learn about the data protection laws in your state, read our article on data privacy laws by state.
If your website has any visitors from the E.U., then they’re guaranteed certain rights. The GDPR covers these areas:
- Accuracy: People have the right to correct inaccurate or incomplete information.
- Right of access: Users can access their personal data.
- Right to be informed: People have the right to know how data is processed, including:
- The source of the personal data
- Why it was processed
- How long it will be held
- Right to erasure: People have the right to be forgotten and can delete information from websites, with some exceptions, such as if the data is necessary to comply with legal rulings.
- Right to object: Unless the company has a legitimate basis for using it, like a contract or legal obligation, people can object to the processing of their data.
- Right to restrict processing: Users can also limit the way companies process their data, such as when the data is inaccurate or the processing is unnecessary or unlawful.
- Transparency and communication: Companies must explain clearly how they process data and make it easy for users to request erasures, responding in a quick and adequate manner.
Can Hackers Get Around the GDPR To Gain PII?
If you’ve ever had a hacked phone, you know that not even an antivirus can ward off hackers 100 percent. Even iPhones can be hacked, contrary to popular belief. Hackers can circumvent the GDPR and utilize hacking methods like these:
- Brute force: In brute-force attacks, hackers guess at passwords, which is why creating long, complicated passwords is essential to your digital security.
- Data breaches: Again, businesses and credit bureaus can have data breaches, exposing customers’ PII.
- Man-in-the-middle attacks: Hackers intercept data packets when they’re traveling between the sender and the receiver to get passwords.
- Phishing: In phishing scams, hackers use social engineering to gain login credentials, like sending people fake emails with illegitimate login pages.
- Physical access: If a filing cabinet or data server center is compromised, hackers can access PII, which is why physical as well as digital security is necessary to protect consumers’ data.
- Programming-based hacking: Perhaps the most advanced hacking method, programming-based hacking means that hackers find and exploit system vulnerabilities to gain administrative privileges.
Reporting Data Breaches
How much time you have to report data breaches depends on your state’s data breach notification laws, detailed below.
|State||Is there a data breach notification law?||Maximum amount of time to notify customers of a data breach|
|Alabama||Yes||As soon as possible|
|Alaska||Yes||As soon as possible|
|Arkansas||Yes *If it affected over 1,000 people and had a “reasonable likelihood of harm”||As soon as possible|
|California||Yes *If it affected over 500 residents||As soon as possible|
|Connecticut||Yes *If the breach will likely result in harm||90 days|
|Florida||Yes *If it affected 500 people or more||30 days|
|Georgia||Yes||As soon as possible|
|Hawaii||Yes||As soon as possible|
|Illinois||Yes||As soon as possible|
|Indiana||Yes||As soon as possible|
|Iowa||Yes *If it affected over 500 residents||5 business days|
|Kansas||Yes||As soon as possible|
|Kentucky||Yes||As soon as possible|
|Maine||Yes||As soon as possible|
|Massachusetts||Yes||10 business days|
|Michigan||Yes||3 business days|
|Minnesota||Yes *Only applies to government agencies||As soon as possible|
|Mississippi||Yes||As soon as possible|
|Missouri||Yes||As soon as possible|
|Montana||Yes||As soon as possible|
|Nebraska||Yes||As soon as possible|
|Nevada||Yes||As soon as possible|
|New Hampshire||Yes||As soon as possible|
|New Jersey||Yes||As soon as possible|
|New Mexico||Yes||45 days|
|New York||Yes||As soon as possible|
|North Carolina||Yes||As soon as possible|
|North Dakota||Yes *If it affects 250 or more residents||As soon as possible|
|Oklahoma||Yes||As soon as possible|
|Oregon||Yes *If it affects 250 or more residents||10 days|
|Pennsylvania||Yes||As soon as possible|
|Rhode Island||Yes||As soon as possible|
|South Carolina||Yes *If it affects 250 or more residents||3 days|
|South Dakota||Yes||60 days|
|Texas||Yes *If it affects 250 or more residents||60 days|
|Virginia||Yes||As soon as possible|
|Washington||Yes *If it affects 500 or more residents||30 days|
|West Virginia||Yes||As soon as possible|
|Wyoming||Yes||As soon as possible|
How To Comply With the GDPR
Finally, we’re answering the question of how American companies can adhere to the GDPR with minimal effort.
For U.S. Companies
If you’re a U.S. company, the GDPR states that you must do the following in order to comply:
- Audit your information for “personal data,” as defined by the GDPR.
- Inform customers of why you’re processing their data.
- Assess how you process data and improve data protection.
- Make data processing agreements with vendors.
- Appoint a data protection officer (perhaps).
- Designate a representative in the E.U.
- Familiarize yourself with your state’s data breach laws.
- Comply with cross-border transfer laws.7
How To Keep Up With Data Privacy Regulations
You’ll be happy to know that there are automated tools to help U.S. companies comply with GDPR requirements. The marketing company HubSpot, for example, has a list of the best GDPR compliance software to protect consumer data.8
How To Protect Your PII
Of course, businesses aren’t the only ones responsible for protecting PII. Here are the steps you can take at the individual level to protect your PII and prevent identity theft:
- Use identity theft protection. The best identity theft protection services scan multiple criminal and financial areas for your PII. Most services have identity restoration and fraud detection; there are even identity theft protection services for seniors as well as identity theft protection for families to prevent child identity theft.
- Don’t answer unknown numbers. If you see an unknown number on your phone, don’t answer it, and if you accidentally answer it, don’t mention any of your PII. Your best bet is to register for the National Do Not Call Registry to avoid these types of calls as much as possible.
- Clear your mailbox. Mail contains a lot of PII, so you should check and take out your mail every day. To secure your home while you’re on vacation, have a neighbor take out your mail when you’re gone.
- Destroy documents with PII. Even after you’ve brought them home and looked at them, before you throw out any documents with your PII, shred or tear them up. This includes any paper trails of transactions, like receipts.
- Avoid phishing attempts. Along with ignoring random phone calls, avoid opening random emails, text messages, or attachments, as these could be attempts at social engineering.
- Install antivirus software. While antivirus software isn’t a one-stop shop for protecting PII, it can detect most cyberattacks and network threats, greatly reducing your chances of identity theft.
- Use password managers. If you’re using the same password for all of your online accounts, then if a hacker knows one login, they know them all. Instead, create unique and complicated passwords for all of your accounts and store them with a password manager, our most essential password security tip.
- Protect your devices with passwords. Along with your online accounts, make sure to lock your devices with passwords or passcodes. That way, if you lose a device, the person who finds it won’t be able to open anything with your PII and steal your identity.
- Be careful with e-commerce. If you shop online, check out the company on the Better Business Bureau website before typing in your sensitive payment information.
- Perform software updates. Software updates contain fixes to security vulnerabilities, so even though they’re annoying, perform them as soon as possible.
- Use VPNs on public networks. If you’re on a public Wi-Fi network (e.g., surfing the web at a Starbucks), use a VPN to hide your device’s IP address along with your web activity, as this information could leave you vulnerable to hacking.
- Add authentication. Finally, add two- or multi-factor authentication to prevent unauthorized access to your online accounts.
TIP: To minimize the paper mail you get, subscribe to paperless billing whenever it’s available. This is also better for the environment — a win-win!
The Consequences of Not Protecting Your PII
The biggest consequence of not protecting your PII is identity theft, which can lead to difficulty getting jobs, loans, and leases along with financial losses. Again, our 2021 research told us that 32 percent of U.S. adults have had their identities stolen, which amounts to over 66 million people. While the consequences of identity theft are vast, these are some common ones:
- Emotional distress: According to the Federal Trade Commission, which processes identity theft reports, three-quarters of victims were severely distressed over the misuse or attempted misuse of their PII. In some cases, they had physical reactions as well as emotional ones.
- Inability to open accounts: While 38 percent of victims found it harder to get new credit cards, 24 percent found it hard to obtain loans, and 16 percent couldn’t open checking or savings accounts.9
- Loss of money: In 2020, losses from identity fraud totaled $56 billion in the U.S., with a $1,100 average loss per victim.10
Not sure if you’re a victim? Check if your identity is stolen.
As in life in general, there’s only so much you can control about your PII. The truth is that data breaches are common, and companies aren’t always so careful with customer data. Even under GDPR guidelines, hackers can still obtain people’s PII and steal their identities. That being said, by utilizing best practices, you can lower your risk of identity theft and keep your PII to yourself.
Frequently Asked Questions
Given identity theft’s recent increase, we’ve fielded a ton of questions about how to protect your PII, and what it is in the first place. We’ve answered the questions we got the most below.
What are examples of PII?
These are some examples of PII:
- Driver’s license number
- Email address
- Phone number
- Social Security number
What is the best definition of personally identifiable information?
The best definition of personally identifiable information, according to the U.S. Department of Labor, is any information that either identifies someone directly or lets someone identify an individual when it’s combined with other data.
Is a birth certificate PII?
While the birth certificate itself is not PII, which only refers to pieces of data, the data on birth certificates, like the person’s name and birthdate, is PII.
What is not considered to be personally identifiable information (PII)?
Some information not considered to be PII is the members of a softball team or a group email list.
U.S. Department of Labor. Guidance on the Protection of Personal Identifiable Information.
U.S. Department of Homeland Security. (2017). Handbook for Safeguarding Sensitive PII.
FWS. PII and Email Communications.
GDPR.EU What is considered personal data under the EU GDPR?
U.S. National Library of Medicine. (2018). European Journal of Human Genetics – Rules for processing genetic data for research purposes in view of the new EU General Data Protection Regulation.
LinkedIn. (2016). GDPR: The difference between Personally Identifiable Information (PII) and Personal Data.
GDPR.EU. GDPR compliance checklist for US companies.
HubSpot. Top GDPR Compliance Software.
Identity Theft Resource Center. Identity Theft: The Aftermath 2017. ftc.gov/system/files/documents/public_comments/2017/10/00004-141444.pdf
Javelin. 2021 Identity Fraud Study: Shifting Angles.