What is Personally Identifiable Information and Why is PII Protection Important? 

Each of us has data points assigned to us starting at birth that are used to create a profile. This is our personally identifiable information. It includes our names, birthdates, Social Security numbers, addresses, and other information. As we travel through life, this information follows us when we create bank accounts, attend school, buy a home, get a car loan, get married, and use health insurance. The result is that PII is the most valuable, unique information in a person’s life.

These data points can be valuable to advertisers as well as to thieves. Drug, apparel, and retail companies spend $200 billion per year on data.

But the answer to the legal question "What is PII and PII data?" remains blurry, even when it’s more specific to sensitive PII and non-sensitive PII.

What Is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) refers to data that can identify a specific individual. PII examples include names, birthdates, Social Security numbers, and addresses. Sensitive PII, such as financial information and medical records, requires strict protection, while non-sensitive PII, like ZIP codes, is less critical. In the context of PII cyber security, it is crucial to implement measures to protect PII and prevent data breaches. Understanding the difference between PII vs. personal data is also important, as PII specifically identifies individuals, whereas personal data is a broader term that includes any related information.

Why Is PII Protection Important?

Have you had the experience of talking to a friend about a trip, and suddenly you’re receiving advertisements for backpacks, cameras, and all-inclusive resorts? It could be data brokers spying on your plans. Even if you’ve tried to remove personal information from Google, there are plenty of places where your data has been distributed by a variety of brokers.

Now that you know the meaning of PII, you understand how important it is to protect it. In the past, using our Social Security numbers for our driver’s license numbers was no big deal. On that one card was our photo, full name, signature, date of birth, address, and Social Security number. That would be a goldmine for thieves these days, but fortunately, the practice was discontinued. Now, we know to protect some of that information, but it’s not easy. Along with cookies on our computers that collect information during our web browsing activities, other data is available through public records, and our banks, pharmacies, and medical plans also sell information about us.

Cookies from websites we visit track us and collect information on everything we do online. This is where the PII vs. personal data question arises. The effort to gather as much data as possible has morphed into apps that scour our phones, collect information about all of our contacts, and monitor our locations, to name just a few examples of PII collection. They have made PII almost priceless, making PII protection more difficult.

The danger is obviously that we will lose control of our PII over time. PII cyber security and two-factor authentication won’t hold up forever.

Thieves who capture our personally identifiable information with fake applications, through email phishing and data breaches, can stitch together enough information (often for sale on the Dark Web) to impersonate us. It doesn’t take much searching for them to find the remaining details that complete a dossier of stolen data. That allows them to use our identities to apply for loans, use our health insurance, or steal our banking information.

A wider threat is social engineering. Governments with nefarious motives may collect the PII of a large number of people and launch a disinformation campaign designed to destabilize a government or influence voting or purchasing. For instance, Russian operatives tried to influence the 2016 American presidential election, partly through misinformation spread on social media.

By reducing the amount of personally identifiable information available, we avoid being victims of legal and illegal targeting.

Risks of PII Exposure

Major data breaches by telecom companies, email providers, healthcare providers, and even credit bureaus have exposed the PII data of millions of people, proving that PII cyber security is not as strong as it should be. While we try to change passwords to protect ourselves, there’s no way to get those data points back once the information has been hacked or leaked. The only real defense to guard against illegal use of our sensitive PII is to freeze credit reports so no activity can take place (no loans or even “hard pull” inquiries). Changing passwords is also important so that any small-time impersonators cannot hack individual accounts to drain our bank balance or get control of our phone numbers. Other safeguards include:

  • checking credit reports regularly for unauthorized activity
  • signing up for alerts for activity on bank accounts and credit cards
  • using two-factor authentication

PII Meaning

Legal and Regulatory Implications

The legal implications of identity theft are complex. Police, the FBI, and other law enforcement don’t have enough people or time to stay ahead of hackers and identity thieves. They have rarely, if ever, caught the perpetrators of major data breaches, and in the United States, there is no significant national law protecting the identity of citizens as Europe, Japan, and other countries do. When Equifax was breached, and the sensitive PII of 147 million people was exposed, the organization was fined $575 million and required to create a public fund to help those whose data was leaked.

The value of this data is evident in recent data ransom episodes. In these cases, companies and institutions like healthcare providers are targeted by bad actors who launch malware and trojans into the company’s data systems. This malware locks up access to accounts until a ransom is paid. Authorities have struggled to identify and prosecute those responsible because they can hide behind aliases in other countries and take the ransom money through untraceable cryptocurrency.

As a result of several large data breaches, many states proposed or enacted enhanced laws that require companies to report breaches in a timely manner and to make clients whole if they are harmed by a breach. However, there is disagreement over the meaning of PII, and there is no appetite for stronger federal PII protection laws in the U.S. Laws in the U.S. don’t even agree, and therefore, theft and misuse are not punished as severely as in other countries. Sensitive PII and non-sensitive PII are not different in Europe, which has significant PII protection laws called the GDPR. In 2023 officials fined Facebook/Meta $1.8 billion for moving the data of Europeans to US servers without appropriate protections.

Trust and Reputation

As a result of many repeated data breaches, Americans have no faith in PII cyber security and are resigned to the likelihood that leaks of personally identifiable information will happen to them. While corporate reputations may be tarnished, real repercussions are minimal. Data theft and breaches have become a fact of daily life in grocery stores, gas stations, phone companies, email providers, and banks. Few people have the time or energy to change accounts to a new company every time data is exposed. In addition, we know that social media exists to take our data, but we can’t stop using it.

How PII is Collected and Used

All forms of PII are exceptionally valuable. Lots of advertisers and retailers pay for vast troves of data collected legally through apps and cookies, though below the radar of most users of the “free” internet and popular social media websites.

Data brokers also use public records searches to gather information about your home purchase, car registration, income, family size, and profession. In addition, retail sites like Amazon and credit card companies sell customer information to data brokers.

This data, although anonymized, can be sorted into a very accurate profile of the user, which is then used to advertise products and to design algorithms that channel specific information to that person.

Collection Methods

Every time we access websites or apps, we leave “breadcrumbs” of data that are collected in addition to the information the app gathers through our use of it and via permissions embedded in the fine print. Social media sites Facebook and Instagram collect the most data, although users are generally unaware of it. Amazon is another big data collector. Data from social media includes information about who you associate with, your recreational interests, locations you frequent, where you live, the content of photos you post, and videos you watch. Amazon, of course, has your shopping and inquiry history, allowing them to profile your age, demographics, income, and lifestyle.

Purpose of Collection

Data brokers collect every part of our personally identifiable information they can get, as well as information about our purchases, viewing habits, political views, and friends because it’s incredibly valuable. Data can help companies tailor advertising, do research on products, get insight into target audiences, and predict best-selling future products.

Thieves collect our data on the Dark Web to impersonate us, open new accounts, buy cars, and wreak havoc on our lives.

Ethical Considerations

Data collection is supposed to adhere to ethical standards, including:

  • Anonymizing personally identifiable information so it does not identify individuals
  • Not collecting data from those under the age of 18
  • Disclosing which data points are collected and how they are used
  • Not overstepping limits to data collection
  • PII protection from breaches and hacking through encryption, secure servers, and other processes

PII Examples

Some of the data collected is personal, like the time of day you go online and your browsing habits. Text and email messages sent through the largest cell service providers and email platforms are not safe from data collectors.

But data collection from your devices doesn’t stop at your YouTube channel. It includes your age, your education, and your online searches, whether that’s medical symptoms or finding a divorce attorney. It’s said that advertisers are the first to know when a person is pregnant because they study the data.

Other non-sensitive PII examples include:

  • Where you travel (including using your GPS)
  • Your profession and highlights of your career
  • Milestones for your family (new pets, graduations)
  • Purchases of all kinds (eyeglasses, vehicles, food, sporting goods, event tickets, home furnishings)
  • Information about the extended family network

Sensitive PII

Sensitive data like medical information is more difficult to get and therefore more valuable. It should be protected at a higher level than other personally identifiable information, including end-to-end encryption. But that doesn’t stop insurers from selling it, along with pharmacy prescriptions and other purchases, to drug companies and other buyers. Companies differentiate between PII and personal data when information is anonymized, but the remaining data points can still be matched to create a profile of an individual.
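The matching risk described above can be measured before a dataset is released. As an added example (not from the original article), the Python below computes the k-anonymity of a constructed "de-identified" medical extract over its quasi-identifiers (birthdate, ZIP code, sex) and shows that coarsening those fields is what actually stops individual records from being linked back to a named person; the records, field names and the k_min threshold are all constructed for this illustration.

```python
from collections import Counter

# Constructed sample of a "de-identified" release: names and SSNs removed,
# but full birthdate, 5-digit ZIP and sex (quasi-identifiers) left intact.
RELEASE = [
    {"birthdate": "1984-03-12", "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"birthdate": "1984-03-13", "zip": "02139", "sex": "F", "diagnosis": "flu"},
    {"birthdate": "1979-11-02", "zip": "02142", "sex": "F", "diagnosis": "diabetes"},
    {"birthdate": "1979-06-30", "zip": "02141", "sex": "F", "diagnosis": "migraine"},
    {"birthdate": "1991-01-15", "zip": "02139", "sex": "M", "diagnosis": "fracture"},
    {"birthdate": "1991-08-21", "zip": "02138", "sex": "M", "diagnosis": "flu"},
]

# Fields that are not identifiers on their own but are also present in public
# records (voter rolls, property records), so they can be used for matching.
QUASI_IDS = ("birthdate", "zip", "sex")


def _key(row, quasi_ids):
    return tuple(row[q] for q in quasi_ids)


def k_anonymity(rows, quasi_ids=QUASI_IDS):
    """Smallest group of records sharing the same quasi-identifier values.
    k == 1 means at least one record is unique and can be tied to a named
    person by any outside list carrying the same attributes."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return min(counts.values())


def unique_records(rows, quasi_ids=QUASI_IDS):
    """Records whose quasi-identifier combination appears exactly once."""
    counts = Counter(_key(r, quasi_ids) for r in rows)
    return [r for r in rows if counts[_key(r, quasi_ids)] == 1]


def generalize(row):
    """Coarsen quasi-identifiers: birthdate -> birth year, ZIP -> first 3 digits."""
    out = dict(row)
    out["birthdate"] = row["birthdate"][:4]
    out["zip"] = row["zip"][:3]
    return out


def release_is_safe(rows, quasi_ids=QUASI_IDS, k_min=2):
    """Release gate: every record must hide among at least k_min others."""
    return k_anonymity(rows, quasi_ids) >= k_min


if __name__ == "__main__":
    print("raw release k =", k_anonymity(RELEASE))                  # 1
    print("generalized k =", k_anonymity([generalize(r) for r in RELEASE]))  # 2
```

Every record in the raw sample is unique on the three quasi-identifiers even though no name or SSN is present, which is exactly the situation the paragraph above warns about; after generalization each record shares its values with at least one other.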

Non-Sensitive PII

Does your family drink Gatorade or Powerade? This is a non-sensitive data point that companies may use to target ads to you on social media or via email. They can learn which drink you prefer from your photos, online shopping habits, and even from scouring your email and texts. It seems inconsequential, but the data collection keeps creeping, blurring the line separating PII vs. personal data.

In the past, even this level of data collection felt intrusive, but now it’s commonplace. We are no longer shocked to learn that our banks sell information about our savings and spending, our loans, and defaults. This dilution makes the meaning of PII lose importance – we aren’t surprised and don’t demand better treatment when our information is breached or mishandled. Perhaps the PII vs. personal data distinction is a veil that allows data sellers and companies to misuse our information freely without being obvious about it.

PII vs Personal Data

PII is defined as personally identifying information – birthdate, Social Security number, address, and full name – which can be used to impersonate an individual. Personal Data is defined as anonymized information (info from cookies, device ID, browsing data) that is not linked to an individual. However, California, which has the strongest PII protection laws in the country, considers them the same, as does Europe’s tough GDPR data privacy law. So, the PII meaning depends on where you’re located.

Controlling our Personally Identifiable Information is challenging when so many companies require access to it for recordkeeping purposes – and then sell it to brokers. In the meantime, much of our information is leaked through massive data breaches or hacked through phishing. There are few ways to defend ourselves from this insidious drip of data. The definition of PII is broad, encompassing both sensitive and anonymous information, depending on your location. We’ve provided many PII examples in this article, but there are many more, and brokers find a way to collect and sell most of them. U.S. lawmakers have resisted creating a strong, broad definition and law to protect citizens’ data, as Europe created in 2018.


What Qualifies as PII?

There are two definitions of PII: one that classifies it as sensitive, unique information that must be encrypted, and another that includes it in a broader category of data from computer cookies, phone apps, location devices, and demographics. Strong laws define PII as information that is not anonymous, including our names, ages, birthdates, Social Security numbers, and addresses. However, existing laws in the U.S. often don’t differentiate between the different types of PII, allowing data brokers to buy, and companies like health insurers to sell, everything they have about consumers.

What is Not PII?

Anonymized information collected through computer cookies, phone apps, and search engines is not PII unless you are in California or Europe, where data laws consider that information PII.

What Steps Should Organizations Take to Safeguard PII?

Organizations that collect data are bound by law to anonymize information before selling it or using it for advertising, research, and other purposes. However, massive caches of such data have been breached and hacked over a period of years, with millions of Americans’ email addresses, passwords, and other PII exposed and sold on the Dark Web. Some authorities, such as the GDPR governing body, and to a lesser extent the Federal Trade Commission, have levied fines on companies that fail to safeguard PII.

What Are the Legal Regulations Concerning PII?

Companies that handle personally identifiable information in any way, whether in collecting for marketing purposes or for keeping medical records, should examine their industry regulations and follow these steps:

  • Employ an IT professional who is well-trained in data safety and knowledgeable about the industry’s regulations
  • Develop protocols for handling PII and train employees according to their positions
  • Keep compliance records of PII collection and use
  • Keep encrypted PII in a secure server
  • Ensure that data collected from European subjects or California residents is held to the standards that apply to it
  • Run frequent tests of security
  • Educate employees on applicable laws and current phishing techniques