Personally identifiable information guide: PII examples & more

Businesses have an obligation to protect customers’ personally identifiable information (PII). But what separates PII from other personal and business data?

Not knowing the difference can damage brand reputation and lead to enormous regulatory fines.

This article is here to help. We’ll explain what personally identifiable information (PII) is and why it’s important. You’ll get a list of PII examples and actionable advice on how to keep your customers’ data secure.

What is PII (personally identifiable information)?

Personally identifiable information (PII) is data that can identify an individual, either on its own or when combined with other information.

There are two types of PII:

  • Sensitive PII – information that identifies someone without additional data. Examples include Social Security Numbers and email addresses.
  • Non-sensitive identifiers – data fragments that identify someone when combined with additional data. Examples include your race and date of birth.

PII, either sensitive or non-sensitive, is a frequent target for thieves and can result in identity theft and huge financial costs.

That’s why protecting this information is central to data privacy regulations like GDPR. Under GDPR, for example, a violation can result in fines of up to 4% of annual global revenue.

It’s critical to understand what qualifies as PII — and how it’s defined across global privacy laws.

What’s considered PII depends on the context as well as which country you live in. Different parts of the world have written their own definitions of “PII” or “personal data” into their laws.

How is PII defined around the world?

Privacy regulations vary significantly across jurisdictions, which can create a minefield for cross-border businesses.

If you want to navigate regulations successfully, you’ll need to understand how each territory defines PII. Here are definitions from leading countries and trade zones:

USA

The US Office of Privacy and Open Government defines PII as:

“…information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”

Europe

The European Union (EU) doesn’t define PII directly. Instead, it’s encompassed by the definition of personal data in the General Data Protection Regulation (GDPR):

“Personal data is any information that relates to an identified or identifiable living individual (data subject). Different pieces of information, which together can lead to the identification of a particular person, may also be considered personal data.”

UK

The UK defines PII as personal data in the Data Protection Act 2018:

“Personal data only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.”

Canada

The Government of Canada defines personal information as:

“…any information that can be used to identify an individual, such as their name, home address, email address, telephone number, or date of birth. Even a number or symbol can be considered personal information if it can be attributed to an individual. Identifying personal information could depend on the context, circumstances, or how the information is combined.”

Australia

The Government of Australia defines personal information as:

“… a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.”

Despite these different definitions, what counts as PII will look the same in most of these countries. We cover some of the most common examples next.

PII examples every business needs to know

Different jurisdictions classify sensitive data differently.

Under global privacy standards (e.g., OECD, APEC, and ISO privacy frameworks), “sensitive PII” is broadly defined as any information that could cause harm if exposed. Under the GDPR, traits such as racial or ethnic origin, political opinions, religious beliefs, health data, biometric identifiers, and sexual orientation are part of a specific subset of personal data that requires additional protection.

Below, we’ve grouped common types of PII to show how different frameworks classify sensitivity and where stricter protections may apply.

Examples of sensitive PII (global context)

  • Name: full names (first, middle, last name), maiden name, mother’s maiden name, alias
  • Addresses: street address, email address
  • Phone numbers: mobile, business, personal
  • Asset information: Internet Protocol (IP) and Media Access Control (MAC) addresses
  • Personal identification numbers: Social security number (SSN), passport information, driver’s license number, state identification number, taxpayer identification number or vehicle registration number
  • Medical information: Medical records, patient identification numbers, biometric data (photographic images with distinguishing features, x-rays, fingerprints, retina scans or voice signatures)
  • Financial information: Bank account numbers, debit and credit card numbers
  • Electronic information: online account numbers and passwords
  • Information identifying personally owned property:

Examples of special category data

Under the GDPR, these categories have heightened requirements:

  • Race or ethnicity
  • Religious, political or philosophical beliefs
  • Health data and biometric identifiers
  • Sexual orientation

Examples of PII that may be non‑sensitive depending on jurisdiction

  • Place of birth
  • Date of birth
  • Weight
  • Activities
  • Geographical location
  • Employment information
  • Education information
  • Financial information
  • Family members

What marketing data is considered personal information?

Data doesn’t have to include someone’s name or obvious identifier to be considered PII. Even technical identifiers can be PII if they can be linked to an individual. For example:

  • Ecommerce order ID
  • IP address
  • Cookie ID
  • Location data
  • Heatmaps and session recordings

Does all personal data count as PII data?

No, not every piece of personal data counts as personally identifiable information in the US.

Under the GDPR in the EU and UK, all personal data is protected, regardless of whether it uniquely identifies someone.

Personal data has a much broader definition than PII, and can include behavioural, contextual, and inferred information that, while personal to your customers, can’t be used to identify them.

| Personal data | PII (Personally identifiable information) |
| --- | --- |
| Any information relating to an identified or identifiable individual, directly or indirectly. | Any data that can identify an individual, either directly or indirectly. |
| Broader than PII. | Narrower than personal data. |
| Used in the GDPR and other global privacy regulations. | Used in U.S. laws (e.g., NIST, HIPAA, FERPA) |

It’s important to note that privacy laws may still govern this information. That’s why it’s best to treat any personal data with care. You should aim to collect as little of it as possible and protect it carefully when you do.

How to protect PII?

Almost every company will naturally collect PII during the day-to-day running of its business.

But just because you collect PII doesn’t mean you’ll breach GDPR or put your users at risk. Protect your company by using the following strategies to collect and store PII responsibly.

Minimise collection

  • Run regular audits
  • Delete unnecessary data
  • Implement data retention policies

Data minimisation strategies encourage businesses to limit PII collection as much as possible. You should only collect and store it for key business needs.

Regular audits can help identify personal data you are storing unnecessarily, which can then be deleted. Alternatively, you can automate the process by creating data retention policies and procedures that automatically delete data sets after a given period.

Anonymise when possible

  • Mask IP addresses
  • Disable cookies
  • Avoid custom user IDs

Just because you collect data about your users doesn’t mean it has to be identifiable. Data anonymisation is the process of transforming data so that it can’t directly or indirectly identify anyone. Even you, the data owner, can’t use it to identify your users.

You can configure Matomo to anonymise data collection in a couple of ways:

An image showing the Matomo anonymisation tracking data menu.

You can take things even further by configuring the platform to avoid using custom User IDs and strip URL parameters that may contain personal information.
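A generic sketch of the steps above (masking IP addresses, dropping custom user IDs and stripping URL parameters), added here as an illustration and not Matomo's own code. The function names, the parameter denylist, the /16 and /48 mask lengths and the sample hit are assumptions.

```python
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed denylist of query-parameter names that often carry personal data.
PII_PARAMS = {"email", "e-mail", "name", "first_name", "last_name",
              "phone", "user_id", "uid", "token"}

def mask_ip(ip: str, v4_prefix: int = 16, v6_prefix: int = 48) -> str:
    """Zero the host bits so the address no longer points at one subscriber."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix  # assumed mask lengths
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)

def strip_pii_params(url: str, denylist=PII_PARAMS) -> str:
    """Drop denylisted query parameters and any value that looks like an email."""
    parts = urlsplit(url)
    kept = [(k, v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in denylist and "@" not in v]
    # Fragments can carry the same data (e.g. #email=...), so drop them entirely.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))

def anonymise_hit(hit: dict) -> dict:
    """Return a copy of an analytics hit with IP masked, URLs cleaned, user ID removed."""
    clean = dict(hit)
    clean["ip"] = mask_ip(hit["ip"])
    for field in ("url", "referrer"):
        if clean.get(field):
            clean[field] = strip_pii_params(clean[field])
    clean.pop("user_id", None)  # avoid storing a custom user ID
    return clean

# Constructed sample hit (documentation IP range and made-up values).
SAMPLE_HIT = {
    "ip": "203.0.113.77",
    "url": "https://shop.example/checkout?step=2&email=jane%40example.com&utm_source=news",
    "referrer": "https://shop.example/login?next=%2Fcart&uid=8841",
    "user_id": "jane.doe",
}

if __name__ == "__main__":
    print(anonymise_hit(SAMPLE_HIT))
```

A truncated IP combined with the other fields kept on a hit can still single out a visitor, so review the remaining fields together before treating the record as anonymous.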

Encrypt data

  • Use end-to-end encryption
  • Prevent unauthorised access

Encryption is a security measure that protects data from unauthorised access by making it unreadable.

You can encrypt data at rest (when it’s stored on your servers or in the cloud), in transit or both. When data is encrypted from the point of origin to the destination, so that it remains encrypted throughout its lifecycle, that’s called end-to-end encryption.

Strengthen access controls and staff awareness

  • Use multi-factor authentication
  • Apply least privilege principles

The more barriers you can put between users and sensitive data, the harder it will be for hackers to access it. Identity and access management controls, like two-factor and multi-factor authentication, ensure that only authorised users can access sensitive information.

But technology alone isn’t enough protection. Employees need to understand how to properly identify, handle, store and delete PII. Training programmes should educate staff using real-world scenarios where businesses might unintentionally expose or release personally identifiable information, such as a phishing scam.

To minimise risk, adopt the principle of least privilege. That means users only have access to the data they strictly need for their roles. In other words, you don’t give your product team access to your web analytics if they don’t need it.

Respect user agency

Don’t force users to share their personal data if they don’t want to. Opt-out mechanisms, like the ones available in Matomo, mean consumers can make a clear choice about how your company tracks them.

Deloitte’s Connected Consumer survey found people are more worried than ever about online tracking and security breaches.

  • 79% think it’s difficult to control the data collected about them.
  • 79% of consumers say data privacy and security policies are unclear.
  • 52% of those who felt policies were unclear also reported low trust.
  • 64% would consider switching providers when that trust is broken.

With consumers’ concerns about digital privacy and security breaches continuing to grow, a privacy-first approach can be a differentiator and competitive advantage.

Achieve full data sovereignty

  • Use on-premise tools
  • Minimise third-party exposure

Cloud-based tools are convenient, but there are hidden costs. When you send data to the cloud, whether it’s a cloud server you control or a SaaS tool like Google Analytics, you risk sensitive data being exposed through vendor access policies and shared environments.

By keeping everything on your own servers, you can retain complete ownership and control over all of your data. This approach also minimises the risk of any third party accessing your users’ data.

With Matomo On-Premise, you host the software and the data you collect on your servers, so even we can’t access it — by design.

Protect PII with Matomo

Although Matomo Analytics is a web analytics software that tracks user activity on your website, we take privacy and personally identifiable information (PII) very seriously.

We are privacy-first by default, giving you 100% data ownership, data minimisation tools and opt-out mechanisms that respect user privacy and consent.
