What Is Personally Identifiable Information and What Does It Mean in An Online World?

In the current digital age, we are inputting our emails, contact information, names, attributes, and even payment information into various websites. Companies talk all the time about how they strive to uphold users’ privacy and personal data, but how exactly could they do that?

Well, here we will discuss something called Personally Identifiable Information (PII) and Non-Personally Identifiable Information (Non-PII). We will also be discussing what is meta-data, cookies, and what they mean for you.

It should be noted that PII is not only for online data, and applies to any piece of personal information collected by a company.

What is PII and Non-PII?

PII is not personal information, but any piece of information when used in conjunction with another or on its own, can identify someone. So, for example, having someone’s full name might not be enough, but it does significantly reduce the number of people, and can make it easier to identify a person with that name.

PII includes information such as:

  • Full legal name
  • Driver’s license
  • Credit card information
  • Social security number (SSN)
  • Passport information
  • Medical records
  • Any other financial information

All PII comes in two types. PII is sensitive personal information, whereas non-PII can be non-sensitive personal information. A few examples of Non-PII information can be: 

  • Race
  • Gender
  • Zip code
  • Date of birth
  • Religion

Even if you have all of the above Non-PII data, you will not be able to identify an individual. This data does not particularly harm the person if the data is released to the public, at least in a vacuum.

How Do Companies Handle PII Data?

When you enter your name, address, payment information, or any PII data on a website, you are providing that information to that company. Whether online or offline, the company will store that data in some sort of database or repository.

How that data is stored, used, and deleted later on depends on the method of data collection, type of data, reasons for data collection, or other purposes. All this data is handled following the General Data Protection Regulations (GDPR), the California Consumer Privacy Act (CCPA), and other related consumer protection laws.

For example, according to the GDPR, organizations have to encrypt any PII data they store of users, so that even if a third-party steal that data, they will not be able to utilize it. This anonymization is crucial to protecting consumer data, especially in the wake of a myriad of data leaks that happen every year from multiple corporations.

How Is PII Different from Personal Data?

When you purchase anything from an online marketplace, such as Amazon, you are most likely providing your location, payment information, name, email address, phone number, and home or delivery address. In addition, Amazon also requires your device ID, your IP address, browser cookies, and other pieces of information called ‘meta data’ that are personal to you but cannot be used to identify you.

This is because a website needs access to your location to be able to see all this information and ensure that the service is accurately provided. In addition, any website you visit uses metadata that is personal to you but cannot be used to identify you.

For example, your device ID might not be useful for identifying you, but it is necessary to collect for the website to differentiate between a desktop or a mobile version of the website.

What Laws Protect PII From Being Misused?

Apart from the regular privacy laws, PII in general is protected in the US by the Federal Trade Commissions Act (FTC Act), and specific industries are governed under their regulations, such as:

  • The Electronic Communications Privacy Act (ECPA) and the Computer Fraud and Abuse Act (CFAA) for preventing the misuse of computer devices.
  • The Fair Credit Reporting Act (FCRA) for protecting the credit card information.
  • The Health Insurance Portability and Accountability Act (HIPAA) for fair use of healthcare-related information.

Data Protection Responsibilities for Companies

The GDPR applies to companies based on whether they are the data controller or the data processor. This means:

  • The data controller provides instructions to the data processor
  • The data processor executes the instructions and nothing else in excess

If a data processor performs any data controller tasks outside of the controller’s instructions, the data controller GDPR laws apply to them as well. 

Companies have to ensure that employees follow the relevant regulations, principles, and data controls set in place so that consumer data is handled as securely as possible. Organizations must ensure that their employees are provided with GDPR awareness training and CCPA awareness training to ensure employees are well aware of their responsibilities, especially when third parties and ad companies are involved.


Consumer data is a very sensitive subject, and companies need to be very careful when handling it. Here, we discussed what is PII, and Non-PII, and how it is handled by companies according to the relevant legislation.