What Actually Counts as Personally Identifiable Information (And What Doesn't)
You're filling out a form online. And you pause. But then they ask for your job title. In practice, your device ID. In practice, your IP address. Name, email, phone number — obviously personal. Is that really personally identifiable information?
Here's the thing: most people get this wrong. Not because they're careless, but because the definition of PII is broader than most realize, and it's gotten even more complicated as technology has evolved. What counts as personally identifiable information isn't always obvious, and that ambiguity has real consequences — for privacy, for compliance, and for your data security.
So let's clear it up.
What Is Personally Identifiable Information?
At its core, personally identifiable information (PII) is any data that can be used to identify, contact, or locate a specific individual. That's the simple version. But here's where it gets tricky: PII isn't just the obvious stuff like a Social Security number or a home address. It also includes information that, on its own, might not reveal who you are — but when combined with other data, absolutely can Which is the point..
Counterintuitive, but true Simple, but easy to overlook..
The U.S. government, through the National Institute of Standards and Technology (NIST), breaks PII into two categories: direct identifiers and indirect identifiers.
Direct identifiers are the obvious ones. They can uniquely identify someone on their own. Think full name, Social Security number, passport number, email address, or phone number. Remove those from a dataset, and you can't easily tie the remaining data to a specific person.
Indirect identifiers are trickier. Things like date of birth, place of birth, gender, race, or job title might not pinpoint a single person in isolation. But pile enough of them together, and you can often narrow someone down. This is why researchers talk about "quasi-identifiers" — data points that become identifying when combined Which is the point..
There's also a distinction between sensitive PII and non-sensitive PII. Sensitive PII includes data that, if disclosed, could cause harm or discrimination — Social Security numbers, medical records, financial account details, biometric data. Non-sensitive PII is information that, if leaked, causes less direct harm — like a public business email or a job title listed on a LinkedIn profile But it adds up..
Why the Definition Keeps Expanding
Here's what most people miss: the line between PII and non-PII isn't fixed. It shifts depending on context, technology, and what's available in other datasets Not complicated — just consistent..
An IP address used to be considered borderline. Today, courts and regulators increasingly treat it as PII, especially when combined with other logs. Your browsing history alone might not name you — but paired with a cookie ID and a timestamp, it increasingly can That's the part that actually makes a difference..
This matters because laws like the GDPR in Europe and CCPA in California have adopted broad definitions. They don't just protect the obvious identifiers. They protect anything that could potentially identify a person, either directly or indirectly.
Why This Matters (More Than Most People Think)
If you're wondering why any of this matters beyond a compliance checklist, here's the short version: what you consider "non-personal" data might legally be personal data under privacy laws, and that comes with obligations.
For businesses, misclassifying PII creates real risk. If you collect data you think isn't personally identifiable — say, hashed user IDs or device fingerprints — and a breach happens, you might still be on the hook for notification, protection, and penalties. The FTC has pursued companies for treating data as anonymous when it wasn't really.
For individuals, understanding what counts as PII helps you make smarter decisions about what you share. That "innocent" quiz that asks for your hometown, birth month, and pet's name? Those are classic indirect identifiers. Three or four answers like that can be enough to crack open a person's identity profile.
And honestly? Most people vastly underestimate how much can be pieced together from data points they consider harmless.
How to Tell What's PII (And What's Not)
This is the part you've been waiting for. Let's walk through actual examples — the kind that show up in real conversations, compliance trainings, and yes, on tests.
Direct Identifiers That Are Clearly PII
These are the no-brainers:
- Full legal name — alone, it can identify you, especially in smaller communities or organizations
- Social Security number — the classic example, and highly sensitive
- Email address — especially personal email, not generic business ones
- Phone number — particularly mobile numbers
- Physical home address — or even a significant portion of it
- Passport number or driver's license number
- Bank account or credit card numbers
- Biometric data — fingerprints, facial recognition data, voice prints
If you're collecting any of this, you have PII. Full stop.
Indirect Identifiers That Can Become PII
It's where it gets interesting. These pieces of data, on their own, might not identify you. Combined, they often can:
- Date of birth — especially when paired with other details
- Place of birth or ZIP code
- Gender and race/ethnicity
- Job title and employer
- Education history — especially specific institutions and graduation years
- Marital status and number of children
- Physical characteristics — height, weight, hair color
A 2022 study from Harvard demonstrated that 87% of the U.S. That's it. population could be uniquely identified by just three pieces of data: ZIP code, birthdate, and gender. Three indirect identifiers.
Digital Identifiers That Count as PII
Here's the modern layer that trips people up:
- IP address — increasingly considered PII, especially by European regulators
- Device IDs or MAC addresses
- Cookie identifiers — especially persistent ones tied to a browser
- Login IDs or usernames that persist across platforms
- Browsing history or search history linked to an individual
- Location data — GPS coordinates, or even aggregated location data over time
The key question to ask: Can this be linked back to a specific person, now or in the future, with reasonable effort? If yes, treat it as PII.
What Usually Doesn't Count as PII
Not everything is PII. These generally don't qualify on their own:
- Generic business contact info — a general company email like info@company.com
- Aggregate data — statistics about a group, not individuals
- Anonymous survey responses that truly can't be traced back
- Publicly available information — though this gets complicated if you're collecting it in a way that links it to individuals
But remember the caveat: "anonymous" data isn't always as anonymous as it seems. Re-identification attacks have shown time and again that data thought to be anonymous can be reverse-engineered.
Common Mistakes People Make
Let me point out where most people go wrong, because these mistakes are everywhere And that's really what it comes down to..
Mistake #1: Thinking Only "Sensitive" Data Matters
Some organizations focus only on SSNs and credit card numbers. But those are still direct identifiers. Which means they treat names, emails, and phone numbers as low-risk. A data breach exposing 10,000 customer names and emails is still a breach with real consequences — reputation damage, phishing risks, and often legal obligations to notify And that's really what it comes down to. Less friction, more output..
Mistake #2: Assuming "Anonymized" Data Is Safe
This is one of the biggest misconceptions out there. Researchers have repeatedly demonstrated this — matching "anonymous" datasets with public records to identify individuals. Data can be re-identified. If you can combine your "anonymized" data with any other dataset, there's a good chance you've created PII.
The official docs gloss over this. That's a mistake.
Mistake #3: Ignoring Indirect Identifiers
A date of birth seems harmless. That said, put them together and you've got a significant chunk of someone's identity profile. This leads to a ZIP code seems harmless. Many companies collect indirect identifiers without thinking twice about them, not realizing they've crossed into PII territory.
Mistake #4: Not Considering Context
Whether something is PII often depends on what else you have. The same data point can be PII in one context and not in another. In real terms, a customer ID in a database that's never linked to a name? Different story than a customer ID that's tied to a profile with a name, address, and email.
Practical Tips for Handling PII
If you're responsible for data — whether you're a business owner, IT professional, or just someone trying to protect their own information — here's what actually works.
Map your data. You can't protect what you don't know you have. Audit what you're collecting, storing, and sharing. Ask: what identifiers do we have, direct or indirect?
Apply the "linkage test." Ask yourself: can this data be linked to a specific person, now or later, through our systems or external data? If you can draw a line from the data to a person, it's PII Simple as that..
Minimize what you collect. The safest PII is the PII you don't have. Only collect what you actually need.
Don't rely on aggregation alone. If you aggregate data but retain the keys to link it back, it's still PII.
Treat indirect identifiers with respect. Date of birth, location, job title — these matter more than people think. Protect them accordingly.
When in doubt, err on the side of caution. It's better to over-protect data than under-protect it. The legal and reputational costs of a mistake are higher than the cost of extra caution.
Frequently Asked Questions
Is an IP address considered PII?
More often than not, yes. Day to day, s. Many U.Which means the European Data Protection Board has stated that IP addresses can constitute personal data, especially when they can be linked to an individual — through an ISP, through login data, or through other identifiers. organizations now treat IP addresses as PII for compliance purposes.
Is a phone number PII?
Yes. A phone number, especially a personal mobile number, is a direct identifier. It can be used to contact a specific individual, which meets the core definition of PII That alone is useful..
Is a username or screen name PII?
It depends. A unique, persistent username that can be linked to a real identity — yes, that's PII. But a generic username that doesn't connect to personal information — less clear. Context matters here. If the username is part of an account tied to other identifying data, treat it as PII.
Is workplace or employer information PII?
Often, yes. Job title and employer can be indirect identifiers, especially for people in specialized roles or smaller organizations. Combined with other data points, they can narrow an identity significantly.
Can data be both PII and non-PII?
Yes, depending on context. com generally isn't. Think about it: an email address tied to a customer record is PII. The same piece of data might be PII in one dataset and not in another. Here's the thing — a generic support email like help@company. Context, linkage, and purpose all matter.
The Bottom Line
The question "which of the following are examples of personally identifiable information" doesn't have a simple, fixed answer. It's also the indirect pieces that, when combined, create a profile. Practically speaking, it's not just the obvious stuff — your Social Security number, your home address. It's your IP address, your device ID, your date of birth paired with your ZIP code Turns out it matters..
The safest mindset is this: if it could identify a person, treat it as PII. That's the approach that keeps you on the right side of privacy laws, protects your users or customers, and avoids the kind of data mishandling that makes headlines.
Because the truth is, in a world where data is everywhere, the line between "anonymous" and "identifiable" is thinner than most people realize Practical, not theoretical..
