Personally Identifiable Information (PII):

Personally Identifiable information (PII) relates to information about people, but the scope of the term has changed over time and varies between users. Because of these inconsistencies, it is recommended that this term is not used. Instead, the phrase personal information should be used to denote information relating to individuals, and direct identifiers should be used to denote information that identifies individuals, such as name or account number. Therefore, direct identifiers are personal information, but personal information is not necessarily direct identifiers.

Historically PII was a term used in the US synonymous with direct identifiers (for example name, address, account ID, email and so on). Other data about people that didn’t directly identify them was called non-PII. Over time the potential to identify people using quasi-identifiers has led to the definition of PII being expanded to include quasi-identifiers as well and to mean something closer to the broader terms, personal data or personal information. However this expansion in its use has not been universal, leading to some confusion over its meaning. Modern US laws and guidelines, such as the CCPA, tend not to use the term, favoring personal information instead, which has a broader meaning, analogous to the GDPR definition of personal data.

As NIST state: “The phrase Personally Identifiable Information (PII) is typically used to indicate information that contains identifiers specific to individuals, although there are a variety of definitions for PII in various law, regulation, and agency guidance documents. Because of these multiple different definitions, it is possible to have information that singles out individuals but which does not meet a particular definition of PII. An added complication is that some documents use the phrase PII to denote any information that is attributable to individuals, or information that is uniquely attributable to a specific individual, while others use the term strictly for data that are in fact identifying Because of these inconsistencies, this document avoids the term “personally identifiable information”.

Return to glossary