Personally Identifiable Information Vs Personal Information
Businesses collect and manage a lot of consumer information such as Personally Identifiable Information (PII), Personal Information (PI), and Sensitive Information. These data types might sound similar, but classification plays a significant role in data privacy and protection. Data privacy laws such as GDPR, CCPA, and others set different requirements for different data types. Thus, understanding the differences between various data types becomes essential for compliance with privacy laws.
Organizations and website owners must know which type of data they are dealing with so they can implement appropriate security measures required by the data privacy laws.
Here are three terms that will be covered in this article:
- Personally Identifiable Information (PII)
- Personal information (PI)
- Sensitive information
Comparison of Personally Identifiable Information, Personal information, and Sensitive information
The table gives a brief overview of Personally Identifiable Information (PII), Personal Information (PI), and Sensitive Information, some examples of each data type, and the differences between them. A more detailed description is provided below.
In short, all PII is personal information, but not all personal information is considered PII.
PII comprises both sensitive PII and non-sensitive PII; PI also comprises both sensitive PI and non-sensitive PI.
Use CookieScript CMP to deliver a cookie banner and collect and record user consent for the collection, storage, and sharing of all types of information in a privacy laws-compliant way.
CookieScript CMP is a Google-certified CMP.
In 2024, it was ranked by users as the best CMP on a peer-review site G2.
What is Personally Identifiable Information (PII)?
There is no global definition of Personally Identifiable Information (PII). So, different regulations use different definitions and describe it differently. As a result, definitions of PII can differ across organizations and countries.
However, the basic definition says that Personally Identifiable Information (PII) refers to any data that, on its own or combined with other data, can be used to identify, contact, or locate a single person, or can be used in combination with other data to identify someone.
This definition is the most widely used and aligns with the definition of the National Institute of Standards and Technology (NIST) in the United States.
Different Types of PII
There are two main types of PII:
- Direct identifiers: Information that allows us to identify an individual directly, without any other information. An example of direct identifiers could be full name, Social Security number, or passport number.
- Indirect identifiers: Information that can identify an individual only when combined with other information. Examples of indirect identifiers could be date of birth, place of birth, employment or education information.
PII can also be classified based on the potential harm that could result from its misuse:
- Sensitive PII: Information that, if disclosed or breached, could result in substantial harm or inconvenience to an individual. Many data privacy laws specifically address sensitive PII and require stringent protection measures due to its potential for misuse.
- Non-sensitive PII: Non-sensitive PII is information that, if disclosed or breached, wouldn’t result in substantial harm to the individual. While it is still protected by privacy laws, the security measures are not as strict as those for sensitive PII.
Examples of Personally Identifiable Information
PII comprises a wide range of data that can be used to identify an individual. We provide just some examples of PII to help you understand the concept.
Examples of sensitive PII comprise:
- Passport number
- Social security number
- Driver’s license number
- Financial account numbers (e.g., bank account, credit card)
- Biometric data (fingerprints, retinal scans, DNA data)
- Medical or health records
- Genetic information
- Photo of a face
- Personally owned property, like vehicle registration number, house registration number, etc.
Examples of non-sensitive PII include:
- Full name
- Email address
- Phone number
- Physical address
- IP address
- Account username
- Date of birth
- Place of birth
- Race or ethnicity
- Educational records
- Financial records
- Employment information
Note that even non-sensitive PII can raise substantial privacy concerns when combined with other data. Thus, it is recommended to protect all types of PII data with stringent security measures.
PII under the GDPR
While the GDPR does not explicitly explain the term “Personally Identifiable Information,” the regulation defines this data type within its broader definition of “personal data.”
However, the GDPR expands on the definition of PII by making it broader and more wide-ranging:
- Expanded scope: The GDPR includes a broader range of information that can be linked to an individual.
- Modern types of data categories: The GDPR includes such identifiers like IP addresses, cookies, and device IDs.
- Context-dependent approach: Under the GDPR, whether information is classified as PII depends on the context and the potential to identify an individual. The PII covers information that, when paired with other types of information, can identify a person.
- Pseudonymized and anonymized data: If Personally Identifiable Information is made anonymous so that a person can no longer be identified, it is no longer PII. Note that the anonymization must be irreversible. If encrypted, de-identified, or pseudonymized data could be used to re-identify a person, such data still remains PII.
- Data minimization principle: The GDPR requires organizations to minimize data collection and processing to what is necessary for the specific purpose they have declared. Unrelated data could be considered excessive and would violate the principle of data minimization.
- Risk-based approach: The GDPR requires organizations to perform Data Protection Impact Assessment (DPIA) and evaluate the risk of processing personal data. In some cases, general or publicly available information could be considered PII. DPIA determines the necessary security measures for the protection of the PII.
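The difference between pseudonymization and anonymization described above is easiest to see in code. The following is an added example, not code from CookieScript or from any regulator's guidance; the records, the key, and the k=2 threshold are constructed for the demonstration. It pseudonymizes a direct identifier (email) with a keyed HMAC, shows that whoever holds the key can re-identify every record (so the output is still personal data), and then contrasts that with irreversible anonymization: the direct identifier is dropped, the indirect identifiers (date of birth, postcode) are generalized, and any combination shared by fewer than k records is suppressed so that no single person stands out.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people): `email` is a direct
# identifier; `dob` and `postcode` are indirect identifiers that can single
# someone out when combined; `plan` is the attribute we want to keep.
RECORDS = [
    {"email": "a.smith@example.com", "dob": "1984-03-12", "postcode": "SW1A 1AA", "plan": "pro"},
    {"email": "b.jones@example.com", "dob": "1987-11-02", "postcode": "SW1A 2BB", "plan": "free"},
    {"email": "c.lee@example.com", "dob": "1991-07-30", "postcode": "EC1A 1BB", "plan": "pro"},
    {"email": "d.kim@example.com", "dob": "1995-01-15", "postcode": "EC1A 9ZZ", "plan": "free"},
    {"email": "e.ruiz@example.com", "dob": "1972-05-05", "postcode": "M1 1AE", "plan": "pro"},
]

# Constructed demo key; in practice this would live in a secrets manager,
# separate from the pseudonymized data set.
KEY = b"constructed-demo-key-do-not-reuse"


def token_for(email: str, key: bytes) -> str:
    """Keyed, deterministic token for a direct identifier (HMAC-SHA256)."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Replace the direct identifier with a keyed token.

    The token is deterministic, so records about the same person still link
    together, and the indirect identifiers are kept untouched. Anyone holding
    the key can reverse the mapping, which is exactly why the GDPR still
    treats this output as personal data.
    """
    return [
        {"subject": token_for(r["email"], key), "dob": r["dob"],
         "postcode": r["postcode"], "plan": r["plan"]}
        for r in records
    ]


def reidentify(pseudonymized, key, candidate_emails):
    """Re-identification by the key holder: recompute tokens for known emails.

    Returns {token: email-or-None}. With the wrong key every value is None,
    which shows the protection rests entirely on the secrecy of the key.
    """
    lookup = {token_for(e, key): e for e in candidate_emails}
    return {r["subject"]: lookup.get(r["subject"]) for r in pseudonymized}


def generalize(record):
    """Irreversibly coarsen the indirect identifiers and drop the direct one."""
    birth_year = int(record["dob"][:4])
    return {
        "birth_decade": f"{birth_year // 10 * 10}s",  # 1984 -> "1980s"
        "area": record["postcode"].split()[0],       # "SW1A 1AA" -> "SW1A"
        "plan": record["plan"],
    }


def anonymize(records, k=2):
    """Generalize, then suppress any quasi-identifier combination that fewer
    than k records share (a minimal k-anonymity check), so that no record can
    be traced back to one person through the remaining fields."""
    generalized = [generalize(r) for r in records]
    quasi = lambda r: (r["birth_decade"], r["area"])
    counts = Counter(quasi(r) for r in generalized)
    return [r for r in generalized if counts[quasi(r)] >= k]


if __name__ == "__main__":
    pseudo = pseudonymize(RECORDS, KEY)
    emails = [r["email"] for r in RECORDS]
    print("pseudonymized, re-identified with key:", reidentify(pseudo, KEY, emails))
    print("pseudonymized, wrong key:", reidentify(pseudo, b"wrong", emails))
    print("anonymized (k=2):", anonymize(RECORDS, k=2))
```

With the constructed records, the `k=2` pass keeps four records and suppresses the one person born in the 1970s in the M1 area, because that combination is unique. Raising `k` to 3 suppresses everything, which is the usual trade-off: the more you generalize or suppress, the less useful the data, but only the generalized output leaves the scope of personal data.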
Read more about PII and how to protect and manage PII.
Struggling with GDPR compliance? Download this GDPR compliance checklist to ensure compliance with the regulation.
What Is Personal Information (PI)?
Personal Information (PI) is any information that can identify an individual. It comprises broader data than PII and covers all data types, including both direct identifiers and indirect identifiers that can identify individuals when combined with other information.
Examples of Personal Information
Examples of Personal Information (PI) comprise information covered by PII, both sensitive and non-sensitive PII, such as:
- Passport number
- Social security number
- Driver’s license number
- Financial account numbers (e.g., bank account, credit card)
- Biometric data (fingerprints, retinal scans, DNA data)
- Medical or health records
- Full name
- Email address
- Phone number
- Physical address
- IP address, etc.
Personal Information (PI) also comprises subjective information based on personal opinions, interpretations, or evaluations, such as:
- Customer feedback
- Personal preferences
- Personality assessments
- Medical symptoms described by a patient
- Cultural or social identity of a person, etc.
Thus, even subjective data can be considered personal information if it can be linked to an identifiable individual.
In some jurisdictions even publicly available information can be considered personal data. For instance, under the GDPR, publicly available information is considered personal information. However, under the CCPA, publicly available information is generally excluded from the definition of personal information.
Note that all PII is personal information, but not all personal information is considered PII.
Personal information (PI) under the GDPR
The GDPR defines personal data as “any information relating to an identified or identifiable natural person (which is called “data subject”); such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Under the GDPR, PI includes the following data:
- Direct identifiers: Information that allows us to identify an individual directly, without any other information. Examples of direct identifiers could be full name, Social Security number, or passport number.
- Indirect identifiers: Information that can identify an individual only when combined with other information. Examples of indirect identifiers could be date of birth, place of birth, employment, or education information.
- Pseudonymized data: Even if data is pseudonymized, it is still considered as personal information if it can be re-identified. Anonymized data, where it can’t be re-identified, is excluded from the definition of PI.
- Publicly available personal information: Publicly available PI refers to data that is accessible to anyone in the general public, without the need for special qualifications, permissions, or privileges. There are some differences between the ePrivacy Directive and the GDPR regarding publicly available personal information. ePrivacy Directive protects publicly available personal data, while the GDPR does not cover any publicly available personal data.
- Special categories: The GDPR also includes sensitive data such as racial or ethnic origin, political opinions, religious beliefs, and health information.
The GDPR regulates both automated and manual processing of personal data.
Personal Information (PI) under the CCPA
The California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Under the CCPA, publicly available information at state, federal, or local government levels is excluded from the definition of Personal Information. Irreversibly anonymized information is also not considered PI.
The CCPA explicitly states that personal information may be linked to individuals or households, whereas the GDPR mentions only natural persons.
Note that the definition of PI under the CCPA follows the definitions and precedents in US laws and could be broader than the definition of PI under the GDPR. This also means that different US states could apply different definitions of PI, and the practices of defining the PI could change over time.
What Is Sensitive Information?
Sensitive information is any confidential information that, when compromised, could lead to harm, discrimination, or negative consequences for the affected individual or organization. Sensitive information must be protected from unauthorized access using the most stringent measures to safeguard an individual’s or organization’s privacy and security.
Examples of Sensitive Information include:
- Passport number
- Social security number
- Driver’s license number
- Financial account numbers (e.g., bank account, credit card)
- Biometric or genetic data (fingerprints, retinal scans, DNA)
- Medical or health records
- Financial records
- Proprietary business details
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade-union membership
- Data concerning a person's sex life or sexual orientation, etc.
Websites collect Personally Identifiable Information, Personal Information, and Sensitive information through cookie banners. Scan your website for free to see all your website cookies, local storage and session storage in use.
Conclusion
There is no global definition of all three types of information. Different regulations use different definitions and describe them differently, so definitions are different across organizations and countries.
However, the basic definition says that Personally Identifiable Information (PII) refers to any data that, on its own or combined with other data, can be used to identify, contact, or locate a single person, or can be used in combination with other data to identify someone.
Personal Information (PI) is any information that can identify an individual. It comprises broader data than PII and covers all data types, including both direct identifiers and indirect identifiers that can identify individuals when combined with other information.
All PII is personal information, but not all personal information is considered PII.
Sensitive information is any confidential information that, when compromised, could lead to harm, discrimination, or negative consequences for the affected individual or organization. Sensitive information must be protected from unauthorized access using the most stringent measures to safeguard the privacy and security of an individual or organization.
These data types might sound similar, but classification plays a significant role in data privacy and protection. Data privacy laws such as GDPR, CCPA, and others set different requirements for different types of data. To comply with data privacy laws, you need to handle these types of information differently.
Does it still seem complicated? Use CookieScript CMP, and we will handle the compliance issues for your website or app! We have all the functionalities you need for compliance in one place.
CookieScript CMP is a Google-certified CMP.
Compare CMPs and choose the best CMP, ranked by users on a peer-review site G2.
We have launched a trial for the PLUS pricing plan for 14 days. Now you can try the best product on the market for free, with all the functionalities, and no credit card is required!
Frequently Asked Questions
What is Personally Identifiable Information?
There is no global definition of Personally Identifiable Information (PII). However, the basic definition says that PII refers to any data that, on its own or combined with other data, can be used to identify, contact, or locate a single person, or can be used in combination with other data to identify someone. All PII is personal information, but not all personal information is considered PII. CookieScript CMP can help you to handle the differences and comply with data privacy laws.
What is Personal Information?
Personal Information (PI) is any information that can identify an individual. It comprises broader data than Personally Identifiable Information (PII) and covers all data types, including both direct identifiers and indirect identifiers that can identify individuals when combined with other information. You need to get user consent to manage Personal Information. CookieScript CMP can help you create a cookie banner and collect user consent.
What is Sensitive Information?
Sensitive information is any confidential information that, when compromised, could lead to harm, discrimination, or negative consequences for the affected individual or organization. Sensitive information must be protected from unauthorized access. Data privacy laws such as GDPR, CCPA, and others require the most stringent measures when collecting or processing sensitive information. Use CookieScript CMP to get user consent if you are collecting sensitive information.
Is an email address considered PII?
Yes, an email address is generally considered PII since it can often be directly linked to an individual and used to identify or contact them. If your website or app collects email addresses, you need to get user consent and must use strict protection measures to safeguard PII. CookieScript CMP can help you.
Is a phone number considered Personally Identifiable Information?
Yes, a phone number is generally considered PII since it can often be directly linked to an individual and used to identify or contact them. If your website or app collects phone numbers or other data, you need to get user consent and must use strict protection measures to safeguard PII. CookieScript CMP can help you.
Is an IP address considered as personal data?
Yes, IP addresses are generally considered personal data under data privacy laws such as the GDPR. While they may not always directly identify an individual, they can be used in combination with other information to identify a specific person or household. If your website or app collects IP addresses and other data, you need to get user consent for such an activity. Use CookieScript CMP to get user consent and comply with privacy laws.
What are examples of personal information?
Personal information comprises a lot of data, including Social Security numbers, driver’s license numbers, full name, email address, phone number, physical address, IP address, customer feedback, personal preferences, etc. If your company collects personal information, you need to get user consent. CookieScript CMP is one of the best CMPs for this purpose.
What are examples of Personally Identifiable Information?
Examples of PII include passport number, Social Security number, driver’s license number, financial account numbers, biometric data, medical or health records, genetic information, photo of a face, employment information, etc. If your company collects PII, you need to get user consent. Use CookieScript CMP to get user consent and comply with privacy laws.
Is publicly available information considered personal information?
It depends on the jurisdiction. For instance, under the GDPR, publicly available information is considered personal information. However, under the CCPA, publicly available information is generally excluded from the definition of personal information. Use CookieScript CMP to provide the right cookie banner and comply with data privacy laws.
What are examples of non-personal information?
Under the GDPR, examples of non-personal information include anonymized data, a company email address (e.g. info@company-name.com), the company’s registration address, registration number, or number of employees, etc.