PII (Personally Identifiable Information)

Any data that can identify a specific individual, either on its own or when combined with other information. Names, email addresses, phone numbers, social security numbers, IP addresses, and device identifiers can all qualify as PII depending on context and jurisdiction.

PII is data that points to a specific human being: a name, an email address, a phone number, a mailing address, a social security number. In isolation, some of these are definitive identifiers. Others become PII only when combined: a zip code, a birthdate, and a gender together can identify most Americans.

The definition is not fixed across jurisdictions. GDPR defines “personal data” broadly, including any information relating to an identified or identifiable person. CCPA uses “personal information” with its own scope. US federal law has no single definition. The result is that what counts as PII depends on where the data subject lives, what regulation applies, and how the data is being used.

Marketing as PII repository

Marketing organizations collect, store, and process PII at scale. CRM records, email lists, form submissions, cookie data tied to login events, purchase histories linked to customer accounts. Every one of these systems is a PII repository, whether or not the team thinks of it that way.

The regulatory and financial exposure is real. Mishandling PII triggers breach notification requirements, regulatory fines, and reputational damage. GDPR fines can reach 4% of global annual revenue. CCPA and state-level laws carry their own penalties.

PII is broader than most teams realize

The first mistake is thinking PII only means “name and social security number.” In a marketing context, PII includes email addresses, device IDs, IP addresses, and any behavioral data tied to an identifiable person. Marketing teams routinely handle PII without recognizing it as such, which means they are not applying the protections the data requires.

The second mistake is assuming anonymization solves the problem. Removing a name from a record does not make it anonymous if the remaining fields can be recombined to re-identify the person. True anonymization is harder than most organizations realize, and pseudonymization (replacing identifiers with tokens) still qualifies as personal data under GDPR.
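To make the recombination risk concrete, the following is an added example (not part of this glossary entry): it takes a constructed dataset from which names have already been removed, counts how many records are still unique on the quasi-identifiers the text names (zip code, birthdate, gender), and shows how coarsening those fields changes the result. Field names and record values are made up for illustration.

```python
from collections import Counter

# Constructed sample records: names already stripped, but zip code,
# date of birth and sex remain and can be matched against a public list.
RECORDS = [
    {"zip": "02138", "dob": "1961-07-12", "sex": "F", "purchase": "A"},
    {"zip": "02138", "dob": "1961-09-03", "sex": "F", "purchase": "B"},
    {"zip": "02139", "dob": "1985-03-30", "sex": "F", "purchase": "B"},
    {"zip": "02139", "dob": "1985-11-02", "sex": "F", "purchase": "C"},
    {"zip": "02141", "dob": "1990-01-15", "sex": "M", "purchase": "A"},
    {"zip": "02141", "dob": "1990-06-20", "sex": "M", "purchase": "B"},
]

# The fields that are not identifiers on their own but identify in combination.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def _key(record, quasi_ids):
    return tuple(record[q] for q in quasi_ids)


def k_anonymity(records, quasi_ids):
    """Smallest group size sharing the same quasi-identifier values.

    k == 1 means at least one record is unique on those fields, so the
    dataset is not anonymous even though names were removed.
    """
    counts = Counter(_key(r, quasi_ids) for r in records)
    return min(counts.values())


def unique_records(records, quasi_ids):
    """Records that can be singled out by their quasi-identifiers alone."""
    counts = Counter(_key(r, quasi_ids) for r in records)
    return [r for r in records if counts[_key(r, quasi_ids)] == 1]


def generalize(record):
    """Coarsen identifiers: 3-digit zip prefix and birth year only."""
    return {**record, "zip": record["zip"][:3], "dob": record["dob"][:4]}


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("unique records:", len(unique_records(RECORDS, QUASI_IDENTIFIERS)))
    coarse = [generalize(r) for r in RECORDS]
    print("k after generalization:", k_anonymity(coarse, QUASI_IDENTIFIERS))
```

Every one of the six "anonymized" records is unique before generalization; after coarsening, each record shares its quasi-identifier values with at least one other, though the coarsened fields are still personal data under GDPR if the mapping can be reversed.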

Frequently Asked Questions

Is an email address always PII?

In most regulatory frameworks, yes. An email address directly identifies or can be linked to a specific person. Under GDPR, it qualifies as personal data. Under CCPA, it qualifies as personal information. The practical implication is that any system storing email addresses is handling PII.

What is the difference between PII and personal data?

The terms overlap but are not identical. PII is a US-origin concept focused on data that identifies an individual. GDPR uses “personal data,” which is broader and includes any information relating to an identified or identifiable person, including pseudonymized data. In practice, treat both terms as requiring the same level of protection.