A Guide to Personally Identifiable Information (PII)

Nearly every organization collects some form of personally identifiable information (PII)—but few fully understand what qualifies as PII or how to protect it. The stakes are high: mishandling sensitive data can lead to identity theft, data breaches, and a permanent loss of trust.
This guide breaks down what PII means under U.S. privacy law, provides examples of linked and linkable information, and outlines practical steps your company can take to improve data security and reduce risk.
Understanding PII: What Counts as Personally Identifiable Information?
There’s no single definition of PII. Multiple government agencies define it slightly differently, but the core idea is the same: PII is any information that can be used to distinguish, trace, or infer the identity of a specific individual.
Common Definitions of PII According to U.S. Agencies:
- U.S. Department of Commerce: Information that can distinguish or trace identity (e.g. name, SSN, biometrics) or is linked/linkable to an individual (e.g. employment, medical, or financial data).
- Department of Homeland Security: Data that permits direct or indirect identification of a person.
- Biometrics Identity Management Agency: Any information that identifies, relates to, or describes an individual.
- National Security Telecommunications Advisory Committee: Even non-obvious data may be considered PII if it can identify someone when combined with other information.
Types of PII (Linked and Linkable):
PII falls into two categories:
- Linked PII: Clearly identifies a person on its own. Examples: Full name, SSN, passport number, driver’s license number, date of birth, phone number
- Linkable PII: Can identify someone when combined with other data. Examples: Zip code, race, gender, IP address, login credentials, job title, web cookies
Both must be protected under data protection regulations like the GDPR (which generally refers to PII as “Personal Data”) and HIPAA (which generally refers to “Protected Health Information”).
Examples of PII Commonly Collected by Businesses
Here’s a non-exhaustive list of PII that may exist in your systems:
- Full name
- Social Security Number (SSN)
- Date and place of birth
- Mother’s maiden name
- Passport or driver’s license numbers
- Biometric data (fingerprints, facial scans, handwriting)
- Phone number
- Email address
- Login credentials (usernames, passwords)
- IP address and device identifiers
- Physical location data
- Medical, educational, or employment records
- Financial account information
- School or workplace names
- Web cookies and behavioral tracking data
- Social media profiles and handles
If your company stores any of these—especially in combination—you likely have legal obligations under privacy law.
How to Handle PII: 7 Privacy Best Practices for Businesses
Once you determine what qualifies as personally identifiable information, it’s essential to take protective steps. Below are seven privacy law-aligned practices based on recommendations from the U.S. Department of Commerce:
1. Minimize the Amount of PII You Collect and Store
Only collect the data you truly need. The less PII you handle, the lower your exposure to regulatory risk and data breach liability.
2. Don’t Ask for PII Unless It’s Absolutely Necessary
Audit your forms, processes, and customer touchpoints. If something can function without PII—omit it.
3. Review Aging Data Regularly
Outdated or unused PII increases risk. Set a recurring schedule to assess stored data for relevance and eliminate anything obsolete.
4. Eliminate Unnecessary PII with Clear Policies
Don’t keep data “just in case.” Create internal protocols to securely delete unnecessary PII as part of your regular operations.
5. Categorize PII by Confidentiality Impact
Not all PII carries the same risk. Consider:
- How easily a person can be identified
- How many individuals are affected
- The sensitivity of the data fields
- How the data is used and stored
- Your legal or contractual obligations
6. Apply Appropriate Safeguards Based on Risk
Use redaction, encryption, access controls, and employee training. Sensitive PII should receive higher levels of protection.
7. Prepare an Emergency Response Plan
Have a documented breach response process:
- Customer notification
- Government reporting
- Remediation services like credit monitoring
Why PII Management Matters for Startups
You may feel stuck between needing customer data to operate and fearing liability from storing it. But privacy compliance doesn’t have to be overwhelming. By following these reasonable, scalable practices, your company can reduce risk, build trust, and stay ahead of evolving data protection regulations.
Ready to Build a PII Policy That Meets Legal and Customer Expectations?
Protect your organization and your customers by creating or refining your PII management policies.
DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.