What Is PII, non-PII, and Personal Data?
Authors: Michael Sweeney, Karolina Lubowicka
Increasing concerns over the privacy of personal data mean companies must learn the laws
regarding Personally Identifiable Information (PII).
In recent years, many people have become more concerned about their online data privacy and what
companies know about them, their web history, and their personal information.
While it's true that data is collected each time a user accesses a web site, interacts with a post on social
media, or makes an online purchase, there are different types of user data being tracked – some of it can be
used to identify an individual person (known as PII) and some of it can't.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is a term regularly used in Ad Tech and MarTech, but it extends
well past these two industries.
In fact, PII is often referenced by US government agencies, such as the National Institute of Standards and
Technology (NIST).
NIST provides the following definition of PII:
PII is any information about an individual maintained by an agency, including (1) any information that can be
used to distinguish or trace an individual's identity, such as name, social security number, date and place of
birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to
an individual, such as medical, educational, financial, and employment information.
What Pieces of Information are Considered PII?
PII can be divided into two categories: linked information and linkable information.
Linked information is any piece of personal information that can be used to identify an individual and
includes, but is not limited to, the following:
Full name
Home address
Email address
Social security number
Passport number
Driver's license number
Credit card numbers
Date of birth
Telephone number
Log in details
Linkable information, on the other hand, is information that on its own may not be able to identify a person,
but when combined with another piece of information could identify, trace, or locate a person.
Here are some examples of linkable information:
First or last name (if common)
Country, state, city, postcode
Gender
Race
Non-specific age (e.g. 30-40 instead of 30)
Job position and workplace
What is Non-PII?
Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace or
identify a person, so basically the opposite of PII.
Examples of non-PII include, but are not limited to:
Device IDs
IP addresses
Cookies
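The point made above about linkable information, that fields which identify nobody on their own can identify a person once combined, can be checked on a data set by counting how many records share each combination of fields. The following is an added example, not part of the original article; the records, field names and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records. They hold no linked information (no name,
# e-mail address or social security number), only linkable fields from the
# list above plus a non-identifying value.
RECORDS = [
    {"gender": "F", "postcode": "90210", "age_band": "30-40", "job": "nurse", "spend": 120},
    {"gender": "F", "postcode": "90210", "age_band": "30-40", "job": "nurse", "spend": 80},
    {"gender": "M", "postcode": "90210", "age_band": "30-40", "job": "teacher", "spend": 45},
    {"gender": "M", "postcode": "10001", "age_band": "40-50", "job": "teacher", "spend": 60},
    {"gender": "M", "postcode": "10001", "age_band": "40-50", "job": "teacher", "spend": 15},
    {"gender": "F", "postcode": "10001", "age_band": "20-30", "job": "mayor", "spend": 300},
]


def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def smallest_group(records, fields):
    """Size of the rarest combination; 1 means someone is singled out."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Records whose combination of the given fields is unique in the set."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]


if __name__ == "__main__":
    for fields in (["gender"], ["postcode"], ["gender", "postcode"]):
        unique = singled_out(RECORDS, fields)
        print(f"{'+'.join(fields):16} smallest group = "
              f"{smallest_group(RECORDS, fields)}, singled out = {len(unique)}")
```

Gender alone and postcode alone each leave every person hidden in a group of three, while the two together isolate two of the six records, so those rows should be handled as PII even though no linked field is present.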
What's the Difference Between PII and Personal Data?
While PII is a commonly recognized term, there is another term that many people may be familiar with –
personal data.
The difference between PII and personal data can be explained by the following:
Personally Identifiable Information (PII) is a term used mainly within the USA.
Personal Data is considered to be the European equivalent of PII; however, it doesn't completely correspond
to the PII definition popular in the US. The new EU data privacy law – General Data Protection Regulation
(GDPR) defines Personal data as the following:
Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by
reference to an identifier such as a name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of
that natural person;
Important note! GDPR states that even cookies can be considered personal data. This is detailed in Recital
30 of the new law:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and
protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency
identification tags. This may leave traces which, in particular when combined with unique identifiers and other
information received by the servers, may be used to create profiles of the natural persons and identify them.
The Future of PII
The line separating PII and non-PII is becoming thinner with every passing year and the online advertising
and marketing industries have already seen government organizations shift their stance on what constitutes
PII and what doesn't – the FTC and Art. 29 WP being two prime examples.
The Federal Trade Commission (FTC)
In a follow-up post to her speech at the 2016 NAI summit in San Francisco, Jessica Rich, the Director of
the Bureau of Consumer Protection at the Federal Trade Commission (FTC), addressed the topic of persistent
identifiers:
“…We [the FTC] regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can
be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as
device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”
The post went on to say that the Commission has modified the definition of personal information to include
persistent identifiers, including, but not limited to:
A customer number held in a cookie
An Internet Protocol (IP) address
A processor or device serial number
A unique device identifier
The Article 29 Data Protection Working Party (Art. 29 WP)
This recent revelation from the FTC follows a similar movement from the European Union (EU) that started a few
years ago when the Article 29 Data Protection Working Party (Art. 29 WP) suggested that IP addresses
should be viewed as personal data.
The implications of these two movements are substantial, especially for the Ad Tech and MarTech industries.
For starters, it now means there is a disconnect between the NAI's Code of Conduct and the definition of
personal information from government organizations such as the FTC and EU, which makes it hard for
companies to comply with privacy standards and best practices.
In addition, if organizations like the FTC and EU continue creating a broader definition of PII and personal
data, then we could see emerging areas of Ad Tech, such as device fingerprinting that rely on collecting
persistent identifiers, being hit hard by new privacy regulations.