20+ examples of personally identifiable information (PII)

Our identity consists of data points that include everything from our names to our bank accounts. Combining these individual pieces of information paints a picture of who we are, what we do, and where we are in the world. Many wish this picture to remain private. These data points are known as personally identifiable information (PII) and can be used to directly or indirectly identify individuals.

When users provide you with their PII, they are trusting you with their most valuable information and expect you to safeguard their privacy. Because the value of this sensitive information is so high, there are many compliance regulations surrounding the handling, collection, storage, and use of PII. Following compliance rules is essential to maintaining user faith and preventing potentially disastrous data leaks.

But what kind of information is considered PII? In this guide, we’’ll break down the different types of PII, provide examples of both PII and non-PII, and explain how to protect PII to help you ensure you’re handling users’ data responsibly. Understanding PII will help you better implement data security measures to keep your users’ information safe.

Direct identifiers: Clear examples of PII

Some PII can pinpoint your users’ identities without any additional data; these examples of PII are known as direct identifiers. In the wrong hands, these identifiers are the easiest way for someone to breach your compliance, security, and privacy protocols.

Some examples of direct identifiers include

• Full legal name
• Social Security number (SSN)
• Passport and driver’s license numbers
• Personal phone number and email address
• Biometric data (fingerprints, retina scans)
• Credit card and bank account numbers

Although these examples can be enough to identify individuals on their own, sometimes additional data is needed to identify a specific person. For example, if your user has a common name such as John Smith, a secondary form of identification would likely be necessary to distinguish the right person from the rest of the John Smiths of the world.

Phone numbers and some email addresses (depending on the provider) are also not unique. Because there is a finite number of phone numbers available, telecom companies often recycle numbers that are no longer in use. The same goes for email addresses, though they are not often reused. 

These examples of PII are typically subject to the strictest compliance standards under frameworks such as HIPAA and FERPA. You may collect this information during employee onboarding for background checks, direct deposit, and communication, so understanding compliance expectations is essential.

To comply with standards such as HIPAA and FERPA, consider collecting as little PII as possible and employing advanced security measures to protect any sensitive information that you collect. If you plan to use collected data for research purposes, you will likely need to remove certain identifiers to ensure anonymity and lower the risk of identity exposure.

Indirect (quasi) identifiers: Examples that may identify when combined

Again, some identifiers require more information or must be combined with other identifiers to pinpoint an individual. Indirect, or quasi, identifiers provide only some of the user picture. Think of these as puzzle pieces rather than snapshots. By aligning several indirect identifiers, it may be possible to narrow a search to a single person.

Here are a few examples:

• Date of birth
• Geographic data (address, city, ZIP code)
• Employment and educational records
• IP address and device identifiers
• Behavioral data (purchase history, browsing habits)

Many of these identifiers are broad, often shared across groups of individuals. For example, it would be nearly impossible to identify a single individual based solely on their birthday. Likewise, geographic identifiers can contain thousands, if not millions, of people. However, combining this data could pinpoint an individual.

Although indirect identifiers are less of a threat to user privacy in the wrong hands than direct identifiers, it’s still important to exercise caution in the way you collect and manage these data points. Data aggregation can help shield individual user identities by combining individual identifiers into a larger dataset or summary.

Generalization is another safer PII collection tactic. It collects broader versions of these identifiers, such as age ranges rather than specific birthdays. For instance, rewards programs and marketing strategies  still provide the insight you need to make business decisions without the increased privacy risk. As with direct identifiers, you can reduce potential exposure by minimizing the amount of data you collect from users overall.

Sensitive PII examples requiring special protection

While all types of PII carry some risk, there are a few examples of PII that are more sensitive than others. This PII requires the highest level of security to guarantee its safety.

Sensitive PII could be damaging in the wrong hands. Examples include

• Financial information (credit reports, tax records)
• Medical and health records (covered under HIPAA)
• Government-issued numbers (tax ID, military service numbers)
• Biometric identifiers and genetic data
• Legal records (criminal history, immigration status)

Due to the sensitive nature of this PII, your organization must take additional precautions to ensure its protection. But what can your organization do to keep data safe? Consider the following additional security measures:

• Encryption: Encryption scrambles readable data (also known as plaintext) into what appears to be random data or code (also known as ciphertext) using algorithms and decryption keys. This data is rendered unreadable by anyone without the decryption key, securing data both in transit and during storage.
• Restricted access: The fewer people who can access your sensitive PII, the more secure it is. Limiting who on your team has access to sensitive data will increase its overall privacy. To keep track of who is looking at this data and when, you can also use access logs. They are an easy way to monitor your data for suspicious behavior, allowing you to stay one step ahead of security breaches.
• Strict compliance controls: Each compliance framework will likely have its own set of required controls for handling PII. Structuring your data-handling practices to meet these expectations can help keep you out of regulatory trouble while also protecting your users’’ sensitive information.

The healthcare, education, and financial services fields require organizations to follow information security standards such as HIPAA, FERPA, and the FTC’s Financial Privacy Rule. Beyond industry standards, you must also comply with geographic-specific data privacy laws. For example, the EU’s General Data Protection Regulation (GDPR) has strict rules for how organizations operating in Europe collect, manage, and protect their users’ PII. These rules cover sensitive PII as well as direct and indirect identifiers.

In the US, the California Consumer Privacy Act (CCPA) gives users greater direct control over their personal information. If your organization does business in California, users who interact with your brand will have certain rights:

• Right to know: Users can see what personal information your business collects, uses, shares, and sells.
• Right to delete: Users can request that your business delete their personal information.
• Right to opt out of sale or sharing: Users can prevent your business from sharing or selling their data for any use.
• Right to limit sensitive information use: Users can determine for which specific, limited purposes their sensitive PII can be used.
• Right to correct: If a user notices a discrepancy in their personal data, they can request a correction.
• Right to nondiscrimination: Users are protected from being treated differently for exercising these rights.

These laws are designed to provide clear rules for how businesses handle sensitive data and peace of mind for users who must share their data in an age increasingly defined by digital footprints.

Digital and emerging PII examples

Your users are more online than ever before. This increased digital activity has changed what is considered PII and generated new types of data that must be taken into account when formulating your data-handling strategy, such as the following:

• IP addresses
• Device IDs and MAC addresses
• Cookie identifiers and browser fingerprints
• GPS and geolocation data
• Behavioral or biometric tracking (e.g., typing patterns, gait analysis)
• AI-inferred personal profiles

These PII examples are directly tied to users’ online activity, behavior, and habits and are considered highly valuable for sales and marketing. Your organization may collect these data points as users shop online, visit your site, fill out forms, and more.

But not every user feels comfortable having this information collected and stored because it still can be easily used to identify them (even more precisely than some traditional types of PII). That’’s why regulatory structures such as GDPR classify and protect these examples of PII as forms of personal data.

Some businesses anonymize this data, transforming it into pseudonymized data. This practice preserves the data’s utility for their internal purposes without breaching user privacy standards. 

However, under GDPR, pseudonymized data should be treated the same as standard personal data because it can be reversed to identify users. Full data anonymization, on the other hand, irreversibly alters data to avoid identification.

With the rise of digital PII, the question of what is considered PII and what isn’t has become less straightforward to answer. Learning the difference between non-PII and PII can help you better navigate the security and utility of your user data.

Non-PII examples: What does not count as PII

PII is protected data with significant restrictions on how it can be used. Even so, businesses rely on data of all kinds to make informed decisions and provide the quality products or services customers expect.

The key to navigating the difference between PII and non-PII is this: PII is information that can be used alone or in combination with other data to identify a specific person. Information that can’t be used on its own to identify an individual is considered non-PII. In many cases, non-PII is data that has been manipulated to obscure the identity of its owner. 

While security standards may limit how you can use this data, there are several ways to generate business value from user data while protecting privacy:

• Fully anonymized or aggregated datasets: By irreversibly anonymizing your user data or removing personal identifiers through aggregation, you can still gain valuable insights without risking noncompliance with PII privacy laws.
• Publicly available data with no link to an individual: If you don’t want to transform data, you can avoid using individual information altogether by using publicly available data sources. Though it may not provide the same benefits as direct data collection, public information can be used without regulatory scrutiny and still provide results.
• Generic demographic information: Rather than collecting specific identifiers, you may choose to ask users for more generalized data points. For example, rather than asking for someone’s birth date and city, you could ask for an age range and a state. These identifiers can create a broad, nonspecific user persona (e.g., 25- to 34-year-olds in Texas). Because this data could refer to a wide range of individuals, you won’t be in breach of privacy terms,  and you can use it to make smarter business decisions.

Each of these methods can ensure your compliance with data-security standards while elevating how you incorporate data into your business operations.

Protect your PII with Jotform

The definition of PII in today’s business world is broad, ranging from traditional identifiers to digital markers. As this space continues to change, it’s important for your team to keep up with the latest updates in compliance and proactive protection so you can avoid unforeseen data security issues.

If you’re looking for a way to stay ahead of the curve and ensure your data’s confidentiality, Jotform offers a full suite of secure solutions designed to collect, process, and protect PII across a range of industries. Incorporate these tools into your workflow today to approach data-handling with confidence.