PII — personally identifiable information — is any data that can identify a specific person, on its own or combined with other data. The definition is broader than most people expect, and getting it right is the foundation of every privacy obligation from GDPR to CCPA.
Personally identifiable information is any information that can be used to identify an individual — directly, like a full name or a passport number, or indirectly, by combining several data points until only one person fits. The key idea is identifiability: data is PII if it can single someone out, even if their name never appears.
This is why the definition trips teams up. An IP address, a device identifier, a cookie ID, or a precise location trail can all identify a person even though none of them is a name. Regulators treat identifiability as the test, not whether the field is labelled 'personal'.
It helps to split PII into data that identifies someone by itself and data that identifies them in combination.
Direct identifiers
Data that points to one person on its own: full name, email address, phone number, social security or national ID number, passport number, or a customer account ID tied to a real identity.
Indirect identifiers
Data that identifies someone when combined: date of birth, postal code, job title, IP address, device ID, or location history. Any one is ambiguous; together they routinely narrow down to a single individual.
Special-category data
GDPR gives extra protection to sensitive data: health, genetics, biometrics, race or ethnicity, religion, political opinions, trade-union membership, and sexual orientation. Processing it usually requires stronger legal grounds.
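The indirect-identifiers entry above, shown as an added example that is not part of the original page: it counts how many rows share each combination of indirect identifiers. This group-size measure is the one used in k-anonymity, a term the page itself does not use. The rows, column names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows (assumption): no names or emails, only indirect identifiers.
QUASI_IDENTIFIERS = ("birth_year", "postal_code", "job_title")
_VALUES = [
    (1984, "10115", "Engineer"), (1984, "10115", "Engineer"),
    (1984, "10115", "Nurse"), (1984, "20095", "Engineer"),
    (1984, "20095", "Nurse"), (1990, "10115", "Engineer"),
    (1990, "10115", "Nurse"), (1990, "20095", "Engineer"),
    (1990, "20095", "Nurse"),
]
ROWS = [dict(zip(QUASI_IDENTIFIERS, v)) for v in _VALUES]


def group_sizes(rows, columns):
    """Count how many rows share each combination of values in `columns`."""
    return Counter(tuple(row[c] for c in columns) for row in rows)


def smallest_group(rows, columns):
    """Size of the smallest group; 1 means the combination singles someone out."""
    return min(group_sizes(rows, columns).values())


def singled_out(rows, columns):
    """Rows that are the only member of their group for `columns`."""
    sizes = group_sizes(rows, columns)
    return [r for r in rows if sizes[tuple(r[c] for c in columns)] == 1]


def linkability_report(rows, columns):
    """Smallest group size for every non-empty subset of `columns`."""
    return {
        combo: smallest_group(rows, combo)
        for n in range(1, len(columns) + 1)
        for combo in combinations(columns, n)
    }


if __name__ == "__main__":
    for combo, k in linkability_report(ROWS, QUASI_IDENTIFIERS).items():
        verdict = "singles someone out" if k == 1 else "still ambiguous"
        print(f"{' + '.join(combo):40} smallest group = {k} ({verdict})")
    print(len(singled_out(ROWS, QUASI_IDENTIFIERS)), "of", len(ROWS), "rows are unique")
```

In this sample every single column leaves at least four candidates and every pair at least two, but the three columns together isolate seven of the nine rows.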
PII and GDPR 'personal data' are not quite the same thing. 'PII' is the common US term; GDPR uses 'personal data,' which is defined even more broadly as any information relating to an identified or identifiable natural person. In practice, GDPR personal data includes things some narrow PII definitions leave out, such as online identifiers and pseudonymized data that can still be linked back to a person.
For a data team, the safe mental model is: if a field relates to a human being and could plausibly be linked back to them, treat it as in scope. Under-scoping is where compliance gaps start.
Every privacy obligation is defined in terms of personal data: the right to access it, the right to have it deleted, the duty to keep it only as long as needed, the duty to report a breach that exposes it. If you misclassify a field as 'not PII,' it silently drops out of all of those workflows.
That is why discovery and classification come first. Before you can honour a deletion request or answer an audit, you need an accurate map of which fields — across raw tables, derived models, and connected tools — actually hold personal data. Undeclared PII (ghost data) is the most common cause of an erasure claim that turns out to be false.
What are examples of PII?
Common examples include full name, email address, phone number, home address, national ID or passport number, IP address, device identifiers, precise location data, and any customer account ID that can be linked to a real person. Sensitive examples include health, biometric, and financial data.
Is an email address PII?
Yes. An email address usually identifies or can be linked to a specific individual, so it is treated as PII under US frameworks and as personal data under GDPR. It is one of the most common fields that must be included in deletion and access requests.
Is an IP address considered PII?
Under GDPR, yes — the Court of Justice of the EU has held that IP addresses are personal data because they can be linked to an individual, especially in combination with other information. US definitions vary, but treating IP addresses as PII is the safer default.
Is pseudonymized data still PII?
Usually yes. Pseudonymized data (for example, data keyed by a token instead of a name) can still be linked back to a person if you hold the mapping, so GDPR still treats it as personal data. Only truly anonymized data — where re-identification is not reasonably possible — falls outside scope.