Defining PII

Personally Identifiable Information, commonly known as PII, is any data that can be used to identify a specific individual. It's a broad category that covers far more than most people expect, and understanding it is essential for anyone who runs a website, app, or online business.

Privacy laws around the world, including the GDPR in Europe and the DPDP Act in India, are built around this concept (both statutes use the term "personal data", which covers the same ground). If you collect it, you have legal obligations around how you store, use, and protect it.

What Counts as PII?

The obvious examples include full name, email address, phone number, home address, date of birth, and government ID numbers like a passport or Aadhaar number. But PII goes much further than that.

Less obvious forms of PII include IP addresses, which can be used to approximate a person's location and, combined with ISP records or login data, to identify them; under the GDPR even a dynamic IP address counts as personal data. Cookies and device identifiers that track a specific browser over time also qualify. And a combination of individually non-identifying attributes (so-called quasi-identifiers) such as a person's job title, employer, and city can become PII, because together they may match exactly one person.
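The quasi-identifier point is easy to check mechanically. The script below is an added example, not part of the original article: it runs over a small constructed table of records that hold no names or contact details, and reports which attribute combinations single out exactly one person (a "k-anonymity" of 1). The records, column names, and the threshold are all made up for the illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people). None of the columns is a direct
# identifier on its own, which is exactly the situation the article describes.
RECORDS = [
    {"job_title": "Engineer", "employer": "Acme Ltd", "city": "Pune"},
    {"job_title": "Engineer", "employer": "Acme Ltd", "city": "Pune"},
    {"job_title": "Engineer", "employer": "Acme Ltd", "city": "Mumbai"},
    {"job_title": "Designer", "employer": "Acme Ltd", "city": "Mumbai"},
    {"job_title": "Designer", "employer": "Globex", "city": "Pune"},
    {"job_title": "Engineer", "employer": "Globex", "city": "Pune"},
]

COLUMNS = ("job_title", "employer", "city")


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Size of the smallest group; k == 1 means at least one record is unique."""
    return min(group_sizes(records, columns).values())


def unique_combinations(records, columns):
    """Attribute combinations that match exactly one record (i.e. identify a person)."""
    return [key for key, n in group_sizes(records, columns).items() if n == 1]


def identifying_column_sets(records, columns):
    """Every subset of columns, of any size, whose combination singles out someone."""
    found = []
    for size in range(1, len(columns) + 1):
        for subset in combinations(columns, size):
            if k_anonymity(records, subset) == 1:
                found.append(subset)
    return found


if __name__ == "__main__":
    # Each column alone is 2-anonymous here, yet two of the three pairs leak identity.
    for col in COLUMNS:
        print(f"{col:10s} alone: k = {k_anonymity(RECORDS, (col,))}")
    for subset in identifying_column_sets(RECORDS, COLUMNS):
        print("identifying:", subset, "->", unique_combinations(RECORDS, subset))
```

In this sample no single column identifies anyone, and employer plus city still leaves every person in a group of two, but job title plus employer (or job title plus city) pins four of the six records to one individual. That is why a field that looks harmless in your data model can still need to be listed in the privacy policy.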

Sensitive PII

Some categories of PII are considered especially sensitive and require extra protection. These include health and medical information, financial information like bank account or credit card numbers, racial or ethnic origin, religious beliefs, political opinions, biometric data like fingerprints or facial recognition data, and sexual orientation. The GDPR calls most of these "special categories" of data and requires a specific legal basis, such as explicit consent, before you may process them. If your website collects any of them, collect only what you need, restrict who can access it, encrypt it in transit and at rest, and say clearly in your privacy policy that you collect it and why.

How Websites Accidentally Collect PII

Many website owners are surprised to discover they're collecting PII without realising it. Google Analytics, for example, receives each visitor's IP address with every hit it records. Contact forms collect names and emails. Comment sections collect usernames and sometimes email addresses. Even a simple newsletter signup captures PII, and your own web server and application logs usually record IP addresses and user agents. If you use any of these features, you are a data controller (the DPDP Act's term is "data fiduciary") under most privacy laws and you need a privacy policy that says so.

Your Responsibilities as a Website Owner

If you collect PII, you must tell your visitors what you collect and why, collect no more than you need for that purpose, store it securely and only for as long as necessary, never sell or share it with third parties beyond what you have disclosed and the user has agreed to, allow users to request access to, correction of, or deletion of their data, keep it accurate and up to date, and notify the regulator and affected users when it is breached where the law requires. These obligations aren't just ethical best practices: they're legal requirements in most countries.

How to Stay Compliant

Start by auditing your website to identify every point where you collect data: forms, analytics tools, comment systems, payment processors, embedded third-party scripts, and your own server logs. Then make sure your privacy policy clearly lists all of these. PolicyCraft makes this easy by letting you check exactly which types of data you collect and generating a customised policy that discloses them properly.
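A first pass at that audit can be automated. The script below is an added example and is not PolicyCraft's code or any code from the article: it parses a page's HTML, lists every form together with the fields that look like they collect PII, and flags scripts, frames and images loaded from third-party hosts that receive visitor data. The host watch-list, the field-name keywords and the sample page are all constructed for the illustration; a real audit would extend the watch-list to the vendors you actually use and would still need to cover scripts that tag managers inject at runtime, plus server logs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical watch-list: hosts that receive visitor data (at minimum the IP
# address) whenever their resources load. Extend it for your own vendors.
THIRD_PARTY_HOSTS = {
    "www.googletagmanager.com": "analytics",
    "www.google-analytics.com": "analytics",
    "js.stripe.com": "payments",
    "disqus.com": "comments",
}

# Keyword heuristic (assumption, not a standard): substrings of a field's name,
# type, id or autocomplete value that indicate a PII input. Order matters,
# since the first match wins.
PII_FIELD_HINTS = {
    "email": "email address",
    "tel": "phone number",
    "phone": "phone number",
    "address": "postal address",
    "dob": "date of birth",
    "birth": "date of birth",
    "passport": "government ID",
    "aadhaar": "government ID",
    "name": "name",
}


def classify_field(attrs):
    """Return a PII label for an input's attributes, or None if it looks harmless."""
    hints = " ".join(attrs.get(k, "") for k in ("name", "type", "autocomplete", "id")).lower()
    for needle, label in PII_FIELD_HINTS.items():
        if needle in hints:
            return label
    return None


def third_party_category(host):
    """Match a hostname against the watch-list, including subdomains of a listed host."""
    if not host:
        return None
    for listed, category in THIRD_PARTY_HOSTS.items():
        if host == listed or host.endswith("." + listed):
            return category
    return None


class CollectionPointScanner(HTMLParser):
    """Collect forms (with their PII fields) and third-party resource loads."""

    def __init__(self):
        super().__init__()
        self.current_form = None
        self.forms = []
        self.third_parties = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current_form = {"action": a.get("action", ""), "pii_fields": []}
            self.forms.append(self.current_form)
        elif tag in ("input", "textarea", "select") and self.current_form is not None:
            label = classify_field(a)
            if label:
                self.current_form["pii_fields"].append((a.get("name", "?"), label))
        elif tag in ("script", "iframe", "img"):
            host = urlparse(a.get("src", "")).hostname
            category = third_party_category(host)
            if category:
                self.third_parties.append((tag, host, category))

    def handle_endtag(self, tag):
        if tag == "form":
            self.current_form = None


def scan(html):
    """Parse one page and return the data-collection points found in it."""
    scanner = CollectionPointScanner()
    scanner.feed(html)
    scanner.close()
    return {"forms": scanner.forms, "third_parties": scanner.third_parties}


# Constructed sample page for the demonstration (not a real site).
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="/static/app.js"></script>
</head><body>
<form action="/contact" method="post">
  <input type="text" name="full_name">
  <input type="email" name="email">
  <input type="tel" name="phone">
  <textarea name="message"></textarea>
  <input type="hidden" name="csrf_token" value="abc">
  <button type="submit">Send</button>
</form>
<form action="/newsletter" method="post">
  <input type="email" name="subscriber">
</form>
<iframe src="https://js.stripe.com/v3/elements"></iframe>
<script src="https://example.disqus.com/embed.js"></script>
</body></html>"""

if __name__ == "__main__":
    result = scan(SAMPLE_HTML)
    for form in result["forms"]:
        print(f"form {form['action']}: {form['pii_fields'] or 'no PII fields detected'}")
    for tag, host, category in result["third_parties"]:
        print(f"third party <{tag}> {host} ({category})")
```

Run it against the sample and it reports a contact form collecting a name, an email address and a phone number, a newsletter form collecting an email address (detected from the input type even though the field name is innocuous), and three third-party loads: an analytics script, a payment frame and a comment-system script. Each of those is a line your privacy policy needs to cover.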