It’s Time for Privacy Pros to Make a Strategic Shift
The importance of effective data privacy can no longer be ignored.
Read NowGet an overview of the simple, all-in-one data privacy platform
Manage consent for data privacy laws in 50+ countries
Streamline and automate the DSAR workflow
Efficiently manage assessment workflows using custom or pre-built templates
Streamline consent, utilize non-cookie data, and enhance customer trust
Automate and visualize data store discovery and classification
Ensure your customers’ data is in good hands
Key Features & Integrations
Discover how Osano supports CPRA compliance
Learn about the CCPA and how Osano can help
Achieve compliance with one of the world’s most comprehensive data privacy laws
Key resources on all things data privacy
Expert insights on all things privacy
Key resources to further your data privacy education
Meet some of the 5,000+ leaders using Osano to transform their privacy programs
A guide to data privacy in the U.S.
What's the latest from Osano?
Data privacy is complex but you're not alone
Join our weekly newsletter with over 35,000 subscribers
Global experts share insights and compelling personal stories about the critical importance of data privacy
Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start a privacy program
Upcoming webinars and in-person events designed for privacy professionals
The Osano story
Become an Osanian and help us build the future of privacy!
We’re eager to hear from you
Updated: September 23, 2024
Published: August 17, 2022
We’re officially in an era where navigating data privacy regulations — and striving for constant compliance — are expected, commonplace practices. But among the nuances and stipulations attached to data privacy compliance, organizations must also learn the wealth of terminology and definitions behind it all.
Your organization is expected to understand, at least at a basic level, how to interpret this new lexicon — and how it applies in the data privacy world. Especially when several terms seem to hold similar definitions. Shouldn’t “personally identifiable information” (PII) mean the same as “personal information” (PI)?
Not necessarily.
The good news? We’re here to break down PII versus PI (and one other commonly confused phrase) for you. Here are three terms that we’ll cover in this article:
Depending on the jurisdiction, the term “personal data” can take on varied meanings. But as an umbrella definition, “personal data” refers to digital or analog information that can be used to identify a specific person.
Personal data can include a person’s name, address, email address, IP address, phone number, Social Security number, banking information, and more.
That said, context matters. Take the name Jane Smith. With no other information attached to the name, jurisdictions wouldn’t consider it personal data for any legal reason. Many Jane Smiths exist in the world, and if there’s only a name to go off of, there’s no way to know which Jane Smith is in question.
However, if Jane Smith has a street address and phone number attached to her name in a single location or file, most jurisdictions would call that personal data. As such, companies in possession of Jane’s data are beholden to data privacy regulations.
Bottom line? The more info you have on a person (especially when collected in a single place), the more “personal” the data becomes.
To ensure your organization is compliant with all relevant data privacy laws and regulations, understanding the definition of “personal data” across jurisdictions is imperative. Of course, the definition can vary — geographically, legally, and otherwise — which means you must give careful consideration to how you interpret it.
Here’s something that’ll confuse you: Technically, all personally identifiable information (PII) is considered personal data, but not all personal data is considered PII.
They’re not mutually exclusive.
PII consists of any information about a person — including data that can trace or distinguish their identity — and any information that can be linked to them (like medical, financial, or employment data). But personal data on its own doesn’t always consist of all those identifiers.
When we talk about distinguishing a person’s identity, that means identifying one individual over another using specific data (like the Jane Smith example). Tracing that individual means you’re processing enough data to understand aspects of that person’s status or activities. As such, personal information like name, email, phone number, Social Security number, etc. are considered PII.
From a zoomed-out perspective, the greatest difference between personal data and PII is that PII is often used to differentiate one person from another, while personal data includes any information related to a living individual, whether it distinguishes them from another individual or not. Again, think of Jane Smith. Jane’s name is her personal data, but it isn’t PII since there are many Jane Smiths out there.
Still, depending on the data privacy regulations your organization is beholden to — i.e., the GDPR or others like it — the definition of PII can vary.
We provide insight here into how several data privacy laws interpret the phrase.
The term “personal information,” or PI, is most often used in one particular data protection law: the California Consumer Privacy Act (CCPA).
Though PI and PII are closely related, the CCPA defines PI as:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
However, this doesn’t include information that has been made publicly available by the local, state, or federal government. Still, identifiers that can be linked to a California resident include those similar to PII identifiers: a person’s name, address, email, Social Security number, etc.
One notable difference when it comes to PII versus PI? Personal information, under the California law, also constitutes data like IP addresses; biometric, location, or audio information; and personal device identifiers.
The definition of “sensitive information” — also known as “sensitive data” — is a bit different from one data privacy law to another.
As an overarching definition, sensitive information is personal data that most jurisdictions believe should be treated with a higher standard of care. To protect it, your company may have to apply greater security measures. And, depending on the law, it’s possible you’ll need different kinds of consent to collect it.
If your organization allows unauthorized access to a data subject’s sensitive information, you face a greater risk of being penalized by data protection authorities. Permitting excessive access to sensitive data leaves a data subject open to various forms of harm and/or discrimination based on, for example, their sexual orientation, religious beliefs, private health matters, and the like.
Additionally, depending on location, sensitive information may comprise data collected from children. The latest GDPR regulations allow children 16 and older to consent to having their data processed on their own. Parental consent is required for children 13 to 15; children under 13 cannot, under any circumstances, provide consent themselves.
Like PI, sensitive information isn’t collected from unrestricted directories; it doesn’t include any data that the government makes available to the public.
Similar to the other terms previously listed, the way each data privacy law interprets sensitive information varies. For that reason, check your jurisdiction’s definitions before your organization collects personal information.
The other half? Knowing what kind of data you collect and where it lives.
While the amount of jargon associated with data privacy can be dizzying, keeping up with it all is imperative. Understanding the subtle nuances behind PII vs. PI and how each data privacy law interprets them will get you far.
But you’ll go even farther when you’re able to keep track of the data your company collects. Data discovery tools can make it easier. Because understanding your data is the first step in understanding the privacy laws (and all of the lingo) attached to it.
Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.
Download Now
Osano Staff is pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet.
Osano is used by the world's most innovative and forward-thinking companies to easily manage and monitor their privacy compliance.
With Osano, building, managing, and scaling your privacy program becomes simple. Schedule a demo or try a free 30-day trial today.