Personally Identifiable Information (PII)

By Michael X. Heiligenstein
November 30, 2020
Privacy

Personally identifiable information (PII) refers to any information that can be used to identify someone. Your name, for instance, or your social security number, are both personally identifiable: you can identify yourself by either, and other people can use your them to identify you.

Not all personal information is personally identifiable. Your shoe size, for instance, is personal information that cannot be used to identify you – most of the time.

In the right context, however, almost any personal information can become personally identifiable. If a detective investigating a crime scene comes across footprints that match yours, suddenly your shoes and their sizing become personally identifiable.

On its own, that one piece of personally identifiable information does not prove you were there. One piece of personally identifiable information is not always enough to identify someone with certainty.

Even a name isn’t perfectly identifiable; speaking from personal experience, even the Michael Heiligensteins of the world have uncles who are also named Michael Heiligenstein. If your name is John Smith, it’s probably even harder for someone you don’t know to identify you on name alone.

Admittedly, if I write my name as Michael X. Heiligenstein, I’m pretty sure my name is distinct among living residents of Earth. But let’s take away the last name, and let “Michael” stand on its own – all of a sudden I share my name with 4.4 million Americans, as well as over 1,000 art and crafts stores.

Now let’s say your name were Michael Jordan – and you were not the professional basketball player. In this case, you’ll forever be known as the other Michael Jordan. Even if you became a famous actor in your own right, you’d go by Michael B. Jordan. As you can see, even names on their own aren’t a completely accurate personal identifier.

Types of Personally Identifiable Information

The most important distinction between types of personally identifiable information is how confidential you should keep it. Some types of PII should be kept top secret. Your social security number is a great example: for financial purposes, it is often the key to your identity.

Other pieces of personally identifiable information are semi-public – your name or address, for example. That doesn’t mean you have to share this information with everyone, and I would strongly advise against publicizing information like your birthdate and address on social media.

In sensitive scenarios, such as opening a bank account or crossing a border into another country, semi-public details on their own are not enough to prove who you are. To open a bank account, you’ll need to give them your social security number. To cross a border, you need to identify yourself with a passport.

Top secret personally identifiable information is useful for these purposes because it’s secret. It’s much harder for an identity thief to know your social security number than your name, making your SSN a much better proof of your identity.

It goes without saying, but you should guard your top secret personally identifiable information as closely as possible. You should never share this information unless you absolutely trust the person you’re talking to, are certain they are who they say they are, and fully understand why they need this particular piece of information.

You should never give out this critical information in response to an unsolicited call or email. If someone calls and asks for this type of information, you should end the call, look up the official number, and call that number. By looking up their contact information independently and calling them directly, you minimize the chances a scammer will mislead you into giving away your information.

Top Secret Personally Identifiable Information Examples:

  • Social Security Number
  • Driver’s license number
  • Passport number
  • Car registration
  • Employer Identification Number

Semi-Public Personally Identifiable Information Examples:

  • Name
  • Date of birth
  • Age
  • Address
  • Email address
  • Phone number
  • Social media handles
  • Job
  • Family relationships
  • Education and graduation year
  • License plate number
  • IP Address
  • Appearance

How Companies Track and Use Personally Identifiable Information

For marketing and sales purposes, companies track your behavior online and compile a profile based on your activity. These companies include not only tech companies, such as Google and Facebook, but also major brands and smaller websites as well. As these companies develop a profile based on your activities, they then use this information to put relevant offers in front of you, so as to boost their sales.

These companies have a few ways to track users. Cookies, little packets of text data stored on your web browser, are common on the web. Some cookies are necessary to maintain a basic website experience. Without cookies, for instance, a website wouldn’t even be able to keep track of what you have in your shopping cart.

Many websites also use tracking pixels. A tracking pixel is just what it sounds like: an image of a single pixel hidden on a web page. When your computer loads the pixel, the website knows you visited the page or opened the email. They can also learn details like your IP address and screen resolution.

Much of this information is not personally identifiable – on its own, at least. Let’s say Adidas tracks your behavior on their website. You look at three pairs of shoes before settling on one and purchasing it. Adidas keeps a record of this behavior, which is not personally identifiable on its own.

But when sites connect this behavioral information to a profile along with your name, address, and credit card, all of which you gave them when you made a purchase, all of a sudden the entire packet of information becomes personally identifiable. So information like your browsing and purchase history is not personally identifiable on its own – but in the context of a broader profile on you, it becomes personally identifiable.

Sometimes this profile persists across multiple websites. Online ad networks such as Google AdSense track your behavior across thousands of websites and apps. With information coming from more than one source, these networks can develop a much more sophisticated consumer profile than one website on its own.

How to Protect Your PII Online

As you might expect, your top secret information is the most important personally identifiable information to protect. Fortunately, very few organizations collect this type of information. If a website ever asks for top secret info, stop and carefully ask yourself the following questions.

  • Do I absolutely trust this website or person?
  • Am I completely certain they are who they say they are?
  • Do I understand why they need this information, and how they intend to use it?

As a general rule, you should not give up your top secret PII except to a legitimate government organization or well-established company. When possible, you should visit in-person instead of online. Your chances of being scammed in response to an unsolicited call or email are very high. They’re much lower if you go to the website on your own, and close to zero if you go to the bank or DMV in person.

Unfortunately, you just can’t automatically trust that someone is who they say they are. It’s surprisingly easy for scammers to impersonate someone over the phone: websites, email addresses, and caller IDs can all be faked to look just like the real thing.

You should also make sure you understand why someone needs your information, and how they intend to use it. For most cases, these types of ID are used to verify your identity. The reason banks ask for your social security number is, in fact, so that they can be verify your identity. The same goes for getting a passport or driver’s license; because these can be used for identification purposes, government offices want to be as certain as possible that you are who you say you are.

Semi-public personal information is a different story. You can’t hide it from everyone, but you can limit who has access to it. To protect your identity, you should share as little detail with as select a circle as possible. Details like your date of birth and address should not be made publicly available unless absolutely necessary. Remember, an identity thief needs not only your top secret information, but semi-public information as well to steal your identity.

What can you do about companies tracking you online? A lot of that depends on where you live – in places like California and the European Union, laws exist requiring companies to allow users to opt out of tracking. When given the option, you should as a general rule deny companies the ability to track you online.

If you don’t have the ability to opt out of these requests, you don’t have a lot of options to prevent websites from tracking you. Even if you use incognito mode on your browser, the websites you visit are still collecting information tied to your IP address. If you want more control over your privacy online, arguably the best thing you can do is write your political representatives and advocate for your right to privacy.

Stay vigilant.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.