If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

PII (Personally identifiable information)

Personally identifiable information (PII) refers to data that can directly or indirectly identify individuals.

Direct identification

The following PII directly identify an individual:
PII typeExample
NameKavita Hawkins
Social Security number123-45-6789
Biometric data
A fingerprint

Indirect identification

A name or a thumbprint are obvious examples of PII. It's not always that straightforward, however.
Consider a phone number:
Using just the phone number, could you directly identify a person? Probably not. Yet, if you also had a phone book for the 408 area code, you probably could.
In other words, the phone number when linked with the phone book could indirectly identify someone.
This example highlights another form of PII: linkable PII, which refers to data that can be combined from separate sources to identify individuals.
Common examples include:
PII typeExample
RaceAmerican Indian
Location116 Broadway, NYC, NY, 10027
Medical dataDate of visit: March 12, 2020, Diagnosis: Flu

Is X considered PII?

Classifying information as PII is challenging. For example, one view of IP addresses suggests they are not PII since they identify computers instead of individuals. On the other hand, IP addresses could be considered PII since they often identify geographical locations and act as linkable PII. The correct classification is unclear.
Even if data is not considered to be PII in the present, it may be in the future. If a future government law enforces that an individual owns a set of IP addresses, then IP addresses will become PII by definition. The classification of data as PII can change over time.
Linkable PII makes this classification even more difficult. For example, you can use the timestamps from someone's social media posts to infer the timezone they live in. If that person also posts a photo of a restaurant they ate at, you can use the timezone to figure out where the restaurant could be located. At this point, you could form an approximate idea of where a person lives or who they are! All from linking timestamps with a restaurant photo.
🤔 In this fictional example, do you think the linkable PII was the restaurant photo or the timestamps? What are other examples of data that could be classified as direct PII or linkable PII?

PII theft

Attackers can steal PII from companies, often known as a data breach.
In 2017, the consumer credit agency Equifax was the victim of a data breach, and attackers had access to the PII of 143 million Americans. The PII included Social Security numbers and credit card numbers. 1
Once attackers had access to that data, they could use the Social Security numbers to impersonate people or use the credit card numbers to make unauthorized purchases.
How would you know if you were a victim of a data breach? The breached organization will hopefully notify you, but services like HaveIBeenPwned can also provide an answer.
Here's an example from HaveIBeenPwned for a generic email address:
Screenshot from HaveIBeenPwned.com. Includes text "Check if you have an account that has been compromised in a data breach", then a text field with the email address "hello@example.com", a button that says "pwned?". Results underneath say "Oh no - pwned! Pwned on 26 breached sites and found 1 paste (subscribe to search sensitive breaches)"

PII regulations

Because PII falling into the wrong hands can hurt the lives of its owners, laws regulate how institutions store and process PII.
For instance, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) regulates medical PII, whereas the Children's Online Privacy Protection Act (COPPA) regulates the PII of children. In Europe, most forms of PII are regulated under a law called General Data Protection Regulation (GDPR). If you ever develop a website or app that deals with PII of users in those jurisdictions, you’ll have to follow these regulations.


As users, it's best to only give out our PII to online services when it's necessary—and it's almost never necessary to give out government identifiers like a Social Security number.
We should also be careful about our posts on social media. Even if our posts are not clearly PII now, there could be things about that data that we don't yet understand that make it linkable PII in the future.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • blobby green style avatar for user ysheikhkassim
    So can people link your information just from your name or phone number?
    (32 votes)
    • leaf green style avatar for user SwissGerman
      Yes! There are numerous websites where you can link someone's phone number to their name, or vice versa. Whitepages is a good example of this. However, you can also look up some things, like phone numbers, in phone books or other more traditional collections of personal information to find out who exactly someone is and where they live.
      (36 votes)
  • old spice man blue style avatar for user 𝕊𝕠𝕣𝕥𝕙𝕚𝕠𝕦𝕤
    "When you see an ad on a site that seems personalized to your interests, do you feel happy that it's catering to you or mad that it knows you so well?" -from the article to Discuss

    They don't "know you so well", they made a guess. When a company says that it is collecting information to make my experience better, I hear, "We want to know all about you, so we can bombard you with Ads, and make using a search engine worthless. When I first started using search engines you could get EXACTLY what you were looking for. Now? Now, no matter what you search for, you have to wade through ads to find what you want. Algorithms to make search engines better have made them worse, because they seem to be geared toward promoting sales, not information. Amazon is good example of how bad Search Engines have gotten. If you search for Batteries, the results will return every conceivable item that could possibly be related to and/or used with a battery. Using the filters on Amazon to narrow your search is a waste of time, as they still try to push items you aren't searching for on you. So, you spend an hour looking for an item, when it should have taken less than 5mins. This, in my opinion, is not making my experience better.
    (53 votes)
    • leaf green style avatar for user Shane McGookey
      You bring up an interesting trade-off between the economic pursuits of the host company and user experience.

      To extend the discussion, how do you feel a given company could promote its partner's interests (i.e. display advertisements) without detrimenting the user experience? Do you have any suggestions?

      Interesting discussion topic, nice work!
      (25 votes)
  • blobby green style avatar for user 40443
    how can we safeguard our social security or credit card?
    (17 votes)
    • starky ultimate style avatar for user KLaudano
      Here are some tips for keeping your information safe.

      1) Never enter sensitive information on a public computer.

      2) Never enter sensitive information into a website unless you are certain you can trust it.

      3) Never enter sensitive information when connected to a public wifi network.

      4) Never email sensitive information, even if you receive an email from what looks like a legitimate organization asking for your information.

      5) Never insert a flash drive into your computer if it is not yours.

      6) Do not download (and especially run) files unless you are confident that they are safe.
      (70 votes)
  • blobby green style avatar for user Eric West
    how can a PII from social media be a PII later but not be a PII in a former instance?
    (14 votes)
    • blobby green style avatar for user Miona N
      The more personal details you contribute through your history of posting on social media, the more contextual info a person viewing it has about you over time. Just knowing that you live in X city is random info. Your name + city + what school you went to for the 5 year reunion + which sports you like + photos from the same park, same time of day you always post on weekends, all start painting a more specific image of who you are, what you have, and your habits. This becomes an aggregate of information which could be exploited. Sorry it's general and long-winded but I hope it gives you an idea of how random info collected over time can become specific and relevant.
      (28 votes)
  • aqualine ultimate style avatar for user si.sanvi2
    at a doctor's appointment i put my real info but at other places i don't why?
    (13 votes)
    • leaf green style avatar for user SwissGerman
      A doctor is someone you can trust with your information, since the government has put laws in place that prevent them from exposing your PII. Other places, like suspicious websites, aren't as secure. Some websites will want to steal your information to use it for malicious purposes. However, doctors just need to know some of your information (personal medical history, family medical history, who you are, where you live, etc) so they can help you when you get sick, both by making sure to treat your illness better and identify its cause.
      (27 votes)
  • duskpin ultimate style avatar for user Hui Jun Chen
    my head hurts because of all this info! can someone briefly explain?
    (12 votes)
    • area 52 purple style avatar for user John Smith
      In a nutshell, PII is information that can be used to identify you online. It includes things like phone numbers, social security numbers, fingerprints, names, and so on.

      There are two types of PII: direct and indirect. Direct PII can immediately let someone know who you are. Indirect PII differs from direct PII because it usually has to be combined with other information in order to identify you.

      Many legal gray areas exist when it comes to PII, such as the IP address. It can be used to find your location, even though technically it is not considered PII yet.

      Finally, laws in every country regulate how PII is used. For example, the USA has HIPAA and Europe has GDPR. Both of these laws regulate companies' uses of their customers' PII. This is important, as data breaches and irresponsible use of PII can lead to identity theft.

      I hope this helped, and please let me know if you have any more questions!
      (21 votes)
  • leafers seed style avatar for user mlmosely1
    is there decent PII laws for people.
    (11 votes)
  • duskpin tree style avatar for user Tezi the turtle
    I wonder what pwned means :(
    (8 votes)
    • starky tree style avatar for user frank ocean
      PWNED is most commonly used in sport or online gaming with the meaning "Owned or Truly Beaten" to indicate that a player has suffered or inflicted a humiliating defeat. The term PWNED almost certainly derives from the erroneous typing of OWNED. (The letters P and O are next to each other a standard keyboard.)
      (13 votes)
  • blobby green style avatar for user TysonTheTubaPlayer
    why am i doing this
    (10 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Kyle Chmielowski
    When is it ever acceptable to give a social security number? Is it ok to put a social security number on a job application if it is from a reputable organization?
    (6 votes)
    • starky ultimate style avatar for user KLaudano
      You will generally need your social security number when doing things related to finances such as taking out loans or filing taxes. You probably would not need to put your social security number on a job application, however, if you accept a job offer, you will need to provide it for tax forms.
      (8 votes)