If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

PII (Personally identifiable information)

AP.CSP:
IOC‑2.A (LO)
,
IOC‑2.A.1 (EK)
,
IOC‑2.A.10 (EK)
,
IOC‑2.A.5 (EK)
Personally identifiable information (PII) refers to data that can directly or indirectly identify individuals.

Direct identification

The following PII directly identify an individual:
PII typeExample
NameKavita Hawkins
Social Security number123-45-6789
Biometric data
A fingerprint

Indirect identification

A name or a thumbprint are obvious examples of PII. It's not always that straightforward, however.
Consider a phone number:
(408)-930-0000
Using just the phone number, could you directly identify a person? Probably not. Yet, if you also had a phone book for the 408 area code, you probably could.
In other words, the phone number when linked with the phone book could indirectly identify someone.
This example highlights another form of PII: linkable PII, which refers to data that can be combined from separate sources to identify individuals.
Common examples include:
PII typeExample
Age25
RaceAmerican Indian
Location116 Broadway, NYC, NY, 10027
Medical dataDate of visit: March 12, 2020, Diagnosis: Flu

Is X considered PII?

Classifying information as PII is challenging. For example, one view of IP addresses suggests they are not PII since they identify computers instead of individuals. On the other hand, IP addresses could be considered PII since they often identify geographical locations and act as linkable PII. The correct classification is unclear.
Even if data is not considered to be PII in the present, it may be in the future. If a future government law enforces that an individual owns a set of IP addresses, then IP addresses will become PII by definition. The classification of data as PII can change over time.
Linkable PII makes this classification even more difficult. For example, you can use the timestamps from someone's social media posts to infer the timezone they live in. If that person also posts a photo of a restaurant they ate at, you can use the timezone to figure out where the restaurant could be located. At this point, you could form an approximate idea of where a person lives or who they are! All from linking timestamps with a restaurant photo.
🤔 In this fictional example, do you think the linkable PII was the restaurant photo or the timestamps? What are other examples of data that could be classified as direct PII or linkable PII?

PII theft

Attackers can steal PII from companies, often known as a data breach.
In 2017, the consumer credit agency Equifax was the victim of a data breach, and attackers had access to the PII of 143 million Americans. The PII included Social Security numbers and credit card numbers. start superscript, 1, end superscript
Once attackers had access to that data, they could use the Social Security numbers to impersonate people or use the credit card numbers to make unauthorized purchases.
How would you know if you were a victim of a data breach? The breached organization will hopefully notify you, but services like HaveIBeenPwned can also provide an answer.
Here's an example from HaveIBeenPwned for a generic email address:
Screenshot from HaveIBeenPwned.com. Includes text "Check if you have an account that has been compromised in a data breach", then a text field with the email address "hello@example.com", a button that says "pwned?". Results underneath say "Oh no - pwned! Pwned on 26 breached sites and found 1 paste (subscribe to search sensitive breaches)"

PII regulations

Because PII falling into the wrong hands can hurt the lives of its owners, laws regulate how institutions store and process PII.
For instance, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) regulates medical PII, whereas the Children's Online Privacy Protection Act (COPPA) regulates the PII of children. In Europe, most forms of PII are regulated under a law called General Data Protection Regulation (GDPR). If you ever develop a website or app that deals with PII of users in those jurisdictions, you’ll have to follow these regulations.

Recommendations

As users, it's best to only give out our PII to online services when it's necessary—and it's almost never necessary to give out government identifiers like a Social Security number.
We should also be careful about our posts on social media. Even if our posts are not clearly PII now, there could be things about that data that we don't yet understand that make it linkable PII in the future.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • blobby green style avatar for user 40443
    how can we safeguard our social security or credit card?
    (10 votes)
    Default Khan Academy avatar avatar for user
    • starky ultimate style avatar for user KLaudano
      Here are some tips for keeping your information safe.

      1) Never enter sensitive information on a public computer.

      2) Never enter sensitive information into a website unless you are certain you can trust it.

      3) Never enter sensitive information when connected to a public wifi network.

      4) Never email sensitive information, even if you receive an email from what looks like a legitimate organization asking for your information.

      5) Never insert a flash drive into your computer if it is not yours.

      6) Do not download (and especially run) files unless you are confident that they are safe.
      (43 votes)
  • old spice man blue style avatar for user 𝕊𝕠𝕣𝕥𝕙𝕚𝕠𝕦𝕤
    "When you see an ad on a site that seems personalized to your interests, do you feel happy that it's catering to you or mad that it knows you so well?" -from the article to Discuss

    They don't "know you so well", they made a guess. When a company says that it is collecting information to make my experience better, I hear, "We want to know all about you, so we can bombard you with Ads, and make using a search engine worthless. When I first started using search engines you could get EXACTLY what you were looking for. Now? Now, no matter what you search for, you have to wade through ads to find what you want. Algorithms to make search engines better have made them worse, because they seem to be geared toward promoting sales, not information. Amazon is good example of how bad Search Engines have gotten. If you search for Batteries, the results will return every conceivable item that could possibly be related to and/or used with a battery. Using the filters on Amazon to narrow your search is a waste of time, as they still try to push items you aren't searching for on you. So, you spend an hour looking for an item, when it should have taken less than 5mins. This, in my opinion, is not making my experience better.
    (22 votes)
    Default Khan Academy avatar avatar for user
    • leaf green style avatar for user Shane McGookey
      You bring up an interesting trade-off between the economic pursuits of the host company and user experience.

      To extend the discussion, how do you feel a given company could promote its partner's interests (i.e. display advertisements) without detrimenting the user experience? Do you have any suggestions?

      Interesting discussion topic, nice work!
      (9 votes)
  • aqualine ultimate style avatar for user si.sanvi2
    at a doctor's appointment i put my real info but at other places i don't why?
    (7 votes)
    Default Khan Academy avatar avatar for user
    • leaf green style avatar for user SwissGerman
      A doctor is someone you can trust with your information, since the government has put laws in place that prevent them from exposing your PII. Other places, like suspicious websites, aren't as secure. Some websites will want to steal your information to use it for malicious purposes. However, doctors just need to know some of your information (personal medical history, family medical history, who you are, where you live, etc) so they can help you when you get sick, both by making sure to treat your illness better and identify its cause.
      (15 votes)
  • blobby green style avatar for user Eric West
    how can a PII from social media be a PII later but not be a PII in a former instance?
    (7 votes)
    Default Khan Academy avatar avatar for user
    • blobby green style avatar for user Miona N
      The more personal details you contribute through your history of posting on social media, the more contextual info a person viewing it has about you over time. Just knowing that you live in X city is random info. Your name + city + what school you went to for the 5 year reunion + which sports you like + photos from the same park, same time of day you always post on weekends, all start painting a more specific image of who you are, what you have, and your habits. This becomes an aggregate of information which could be exploited. Sorry it's general and long-winded but I hope it gives you an idea of how random info collected over time can become specific and relevant.
      (14 votes)
  • blobby green style avatar for user ysheikhkassim
    So can people link your information just from your name or phone number?
    (7 votes)
    Default Khan Academy avatar avatar for user
    • leaf green style avatar for user SwissGerman
      Yes! There are numerous websites where you can link someone's phone number to their name, or vice versa. Whitepages is a good example of this. However, you can also look up some things, like phone numbers, in phone books or other more traditional collections of personal information to find out who exactly someone is and where they live.
      (10 votes)
  • leafers seed style avatar for user mlmosely1
    is there decent PII laws for people.
    (6 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user maldonadoa2027
    what is one way we can protect ourselves from our information
    (6 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user killingswortht2027
    what is one way I can be safe online?
    (6 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user LANDYNS
    how do you get PII from a person there self.
    (5 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user williamsl2027
    how do we stay safe and not any hacker steals ur information?
    (4 votes)
    Default Khan Academy avatar avatar for user
    • starky sapling style avatar for user s243000
      Make sure that you are aware of the information you spread online, that the information is going to a unarguably trustworthy place. For the "hacker" issue, if you use information when needed and make sure it is removed from the device after, there is no information on the device for the hacker to steal.
      Hope this helped,
      Bye
      (2 votes)