Personal identification information (PII) can broadly be defined as any information that can be used to identify an individual. So, what exactly is PII? This could include your name, social security number, date of birth, and any other identifying information. Non-sensitive PII, on the other hand, refers to data that does not typically identify an individual, such as their street address. Who Uses PII? PII is widely used in both the public and private sectors, including the following:
- Government agencies Government agencies use PII to carry out their functions, such as delivering services or enforcing laws.
- Businesses PII is used by businesses↗ to identify and contact customers, track sales and marketing efforts, and measure customer satisfaction.
- Employers Employers use PII for various reasons, including verification of employment eligibility, processing payroll, and providing benefits information.
- Education services Schools and universities also collect PII, usually for enrollment or financial aid purposes.
- Medical institutions Healthcare providers use PII to provide care to their patients as they need access to medical history in order to provide the best possible care.
- Insurance agencies Insurers use PII to determine eligibility for coverage and set premiums. They also use it to process claims and investigate fraud.
- Banks Banks use PII to identify their customers and prevent fraud. They also use it to process transactions and for marketing purposes.
How to Protect PII Online security is a big concern for everyone, especially when protecting personal information↗. Here are some best practices for protecting PII:
- Use strong passwords and change them often.
- Be aware of what you're sharing online—only share information that you're comfortable with others knowing.
- Use antivirus and malware software to protect your computer from online threats.
- Install a firewall on your computer and update it regularly.
- Don't open suspicious emails or attachments, or at least be sure to scan them with antivirus software before opening.
- Be careful about where you browse online—don't visit unfamiliar websites or download files from unknown sources.
- Keep your operating system and applications up-to-date with the latest security patches.
PII Security Policies It is more important than ever for organizations to have comprehensive security policies in place to protect PII↗. If this data falls into the wrong hands, it can be used to commit identity theft or other crimes. According to the National Institute of Standards and Technology (NIST), organizations should have a PII security policy in place to protect sensitive information. A PII security policy should identify who is responsible for implementing and enforcing it and what steps need to be taken to protect PII. The policy should also specify how long PII should be retained and when it should be destroyed. One of the most important aspects of protecting PII is ensuring that all employees know the organization's security policies and how they should handle sensitive information. Employees should be trained to identify PII, protect it, and know what to do if they suspect it has been compromised. Organizations should also have protocols in place for responding to data breaches. If PII is compromised, the organization must take steps to notify affected individuals and mitigate any damage. PII security policies are critical because they help ensure that sensitive data is protected from unauthorized access or disclosure. Organizations that don't have a PII security policy in place are at greater risk of a data breach, which can harm their reputation and result in financial losses.
PII Collection Points in Your eCommerce Stack
Your eCommerce platform collects PII at multiple touchpoints, and each one represents a risk if not properly secured. When a customer creates an account on Shopify or BigCommerce, you're capturing their name, email, phone number, and shipping address. Your payment processor then handles credit card data (though you should never store full card numbers yourself). Email marketing platforms like Klaviyo store customer profiles linked to purchase history. Google Analytics and Meta Pixel track behavior tied to email addresses or customer IDs.
The problem: these systems talk to each other. Your Shopify store syncs customer data to your email tool, which connects to your ad platform. Each connection is a potential exposure point. A breach in any single tool can compromise your entire customer database.
Start by mapping where PII flows in your stack. Document which platforms have access to what data. Then audit their security certifications—look for SOC 2 compliance or ISO 27001. Ask your vendors directly: Do they encrypt data in transit and at rest? Who has access to your data? How long do they retain it? These questions should be part of your vendor contracts.
You should also implement data minimization. If Klaviyo doesn't need your customers' phone numbers to send emails, don't send them. The less PII floating around your ecosystem, the smaller your attack surface.
Creating a Data Retention Schedule for Your Brand
Storing PII longer than necessary is a liability. GDPR and state privacy laws like CCPA require that you can justify why you're holding onto customer data. Many eCommerce brands keep customer records indefinitely "just in case," but this increases your breach risk and your legal exposure.
Define a retention schedule: How long do you need shipping addresses after fulfillment? Typically 30–90 days after delivery is sufficient. Payment information? You should never store full card details; your processor handles that. Customer email addresses? If they haven't engaged with your brand in 24 months, you may not need them. Deletion requests? You should have an automated process to purge records within 30 days of a customer asking (a DSAR or "right to be forgotten" request).
Document your schedule in your privacy policy so customers understand what happens to their data. Then enforce it—set calendar reminders or use automated tools to delete old records. This isn't just legal hygiene; it's practical risk management. Fewer records mean a smaller breach surface and lower costs if you ever do face a compromise.