We live in a world where technology is constantly advancing. With this advancement comes new ways for our personal confidential and sensitive information to be compromised. From credit card numbers to social security numbers, our personal information is valuable to hackers and identity thieves. By protecting our personal information, we can reduce the risk of becoming a victim of identity theft or fraud.
What Is PII?
What is considered PII and why is protecting PII so important? When it comes to personally identifiable information (PII), there is a lot of ambiguity surrounding the term. This is because PII can refer to a wide range of data points, both big and small. Generally speaking, PII refers to any information that could potentially be used to identify an individual. This might include anything from a person's name and address to their Social Security number or driver's license number. It can also include less obvious data points, like date of birth or credit score. In short, any bit of information that could be used to uniquely identify someone falls under the category of PII.
There are a few reasons why PII is so important. For one thing, it can be used by identity thieves to commit fraud. Additionally, PII can also be used by companies for marketing purposes.
What Is Personal Data?
Okay, so what is personal data and what information does it cover? Data can be classified into two types: public and private. Public data is information that is available to anyone who wants to see it, such as the name of a company or the addresses of its shareholders. Private data, on the other hand, is information that is kept confidential and is not released to the public. This includes information about an individual's health, finances, and contact information.
Personal data is a type of private data that refers specifically to information about an individual. It can include anything from a person's name and address to their social security number and bank account details. Personal data is often collected by companies in order to better understand their customers and target them with relevant advertising.
There are a number of ways for individuals to protect their personal data. One of the most important things people can do is be aware of how much personal information they are sharing online.
How Is PII Different From Personal Data?
And how does PII differ from Personal Data? When most people think of personal data, they think of PII. However, there is a distinction between the two that is often misunderstood. PII consists of any information that can be used to uniquely identify an individual. Personal data, on the other hand, refers to all other types of information about an individual. This can include contact information, medical records, financial records, and more.
The distinction between PII and personal data is important because different laws and regulations apply to each. For example, PII is protected by the Health Insurance Portability and Accountability Act (HIPAA), while personal data is protected by the General Data Protection Regulation (GDPR).
How Should Organizations Handle PII and Personal Data?
The handling of personal data and the protection of sensitive information is a critical issue for all organizations. The safekeeping of personally identifiable information (PII) is essential to the security and privacy of individuals.
There are a number of steps that organizations can take to protect PII. One important step is to create a data protection policy, which should outline the procedures that the organization will follow to protect PII. The policy should also specify who is responsible for each step in the process and how often the policy will be reviewed.
Another important step is to secure the computer systems that store personal information. Organizational networks should be protected with firewalls and anti-virus software. Access to PII should be restricted to authorized personnel only. Organizations must also ensure that they are compliant with applicable data protection laws.
eCommerce also poses threats to private information. If you’d like to learn more about this topic, check out our posts on eCommerce privacy policies or privacy policies for Shopify.
Where eCommerce Platforms Collect PII and Personal Data
Your Shopify or BigCommerce store collects different types of customer information at every touchpoint. During checkout, you're gathering PII like names, addresses, and payment card details. But you're also collecting personal data through other channels—email signup forms, customer account profiles, purchase history, and browsing behavior tracked by Google Analytics or Facebook Pixel.
The distinction matters because each type of data requires different security measures. When a customer submits their credit card number, that's PII that needs encryption and restricted access. But when they browse your product catalog and that behavior gets tracked by a third-party pixel, that's personal data that still requires consent under regulations like GDPR and CCPA—even though it's not directly identifying information on its own.
Many eCommerce brands don't realize their analytics tools and advertising pixels are collecting personal data. If you're using Klaviyo for email marketing, you're storing customer email addresses and purchase behavior. If you're running Meta ads with the Conversions API, you're sending personal data about customer actions to Meta's servers. Each of these data flows needs to be documented and, in many cases, requires explicit customer consent before collection begins.
Understanding where your data lives is the first step toward compliance. Create an inventory of every tool, plugin, and third-party service connected to your store. Note what information each one collects—whether it's PII, personal data, or both—and how long it's retained.
PII and Personal Data in Customer Service and Support
When customers contact your support team—whether through email, chat, or a contact form—they're often sharing PII without thinking twice. A customer might email asking about an order and include their full name, order number, and payment method details in the message. Your support team now has that PII stored in your help desk software (Zendesk, Gorgias, or similar).
Personal data also flows through customer service interactions. Every time a customer describes a problem with a product, leaves a complaint, or discusses their preferences, you're collecting personal data about their behavior and needs. This data often lives in systems outside your main eCommerce platform, making it easy to forget it needs protection too.
Many eCommerce brands don't encrypt customer support conversations or restrict who can access them. Support staff may have visibility into payment information they don't actually need to see. This creates unnecessary risk and often violates privacy regulations that require you to limit data access to only what's needed.
Set clear policies for your support team: what information they should ask customers for, how long to retain support tickets, and who has access to sensitive conversations. Train staff not to ask for full credit card numbers or Social Security numbers via email or chat. Use your help desk software's security features to encrypt stored conversations and limit access based on job role.
How Consent Impacts Your PII and Personal Data Collection
You cannot simply collect PII and personal data without consent—at least not in most jurisdictions where your customers live. If you operate in Europe or collect data from European customers, GDPR requires explicit consent before processing personal data. California and other US states have similar requirements under CCPA and similar laws.
Consent is not a one-time checkbox on your privacy policy. You need to be specific about what data you're collecting and why. A cookie banner that says "We use cookies" is vague and likely insufficient. Instead, tell customers: "We use Google Analytics to track how you use our site" or "We use the Facebook Pixel to show you relevant ads on social media."
For eCommerce stores, this means your cookie banners need to differentiate between essential cookies (required for checkout) and non-essential ones (analytics, marketing, advertising). When customers opt out of non-essential cookies, you must actually stop that data collection. If a customer rejects the Meta Pixel, that pixel should not fire on their browser.
Many Shopify and BigCommerce stores use generic cookie banner apps that don't properly document consent or allow customers to change their preferences. This creates compliance gaps. Your consent records should show exactly what each customer agreed to and when, so you can respond accurately if they request a data deletion later.
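
The consent requirements in this section (non-essential tags stay off until the customer opts in, and every choice is recorded with a timestamp) can be enforced in the storefront's own script loader. The sketch below is an added example, not code from any cookie banner app or vendor; the tag names, customer ID, timestamp and loader callbacks are hypothetical placeholders for the real snippets a store would inject.

```javascript
// Added example. Tag names and loader callbacks are hypothetical stand-ins
// for the real vendor snippets a store would inject.
const CATEGORIES = ["essential", "analytics", "marketing"];

function createConsentManager(now = () => new Date().toISOString()) {
  const tags = [];     // { name, category, load, loaded }
  const records = [];  // append-only history: who agreed to what, and when
  let granted = new Set(["essential"]); // before any choice, essential only

  function register(name, category, load) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    tags.push({ name, category, load, loaded: false });
  }

  // Store the choice first, then load only what it permits.
  function setConsent(customerId, choices) {
    granted = new Set(["essential"]);
    for (const c of CATEGORIES) if (choices[c] === true) granted.add(c);
    records.push({ customerId, granted: [...granted], at: now() });

    const fired = [], blocked = [], revoked = [];
    for (const t of tags) {
      if (granted.has(t.category)) {
        if (!t.loaded) { t.load(); t.loaded = true; fired.push(t.name); }
      } else if (t.loaded) {
        revoked.push(t.name); // already running: caller must stop it, e.g. reload without it
      } else {
        blocked.push(t.name); // never injected, so it cannot fire
      }
    }
    return { fired, blocked, revoked };
  }

  return { register, setConsent, records };
}

// Constructed scenario: accept analytics, reject marketing, then withdraw analytics.
function demoConsent() {
  const loaded = [];
  const cm = createConsentManager(() => "2024-01-01T00:00:00.000Z");
  cm.register("checkout-session", "essential", () => loaded.push("checkout-session"));
  cm.register("analytics-tag", "analytics", () => loaded.push("analytics-tag"));
  cm.register("ad-pixel", "marketing", () => loaded.push("ad-pixel"));
  const first = cm.setConsent("cust-001", { analytics: true, marketing: false });
  const second = cm.setConsent("cust-001", { analytics: false, marketing: false });
  return { loaded, first, second, records: cm.records };
}
```

The `revoked` list matters in practice: a tag that has already loaded keeps running after the customer withdraws consent unless the page explicitly stops it.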
Handling Data Deletion Requests for PII and Personal Data
When a customer asks you to delete their data—a Subject Access Request (SAR) or deletion request under GDPR or CCPA—you need to understand what "their data" includes. It's not just PII in your customer database. It includes personal data stored in every connected system: your email marketing platform, your analytics tools, your abandoned cart apps, your review apps, and your customer service software.
If a Shopify customer submits a deletion request, you cannot simply delete their customer record in Shopify and call it done. You also need to delete or anonymize their data in Klaviyo, Google Analytics, Facebook, TikTok, and any other third-party service that has collected their personal data. Many brands miss this and inadvertently stay non-compliant.
Document which systems store which types of data. Create a deletion workflow that covers all of them. Some services (like Google Analytics) require you to anonymize data rather than delete it. Others allow true deletion. Know the difference for each tool you use.
Test your deletion process by requesting your own data as if you were a customer. You'll quickly discover which systems you forgot about or don't have access to delete from. Fix those gaps before a customer finds them during a compliance audit.
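
The data inventory described earlier and the deletion workflow above can share one structure: each inventory entry records what a system holds, whether it supports deletion or only anonymization, and how to erase from it. This is an added example, not code from any of the platforms named; the retention values are constructed and the `erase` handlers are hypothetical stubs where a real store would call each vendor's documented erasure mechanism.

```javascript
// Added example: a data inventory that drives the deletion workflow.
// Entries, retention values and erase handlers are constructed placeholders.
const inventory = [
  { system: "Shopify", holds: ["PII", "personal data"], mode: "delete",
    retentionDays: 730, erase: (email) => ({ ok: true }) },
  { system: "Klaviyo", holds: ["PII", "personal data"], mode: "delete",
    retentionDays: 365, erase: (email) => ({ ok: true }) },
  { system: "Google Analytics", holds: ["personal data"], mode: "anonymize",
    retentionDays: 420, erase: (email) => ({ ok: true }) },
  // No handler yet: the kind of gap a self-submitted test request exposes.
  { system: "Help desk", holds: ["PII", "personal data"], mode: "delete",
    retentionDays: 180, erase: null },
];

// Runs the request against every system and returns an audit log.
// The log deliberately omits the email so it does not become a new PII store.
function processDeletionRequest(email, systems, now = () => new Date().toISOString()) {
  const log = [];
  for (const s of systems) {
    let status;
    let detail = "";
    if (typeof s.erase !== "function") {
      status = "gap";
      detail = "no erasure handler";
    } else {
      try {
        const r = s.erase(email);
        if (r && r.ok) status = s.mode === "anonymize" ? "anonymized" : "deleted";
        else status = "failed";
      } catch (e) {
        status = "failed";
        detail = e.message;
      }
    }
    log.push({ system: s.system, mode: s.mode, status, detail, at: now() });
  }
  // The request is complete only when no system is left open.
  const open = log
    .filter((e) => e.status === "gap" || e.status === "failed")
    .map((e) => e.system);
  return { complete: open.length === 0, open, log };
}
```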