
PII vs. Sensitive Data vs. Sensitive PII: Key Differences

Marc Parrish
PII, sensitive PII, and sensitive data aren't the same thing—and the difference changes your legal obligations. See clear examples of each.

Data privacy involves a complex network of laws and regulations, and it is easy to confuse PII with sensitive personal data and sensitive PII. This post explores the key differences among the three.

What Is PII?

Personally identifiable information (PII) is any information that can be used, alone or in combination with other data, to identify an individual. PII is classified as either "sensitive" (i.e., capable of being used on its own to positively identify an individual) or "non-sensitive" (i.e., information that is available from public sources and cannot alone positively identify an individual).

What Is Sensitive PII?

Sensitive PII is information that can directly disclose an individual's identity. A few examples are:

  • Full name
  • Fingerprint
  • Iris scan
  • Social Security Number (SSN)
  • Driver’s license

The consequences of mishandling sensitive PII can be severe for both your organization and your customers. It can cause public embarrassment, loss of trust (among consumers or employees), and reputational damage. Damaged client relationships can cost your organization business, and privacy law violations can result in fines and other financial harm.

What Is Sensitive Data?

Data is considered sensitive when it is subject to certain legal or contractual requirements, such as those governing privacy, trade secrets, and intellectual property. Generally speaking, if any sensitive data is improperly disclosed without authorization, it can spell disaster for those involved. Therefore, PII shared on a need-to-know basis qualifies as sensitive data.

How Is Sensitive Data Different From PII and Sensitive PII?

  • Scope and applicable laws: Sensitive data does not refer only to information that can reveal a person's identity, as PII does. It can also cover classified government information and private company data. The exact definitions vary from one data privacy regulation to another.
  • Security level: Because of its broader scope, sensitive data requires a higher level of security, where only authorized persons can access it.
  • Consequences: A higher required security level means the consequences of a data breach are greater. If an unauthorized person accesses sensitive data such as racial or ethnic origin, political views, or sexual orientation, it can lead to discrimination or animosity toward an individual.

Conclusion

Understanding the data privacy laws that apply to your organization, and how to interpret the various data types they define, will aid in compliance and help you protect sensitive data, so that you avoid PII violations.

How PII and Sensitive Data Show Up in Your Shopify Store

Your eCommerce platform collects different types of data at every touchpoint. When a customer signs up for your newsletter, enters their billing address, or saves their payment method, you're handling PII. When they provide their SSN for age verification or their driver's license number for identity confirmation, you've got sensitive PII on your hands.

The challenge is that these data types often live in the same systems. Your Shopify admin stores customer names, emails, and phone numbers alongside payment information. Your email marketing tool (like Klaviyo) tracks purchase history and browsing behavior. Google Analytics follows user behavior across your site. Each system has different security requirements, and treating all of this data the same way leaves you exposed.

For your brand, this means you need to know exactly where each data type is stored and who can access it. If a customer requests a DSAR (Data Subject Access Request), you need to pull their PII from Shopify, their email history from your marketing platform, and their behavioral data from your analytics tool. Without a clear inventory, you'll miss data and risk non-compliance fines.

Why Your Cookie Banner Isn't Enough

You've probably installed a cookie banner on your site. It asks visitors to consent to cookies from Google Analytics, Meta Pixel, and other tracking tools. But here's what many eCommerce brands miss: a cookie banner only addresses non-sensitive tracking data. It doesn't automatically protect the sensitive PII your store collects during checkout.

Your cookie banner tells visitors you're tracking their behavior—which is good. But it doesn't address the fact that you're also collecting their full name, address, phone number, and payment card information (or at least the last four digits). Sensitive data collection requires explicit consent and documented security measures that go far beyond cookie notices.

Many Shopify and BigCommerce stores rely entirely on their platform's built-in security without implementing additional safeguards for sensitive PII. Shopify encrypts data in transit and at rest, which is table stakes—not a competitive advantage. If you want to earn customer trust and stay compliant, you need to show that you're protecting sensitive data differently than you protect general browsing data.

The practical step: audit your consent flows. Do you ask for explicit consent before storing payment methods? Do you explain how you use customer names and addresses? Do you offer customers the ability to object to non-essential processing? Your cookie banner may satisfy one law, but sensitive PII handling is a separate compliance requirement.

Sensitive Data and Third-Party Integrations

Your eCommerce tech stack includes tools you don't own. You use Shopify for order management, Klaviyo for email, Meta for ads, and possibly a review platform, a shipping integration, and a customer service tool. Each time you connect these platforms, you're sharing customer data—and that data might include sensitive PII.

When you sync your Shopify customer list to Klaviyo, you're transferring names, emails, and purchase history. When you use Meta Pixel to track purchases, Meta receives transaction data tied to customer identifiers. When you use a third-party shipping provider, they get addresses and phone numbers. Each integration is a potential exposure point.

Your responsibility doesn't end when data leaves your Shopify admin. You're legally accountable for how those third parties handle sensitive data. That means you need data processing agreements (DPAs) in place with every vendor that touches sensitive PII. You should also regularly audit which integrations you actually need and disconnect the rest.

Building a Data Audit Process

Understanding the difference between PII, sensitive PII, and sensitive data is only useful if you know what your brand is actually collecting and storing. Start with an audit: list every platform where customer data lives, then categorize what type of data each platform holds.

  • Shopify admin: full name, email, address, phone, payment method (encrypted), order history
  • Google Analytics: device IDs, behavioral data, approximate location, purchase value (no names)
  • Klaviyo: email address, full name, purchase history, engagement data
  • Meta Pixel: email hash, device identifiers, purchase events, behavioral data
  • Custom forms or quizzes: whatever fields you've added

Once you've mapped your data, identify which systems hold sensitive PII. Those systems need the highest security standards: role-based access control, encryption, audit logs, and regular security reviews. Non-sensitive data like behavioral analytics can live under a lighter security model—though you still need consent.

Doing this audit yourself takes time. Most brands discover they're holding sensitive PII in places they didn't realize—abandoned databases, old third-party integrations, or backup systems. Getting visibility into where sensitive data lives is the first step toward actually protecting it.
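The audit described above can be kept as a small script so it is repeatable: classify each system by the most sensitive field it holds, compare the controls it has against what that tier requires (including the DPA requirement from the third-party section), and list the systems a DSAR must be pulled from. This is an added example, not code from the original post; the platforms, field names, control names and the inventory itself are constructed assumptions, while the tiering follows the post's own examples (SSN, driver's license, biometrics and full name as sensitive PII).

```python
# Added example (not from the original post): a minimal data-inventory audit.
# Systems, fields and controls below are constructed; the tiering follows the
# post's own examples (SSN, licence, biometrics, full name = sensitive PII).

# Field -> tier. Anything not listed is treated as non-sensitive tracking data.
TIERS = {
    "ssn": "sensitive_pii", "drivers_license": "sensitive_pii",
    "fingerprint": "sensitive_pii", "iris_scan": "sensitive_pii",
    "full_name": "sensitive_pii",
    "email": "pii", "address": "pii", "phone": "pii",
    "payment_method": "pii", "order_history": "pii", "purchase_history": "pii",
}
RANK = {"non_sensitive": 0, "pii": 1, "sensitive_pii": 2}

# Controls each tier must have (post: RBAC, encryption, audit logs and security
# reviews for sensitive PII; a DPA with every vendor; consent at every tier).
REQUIRED = {
    "non_sensitive": {"consent"},
    "pii": {"consent", "encryption", "dpa"},
    "sensitive_pii": {"consent", "encryption", "dpa", "rbac", "audit_logs", "security_review"},
}

# Constructed inventory: what each platform holds and which controls exist today.
INVENTORY = {
    "shopify": {"fields": ["full_name", "email", "address", "phone", "payment_method"],
                "controls": {"consent", "encryption", "rbac", "audit_logs"}},
    "google_analytics": {"fields": ["device_id", "behavior", "purchase_value"],
                         "controls": {"consent"}},
    "klaviyo": {"fields": ["email", "full_name", "purchase_history"],
                "controls": {"consent", "encryption", "dpa"}},
    "age_check_form": {"fields": ["drivers_license", "ssn"],  # a custom form
                       "controls": {"encryption"}},
}

def system_tier(fields):
    """A system is classified by the most sensitive field it stores."""
    return max((TIERS.get(f, "non_sensitive") for f in fields), key=RANK.__getitem__)

def control_gaps(inventory):
    """{system: sorted missing controls} for every system short of its tier's requirements."""
    gaps = {}
    for name, system in inventory.items():
        missing = REQUIRED[system_tier(system["fields"])] - system["controls"]
        if missing:
            gaps[name] = sorted(missing)
    return gaps

def dsar_sources(inventory):
    """Every system to query for a DSAR, most sensitive first, with the fields to export."""
    ordered = sorted(inventory, key=lambda n: -RANK[system_tier(inventory[n]["fields"])])
    return [(n, inventory[n]["fields"]) for n in ordered]
```

Running `control_gaps(INVENTORY)` on the constructed inventory flags the custom age-check form as holding sensitive PII with almost no controls, which is exactly the kind of forgotten collection point the audit is meant to surface.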
