PI vs. PII: What's the Difference?
The short answer: PII (personally identifiable information) is the narrower, older security term for data that directly identifies a specific person — a name, Social Security number, passport number, or email. PI (personal information) is the broader legal term used by modern privacy laws like California's CCPA: any information that identifies, relates to, describes, or could reasonably be linked to a person or household. All PII is PI, but not all PI is PII — the legal definition sweeps in data, like an IP address or browsing history, that traditional PII frameworks often leave out.
| | PII (Personally Identifiable Information) | PI (Personal Information) |
|---|---|---|
| What it is | Data that directly identifies or can be traced to a specific individual | Any data that identifies, relates to, or could be linked to a person or household |
| Where the term comes from | US information-security practice (e.g. NIST); older and narrower | Privacy law — the CCPA/CPRA and similar statutes; broader and legal |
| Typical examples | Name, SSN, passport number, email address, fingerprint | All PII plus IP addresses, cookie and device IDs, geolocation, browsing and purchase history, and inferences |
| Core question | "Does this identify the person?" | "Could this be associated with the person or household?" |
| Who uses it | Security teams, US federal guidance | CCPA/CPRA regulators and modern privacy programs |
What Is PII?
PII — personally identifiable information — comes from the world of information security and US federal guidance. It describes data that can be used, on its own or combined with other data, to identify or trace a specific person. Classic examples are a full name, a Social Security number, a driver's license number, a passport number, a home address, an email address, or a biometric identifier like a fingerprint.
The defining feature of PII is identification. The question it answers is narrow: does this piece of data point to a particular human being? If yes, it's PII; if not, traditionally it wasn't treated as PII at all. For a related distinction — how PII compares to "sensitive data" and "sensitive PII" — see our breakdown of PII vs. sensitive data vs. sensitive PII.
What Is PI (Personal Information)?
PI — personal information — is the term that privacy laws actually use, and it is deliberately much broader. The CCPA defines personal information as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Read that carefully: it doesn't require the data to identify anyone by itself. It only has to be reasonably capable of being associated with a person or household. That pulls in a whole category of data that classic PII frameworks ignore:
- IP addresses and device identifiers
- Cookie IDs and advertising identifiers
- Geolocation data
- Browsing history, search history, and purchase history
- Inferences drawn about a person (interests, preferences, predicted behavior)
The GDPR uses a different label — "personal data" — but its scope is similarly broad and also covers these indirect, online identifiers. In other words, both the CCPA's "PI" and the GDPR's "personal data" are wider than the security world's "PII."
All PII Is PI — But Not All PI Is PII
The cleanest way to hold the two terms in your head: PII is a subset of PI. Every piece of personally identifiable information is also personal information. But plenty of personal information — a standalone IP address, a cookie that tracks a shopper across pages, an inference that someone is "likely a new parent" — is not PII in the traditional sense, because none of it directly names the individual.
This isn't an academic distinction. It changes what you're legally responsible for.
Why the Difference Matters for Your Store
Most compliance mistakes here come from scoping privacy work to PII only — protecting names, emails, and payment details while treating cookies and analytics as "anonymous." Under the CCPA and GDPR, that's a gap.
Your Meta Pixel, Google Analytics, and advertising cookies collect PI every day, even when no name is attached. An IP address tied to a browsing session, a device fingerprint, a record that "this visitor viewed these five products" — all of it is personal information that consumers can ask you to disclose or delete, and that you must let them opt out of selling or sharing. If your data map only tracks PII, you'll under-count what regulators actually examine.
The practical fix is to standardize on the broader definition. Treat anything that could be linked to a person or household as personal information, map where it lives across your tools, and apply your privacy controls there — not just to the obvious name-and-email fields. For how this plays out under California law specifically, see our CCPA cookie compliance hub, and for a refresher on what counts as PII in the first place, our guide on confidential vs. sensitive information.
Frequently Asked Questions
What is the difference between PI and PII?
PII (personally identifiable information) is the narrower US security term for data that directly identifies someone — a name, Social Security number, or email. PI (personal information) is the broader legal term used by laws like the CCPA, covering anything that identifies, relates to, or could be linked to a person or household, including IP addresses, cookie IDs, and browsing history. All PII is PI, but not all PI is PII.
Is an IP address PII or PI?
An IP address is generally treated as PI under the CCPA and as personal data under the GDPR, even though traditional PII frameworks often don't classify a standalone IP address as PII. This is a common reason businesses under-count the data they're responsible for.
Does the CCPA use PII or PI?
The CCPA and its CPRA amendments regulate "personal information" (PI), defined very broadly to include information reasonably capable of being associated with a consumer or household. It deliberately reaches further than the older, narrower "PII" concept.
Is PI the same as personal data under GDPR?
They're close. The GDPR's "personal data" and the CCPA's "personal information" are both broad and cover indirect identifiers like online IDs and location data. "PII" is the narrower, mostly US security term and isn't the legal standard in either law.
Why does the PI vs. PII distinction matter for my store?
If you scope compliance to PII only — names and emails — you'll miss the cookie, pixel, analytics, and inference data that counts as PI. That broader category is exactly what regulators check, so using PI as your working definition keeps your compliance scope aligned with theirs.