With data protection rules getting stricter, protecting customer privacy is now a key focus for anyone working in digital marketing. While marketers handle different types of data at all times, one type of data is particularly sensitive. We’re talking about Personally Identifiable Information.
In this post, we will cover the basics of PII, explain why it matters and how to handle it responsibly and safely, and show how server-side tracking can help you achieve compliance while handling PII.
Let’s start with the PII meaning so we’re on the same page along the way.
Personal data, also referred to as personal information or Personally Identifiable Information (PII), is any information that relates to an identified or identifiable person. An identifiable individual is one who can be directly or indirectly identified, particularly through identifiers such as names, identification numbers, online identifiers, location data, or factors specific to physical, genetic, mental, economic, cultural, or social identity.
The scope of personal data varies by legal jurisdiction based on the state, country and region. PII is further divided into two categories - sensitive and non-sensitive.
As you can see from the diagram below, PII data examples include personal details (e.g., full name, address), identification numbers (e.g., passport, SSN), contact information, health records, financial data, biometric records, criminal or employment history, and digital identifiers (e.g., IP address, login credentials).
As you can see from the examples of PII, there is a wide range of data points that can impact a person’s privacy and identify them directly or indirectly. And whether a piece of data is PII or not largely depends on the context. For instance, a username or phone number is considered PII only if it can be connected to a specific person.
PII is important because it identifies individuals and can distinguish or trace an individual's identity, either on its own or when linked to other personal information. It is used for communication, verification, or transactions.
Businesses use PII to:
It all comes down to this - PII matters enormously for businesses. It helps them connect with their customers, tailor their offering to fit customer needs better, and boost brand loyalty and customer trust.
Not all personal data qualifies as PII. For example, browsing preferences, like the types of products someone looks at online, aren't considered to be PII because they don’t directly identify a person. PII refers to data that can pinpoint a specific individual, such as information used to verify identity with a bank. Not all PII, in turn, is sensitive. PII is divided into sensitive and non-sensitive categories.
What PII data is considered sensitive?
Sensitive PII directly identifies an individual and can cause significant harm if exposed.
Examples:
Sensitive PII is not publicly available and requires strong protection like encryption and controlled access under data privacy laws.
What PII data is considered non-sensitive?
Non-sensitive PII is personal information that can identify an individual but poses minimal risk of harm if exposed.
Examples of PII that is not sensitive (with explanations why it’s not sensitive):
To sum up, non-sensitive PII identifies a person but is low-risk if exposed, like a name or email. It’s often public but can be misused if combined with other data.
Ways in which PII is collected:
These methods are commonly used to gather, store, and analyze personal data elements.
Every business must protect data, especially sensitive customer information. PII is valuable to your customers, and handling it properly is crucial to maintaining your company's reputation as a trustworthy place to do business. Protecting PII is crucial to keep individuals' privacy safe and prevent issues like identity theft, account takeovers, medical fraud, extortion, and other threats. If PII is compromised, it can cause financial losses, lower credit scores, emotional stress, and legal problems.
If we take a look at PII examples like a person’s full name, social security number, credit card information, or medical records, it becomes clear why safeguarding this information is so important.
Examples of PII and reasons for securing it:
Each piece of PII, when compromised, can have a direct and harmful impact on an individual’s life, underscoring the need for strict privacy measures.
Apart from all the reasons mentioned above, you must protect personal data under data privacy regulations like GDPR, HIPAA and many others. Failing to comply with these regulations can result in significant financial penalties, legal consequences, and irreversible loss of customer trust.
Let’s have a look at the main PII-centered regulations, their scope, requirements and non-compliance penalties.
| Regulation | Scope | Requirements | Penalties |
| --- | --- | --- | --- |
| GDPR (EU) | Applies to organizations processing the personal data of EU residents. | Organizations must get consent, allow access, correction, and deletion of data, and notify about breaches. | Fines can reach €20 million or 4 percent of global turnover, whichever is higher. |
| HIPAA (US) | Applies to healthcare entities that handle protected health information (PHI). | Healthcare entities must safeguard PHI, notify about breaches, and get patient consent. | Fines range from $100 to $50,000 per violation, with a maximum of $1.5 million per year. Criminal penalties can go up to $250,000 (HHS). |
| CCPA (California) | Covers businesses that collect personal data from California residents. | Businesses must allow access to data, delete it upon request, let consumers opt out of data sales, and notify about breaches. | Fines are $2,500 per unintentional violation and $7,500 per intentional violation (CPPA). |
| LGPD (Brazil) | Governs the processing of personal data in Brazil. | Organizations must obtain consent, be transparent, and implement security measures. | Fines can go up to 2 percent of annual revenue, with a cap of R$50 million per violation. |
| PIPEDA (Canada) | Applies to private-sector organizations that handle personal data. | Organizations must obtain consent, ensure transparency, and protect the data they collect. | Fines can be up to CAD $100,000 per violation. |
These laws require protecting personal data and following strict rules. An organization that fails to protect PII can face serious fines. Apart from the regulations mentioned above, other regional or industry-specific regulations could apply to your organization. Seek legal advice to ensure full compliance.
Turning to server-side tagging for data collection and processing isn’t a guarantee that PII will be fully protected, but it does offer a more secure and controlled environment for handling sensitive data. Using server-side tracking in a GDPR-compliant way requires secure processing, PII minimization, anonymization, and obtaining user consent.
Unlike client-side tracking, which sends data directly from the user's browser to third-party platforms (like Google Analytics or Facebook), server-side tagging processes the data on a server first. This helps protect PII by giving businesses a possibility to filter or anonymize the data before sending it to external services.
We created European Server GTM Hosting. Stape Europe, registered in Estonia, hosts server GTM containers on Scaleway, a 100% EU-based cloud provider. Using tools like Google Consent Mode ensures GDPR compliance by adjusting data collection based on user consent.
With Stape Europe, no data is transferred to the US, as our servers are fully EU-based. Currently, we don’t offer automated user data removal but are actively working on features to simplify the removal of PII.
Here are some more ways in which Stape can help you reach GDPR compliance and protect user PII:
1. Anonimyzer
Google Analytics IP anonymization is often an issue for companies handling PII. Stape comes with a power-up for that. Anonimyzer is available for all Stape users. Its main goal is removing or anonymizing user data from Google Analytics 4. When GA requests go through a tagging server URL that includes /anonymize, we automatically remove or anonymize selected parameters.
2. Consent Banner
A consent banner is essential for obtaining users' permission to collect their data. It must clearly explain what data is being collected and why, and comply with regulations like GDPR.
3. GEO Headers
GEO headers provide user location data, useful for targeting and complying with local data protection laws. Ensure they’re properly configured. Server-side tracking can help address these needs, but consult your legal team to ensure full compliance.
So, what is considered PII? It’s any information that can identify a person - like names, email addresses, phone numbers, or even browsing history and location data. This kind of information is collected in various ways, often without users realizing it. PII is divided into sensitive and non-sensitive.
While some personal information examples are widely accessible for the general audience and harmless, others, like financial details, health records, or government-issued IDs, are considered sensitive and require stricter protection. Collecting and processing any PII, especially sensitive types, must comply with data protection regulations (like GDPR or CCPA) to ensure users' privacy and security.
Stape helps businesses handle PII securely with tools like the Anonimyzer for GA4 to anonymize data and EU-based server hosting to keep data compliant with GDPR. Features like Consent Banner and Geo Headers ensure transparent and responsible data management in a secure, controlled environment.
Non-PII is data that cannot identify an individual, such as browser type, device type, or general location. Non-PII must still be handled carefully, as combining it with other data may allow indirect identification.
These measures safeguard sensitive information and maintain trust.
PII identifies individuals, while PHI is health-related data linked to an individual and protected under laws like HIPAA.
Under GDPR, PII is any data that can identify an individual, like names, emails, IP addresses, or location data.
After a PII data breach, businesses must secure the breach, notify affected individuals, and report to authorities if required.
How can PII be removed using SST to ensure compliance?
PII can be removed with server-side tracking by anonymizing or filtering data before sending it to third parties. We have a tutorial on how to anonymize user data in GA4 with server GTM. It can help you with PII security.