Skip to main content
Privacy & Compliance

What Counts as PII? A Practical Checklist for Business Owners

PII isn't just names and email addresses. Here's a practical checklist of what counts as personally identifiable information — and what doesn't.

Most business owners know that names and email addresses are PII. Fewer know about the long list of data points that also qualify — and the "combination" effect that turns individually non-sensitive data into PII when combined.

Here's the practical checklist.

Clearly PII (Always Treat as Personal Data)

  • Full name (first + last)
  • Email address
  • Home, work, or mailing address
  • Phone number (mobile, home, or work)
  • Date of birth
  • Social Security Number / National Insurance Number / equivalent government ID
  • Driver's license number
  • Passport number
  • Financial account numbers (bank account, credit/debit card)
  • Medical record numbers and health information
  • Biometric data (fingerprints, face scans, voice prints)
  • IP addresses (in most jurisdictions)
  • Username + password combinations
  • Photos that clearly identify an individual

Contextually PII (Depends on Use and Combination)

These aren't always PII, but become PII in certain contexts:

Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.

  • Job title: "CEO of Acme Corp" + company name = identifying
  • ZIP code alone: Not PII, but ZIP + birthdate + gender can be uniquely identifying
  • Device identifiers: Phone IMEI, browser fingerprint — often treated as PII in GDPR context
  • Location data: Repeated location data that reveals home and work address patterns
  • Behavioral data: Clickstream, purchase history — can be identifying when combined
  • Voice recordings: May or may not identify an individual depending on context
  • Employment records: May include identifying information depending on content

Not PII (Aggregate or Non-Identifying Data)

  • "Our customers are 45% female" — aggregate, not individual
  • Revenue totals, averages, statistical summaries
  • Anonymized data that has been irreversibly de-identified
  • Business-to-business contact data (company name, work department) — though work email and direct phone may still be PII

The Combination Rule

Data that isn't PII individually can become PII when combined. The classic example: ZIP code + birth date + sex can uniquely identify 87% of US residents (Sweeney, 2000). When combining multiple data points about individuals, consider whether the combination is identifying even if the individual points aren't.

What This Means Practically

Before sharing a dataset internally or externally, check it against this checklist. Unexpected PII — especially in free-text fields, "ref" columns, or concatenated identifiers — creates compliance obligations you didn't intend.

Sohovi scans your CSV for PII patterns across all columns, flagging personal data in expected and unexpected locations — running entirely in your browser so your data stays on your machine.

When in doubt, treat it as PII and handle accordingly. The cost of over-classifying is minimal; the cost of under-classifying can be significant.

Selva Santosh

Data quality, for people who ship

Selva writes practical guides on data quality, profiling, and governance to help teams ship better data.

Start for free

Stop guessing. Start knowing your data quality.

Sohovi profiles your datasets in minutes — surfacing completeness gaps, type mismatches, and duplicate patterns before they reach production.

No credit card required · Free forever plan