Skip to main content
Privacy & Compliance

What Is PII? A Plain-English Guide for Small Business Owners

PII (Personally Identifiable Information) is any data that can identify a specific person. Knowing what counts as PII is the first step in handling it legally.

You're running a small business. You collect customer names, email addresses, and shipping addresses. You might also have phone numbers, birthdays from a loyalty program, and payment information. Some of this is regulated. All of it is sensitive. Knowing what counts as PII is the first step in handling it responsibly.

PII stands for Personally Identifiable Information — any data that can be used to identify a specific individual, either on its own or in combination with other data.

What Definitely Counts as PII

Direct identifiers: Information that uniquely identifies an individual without needing any other data:

  • Full name
  • Email address
  • Phone number
  • Home or work address
  • Social Security Number (SSN) or Tax ID
  • Date of birth
  • Driver's license or passport number
  • Financial account numbers or credit card numbers
  • Biometric data (fingerprints, face scans)
  • IP address (in many jurisdictions)
  • Device identifiers

What Counts as PII in Combination

Individually, some data points don't identify anyone. Together, they can:

  • ZIP code + birth date + gender: A famous study found this combination uniquely identifies 87% of Americans
  • Job title + company + department: Can narrow down to a specific individual
  • Location + time + behavior: Behavioral data that, when combined, becomes identifying

See exactly what's wrong with your data — try Sohovi free — try Sohovi free.

What Doesn't Count as PII (Usually)

Aggregate, anonymized data generally isn't PII:

  • "45% of our customers are between 25 and 34 years old" — not PII
  • Revenue totals, average order values, aggregate demographics — not PII

However, "anonymized" data can sometimes be de-anonymized if enough data points are combined.

Why It Matters for Small Businesses

GDPR (Europe), CCPA (California), and similar regulations impose requirements on how PII is collected, stored, used, and deleted. These aren't only enterprise concerns — small businesses that sell to EU residents or California residents are subject to these laws regardless of their size.

Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.

The practical minimum: know what PII you hold, have a legal basis for holding it, handle it securely, and be able to delete it on request.

Sohovi can scan a CSV file for common PII patterns — detecting email columns, phone columns, SSN patterns, and other personal data — entirely in your browser, with no data ever leaving your machine.

Knowing what PII you have is prerequisite to protecting it.

Selva Santosh

Data quality, for people who ship

Selva writes practical guides on data quality, profiling, and governance to help teams ship better data.

Start for free

Stop guessing. Start knowing your data quality.

Sohovi profiles your datasets in minutes — surfacing completeness gaps, type mismatches, and duplicate patterns before they reach production.

No credit card required · Free forever plan