You're running a small business. You collect customer names, email addresses, and shipping addresses. You might also have phone numbers, birthdays from a loyalty program, and payment information. Some of this is regulated. All of it is sensitive. Knowing what counts as PII is the first step in handling it responsibly.
PII stands for Personally Identifiable Information — any data that can be used to identify a specific individual, either on its own or in combination with other data.
What Definitely Counts as PII
Direct identifiers: Information that uniquely identifies an individual without needing any other data:
- Full name
- Email address
- Phone number
- Home or work address
- Social Security Number (SSN) or Tax ID
- Date of birth
- Driver's license or passport number
- Financial account numbers or credit card numbers
- Biometric data (fingerprints, face scans)
- IP address (in many jurisdictions)
- Device identifiers
What Counts as PII in Combination
Individually, some data points don't identify anyone. Together, they can:
- ZIP code + birth date + gender: A famous study found this combination uniquely identifies 87% of Americans
- Job title + company + department: Can narrow down to a specific individual
- Location + time + behavior: Behavioral data that, when combined, becomes identifying
See exactly what's wrong with your data — try Sohovi free — try Sohovi free.
What Doesn't Count as PII (Usually)
Aggregate, anonymized data generally isn't PII:
- "45% of our customers are between 25 and 34 years old" — not PII
- Revenue totals, average order values, aggregate demographics — not PII
However, "anonymized" data can sometimes be de-anonymized if enough data points are combined.
Why It Matters for Small Businesses
GDPR (Europe), CCPA (California), and similar regulations impose requirements on how PII is collected, stored, used, and deleted. These aren't only enterprise concerns — small businesses that sell to EU residents or California residents are subject to these laws regardless of their size.
Sohovi automatically detects PII in your datasets — emails, phone numbers, SSNs — all processed client-side so your data never leaves the browser.
The practical minimum: know what PII you hold, have a legal basis for holding it, handle it securely, and be able to delete it on request.
Sohovi can scan a CSV file for common PII patterns — detecting email columns, phone columns, SSN patterns, and other personal data — entirely in your browser, with no data ever leaving your machine.
Knowing what PII you have is prerequisite to protecting it.
