**Personally identifiable information** (**PII**) is any data that can be used to identify, locate, or contact a specific individual, either on its own or in combination with other information. Common examples include a person's full name, [[Social Security number|social security number]], [[Passport|passport]] or [[Driver's license|driver's license]] number, [[Date of birth|date of birth]], [[Home address|home address]], [[Email address|email address]], [[Telephone number|telephone number]], [[Biometrics|biometric data]], and [[Financial data|financial account information]]. The concept of PII is central to [[Data privacy|data privacy]] law, [[Information security|information security]] practice, and [[Data governance|data governance]] frameworks, and organizations that collect, store, or process PII are typically subject to legal obligations governing its protection, use, and disclosure.

The precise definition of PII varies across legal and regulatory frameworks. In the [[United States]], PII is addressed through a patchwork of sector-specific laws including the [[Health Insurance Portability and Accountability Act]] (HIPAA), which protects [[Protected health information|protected health information]] (PHI); the [[Family Educational Rights and Privacy Act]] (FERPA), which covers student records; the [[Gramm–Leach–Bliley Act]] (GLBA), which governs financial data; and the [[California Consumer Privacy Act]] (CCPA), which provides broad privacy rights for California residents. The [[European Union|European Union's]] [[General Data Protection Regulation]] (GDPR) uses the broader term **personal data**, defined as any information relating to an identified or identifiable natural person, and imposes comprehensive requirements on organizations collecting or processing such data, including lawful basis for processing, data minimization, and rights of access, rectification, and erasure.

PII is commonly distinguished between **directly identifying information**, such as name or government identification number, which identifies an individual without reference to other data, and **indirectly identifying information**, such as [[IP address|IP address]], [[Geolocation|geolocation data]], or [[Online identifier|online identifiers]], which may identify an individual when combined with additional data points. The sensitivity of PII varies by category, with financial identifiers, health data, and government-issued numbers typically classified as high-sensitivity.

Organizations manage PII risk through technical controls including [[Encryption|encryption]], [[Data masking|data masking]], [[Pseudonymization|pseudonymization]], and [[Access control|access control]], as well as governance measures such as [[Data retention|data retention]] policies, [[Privacy impact assessment|privacy impact assessments]], and employee training. Failure to adequately protect PII can result in [[Data breach|data breaches]], regulatory penalties, civil litigation, and reputational harm.
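The following Python example is added here to illustrate the direct/indirect distinction and the data masking and pseudonymization controls described above; it is not part of this article's sources or of any named regulation. The field names, the per-field policy table, the sample record and the secret key are all constructed for the example. It shows three treatments a practitioner would choose among: a keyed pseudonym (HMAC) for direct identifiers so records can still be joined without the raw value, masking for high-sensitivity numbers, and generalization (birth year, network prefix) for indirect identifiers. It also includes a self-check showing why an unkeyed hash of a low-entropy identifier such as an SSN is not a pseudonym: anyone can rebuild the same token table from guessable inputs, whereas a keyed token cannot be rebuilt without the key.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed per-field policy (an assumption for this example, not a standard):
# direct identifiers -> keyed pseudonym, high-sensitivity numbers -> mask,
# indirect identifiers -> generalize so they no longer single out one person.
POLICY = {
    "name": "pseudonymize",
    "email": "pseudonymize",
    "ssn": "mask",
    "account_number": "mask",
    "dob": "generalize_year",
    "ip": "generalize_ip",
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256). Same input -> same token,
    so joins still work; without the key a token cannot be recomputed from a
    guessed input. Input is normalized so 'A@x.com' and 'a@x.com ' agree."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: reproducible by anyone, so not a pseudonym for guessable values."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def mask(value: str, keep_last: int = 4) -> str:
    """Data masking: keep only the trailing digits, e.g. an SSN becomes *****6789."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep_last:
        return "*" * len(digits)
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def generalize_year(iso_date: str) -> str:
    """Generalization: reduce an ISO-8601 date of birth to the birth year."""
    return iso_date[:4]


def generalize_ip(value: str) -> str:
    """Generalization: truncate IPv4 to a /24 and IPv6 to a /48 (network, not host)."""
    addr = ipaddress.ip_address(value)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def apply_policy(record: dict, key: bytes) -> dict:
    """Return a copy of the record with each PII field transformed per POLICY.
    Fields not listed in POLICY pass through; an unknown action raises rather
    than silently emitting the raw value."""
    out = {}
    for field, value in record.items():
        action = POLICY.get(field)
        if action is None:
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(value, key)
        elif action == "mask":
            out[field] = mask(value)
        elif action == "generalize_year":
            out[field] = generalize_year(value)
        elif action == "generalize_ip":
            out[field] = generalize_ip(value)
        else:
            raise ValueError(f"unknown policy action {action!r} for field {field!r}")
    return out


def token_in_precomputed_table(token: str, candidates, hasher) -> bool:
    """Self-check for a chosen tokenization scheme: can the token be matched by a
    table built from guessable candidate values using only public information?"""
    return token in {hasher(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample record; every value is fictitious.
    record = {
        "name": "Jane Q. Public",
        "email": "Jane.Public@example.com",
        "ssn": "123-45-6789",
        "account_number": "4111 1111 1111 1111",
        "dob": "1984-07-14",
        "ip": "203.0.113.77",
        "plan": "basic",  # not PII under this policy; passes through
    }
    key = b"example-secret-kept-outside-the-dataset"  # constructed; use a KMS/HSM in practice
    for field, value in apply_policy(record, key).items():
        print(f"{field:15} {value}")
```

The pseudonymization key must be stored and access-controlled separately from the pseudonymized dataset; if it travels with the data, the tokens are no better than unkeyed hashes. Under the GDPR's terminology, keyed pseudonymization of this kind still yields personal data (the controller can re-identify with the key), which is why it is a risk-reduction control rather than anonymization.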