PII (Personally Identifiable Information)
PII (Personally Identifiable Information) is any data that can be used, on its own or in combination with other information, to identify, locate, or contact a specific individual.
How PII (Personally Identifiable Information) works
PII is a term rooted in United States privacy practice, where it typically distinguishes between direct identifiers and indirect identifiers. Direct identifiers, such as a full name, Social Security number, passport number, email address, or phone number, point to a single person by themselves. Indirect (or quasi-) identifiers, such as a date of birth, postal code, or job title, may not identify someone alone but can do so when combined.
The concept overlaps with, but is not identical to, the GDPR's broader notion of 'personal data', which covers any information relating to an identified or identifiable natural person, including online identifiers like IP addresses and device identifiers. As a result, data that a US framework might treat as non-PII can still qualify as personal data under European law.
Organizations classify and inventory PII to apply appropriate safeguards: access controls, encryption, retention limits, and breach-notification procedures. Techniques such as pseudonymization (replacing identifiers with tokens), anonymization (irreversibly removing the link to an individual), and hashing are used to reduce the sensitivity of data while preserving some utility.
In fraud and device-intelligence contexts, a key question is whether a device signal or fingerprint counts as PII or personal data. Individually, signals like screen resolution or installed fonts are not identifying, but a stable fingerprint derived from many signals can single out a device and, by extension, a person, which places it within the scope of privacy law even when no name is attached.
Why PII (Personally Identifiable Information) matters for fraud prevention
Distinguishing PII from non-identifying telemetry is central to privacy-conscious fraud prevention. Effective detection often requires stable identifiers, yet handling more identifying data than necessary raises regulatory exposure and breach risk. The goal is to detect fraud using the minimum identifying information required, favoring pseudonymous device signals over raw personal details, and to keep any genuine PII tightly controlled. Getting this balance right lets security teams stop attackers while honoring data-minimization principles.
How TRACIO handles it
TRACIO is built to minimize reliance on traditional PII. Its identification derives a device signal from more than 130 technical signals rather than from names, emails, or government identifiers, producing a pseudonymous visitor identifier oriented toward security use. Where signals are combined into an identifier, TRACIO applies hashing and data-minimization practices in its design. Whether the resulting identifier constitutes personal data in a given jurisdiction is a legal determination that customers must make for their own use case; TRACIO provides the transparency and controls to support that assessment rather than a blanket legal guarantee.
Frequently asked questions
Identify every device with confidence
Start with a free plan of 2,500 API calls per month. No credit card required.