What is PII?

The two-tier model: standard vs. sensitive

Modern privacy laws (CCPA, CPRA, GDPR, the state-by-state US laws) split PII into two tiers:

Standard PII — name, address, phone, email, date of birth, IP address, customer-ID numbers, browser cookies, family relationships. Protected by deletion rights and opt-out rights under most privacy laws. Frequently published openly by data brokers.

Sensitive PII — Social Security number, driver's-license number, passport number, financial-account numbers, medical or health information, race, religion, sexual orientation, precise geolocation, biometric data, login credentials. Protected by stronger rights including (in California) the right to limit use, not just delete.

The split matters because regulators treat sensitive PII more strictly. CCPA's "limit the use of sensitive personal information" right (§1798.121) applies only to the sensitive tier. GDPR's "special category data" definition (Art. 9) is the European equivalent and triggers heightened consent and security requirements.

What counts as PII when combined

This is where most data-broker exposure happens. None of these alone identifies you. All of them together is your full profile:

• First name + city = millions of matches
• First + last name + city = thousands of matches
• First + last + city + DOB month/year = handful of matches
• First + last + full DOB + zip code = unique in 87% of US cases (per a 2000 study still cited)

Data brokers' core business model is selling these combinations — not just one identifier, but the constellation that uniquely identifies you.

Where to remove it

PII removal is the work the rest of Delist's site covers in depth. The short version:

• From data brokers: see the data-brokers hub.
• From AI training: see the AI removal hub.
• From search engines: see the search-engine hub.
• From face-search: see the face-search hub.