Personal Identifiable Data (PII): 2026 RevOps Guide
Personal identifiable data (PII) is any data that identifies a specific person. This guide covers direct vs indirect identifiers, what counts as PII under GDPR vs CCPA vs CPRA, the standard CRM fields that hold PII, data subject rights, and how RevOps teams should wire CRM, MAP, and warehouse for PII hygiene.
Data & Compliance | By Rome Thorndike, VP of Revenue & RevOps Analyst | April 2, 2026
Personal identifiable data (PII) is any data that identifies a specific individual. Direct identifiers (name, SSN, email, phone) are the easiest to recognize. Indirect identifiers (job title + employer + city, IP address + browser fingerprint) are the ones most teams overlook. GDPR uses the broader term "personal data," CCPA uses "personal information," and CPRA adds a sensitive sub-category. RevOps and marketing teams handle PII every day through CRM, MAP, ad platforms, and the warehouse, which makes data subject access requests (DSARs), retention rules, and processor agreements an operational responsibility, not just a legal one.
Personal identifiable data (PII), also called personally identifiable information, is any data that identifies a specific person, by itself or in combination with other data. GDPR equivalents: personal data. CCPA equivalents: personal information. CPRA adds a sensitive personal information sub-category covering SSN, geolocation, financial accounts, biometric data, and protected class attributes.
Direct vs Indirect PII
PII falls into two buckets based on how easily the data identifies a person:
Direct identifiers identify someone on their own: full name, Social Security number, passport number, driver's license number, email address, phone number, biometric ID, financial account number. A single direct identifier is enough to link the record to a specific human.
Indirect identifiers identify someone in combination: 5-digit ZIP code plus date of birth plus gender (a triple that uniquely identified about 87% of the US population in Sweeney's 2000 study), job title plus employer plus city, IP address plus browser fingerprint plus session ID. None of these is identifying alone; combined they very often are.
The legal mistake most B2B teams make is treating only direct identifiers as PII. GDPR and CCPA both pull indirect identifiers into scope. A "de-identified" CRM export that strips name and email but keeps job title, employer, city, and engagement timestamps is still personal data under GDPR.
PII Under Major Privacy Regimes
Different laws use different terms, with different scope:
GDPR (EU): "Personal data" is the umbrella term. Any information relating to an identified or identifiable natural person counts. Article 9 "special category data" covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for identification, health, and sex life or sexual orientation; processing it is prohibited unless one of the specific Article 9(2) conditions applies.
CCPA / CPRA (California): "Personal information" is broad: identifies, relates to, describes, or is reasonably capable of being associated with a California resident or household. CPRA added "sensitive personal information" covering SSN, driver's license, financial accounts, geolocation, race, religion, union membership, contents of mail or messages, and biometric data.
HIPAA (US healthcare): "Protected health information" (PHI) is PII tied to health context: medical history, insurance ID, treatment records. Stricter rules apply.
GLBA (US financial): "Non-public personal information" covers financial account data held by financial institutions.
State-level US laws: Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Utah UCPA, and others all define PII with minor variations. This state-by-state patchwork means RevOps teams in scope of multiple state laws default to the strictest definition.
What PII Lives in a Typical CRM
Almost everything in a CRM contact record is PII. The standard fields:
Direct PII: First name, last name, work email, personal email, work phone, mobile phone, work address, home address (rarely), LinkedIn URL, Twitter handle, photograph.
Behavioral PII: Email opens, link clicks, page views, form fills, demo attendance, call recordings, meeting attendance, chat transcripts. Each event is tied to an identified person, so each is PII under GDPR.
Derived PII: Lead score, persona segment, intent score, propensity score. These are inferences produced by automated processing of personal data and are still personal data under GDPR, because they relate to an identifiable person. When such a score drives a solely automated decision with significant effects (routing that decides whether a prospect is served at all, for example), Article 22 applies on top.
Salesforce, HubSpot, Pipedrive, and Close all hold these fields by default. Gong, Salesloft, Outreach, and Apollo replicate them. Marketing automation (Marketo, Pardot, HubSpot Marketing Hub) holds them. The data warehouse (Snowflake, BigQuery, Databricks) holds the consolidated copy. Tracing PII across the stack is the foundation of any DSAR workflow.
Data Subject Rights and How RevOps Wires Them
GDPR grants EU data subjects eight core rights over their personal data. The two that matter most operationally are access and erasure:
Right of access (Article 15): The data subject can request a copy of all personal data the controller holds about them. RevOps must produce a machine-readable export across CRM, MAP, ad platforms, support tickets, and the warehouse without undue delay and at the latest within one month of the request (extendable by two further months for complex or numerous requests, provided the data subject is told why).
Right to erasure / right to be forgotten (Article 17): The data subject can request deletion. Implementation requires a synchronized delete across CRM + MAP + sales engagement + warehouse + ad platform audiences. Salesforce and HubSpot expose record-deletion APIs; the warehouse copy needs a scripted delete across every table, backup, and time-travel snapshot that carries the identifier, and ad-platform audience removal varies by vendor, so those two steps are usually where the runbook breaks down.
Right to rectification (Article 16): Correction of inaccurate data. Self-service preference centers cover most of this.
Right to portability (Article 20): Machine-readable export. Overlaps with right of access.
Right to restrict / object to processing (Articles 18, 21): Stop processing for marketing or specific purposes. Wired through CRM consent fields and MAP suppression lists.
Rights related to automated decision-making (Article 22): Explanation and human review for fully automated decisions. Relevant when lead scoring drives routing.
CCPA and CPRA grant similar rights: right to know, right to delete, right to opt out, right to correct, and right to limit use of sensitive personal information.
PII vs PHI vs PCI: The Three That RevOps Mixes Up
RevOps teams often confuse these three categories. Quick decoder:
PII (personally identifiable information): Any data identifying an individual. Broadest category. Covers all CRM contact data.
PHI (protected health information): PII tied to health context under HIPAA. Medical history, insurance ID, treatment records. Stricter handling. Healthcare ISVs and pharma sales teams handle PHI; most B2B SaaS teams do not.
PCI (payment card industry) data: Cardholder data under PCI DSS. Card number, CVV, expiration. Finance and billing teams handle PCI; most sales and marketing teams should never touch it.
The fastest way to keep teams clear: PII is the umbrella, PHI is the healthcare slice with extra rules, PCI is the payment slice with extra rules. A sales contact record is PII. A patient record is PHI. A credit card on file is PCI.
How RevOps Should Handle PII Operationally
Six controls separate teams that pass a privacy audit from teams that fail one:
Role-based access control. AEs see their own accounts, not the whole CRM. Reps cannot export PII without manager approval. Salesforce Profile + Permission Set design is the lever.
Field-level security. Sensitive fields (SSN, mobile, home address) hidden from view for any role that does not need them. Most teams have field-level controls available and unused.
Audit logs. Every read and export of PII tracked. Salesforce Shield, HubSpot audit logs, and warehouse query logs cover this.
Retention rules. Inactive contacts deleted after the legal retention window. Most teams over-retain. Set 24-month default for cold leads, 36-month for opt-in subscribers, longer only with legal basis.
DSAR and deletion workflows. Documented runbook for processing data subject requests across CRM, MAP, support tickets, ad platforms, and warehouse. Automated where possible; manual review with SLAs where not.
Processor agreements (DPAs). Data processing agreement on file with every vendor that touches PII. The DPA review usually surfaces the long tail of tools nobody knew were processing personal data.
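The following is an added example, not code from this guide or from any CRM vendor: an application-level model of three of the controls above (field-level security, audit logging, retention) written so the rules can be reviewed and unit-tested as code rather than clicked through in an admin console. The role names, field names, retention defaults (24 months cold, 36 months opt-in, from the list above) and the four sample contacts are constructed assumptions for illustration.

```python
"""Added example, not code from the guide or any CRM vendor: an application-level
model of three controls (field-level security, audit logging, retention) written
so the rules can be reviewed and unit-tested as code.
Roles, field names and the sample contacts are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Deny-by-default allowlist of readable fields per role (assumed roles).
FIELD_POLICY = {
    "ae": {"first_name", "last_name", "work_email", "work_phone", "job_title", "company"},
    "manager": {"first_name", "last_name", "work_email", "work_phone", "mobile_phone",
                "home_address", "job_title", "company", "lead_score"},
    "analyst": {"job_title", "company", "lead_score"},
}
# Reads of these fields are logged whatever the role.
SENSITIVE_FIELDS = {"mobile_phone", "home_address", "ssn"}

NOW = datetime(2026, 4, 2, tzinfo=timezone.utc)
CONTACTS = [  # constructed sample records
    {"id": "c1", "first_name": "Ada", "last_name": "Lovelace", "work_email": "ada@example.com",
     "mobile_phone": "+1-555-0100", "home_address": "1 Example St", "job_title": "CTO",
     "company": "Example Co", "lead_score": 82, "marketing_opt_in": True,
     "last_activity": datetime(2023, 1, 15, tzinfo=timezone.utc)},   # opted in, >36 months idle
    {"id": "c2", "first_name": "Grace", "last_name": "Hopper", "work_email": "grace@example.com",
     "job_title": "VP Eng", "company": "Example Co", "lead_score": 40, "marketing_opt_in": False,
     "last_activity": datetime(2024, 9, 1, tzinfo=timezone.utc)},    # cold, 19 months idle
    {"id": "c3", "first_name": "Linus", "last_name": "Example", "work_email": "linus@example.com",
     "job_title": "CIO", "company": "Example Co", "lead_score": 10, "marketing_opt_in": False,
     "legal_hold": True,
     "last_activity": datetime(2024, 2, 1, tzinfo=timezone.utc)},    # cold and stale, but on hold
    {"id": "c4", "first_name": "Edsger", "last_name": "Example", "work_email": "e@example.com",
     "job_title": "Dev", "company": "Example Co", "lead_score": 5, "marketing_opt_in": False,
     "last_activity": datetime(2024, 3, 1, tzinfo=timezone.utc)},    # cold, 25 months idle
]


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, actor, action, contact_id, fields):
        self.events.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                            "action": action, "contact_id": contact_id, "fields": sorted(fields)})


def view_contact(actor, role, contact, audit):
    """Return only the fields the role may see (plus the id); unknown roles see
    nothing. Each read that touches a sensitive field goes to the audit log."""
    allowed = FIELD_POLICY.get(role, set())
    visible = {k: v for k, v in contact.items() if k == "id" or k in allowed}
    touched = set(visible) & SENSITIVE_FIELDS
    if touched:
        audit.record(actor, "read_sensitive", contact["id"], touched)
    return visible


def can_export(role, approved_by):
    """Bulk PII export: managers may export; anyone else needs a manager approval reference."""
    return role == "manager" or bool(approved_by)


def export_contacts(actor, role, contacts, audit, approved_by=None):
    """Export through the same field filter as single-record views, and log it."""
    if not can_export(role, approved_by):
        audit.record(actor, "export_denied", None, set())
        raise PermissionError("PII export requires manager approval")
    rows = [view_contact(actor, role, c, audit) for c in contacts]
    audit.record(actor, "export", None, set().union(*(r.keys() for r in rows)))
    return rows


def months_ago(now, n):
    """Calendar-month subtraction; day clamped to 28 to avoid month-end overflow."""
    y, m = divmod(now.year * 12 + now.month - 1 - n, 12)
    return now.replace(year=y, month=m + 1, day=min(now.day, 28))


def retention_candidates(contacts, now, cold_months=24, optin_months=36):
    """Ids past the retention window (24 months cold, 36 months opt-in by default).
    A legal hold or an open opportunity keeps the record regardless of age."""
    out = []
    for c in contacts:
        if c.get("legal_hold") or c.get("open_opportunity"):
            continue
        window = optin_months if c.get("marketing_opt_in") else cold_months
        if c["last_activity"] < months_ago(now, window):
            out.append(c["id"])
    return out


if __name__ == "__main__":
    log = AuditLog()
    print("AE view:", view_contact("rep1", "ae", CONTACTS[0], log))
    print("manager view:", view_contact("mgr1", "manager", CONTACTS[0], log))
    print("delete candidates:", retention_candidates(CONTACTS, NOW))
    print("audit events:", log.events)
```

Two design choices carry the security weight: the field policy is an allowlist, so a role that is not in the table (or a field added to the schema later) is hidden until someone explicitly grants it, and the export path reuses the single-record filter, so there is no second code path through which a rep can pull fields the view would have hidden. The retention sweep only returns candidates; the actual delete still has to fan out to MAP, sales engagement tools and the warehouse, which is the cross-system problem the next sections discuss.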
Anonymized vs Pseudonymized vs Aggregated Data
Most "anonymized" datasets are not actually anonymized. The distinction matters legally:
Anonymized data: Identifiers permanently removed. Re-identification is not reasonably possible. Under GDPR, anonymized data is no longer personal data, so the regulation does not apply.
Pseudonymized data: Identifiers replaced with a token, but the token can be re-linked to the original person with the right key. Still personal data under GDPR. Pseudonymization is a security control, not an exit from the regulation.
Aggregated data: Counts, averages, distributions above a minimum cell size (commonly 5 or 10). Closer to true anonymization. Used for executive dashboards and external benchmarks.
Most B2B benchmark datasets and "anonymized" customer journey datasets are pseudonymized, which means they still carry PII obligations. Confirm the data-handling category before sharing with vendors or partners.
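The following is an added example (not code from the original guide) that runs the distinctions above, and the point made earlier that a "de-identified" export keeping job title, employer and city is still personal data, on a small constructed CRM export: it strips the direct identifiers, measures k-anonymity over the remaining quasi-identifiers, pseudonymizes the record id with a keyed HMAC and shows that the key table re-links it, and then aggregates with a minimum cell size so small cells are suppressed. The contacts, field names and HMAC key are assumptions made for the example.

```python
"""Added example, not code from the original guide: shows why an export with
name and email stripped is still identifying, how a keyed pseudonym can be
re-linked, and how cell-size suppression makes aggregates safer.
All contacts below are constructed sample data; field names are assumptions."""
import hashlib
import hmac
from collections import Counter, defaultdict

# Constructed CRM export. job_title/employer/city are the quasi-identifiers.
CONTACTS = [
    {"id": 1, "name": "A. One",   "email": "a@acme.example", "job_title": "VP Sales",
     "employer": "Acme Corp", "city": "Austin", "opens": 14},
    {"id": 2, "name": "B. Two",   "email": "b@acme.example", "job_title": "Account Executive",
     "employer": "Acme Corp", "city": "Austin", "opens": 3},
    {"id": 3, "name": "C. Three", "email": "c@acme.example", "job_title": "Account Executive",
     "employer": "Acme Corp", "city": "Austin", "opens": 9},
    {"id": 4, "name": "D. Four",  "email": "d@acme.example", "job_title": "Account Executive",
     "employer": "Acme Corp", "city": "Austin", "opens": 1},
    {"id": 5, "name": "E. Five",  "email": "e@acme.example", "job_title": "Account Executive",
     "employer": "Acme Corp", "city": "Austin", "opens": 4},
    {"id": 6, "name": "F. Six",   "email": "f@globex.example", "job_title": "CFO",
     "employer": "Globex", "city": "Denver", "opens": 7},
    {"id": 7, "name": "G. Seven", "email": "g@globex.example", "job_title": "SDR",
     "employer": "Globex", "city": "Denver", "opens": 2},
    {"id": 8, "name": "H. Eight", "email": "h@globex.example", "job_title": "SDR",
     "employer": "Globex", "city": "Denver", "opens": 5},
]
DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("job_title", "employer", "city")


def strip_direct_identifiers(rows):
    """The 'de-identified' export most teams produce: direct identifiers gone,
    quasi-identifiers and engagement data untouched."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in rows]


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Smallest equivalence class over the quasi-identifiers (k), plus the ids
    of rows that are unique on them. k == 1 means someone is singled out."""
    key = lambda r: tuple(r[q] for q in quasi)
    classes = Counter(key(r) for r in rows)
    singletons = [r["id"] for r in rows if classes[key(r)] == 1]
    return min(classes.values()), singletons


def pseudonymize(rows, key: bytes):
    """Replace the record id with a keyed HMAC-SHA256 token. Without the key
    the token is opaque; with the key table it re-links, so the result is
    still personal data under GDPR (a security control, not anonymization)."""
    key_table, out = {}, []
    for r in rows:
        token = hmac.new(key, str(r["id"]).encode(), hashlib.sha256).hexdigest()[:16]
        key_table[token] = r["id"]
        out.append({**r, "id": token})
    return out, key_table


def relink(pseudo_rows, key_table):
    """Re-identification by whoever holds the key table."""
    return [key_table[r["id"]] for r in pseudo_rows]


def aggregate(rows, group_by=("employer",), measure="opens", min_cell=5):
    """Counts and averages per group; cells under min_cell are suppressed
    (reported as None) instead of published."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[g] for g in group_by)].append(r[measure])
    return {g: ({"n": len(v), "avg": sum(v) / len(v)} if len(v) >= min_cell else None)
            for g, v in groups.items()}


if __name__ == "__main__":
    export = strip_direct_identifiers(CONTACTS)
    k, singled_out = k_anonymity(export)
    print(f"k-anonymity of 'de-identified' export: k={k}, unique rows: {singled_out}")
    pseudo, table = pseudonymize(export, b"rotate-me-and-keep-me-out-of-the-warehouse")
    print("pseudonymized ids:", [r["id"] for r in pseudo][:3], "...")
    print("re-linked with key table:", relink(pseudo, table))
    print("aggregate by employer, min cell 5:", aggregate(export))
```

On the sample data the export has k = 1: the lone VP Sales at Acme and the lone CFO at Globex are each singled out by title, employer and city alone, which is exactly why such an export stays in GDPR scope. The keyed HMAC is deliberately used instead of a plain hash: a plain SHA-256 of a record id or email can be reversed by hashing the candidate values, while the HMAC key and key table can be held separately from the dataset, which is what makes the pseudonymization a real control (and what makes re-linking trivial for anyone who also holds the key).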
What Changed Recently (2026 Update)
Three privacy dynamics moved practice in 2025 to 2026:
Q1 2026: Texas TDPSA enforcement window opened, adding the latest US state-level comprehensive privacy law with binding rights. RevOps teams now default to a unified multi-state DSAR workflow.
Q4 2025: CPPA (the CCPA enforcement authority) issued enforcement guidance on automated decision-making (ADMT). Lead scoring and routing systems that materially affect access to services now fall into ADMT scope with explanation requirements.
Mid-2025: The EU Data Act took effect, adding new portability obligations for connected products and cloud services. B2B SaaS providers must support data portability into and out of the service.
Frequently Asked Questions
What is personally identifiable information (PII)?
Personally identifiable information (PII) is any data that can identify a specific individual, either by itself (direct identifiers like name, SSN, email, phone, address) or in combination with other data (indirect identifiers like job title plus employer plus city). Under GDPR the equivalent term is "personal data," which is broader. Under CCPA and CPRA, "personal information" includes IP addresses, geolocation, and inference data. RevOps and marketing teams handle PII every day in CRM contacts and form submissions.
What is the difference between direct and indirect PII?
Direct identifiers identify a person by themselves: full name, SSN, passport number, email address, phone number, biometric ID, government ID. Indirect identifiers identify a person in combination: ZIP code + birthdate + gender (a triple that uniquely identified about 87% of the US population in Sweeney's 2000 study), job title + company + city, IP address + browser fingerprint. Direct PII is where most teams already apply controls. Indirect PII is often overlooked but legally counts as personal data under GDPR.
Is a work email considered PII?
Yes. A work email is direct PII because it identifies a specific individual (the edge case is a shared mailbox such as a sales@ or info@ address, which names a function, not a person). Under GDPR it is personal data and falls under data subject rights (access, deletion, portability). Under CCPA it is personal information. Under US sectoral laws (HIPAA, GLBA, FERPA), work email is treated as PII when combined with sensitive context. RevOps teams should treat work emails the same as personal emails for data subject access requests (DSARs) and deletion workflows.
What PII lives in a CRM?
Standard CRM PII fields include first name, last name, work email, personal email (if collected), phone, mobile phone, work address, home address (rarely), LinkedIn URL, Twitter handle, job title, company, and any custom fields holding identifiers. Activity records (call logs, email opens, meeting attendance) also constitute PII because they tie behavior to an identified person. Salesforce, HubSpot, and Pipedrive all hold these fields by default.
What are GDPR data subject rights for PII?
GDPR grants EU data subjects eight core rights over their personal data: access (a copy of their data), rectification (correction), erasure (right to be forgotten), restriction of processing, data portability (machine-readable export), objection (to processing including marketing), rights related to automated decision-making, and the right to be informed. RevOps must wire CRM, marketing automation, and data warehouse to support each. The deadline is one month from request, extendable by two further months for complex or numerous requests.
What is the difference between PII, PHI, and PCI data?
PII (personally identifiable information) is the broadest category: any data identifying an individual. PHI (protected health information) is PII tied to health context under HIPAA: medical history, insurance ID, treatment records. PCI (payment card industry data) is cardholder data under PCI DSS: card number, CVV, expiration. Each has separate regulatory authority and stricter handling rules than baseline PII. Sales and marketing usually handle PII; finance handles PCI; healthcare ISVs handle PHI.
How should RevOps handle PII in a CRM?
Six controls: role-based access (only sales reps see their own contacts), field-level security (sensitive fields like SSN hidden from view), audit logs (every read of PII fields tracked), data retention rules (delete inactive contacts after the legal retention window), data subject request workflows (DSAR and deletion across CRM + MAP + warehouse), and processor agreements (DPAs with every vendor that touches the data). The toughest part is the cross-system reach: PII in CRM also lives in Gong, Salesloft, marketing automation, and the data warehouse.
What is PII under CCPA and CPRA?
CCPA defines "personal information" broadly as anything that identifies, relates to, describes, or is capable of being associated with a California resident or household. CPRA (effective 2023) added "sensitive personal information" as a sub-category: SSN, driver's license, financial account, geolocation, race or ethnicity, religion, union membership, contents of mail or messages, and biometric data. CCPA + CPRA together cover most B2B and B2C CRM data. Companies above the revenue and consumer thresholds must offer right-to-know, right-to-delete, and right-to-opt-out.
What is anonymized vs pseudonymized data?
Anonymized data has identifiers permanently removed and cannot be re-linked to an individual: it is no longer PII under GDPR. Pseudonymized data has identifiers replaced with a token, but the token can be re-linked to the person with the right key: it is still PII under GDPR. Aggregation (averages, counts above a minimum threshold like 5) is closer to anonymization. Most "anonymized" B2B datasets are actually pseudonymized and still carry PII obligations.
What are the penalties for mishandling PII?
GDPR fines top out at 4% of global annual revenue or 20M EUR, whichever is higher. CCPA penalties are up to $7,500 per intentional violation. State-level US laws (CPRA, Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA) carry separate enforcement authorities and fines. Beyond regulatory fines, the bigger cost is usually breach notification expense, customer trust loss, and DSAR processing overhead. Treating PII hygiene as a RevOps KPI rather than a legal afterthought is the cheapest path.
Methodology: Data based on 493 job postings with disclosed compensation, collected from Indeed, LinkedIn, and company career pages as of April 2026. All salary figures represent posted ranges, not self-reported data.