PII
Personally identifiable information — data that can identify a specific individual, alone or in combination. The legal definition varies by jurisdiction; identity-verification systems handle PII directly, and the rules around its minimization, retention, and disclosure are core compliance constraints.
Personally identifiable information, abbreviated PII, is the umbrella term for data that ties — directly or in combination — to a specific person. Names, dates of birth, government ID numbers, biometric templates, and address records are the obvious examples. Less obvious examples (IP addresses, device identifiers, persistent cookies) are PII under some legal regimes and not others. The category is intentionally broad because it's the lever every privacy law pulls when defining its scope.
Where it gets complicated is jurisdiction. The EU's GDPR scopes PII (personal data) in Article 4(1); California's CCPA defines it in §1798.140; many US state laws (Texas, Virginia, Colorado, Connecticut) each scope it slightly differently. The categories overlap heavily but not perfectly. The practical consequence for an identity-verification system is that the data minimization, retention, encryption, and disclosure rules an integrator has to follow depend on which jurisdiction the user is in, what the user is verifying for, and which credential the user presented.
For an identity-verification system specifically, PII is unavoidable — verification means receiving identifying data, comparing it against a credential, and returning a decision. The lever a verification system can pull is what comes back to the merchant. A well-designed flow returns the eligibility decision (over 21: yes, matches the document on file: yes) rather than the underlying PII (date of birth, document fields, biometric template). The merchant's product code never has to handle the underlying data, and the audit log is bound to the decision rather than the raw evidence.
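An added example, not Stile's code or webhook format: a sketch of the decision-only flow described above, in which the verifier consumes the evidence, the merchant accepts only decision fields, and the audit entry is bound to the decision by digest. The field names, the HMAC-SHA256 signing scheme, and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed demo key and field names; all are assumptions for this example.
SIGNING_KEY = b"demo-key-not-for-production"
ALLOWED_FIELDS = {"session_id", "over_21", "document_match", "decided_on"}


def canonical(payload: dict) -> bytes:
    """Stable byte encoding so signer and verifier hash identical input."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def decide(session_id: str, evidence: dict, today: date) -> dict:
    """Verifier side: consume raw PII, emit only the eligibility decision."""
    dob = date.fromisoformat(evidence["date_of_birth"])
    # Age in whole years, subtracting one if the birthday has not occurred yet.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return {
        "session_id": session_id,
        "over_21": age >= 21,
        "document_match": evidence["name_on_document"] == evidence["name_claimed"],
        "decided_on": today.isoformat(),
    }


def sign(payload: dict) -> str:
    """Hex HMAC-SHA256 over the canonical payload."""
    return hmac.new(SIGNING_KEY, canonical(payload), hashlib.sha256).hexdigest()


def accept(payload: dict, signature: str) -> dict:
    """Merchant side: check the signature, then refuse any field beyond the decision."""
    if not hmac.compare_digest(sign(payload), signature):
        raise ValueError("bad signature")
    extra = set(payload) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"unexpected fields, possible PII: {sorted(extra)}")
    return payload


def audit_record(payload: dict) -> dict:
    """Audit entry bound to the decision by digest; no evidence fields are stored."""
    return {"session_id": payload["session_id"],
            "decision_sha256": hashlib.sha256(canonical(payload)).hexdigest()}
```

The allowlist check in `accept` fails closed: a validly signed payload that carries an extra field such as a date of birth is rejected before merchant code can store it.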
Retention is the other lever. PII used to make a verification decision can be discarded after the decision is made; PII held for chargeback or fraud-investigation lookback is retained against a contractual retention window. The narrower the window and the smaller the surface, the smaller the compliance and breach exposure on both sides of the integration.
Related: identity verification walks through Stile's signed-webhook shape; US state coverage tracks which jurisdictions impose specific PII-handling rules on age and identity verification.
How Stile handles PII
Stile's signed webhook returns the eligibility decision, not the underlying PII. Retention, encryption, and disclosure semantics are configurable per session against the jurisdiction the user verified in.