PD > PII
Although marketers often use the terms interchangeably, Personal Data (PD) and Personally Identifiable Information (PII) are not the same.
The concept chart above gives an idea of why they are easily confused. While PII is PD, PD is not always PII. (Please excuse the black published-on date circle; it is part of the Squarespace page template, not a third category of data!)
Personal Data is a concept from the European Economic Area's (EEA) General Data Protection Regulation (GDPR). It includes information that can be used to identify an individual either on its own or in combination with other data.
Personally Identifiable Information is a concept used by numerous US laws and regulations (like HIPAA and COPPA). It includes only information that can be used on its own to identify a specific person.
Directionally, PII can be thought of as identifiers like name and email address whereas PD extends to data like Device ID and Cookie (Browser ID). The GDPR concept of PD is more inclusive and therefore more protective.
Both PD and PII have "sensitive" versions, which extend to information like political affiliation, sexual orientation and biometrics and carry higher standards for custody and use.
Why should people who create and run marketing communications campaigns care about this? Isn't it just for the CPO's office and legal team?
In a word, "no".
As the amount of consumer data collected on our behalf and for our use explodes, and is applied to targeting, messaging, measurement, personalization of the UI and now generative AI, we need to understand the basics to use that data conscientiously.
There are numerous proprietary tools and methods to help; Mindshare's data ethics compass comes to mind for audience targeting data specifically.
But professionals also need to develop their own sense of right-ness and wrong-ness that goes beyond heuristics like "it's in the terms of service, so it's OK" and "that's creepy, so it's not OK".