by dkersten 2280 days ago
I don't know "how unique" it needs to be. I'll ask if I get the opportunity.

It just has to be correlatable, if I understood it correctly, but I don't know if unique or not. To me it sounded like if there's only a small number of possible people it could identify (say 4) then it's potentially PII; however, I have no idea where the line is drawn. Clearly if k is 1, it's PII. If k is 2, it probably is too. If k is 1000, it's probably not. But at what point does it stop being PII? I have no idea!

The legal person basically said "it's complicated, anything can become PII when combined with something else, even if neither on their own are PII". The bottom line is: does some combination of information identify a person? Then it's PII (it's in the name really!), but unfortunately that means there is no clear, simple list of things that are or aren't PII; it really depends on each individual case.

Her advice was to think carefully about any data stored about or for users and to avoid storing it if possible, and if not possible, think carefully about whether or not it could identify a user in some way. It's not a very satisfying answer, I know. It also doesn't answer your question :(