PII is the older, US-centric term that most data privacy regulations and information security frameworks were built around. It typically refers to data that could be used — alone or in combination — to identify a specific person: full name, Social Security number, driver's license, account credentials, biometric records.
The GDPR's "personal data" definition is broader than PII as classically understood. Under traditional PII, an IP address might not always be covered; under GDPR, it usually is. US state laws — CCPA/CPRA, Colorado, Connecticut, and others — have updated their definitions to mirror the GDPR's broader scope, so the practical gap is narrowing, but the term PII still appears in older laws, NIST frameworks, and security standards.
When you see "PII" in a contract, security policy, or product specification, treat it as a signal to pin down which legal definition applies in that context. For most modern compliance work, the safer mental model is the GDPR's broad "personal data": anything that relates to an identifiable individual, including inferences drawn about them.
