Schema properties whose names suggest personally identifiable information such as email, ssn, phone, dob, birth, or address should carry an x-pii marker so privacy tooling, governance, and consumers can identify and handle sensitive data appropriately across the API surface.
OpenAPI Schema Property PII Info
Message: Properties that look like PII SHOULD carry an x-pii marker.
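A minimal sketch of this check, added here as an illustration and not the rule's own implementation. It assumes a case-insensitive substring match on the name hints listed above and that the presence of an x-pii key counts as classification; the function names and the sample document are constructed.

```python
import re

# Assumption: case-insensitive substring match on the hints the page lists.
PII_HINT = re.compile(r"email|ssn|phone|dob|birth|address", re.IGNORECASE)


def find_unmarked_pii(schema, path):
    """Yield paths of PII-looking properties that carry no x-pii key."""
    if not isinstance(schema, dict):
        return
    for name, prop in (schema.get("properties") or {}).items():
        here = f"{path}.properties.{name}"
        if PII_HINT.search(name) and isinstance(prop, dict) and "x-pii" not in prop:
            yield here
        yield from find_unmarked_pii(prop, here)  # nested objects
    if "items" in schema:  # array element schemas
        yield from find_unmarked_pii(schema["items"], f"{path}.items")
    for key in ("allOf", "oneOf", "anyOf"):  # composed schemas
        for i, sub in enumerate(schema.get(key) or []):
            yield from find_unmarked_pii(sub, f"{path}.{key}[{i}]")


def lint(spec):
    """Return the findings for every schema under components.schemas."""
    schemas = (spec.get("components") or {}).get("schemas") or {}
    findings = []
    for name, schema in schemas.items():
        findings.extend(find_unmarked_pii(schema, f"components.schemas.{name}"))
    return findings


# Constructed sample: email is classified, two nested properties are not.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {"schemas": {"Customer": {
        "type": "object",
        "properties": {
            "id": {"type": "string"},
            "email": {"type": "string", "x-pii": True},
            "dateOfBirth": {"type": "string", "format": "date"},
            "contacts": {"type": "array", "items": {
                "type": "object",
                "properties": {"phoneNumber": {"type": "string"}},
            }},
        },
    }}},
}

if __name__ == "__main__":
    for finding in lint(SAMPLE_SPEC):
        print(f"{finding}: Properties that look like PII SHOULD carry an x-pii marker.")
```

Name matching is a heuristic: it flags candidates for review and does not find PII stored under neutral property names.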
Policies
Data Privacy and PII Classified
I require that every schema property carrying personally identifiable information is explicitly classified as such in the API definition, so that PII is visible to governance, tooling, and downstre...