In this new age of ultra-connectivity, you may not know that you are already giving out personal information to others; worse, you might already be giving out your users' personal information. We should make sure we are not sending out Personally Identifiable Information, or PII.
What is Personally Identifiable Information?
PII is pretty much any data that could potentially identify a particular person. Anything that can be used to distinguish one person from another, or to de-anonymize a data set, can be considered PII.
PII can be classified as sensitive or non-sensitive. Non-sensitive PII can easily be gathered from public records, phone books, corporate directories and websites; it can be transmitted in unencrypted form without resulting in harm to the individual. Sensitive PII, on the other hand, includes biometric information, medical information, personally identifiable financial information (PIFI) and unique identifiers such as passport or Social Security numbers. Exposure of sensitive PII could result in harm to the individual whose privacy has been breached.
To protect user privacy, Google's policies state that no data may be passed to Google that Google would recognize as personally identifiable information (PII):
“To protect user privacy, Google policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII). PII includes, but is not limited to, information such as email addresses, personal mobile numbers, and social security numbers. Because laws across countries and territories vary, and because Google Analytics can be used in many ways, consult an attorney if you are in doubt whether certain information might constitute PII or not.”
How to avoid sending Personally Identifiable Information
When implementing Google Analytics, the following practices help reduce the chance of sending PII.
- PII entered by users – Be sure to remove PII from user-entered information in search boxes and form fields before it is sent to Analytics.
- Data Import – You should not upload any data that allows Google to identify an individual or a certain device even in hashed form.
- Geolocation – Ensure that the location collected is not GPS or fine-grained location information.
- Analytics features and privacy risk – No PII should be sent to Analytics when using features such as User ID override, Campaign dimensions, All custom dimensions, Site search dimensions, and Event dimensions.
- Page URLs and titles – The basic Analytics page tag collects the page URL and page title of every page that is viewed, so if there is any possibility of your URLs or titles containing PII, you'll need to remove it. The URL path and query parameters must be free of PII.
- AdSense – When using AdSense, keep an eye on form implementation (use POST rather than GET), URL schemes, links in emails, and keywords used for targeting.
- User IDs – When using your own user identifier to join offline data with Google Analytics, it must not be an email address, user login, social security number, phone number or any other piece of data that is deemed PII.
- Hashed and salted PII – You may use an encrypted identifier or custom dimension that is based on PII when sending data to Analytics, as long as you use the proper encryption level. Google requires at least SHA256 hashing and strongly recommends a salt (a one-off value that is difficult to guess) of at least 8 characters. You may not send Google Analytics encrypted Protected Health Information (as defined under HIPAA), even if it is hashed or salted.
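As an added example (not code from the original post), the following JavaScript scrubs email addresses, phone numbers and SSN-like values from a page URL's query string, path and fragment before the URL is handed to the analytics page tag. The regular expressions, the list of parameter names and the REDACTED marker are assumptions to adapt to your own forms and routes.

```javascript
// Added example (not from the original post): redact PII-looking values from a page
// URL before it is handed to the analytics page tag. The patterns, parameter names
// and the REDACTED marker are assumptions; tune them to your own forms and routes.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/;
// Loose phone match: 9+ digits with optional separators. Expect false positives on
// long numeric IDs; over-redacting is the safer failure mode for analytics data.
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/;
// Parameter names that carry PII by construction, whatever the value looks like.
const PII_PARAMS = new Set(['email', 'phone', 'ssn', 'name', 'firstname', 'lastname']);
const REDACTED = 'REDACTED';

function redactValue(value) {
  return EMAIL_RE.test(value) || SSN_RE.test(value) || PHONE_RE.test(value)
    ? REDACTED
    : value;
}

// Apply redactValue to each '/'-separated segment so the route structure survives.
function redactSegments(str) {
  return str.split('/').map(redactValue).join('/');
}

function scrubPiiFromUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    // Not an absolute URL: fall back to coarse redaction of the whole string.
    return redactSegments(rawUrl);
  }
  // Query string: blank known PII parameters by name, otherwise by pattern.
  for (const [key, value] of [...url.searchParams.entries()]) {
    url.searchParams.set(key, PII_PARAMS.has(key.toLowerCase()) ? REDACTED : redactValue(value));
  }
  // Path segments, e.g. /users/jane@example.com/profile.
  url.pathname = redactSegments(url.pathname);
  // Fragment, which single-page apps often use for routing.
  if (url.hash) url.hash = redactSegments(url.hash.slice(1));
  return url.toString();
}
```

Run this on `location.href` (and on the page title with `redactValue`) before the page view is sent, and log how often the marker appears so that leaking forms or routes can be fixed at the source.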