PII (Personally Identifiable Information): Protecting Personal Data in Web Analytics

Personally Identifiable Information (PII) is any information that can identify a specific individual, alone or combined with other data. In analytics, PII drives compliance challenges under GDPR, CCPA, and similar laws and demands a real protection strategy.

PII Fundamentals

Definition

PII includes any information that can distinguish or trace an individual's identity, alone or together with linked or linkable personal information.

Data that uniquely identifies a person:

  • Full name
  • Social Security number
  • Passport number
  • Email
  • Phone number
  • Biometric data

Data that identifies when combined:

  • Date of birth
  • ZIP code
  • IP address
  • Cookie ID
  • Demographic characteristics
  • Geolocation data

PII vs Personal Data

The American "PII" and the European "personal data" are not the same.

| Aspect | PII (USA) | Personal Data (GDPR) |
| --- | --- | --- |
| Definition | Distinguishes a specific person | Any information relating to an identifiable person |
| Scope | Identification focus | Broader |
| IP addresses | Not always considered PII | Considered personal data |
| Cookies | Disputed | Definitely personal data |
| Regulation | Various federal/state laws | Unified GDPR regulation |

Key Difference

According to an Article 29 Working Party opinion, personal data that has been de-identified, encrypted or pseudonymized but can still be used to re-identify a person remains personal data and falls within the scope of GDPR.

PII Sensitivity

Sensitive PII

Information whose disclosure could cause significant harm.

Financial:

  • Credit card numbers
  • Bank accounts
  • Financial history
  • Tax IDs

Medical:

  • Medical history
  • Prescriptions and diagnoses
  • Biometric indicators
  • Genetic information

Government:

  • Social Security numbers
  • Driver's licenses
  • Passports
  • Military IDs

Non-sensitive PII

Data that alone is low-risk but dangerous in combination.

  • Name (without other data)
  • Place of work
  • Education
  • Public social profiles
  • ZIP code

Combination Risk

Non-PII can become PII when additional information becomes publicly available from any source and, combined with other available information, could be used to identify an individual.

Risks and Threats

Identity Theft

With a few pieces of personal information, thieves can open false accounts, accumulate debt, fake a passport, or sell the identity.

```mermaid
graph TD
    A[PII Breach] --> B[Financial Fraud]
    A --> C[Medical Fraud]
    A --> D[Tax Credit Theft]
    A --> E[Fake Account Creation]
    B --> F[Money Loss]
    C --> G[Wrong Medical Treatment]
    D --> H[IRS Problems]
    E --> I[Reputational Damage]
```

Emotional impact:

  • Stress and anxiety
  • Lost trust in digital services
  • Time spent on recovery
  • Long-term financial issues

Business Threats

Financial:

  • Amazon was fined $888 million for a GDPR violation in 2021
  • CCPA can impose fines of $2,500 per violation and $7,500 for intentional violations
  • Lawsuits from affected parties
  • Customer churn

Reputational:

  • Lower customer trust
  • Negative press
  • Competitive disadvantage
  • Long-term brand damage

Scale of the Problem

According to ESG research, 66% of companies that underwent data privacy audits in the last three years failed at least once, and 23% failed three or more times.

Regulation

GDPR (European Union)

GDPR sets strict rules for processing personal data.

Grounds:

  • Consent
  • Contract performance
  • Legal obligation
  • Vital interests
  • Public interest tasks
  • Legitimate interests

Requirements:

  • Collect only what's necessary
  • Purpose limitation
  • Storage limitation
  • Accuracy

Core rights:

  • Information
  • Access
  • Rectification
  • Erasure (right to be forgotten)
  • Restriction
  • Portability

GDPR sanctions:

  • Up to 4% of global annual turnover
  • Up to €20 million
  • Notification within 72 hours
  • Notice to affected individuals

CCPA/CPRA (California)

CCPA defines personal information as "Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Consumer rights:

  • Right to know what personal data is collected
  • Right to delete personal data
  • Right to opt-out of sale of personal data
  • Right to non-discrimination

Features:

  • Applies to households, not just individuals
  • Includes IP addresses as personal information
  • Threshold: $25M annual revenue or 50,000+ consumers
  • Fines up to $7,500 for intentional violations

Other Jurisdictions

| Law | Region | Key Features |
| --- | --- | --- |
| PIPEDA | Canada | Consent for collection, use, disclosure |
| LGPD | Brazil | GDPR-like, fines up to 2% of revenue |
| PDPA | Singapore | Notice, consent, portability |
| POPI Act | South Africa | 8 information protection principles |

PII in Analytics

Where PII Sneaks In

Many standard analytics metrics can carry PII.

Auto-collected:

```javascript
// Potentially problematic data
const collectedEvent = {
  "ip_address": "192.168.1.100",        // PII under GDPR
  "user_agent": "Mozilla/5.0...",       // Indirect identifier
  "session_id": "abc123...",            // Can link activity
  "client_id": "GA1.2.123456...",       // Persistent identifier
  "geolocation": "lat:40.7, lng:-74.0", // Precise geolocation - PII
  "referrer": "https://internal-app.com/user/john" // May contain PII
};
```

In custom events:

  • Email in event parameters
  • Usernames in URLs
  • Personal IDs in custom dimensions
  • Search queries with personal terms

URL Problem Example

A URL like example.com/user/[email protected]/dashboard contains an email address in its path; the address is PII and appears automatically in analytics reports.
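One way to keep such URLs and event parameters out of reports is to scrub them before the event is sent. This is an added example, not code from the original page; the helper names, the REDACTED placeholders and the list of sensitive query parameters are assumptions.

```javascript
// Added example: redact PII from an analytics event before it is sent.
// scrubText, scrubUrl and scrubEvent are hypothetical helper names.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Query parameters assumed to carry personal data; extend per site.
const SENSITIVE_PARAMS = new Set(['email', 'name', 'phone', 'q']);

function scrubText(value) {
  return String(value).replace(EMAIL_RE, 'REDACTED_EMAIL');
}

function scrubUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return scrubText(rawUrl); // no scheme: treat as plain text
  }
  url.username = ''; // credentials embedded in a URL never belong in reports
  url.password = '';
  url.pathname = url.pathname.split('/').map((seg) => {
    let decoded = seg;
    try { decoded = decodeURIComponent(seg); } catch { /* malformed escape: keep raw */ }
    const clean = scrubText(decoded); // decoding first also catches jane%40example.org
    // Segments without a match are returned byte-for-byte unchanged.
    return clean === decoded ? seg : encodeURIComponent(clean);
  }).join('/');
  for (const [key, value] of [...url.searchParams]) {
    const redact = SENSITIVE_PARAMS.has(key.toLowerCase());
    url.searchParams.set(key, redact ? 'REDACTED' : scrubText(value));
  }
  url.hash = scrubText(url.hash);
  return url.toString();
}

// Walk a payload: URL-like fields go through scrubUrl, other strings through scrubText.
function scrubEvent(value, key = '') {
  if (Array.isArray(value)) return value.map((v) => scrubEvent(v, key));
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, scrubEvent(v, k)]));
  }
  if (typeof value !== 'string') return value;
  return /url|referrer|page/i.test(key) ? scrubUrl(value) : scrubText(value);
}
```

Pattern matching only catches values that look like PII: a bare username in a path such as /user/john passes through, so routes like that are better reported as a template (/user/:id).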

Protection in Analytics

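One-way hashing of sensitive data. The same address always produces the same digest, so a hashed email is a pseudonym rather than anonymous data and, as noted under Key Difference, remains personal data under GDPR:

```javascript
// Requires the crypto-js library
import CryptoJS from 'crypto-js';

// Normalize and hash the email so the raw address is never sent
function hashEmail(email) {
    return CryptoJS.SHA256(email.toLowerCase().trim()).toString();
}

// Send hashed identifier
// (`analytics` and `userEmail` come from the surrounding application)
analytics.track('user_signup', {
    'user_id_hashed': hashEmail(userEmail),
    'signup_source': 'website'
});
```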
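The snippet above uses an unkeyed SHA-256, which anyone who already holds an address list can recompute. The added example below (not from the original page; Node.js server-side, with function names and key handling as assumptions) contrasts it with HMAC-SHA256 under a server-held secret and includes an audit check for whether a stored identifier can be linked back to known addresses.

```javascript
// Added example (Node.js, server-side): unkeyed hash vs. keyed pseudonym.
const nodeCrypto = require('node:crypto');

function normalizeEmail(email) {
  return email.trim().toLowerCase();
}

// Unkeyed digest, equivalent to the snippet above.
function plainHash(email) {
  return nodeCrypto.createHash('sha256')
    .update(normalizeEmail(email)).digest('hex');
}

// Keyed digest: HMAC-SHA256 under a secret that stays on the server.
// Rotating the key deliberately breaks linkage to identifiers issued before.
function keyedPseudonym(email, secretKey) {
  if (!Buffer.isBuffer(secretKey) || secretKey.length < 32) {
    throw new Error('secretKey must be a Buffer of at least 32 bytes');
  }
  return nodeCrypto.createHmac('sha256', secretKey)
    .update(normalizeEmail(email)).digest('hex');
}

// Audit helper: which addresses from a known list reproduce a stored identifier
// when only the public hash function is available?
function linkableAddresses(storedId, knownEmails, hashFn = plainHash) {
  return knownEmails.filter((email) => hashFn(email) === storedId);
}
```

A non-empty result from `linkableAddresses` means the stored identifier can be re-identified without any secret; the keyed variant still counts as pseudonymized personal data because the key holder can reproduce it.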

Replace identifiers with pseudonyms:

  • Random IDs instead of email
  • Internal user_id
  • Session tokens
  • Reversible only via a protected database

Mask last octets:

  • 192.168.1.100 → 192.168.1.0
  • 2001:db8::1 → 2001:db8::
  • Reduce geo accuracy to city/region
  • Aligns with GDPR
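The masking rule above as an added example (not code from the original page): IPv4 addresses lose their last octet and IPv6 addresses are cut to their first three groups. The function names and the /48 IPv6 prefix are assumptions; input that does not parse returns null so the caller drops the field instead of storing the raw value.

```javascript
// Added example: truncate IP addresses before they are stored.
// Function names and the IPv6 /48 prefix (first three groups) are assumptions.
function maskIPv4(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 &&
    parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) return null;
  parts[3] = '0'; // 192.168.1.100 -> 192.168.1.0
  return parts.join('.');
}

// Expand "::" so the address is always eight hex groups; null if malformed.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const zeros = halves.length === 2 ? Array(missing).fill('0') : [];
  const groups = [...head, ...zeros, ...tail];
  return groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g)) ? groups : null;
}

function maskIPv6(ip, keepGroups = 3) {
  const groups = expandIPv6(ip.split('%')[0]); // ignore a zone id such as %eth0
  if (!groups) return null;
  const kept = groups.slice(0, keepGroups).map((g) => parseInt(g, 16).toString(16));
  while (kept.length && kept[kept.length - 1] === '0') kept.pop();
  return kept.join(':') + '::'; // 2001:db8::1 -> 2001:db8::
}

// Returns the masked address, or null when the input is not a valid IP.
function maskIp(ip) {
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(ip);
  if (mapped) return maskIPv4(mapped[1]); // IPv4-mapped IPv6
  return ip.includes(':') ? maskIPv6(ip) : maskIPv4(ip);
}
```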

Required for operation:

  • Session cookies
  • Site security
  • Basic functionality
  • No consent required

Performance measurement:

  • Anonymized analytics
  • Aggregated metrics
  • A/B testing
  • Consent required

Personalization and ads:

  • Behavioral targeting
  • Remarketing
  • Cross-site tracking
  • Explicit consent required

Consent gating:

```javascript
// Check consent before tracking
// (hasConsent() is assumed to be supplied by the site's consent manager)
function trackEvent(eventName, eventData) {
    if (hasConsent('analytics')) {
        // Full tracking with personal data
        analytics.track(eventName, eventData);
    } else if (hasConsent('essential')) {
        // Only anonymous aggregated data
        analytics.track(eventName, {
            'event_category': eventData.category,
            'consent_status': 'declined'
        });
    }
}
```

Technical Protection

Encryption

At rest:

  • AES-256 for databases
  • Encrypted backups
  • Protected key storage
  • Regular key rotation

In transit:

  • TLS 1.3 on all connections
  • Certificate pinning
  • HSTS
  • Encrypted API endpoints

Access Control

Identity and Access Management (IAM):

| Access Level | Data | Personnel |
| --- | --- | --- |
| Full | All PII | Data Protection Officer |
| Limited | Hashed PII | Analysts |
| Aggregated | Metrics only | Marketers |
| Public | Anonymous reports | All employees |

Controls:

  • MFA
  • Role-based access (RBAC)
  • Zero-trust architecture
  • Access logs

Monitoring and Detection

Data Loss Prevention (DLP):

  • PII scanning
  • Block unauthorized transfers
  • Sensitivity classification
  • Auto-masking

```mermaid
graph LR
    A[Data Sources] --> B[DLP Scanner]
    B --> C{PII Detected?}
    C -->|Yes| D[Block/Mask]
    C -->|No| E[Allow]
    D --> F[Alert Security Team]
    E --> G[Log Activity]
```

Breach Procedures

72-Hour Plan (GDPR)

Hours 0-4: Detection

  • Isolate affected systems
  • Initial scope assessment
  • Activate response team

Hours 4-24: Investigation

  • Determine cause
  • Identify affected data
  • Document the incident

Hours 24-72: Notification

  • Notify regulator
  • Prepare DPA report
  • Plan user notifications

Notification Requirements

Required content:

  • Nature of the breach
  • Categories and approximate number of subjects
  • Likely consequences
  • Measures taken or planned

Recovery

Technical:

  • Apply patches
  • Replace compromised keys
  • Increase monitoring
  • Audit access

With affected parties:

  • Personal notifications
  • Free credit monitoring
  • Protection consultations
  • Damage compensation

Best Practices for Analytics

Privacy by Design

Data minimization:

  • Collect only necessary metrics
  • Auto-delete old data
  • Aggregate over detail

Transparency:

  • Clear privacy policy
  • Plain-language cookie notices
  • Accessible tracking information

User control:

  • Granular settings
  • Easy consent withdrawal
  • View collected data

Alternative Approaches

Server-side tracking:

  • Bypass blockers
  • Full data control
  • Compliance-friendly
  • Less browser dependency

Differential privacy:

  • Statistical noise
  • Individual record protection
  • Aggregate utility
  • Works at scale

Federated learning:

  • Train without data transfer
  • Local processing
  • Aggregate results only
  • Maximum privacy

Compliance Checklist

  • Inventory all collected data
  • Classify by sensitivity
  • Document legal grounds
  • Implement consent procedures
  • Deploy subject rights handling
  • Train staff
  • Run regular privacy impact assessments
  • Sign data processing agreements with vendors

PII protection in analytics needs technical, procedural, and legal alignment. Modern analytics platforms must balance the need for detailed data with obligations to protect users.

About AI participation in writing articles

This article, like many others on our site, was created, written and proofread by a team of developers. Of course, not without the participation of AI assistants. We don't hide this and believe that modern systems are already quite good at handling simple tasks and, relatively speaking, writing an article about Viewport yourself is quite strange. It won't come out significantly better and will take a lot of time. But providing basic understanding to beginner webmasters is necessary. Of course, after the article is written by assistants - there's always proofreading, and this is where not one or two people participate, and only after that the article is published.
