Here’s what Google says is PII:
- Name
- Username + Password
- Email Address
- Credit Card Details
- Government ID
- Public user name
Here’s what Google doesn’t consider to be PII:
- CRM Identifier
- “Private” Username (i.e. FusionAuth User UUID)
- Aggregated Classification
- Shared Dimension
- IP addresses (excluded from definition)
References:
- Best practices to avoid sending Personally Identifiable Information (PII)
- Are ‘usernames’ Privately-Identifiable Information (PII)?
- Is GDPR going to kill your company’s Google Analytics?
- Why You Could Lose ALL Your Google Analytics Data
Google Analytics and GDPR Summary
These are the key points to take out of this post, but as I said before, your company needs to make its own decisions and most importantly document them.
- Google Analytics in its standard set up is pretty GDPR / PII compliant
- Risks vary from low to high depending on how customised your installation of Google Analytics is
- To improve the standard set up look at:
- Anonymising IPs
- Check and remove PII in URLs
- Turn on Data retention limits for User and Event data
- Check whether PII is intentionally being stored, and consider that this breaks the GA Service Level Agreement and what legal right (consent / legitimate interest) you may have to hold that data
If you have a custom GA setup using known PII then you have 4 options:
- Get users to give consent to use it
- Build a legitimate interest case for it
- Remove it
- Anonymise it
Also, remember you could be breaking the Google Analytics Service level agreement by storing PII in there!
Slug
Current user’s slug is PII and should never be transmitted to Google Analytics.
FusionAuth User IDs
Lovia uses FusionAuth User IDs which are UUIDs. These should always be used when dealing with Google Analytics, as they are not PII.
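The rules above (remove PII from URLs, anonymise IPs, never send the slug, identify users only by UUID) can be enforced in one place before anything reaches Google Analytics. This is an added example, not Lovia's or Google's code; the /u/<slug> route, the PII_PARAMS list and the function names are assumptions made for illustration.

```javascript
// Added example. Assumptions (not from the page): profile pages live at
// /u/<slug>, and PII_PARAMS lists the query keys that may carry PII.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const EMAIL_SRC = "[^\\s/?&=@]+(?:@|%40)[^\\s/?&=@]+\\.[a-z]{2,}";
const PII_PARAMS = new Set(["email", "name", "username", "password", "slug"]);
const SLUG_PATH_RE = /^\/u\/[^/]+/; // hypothetical profile route

// Only a UUID (the FusionAuth user ID) is allowed through as the GA user ID.
function analyticsUserId(user) {
  const id = String((user && user.id) || "");
  return UUID_RE.test(id) ? id.toLowerCase() : undefined;
}

// Return path + query with slugs, e-mail addresses and PII parameters removed.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl, "https://placeholder.invalid");
  const path = url.pathname
    .replace(SLUG_PATH_RE, "/u/REDACTED")
    .replace(new RegExp(EMAIL_SRC, "gi"), "REDACTED");
  const kept = [];
  for (const [key, value] of url.searchParams) {
    if (PII_PARAMS.has(key.toLowerCase())) continue; // drop known PII keys
    const safe = new RegExp(EMAIL_SRC, "i").test(value) ? "REDACTED" : value;
    kept.push(encodeURIComponent(key) + "=" + encodeURIComponent(safe));
  }
  return path + (kept.length ? "?" + kept.join("&") : "");
}

// Build the settings object for gtag('config', <property id>, ...).
function gaConfig(user, rawUrl) {
  return {
    anonymize_ip: true, // IP anonymisation, as recommended in the summary
    user_id: analyticsUserId(user), // undefined when the ID is not a UUID
    page_path: scrubUrl(rawUrl),
  };
}
```

A user object whose id is not a UUID yields user_id: undefined, so a slug passed by mistake is dropped rather than sent.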
Special Category Data Controller
By its nature, Lovia and Miluv are special category data controllers processing this type of information:
- race
- ethnic origin
- politics
- religion
- trade union membership
- genetics
- biometrics (where used for ID purposes)
- health
- sex life
- sexual orientation
As a company, you are a Data Controller, and Google is a Data Processor. In this special category relationship, the Data Controller must protect the data subject from the Processor’s risks.
If you are processing special category data through Google Analytics you may consider “hiding” the IP of visitors from the system.
Google provides a tool for this (yep, who knew); it was created thanks to the German privacy requirements and is available here.
List of Subcontractors
The GDPR states that processing of data without explicit consent is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” (Article 6, paragraph 1 (f)*). There’s a legitimate business interest for you to measure and understand your revenue.
You should also list ChartMogul in your list of subcontractors as required by the GDPR (you can see our own list here). You should also read and sign our data processing agreement and send it back to us.
Difference between PII and Personal Data
Sensitive PII
PII is considered sensitive if the loss, compromise, or unauthorized disclosure of this data could result in harm, embarrassment, inconvenience, or unfairness to an individual. For instance, the following information is considered to be sensitive PII:
- medical
- educational
- financial
- employment information