Here’s what Google says is PII:
- Username + Password
- Email Address
- Credit Card Details
- Government ID
- Public user name
Here’s Google doesn’t consider to be PII:
- CRM Identifier
- “Private” Username (i.e. FusionAuth User UUID)
- Aggregated Classification
- Shared Dimension
- IP addresses (excluded from definition)
- Best practices to avoid sending Personally Identifiable Information (PII)
- Are ‘usernames’ Privately-Identifiable Information (PII)?
- Is GDPR going to kill your company’s Google Analytics?
- Why You Could Lose ALL Your Google Analytics Data
Google Analytics and GDPR Summary
These are the key points to take out of this post, but as I said before, your company needs to make its own decisions and most importantly document them.
- Google Analytics in its standard set up is pretty GDPR / PII compliant
- Risks vary from low to high depending on how customised your installation of Google Analytics is
- To improve the standard set up look at:
- Anonymising IPs
- Check and remove PII in URLs
- Turn on Data retention limits for User and Event data
- Check if PII is intentionally being stored and consider that this breaks GA Service Level Agreement and what legal right (consent / legitimate interest) you may have to hold that data
If you have a custom GA setup using known PII then you have 4 options
- Get users to give consent to use it
- Build a legitimate interest case for it
- Remove it
- Anonymise it
Also, remember you could be breaking the Google Analytics Service level agreement by storing PII in there!
Current user’s slug is PII and should never be transmitted to Google Analytics.
FusionAuth User IDs
Lovia uses FusionAuth User IDs which are UUIDs. These should always be used when dealing with Google Analytics, as they are not PII.
Special Category Data Controller
By its nature, Lovia and Miluv are special category data controllers processing this type of information:
- ethnic origin
trade union membership genetics biometrics(where used for ID purposes)
- sex life
- sexual orientation
As a company, you are a Data Controller, and Google is a Data Processor. In this special category relationship, the Data Controller must protect the data subject from the Processor’s risks.
If you are processing special category data through Google Analytics you may consider “hiding” the IP of visitors from the system
There is a tool provided by Google (yep who knew) but thanks to the German privacy requirements this has been created and is available here.
List of Subcontractors
The GDPR states that processing of data without explicit consent is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by a third party” (Article 6, paragraph 1 (f)*). There’s a legitimate business interest for you to measure and understand your revenue.
You should also list ChartMogul in your list of subcontractors as required by the GDPR (you can see our own list here). You should also read and sign our data processing agreement and send it back to us.
Difference between PII and Personal Data
PII is considered as sensitive if the loss, compromission, or disclosure without authorization of this data could result in harm, embarrassment, inconvenience, or unfairness to an individual. For instance, the following information is considered to be sensitive PII:
- employment information