Are ‘usernames’ Privately-Identifiable Information (PII)?

Are ‘usernames’ Privately-Identifiable Information (PII)?

On their own, usernames and login IDs are not Privately-Identifiable Information (PII).   They are insufficient on their own to identify a person.  However, in our interconnected world, PII leakage across a number of sites can facilitate identifying a person with simply a username.

At the recent Google Analytics Summit, it was announced that data uploads from offline systems into Google Analytics are now possible.  While this is a wonderful new feature, without proper governance and oversight, you could land in hot water if care is not taken to keep PII out.

  • The Google Analytics Terms of Service (US version) stipulates that you agree to not send any PII in your Google Analytics data stream.
  • If PII does find its way into Google Analytics, the only way to remove it is to delete the profile completely.
  • If this happens, all historical data will be lost.  So, ensure you do not accidentally upload PII  to Google Analytics.

Google considers public usernames to be PII, but not private usernames.  Here’s what Google says is PII:

  • Name
  • Username + Password
  • Email Address
  • Credit Card Details
  • Government ID
  • Public user name

Here’s Google doesn’t consider to be PII:

  • CRM Identifier
  • “Private” Username
  • Aggregated Classification
  • Shared Dimension

‘Private usernames’ are private if they are system generated.  In this case, we agree that they are not PII since such randomly generated numbers would not be cross-referenceable with any other source.

However, if you are allowed to select a system username, you may decide to use your public Twitter handle as your username.  You may mention your Twitter ID on your Facebook or Google+ page or LinkedIn profile.  Self-selected system usernames should be considered PII because a site owner will not know if a person’s self selected usernames are the same as their public username.

Similarly, the information that isn’t PII (CRM Identifier, Aggregated Classification and Shared Dimension) are all typically generated by the CRM or database system, and not likely to be cross-referenceable externally to identify a person.

Here’s the current privacy section from Google’s Terms of Use  (US version):

…7.  Privacy.
You will not (and will not allow any third party to) use the Service to track, collect or upload any data that personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to such information by Google. You will have and abide by an appropriate Privacy Policy and will comply with all applicable laws and regulations relating to the collection of information from Visitors. You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data, and You must not circumvent any privacy features (e.g., an opt-out) that are part of the Service.

There are too many privacy gaffes still occurring these days.  We suggest proactively informing and reminding those who are handling data to think about why this is happening, and take care of your customers.

=====

Note:  The information in this post should not be considered legal advice or information.  Consult with your lawyer for legal advice.

By | 2014-10-31T15:17:06+00:00 November 5th, 2012|Analytics, Google Analytics, Privacy|7 Comments

7 Comments

  1. Boris May 28, 2014 at 12:24 pm - Reply

    So if Google considers names or usernames to be PII. What about scenarios such as these:

    http://www.url.com/profiles/johnson4
    http://www.facebook.com/profile.name

    What about simple searches on websites. For example about.com, which is a major adsense earner, has a search bar, so do millions of other websites which run adsense. Are we all suppose to take adsense out of the search results, simply because someone might go and search for username or a name of the person? Right now you go to about.com and search for a name, adsense is there.

    What about cases where it is a white pages, or a linked in type websites. White pages are free to use and might have names in the link, otherwise it won’t work as well.

    For example: http://www.myawesomewhitepage.com/phones/444-435-4444

    What about yellow pages type websites. Businesses may have their phones listed, which is not a person to begin with.

    What now?

    • June Li May 30, 2014 at 4:19 pm

      Hi Boris,

      What Google does not want to happen is to have PII of the *visitor* to a website attached to *behaviour* collected by Google Analytics of *that visitor*.

      Person 1 can search for Person 2 on a website. The fact that Person 2 was searched for is not a violation of Person 1’s privacy. But recording the real name of Person 1 and putting it together with the fact that they searched for Person 2, would be a violation of proper use of Google Analytics to record Person 1’s behaviour.

      Hope this helps!

  2. Chris April 15, 2015 at 12:48 pm - Reply

    Where did you find or hear that “Aggregated Classification” is ok? I would like a link if possible to reference and share with folks.

    There are a number of things I would like to track but am not sure if they are considered PII or not such as the company name the user works at, or their job title. Do you have any references on either of these?

    • June Li April 15, 2015 at 10:26 pm

      Hi Chris,

      By definition, something that is “aggregated” should not be easily deconstructed by someone external to a company. Any aggregate should have a minimum of 3 inputs.

      Section 7 of the GA terms of use (https://www.google.com/analytics/terms/us.html) lists a few things Google considers personal information.

      If you can tell who a person is by the information, by definition, that is indeed “personally identifiable information”.

      If there is only one person with that job title at a company, that is likely PII if the job title is for a specific time. However, if there are many people with that job title, it is likely not PII because you can’t narrow down to one person with the job title and company.

      If you are looking for references you can use with your organization, you really should consult your corporate lawyer for an official position.

Leave A Comment