On their own, usernames and login IDs are not Personally Identifiable Information (PII): they are insufficient to identify a person. However, in our interconnected world, PII leakage across a number of sites can make it possible to identify a person from a username alone.
At the recent Google Analytics Summit, it was announced that data uploads from offline systems into Google Analytics are now possible. While this is a wonderful new feature, without proper governance and oversight, you could land in hot water if care is not taken to keep PII out.
- The Google Analytics Terms of Service (US version) stipulate that you agree not to send any PII in your Google Analytics data stream.
- If PII does find its way into Google Analytics, the only way to remove it is to delete the profile completely.
- If this happens, all historical data will be lost. So, ensure you do not accidentally upload PII to Google Analytics.
Google considers public usernames to be PII, but not private usernames. Here’s what Google says is PII:
- Username + Password
- Email Address
- Credit Card Details
- Government ID
- Public user name
Here’s what Google doesn’t consider to be PII:
- CRM Identifier
- “Private” Username
- Aggregated Classification
- Shared Dimension
‘Private usernames’ are private if they are system generated. In this case, we agree that they are not PII since such randomly generated numbers would not be cross-referenceable with any other source.
However, if you are allowed to select a system username, you may decide to use your public Twitter handle as your username. You may mention your Twitter ID on your Facebook or Google+ page or LinkedIn profile. Self-selected system usernames should be considered PII because a site owner will not know whether a person’s self-selected username is the same as their public username.
Similarly, the items that aren’t PII (CRM Identifier, Aggregated Classification and Shared Dimension) are all typically generated by the CRM or database system, and are not likely to be cross-referenceable externally to identify a person.
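The following Python example, added here and not part of the original post, prepares an offline CSV export before upload: it swaps a self-selected username for a random, system-generated ID and holds back any row that contains an e-mail address. The column names, sample rows and function names are assumptions.

```python
import csv
import io
import re
import secrets

# Deliberately broad e-mail pattern: better to hold back a row than to upload PII.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample export; the column names are assumptions.
SAMPLE = """username,plan,last_page
@jane_tweets,gold,/pricing
bob1984,free,/help?email=bob@example.com
@jane_tweets,gold,/checkout
"""


def private_id(username, id_map):
    """Return a random system-generated ID for a self-selected username.

    id_map stays in the offline system and is never uploaded, so the ID
    cannot be cross-referenced with any public handle.
    """
    if username not in id_map:
        id_map[username] = secrets.token_hex(8)
    return id_map[username]


def prepare_upload(csv_text, username_col, id_map):
    """Return (clean_rows, rejected) for a CSV export.

    clean_rows carry 'user_id' instead of the username column; rejected is a
    list of (line_number, [columns containing an e-mail address]).
    """
    clean, rejected = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        username = row.pop(username_col)
        leaks = [col for col, val in row.items()
                 if isinstance(val, str) and EMAIL_RE.search(val)]
        if leaks:
            rejected.append((line_no, leaks))
            continue
        clean.append({"user_id": private_id(username, id_map), **row})
    return clean, rejected
```

Rejected rows are reported with their line number and offending columns so they can be fixed at the source rather than silently dropped.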
There are too many privacy gaffes still occurring these days. We suggest proactively informing and reminding those who handle data to think about why this is happening, and to take care of your customers.
Note: The information in this post should not be considered legal advice or information. Consult with your lawyer for legal advice.