Cardinal Path’s response to COVID-19 Cardinal Path is sharing all we know to help marketers during COVID-19.  Learn more.

It’s time for some real-talk. If you are an enterprise brand and you haven’t already undertaken the necessary steps to root out personally identifiable information (PII) throughout your data ecosystem, you need to address this as soon as possible. 

Marketers have enough to reckon with in this digital-first world and data breaches, compliance concerns, and the potential for losing consumer trust in your brand are all risks you don’t need right now. 

Download our Free Guide to PII in Google Analytics

I’ve conducted enough data privacy engagements with some of the world’s largest brands to know that if you’re reading this, you likely have PII leaching into your Google Analytics account. The good news is that this can be remedied with some straightforward steps, a continuous monitoring solution to prevent future leaks, and robust hardening against what could lead to major problems. Digital data is your secret weapon, and must be treated as the precious asset it is for your organization.

What is Personally Identifiable Information, or PII?

Like legislative bodies around the world, Google has addressed the issue of privacy head-on by adding stipulations around data privacy to its terms of service for its core analytics product, Google Analytics (GA). Google Analytics policies clearly prohibit the collection of PII.

When your GA account ends up containing personally identifiable information, it may have a significant impact on your organization, with challenges such as:

  • Increased probability that PII has infiltrated other data repositories, which may not be aligned with your organization’s privacy policies and other obligations
  • Triggering unexpected compliance obligations under privacy laws
  • Increased level of effort and complexity in responding to personal information requests
  • Broken trust with customers, prospects, and partners

Examples of PII as defined by Google commonly include email addresses, phone numbers, physical addresses and full names, among others. Examples of what may not be considered PII by Google include IP addresses or pseudonymous user identifiers such as a numeric ID that ties back to a platform outside of Google Analytics. 

Google’s interpretation of PII today is “information that could be used on its own to directly identify, contact, or precisely locate an individual.” 

The definition above is a good starting point for understanding the concept of PII, but it’s important to involve your organization’s legal team and complete a proper review of the contracts, terms of service, and policies that apply to platforms such as Google Analytics —

as well as your organization’s own policies — to determine what types of data may be considered personal in nature and may not be appropriate to collect in each case.

Why is PII so important?

As marketers, we are experiencing a massive shift around the way we obtain and use personal data. The data privacy landscape has become increasingly complex, with disparate influences converging to shape what privacy means for your organization and to your customers.

Consumer trust is eroding. 
With large data breaches frequently in the headlines, customers are losing confidence in companies’ ability to keep their private information safe and secure. Signals include the large swaths of consumers taking steps to opt out of data-sharing, whether it’s simply not consenting to be tracked on their favorite websites or installing ad blocking software in their browser.

Legislative intervention is on the rise. 
Governments around the globe are becoming more active in regulating how organizations can utilize consumer data. In just the last two years, major statutory changes have gone into effect, drastically altering the privacy landscape. The most well known of these, the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), may be a harbinger of additional governmental actions to come.

Tech industry leaders are listening. 
Google has announced that it will soon block third-party cookies in its Chrome web browser, joining Apple Safari’s Intelligent Tracking Protection (ITP) and Mozilla Firefox’s Enhanced Tracking Protection (ETP) feature in potentially fundamentally changing the way online tracking and privacy work. Meanwhile, new privacy-oriented alternatives to major digital players are coming to market, such as the Duck Duck Go search engine or Brave browser, and existing market leaders are updating their policies to address privacy concerns, following the lead of government. 

With these coinciding influences, data privacy has become both highly complex and highly fluid as the ground continues to shift, forcing companies to adapt in real time. All of these elements are pushing organizations towards investing in and developing its first party data.

First party data is information a company has directly collected on a consumer. Sometimes that data might include elements that may be classified as “personal data” (GDPR), “personal information” (CCPA), or “personally identifiable information” (Google, among others), each of which are defined and regulated differently. 

With companies collecting more first party data than ever, there are more opportunities to unintentionally collect consumer information that fits these definitions. For every company that has made headlines for customer data breaches, there are likely many others who have unknowingly collected individuals’ personal data in their digital platforms, introducing risk to the organization. It’s these risks that you should be aware of and take seriously.


The elephant in the room is most likely the PII in your data. It’s something most brands are actively, and unknowingly collecting and can have dire data privacy implications for your organization. In collaboration with data privacy experts, analytics practitioners, and legal teams, we have put together a definitive guide to combating PII within Google Analytics

Learn more about why PII is a time-sensitive concern, how to mitigate your immediate risks, and stand up a tried-and-true solution that will harden your organization against it and give you the freedom to focus on forward-thinking strategies to maintain a competitive advantage.