What are online trackers?

Online trackers, in simplest terms, are technologies used by websites and apps to collect data about user interactions. These trackers remember and recognize users by recording, processing, or logging details such as browsing habits, time spent on a webpage, clicked links, and more. This data may serve multiple purposes, from personalizing content and targeted ads to improving website functionality, analytics, or authenticating users for web experiences.

Some common organizational or business purposes for using online trackers include:

• Website analytics: Understanding how users interact with websites or which features they use help businesses improve their user experience and marketing strategies.
• Targeted advertising: Tracking technologies allow advertisers to show personalized ads based on your interests and browsing behavior.
• Fraud detection and security: Tracking can be used to identify and prevent suspicious activity, such as credit card fraud or online hacking.
• Market research: Companies use tracking data to learn about consumer behavior and preferences.
• Personalization: Some websites, advertising, and social media platforms use tracking to personalize your experience by remembering your preferences and settings.

Cookies, a type of tracker, are small pieces of data stored on a user’s device by websites a user visits. Cookies are used to remember user preferences, login information, auto-fill information, shopping cart information, and other information that help enhance a user’s experience.

First-Party and Third-Party Data: What’s the difference?

Online trackers (including first-party and third-party cookies) have the ability to collect two different kinds of data: first-party data and third-party data. What is the difference between the two?

First party data provides valuable specific information to your organization as it is collected directly from your audience (e.g., consumers, data subjects, or website users) and the lawful basis (e.g., consent, legitimate interest, etc.) will vary depending on the purpose and use of the data. In other words, first party data utilizes in-house or internally developed cookies or trackers set directly by your organization on your own web pages or web properties.

On the other hand, third-party data is information collected by other organizations that do not have a direct relationship or interaction with the user. This type of data is typically what is collected by online trackers that are provided by third-party providers (e.g., a third-party analytics or advertising provider) on a website. In other words, third-party data utilizes cookies that may be set by your organization, but are created by third-party service providers or partners, and placed in your web pages or web properties.

Third-party cookies can be accessed by external parties in a manner that results in less user control or understanding of data processed, collected, or tracking – including without the knowledge of the website owner. Since the result of third-party cookies is a physical file/data being placed on a users’ device, some browser providers believe there is elevated privacy risk and have decided to block third-party trackers/cookies, including Firefox and Safari, with Chrome following suit in early 2025 (expected).

Different types of online trackers

Online trackers can, depending on their use case and implementation, share personal or sensitive information with third-party entities, such as advertisers, to help with tailoring and personalizing advertising. This is done for a variety of reasons, including to make ads more relevant to recipients and also to manage ad spend. Trackers come in several forms, each serving distinct purposes and collecting different types of data. Below are some common examples of trackers:

1. Cookie trackers: These are small files stored on your device that track your website activities. Third-party cookies have been the primary method of storing client-side data for over two decades.
2. Pixels: Also known as web beacons, these are tiny, invisible images embedded in web pages or emails, used to track user interaction. These are popularly used for advertising as well, but have numerous purposes.
3. Browser fingerprinting: A more advanced method that gathers data about your device (like screen resolution, installed fonts, or browser type) to create a unique profile for tracking, even without cookies.
4. Embedded scripts: Code snippets that track user behavior within a website. These scripts create most trackers and are responsible for reading and storing data
5. Web beacons: Embedded images that track when a page is loaded.

Types of cookies

Generally speaking and historically, cookies have been one of the most common and popular forms of tracking technologies. Cookies can serve many purposes, including remembering preferences (language, login credentials), tracking website usage (clicks, pages visited), securing a page/preventing fraud, and aiding in personalized content, user experiences, and ads.

Types:

• Session cookies: Temporary, deleted when you close your browser.
• Persistent cookies: Remain on your device for a set period or until manually deleted.
• First-party cookies: Placed by the website you’re visiting or by embedded scripts loaded on your site.
• Third-party cookies: Placed by a different website (e.g., advertising network). They are usually created as a hidden frame and exchange information with a third-party domain.

Examples:

• Session cookie remembering your login on a website.
• Persistent cookie saving your language preference on a news site.
• Third-party cookie tracking your browsing across different websites to show targeted ads.

As noted above, cookies are a specific type of tracker, while trackers are a broader category. Cookies in particular primarily collect website browsing data, while trackers can gather a wider range of information.

Third-party cookies and trackers are at the center of recent privacy concerns due to their ability to collect, aggregate, and store information across sites without user consent. They are able to mass data harvesting, profiling, and real-time bidding for marketing advertising and analytics as well as gather extensive personal data, including IP addresses, search and browsing history, and private details like health and religious beliefs.

Cookie Consent Manager

Meet global consent requirements with minimal effort while maximizing opt-ins and fueling customer trust.

Learn more

Website Monitoring Manager

Identify and monitor cookies, trackers, and website behavior to deliver a secure digital user experience.

Learn more

Current and future state of third-party cookies in browsers

Cookies, first introduced in the 1990s as a way for websites to remember information about the user or their visits and at a time, called “HTTP cookies.” Cookies were designed to fill the gap created by the stateless nature of the web, where websites could not inherently remember previous interactions.
In some circumstances, third-party cookies can be used to track users around the web and build a detailed profile based on browser history and hence are referred to also as tracking cookies. This type of profiling and targeting that is not aggregated has become an essential tool for online advertisers, who use them to track individual user behavior across multiple websites to deliver personalized ads.

Legislation like the General Data Privacy Regulation (GDPR) and Digital Markets Act (DMA) in the European Union and the California Consumer Privacy Act (CCPA) have strong data privacy components around third-party cookie tracking. Combined with strong consumer demand for greater privacy, the combination of regulation and consumer demand has led web browsers and major publishers or media houses like the New York Times to react to these concerns by blocking or depreciating third-party cookies.

Chrome

While Google first pledged depreciation in 2022, there have been a number of delays over the last few years. On January 4th, 2024, Chrome began restricting third-party cookies for 1% of users, or approximately 30 million users, under Tracking Protection, with intention to restrict 100% of users in 2024. Google has now reversed it’s decision to phase out third-party cookies, and plans to maintain third-party cookie support while continuing to develop additional privacy-preserving functionality.

Google’s Privacy Sandbox, is the main vehicle which Google uses to test and development proposals for the replacement of third-party cookies with a collection of emerging technologies aimed at protecting users’ online privacy while also providing tools to provide relevant advertising and targeting.

The sandbox is designed to allow users to still see relevant ads based on interests, with the intent to keep personal information from being tracked or stored by websites. The effectiveness of these new approaches is novel and therefore, is yet unproven, and many details are still being worked out. Regulators such as the CMA (Competition & Markets Authority) and ICO (Information Commissioner’s Office) still have questions about these approaches.

Google’s Privacy Sandbox Proposal

Some of the new mechanisms within Google’s Privacy Sandbox include Google’s TopicsAI, a type of contextual targeting, which uses categories of topics of interest, without relevant additional information about the user’s browsing history. Other types of contextual targeting include keyword and semantic versus behavioral targeting. Some critics have had concerns that this may introduce discriminatory practices.

Google has also introduced other mechanisms such as Enhanced Conversions to capture hashed customer data where advertisers can collect hashed first party conversion data from a website to Google in a privacy safe way. Essentially, matching the data against Google’s logged-in data for identification.

CHIPS (Cookies Having Independent Partitioned State) is another method introduced by Google that allows developers to opt a cookie into partitioned storage, with a separate cookie jar per top-level site. This allows cookies to be set by third-party services, but only read within the context of the top-level site where they were initially set. This blocks cross-site tracking while still enabling non-tracking uses of cookies for different persisting use cases such as persisting chat widgets across different sites, persisting configuration information for CDN load balancing, or headless CMS providers.

FLoC (Federated Learning of Cohorts) is a new way for advertisers to show relevant ads by grouping users into cohorts with similar recent browsing history without being individually identified, providing a level of anonymity, while still allowing advertisers to deliver targeted ads.

Google continues to solicit feedback on its Privacy Sandbox proposal.

Firefox

Mozilla’s Firefox has already phased out third-party cookies and implemented Enhanced Tracking Protection (ETP) by default, blocking third-party cookies and limiting the data advertisers can collect. Firefox has yet to initiate alternative solutions, however it is possible to allow for usage of third-party cookies on a case-by-case basis in Firefox via browser settings.

Safari

Apple has also already blocked third-party cookies by default and implemented Intelligent Tracking Prevention (ITP) to protect user privacy. Apple has also taken a stringent approach towards cookies, where allowing access to third-party cookies per frame can only be done at the code level, via the Storage Access API. Similarly, Apple’s iOS updates (e.g., AppTrackingTransparency framework also known as ATT) has given users more control over their data, requiring apps to ask for permission to track user activities.

Emerging advertising technologies across platforms

With the demise of third-party cookies, advertisers are also turning to other emerging tech and advertising options such as universal IDs (e.g., TradeDesk Unified 2.0 solution), data clean rooms, device IDs, “on device” and client-side processing (e.g., Privacy Sandbox Solutions), contextual targeting, and server-side tags or customer data platforms. Techniques like fingerprinting and CNAME cloaking are also being considered.

Time will tell what privacy initiatives will be popular with consumers and marketers. While these new approaches and emerging tech are being tested for effectiveness, advertisers may need to further rely on first-party data instead.

Future of tracker vendor management

The challenge in the future as alternative tracking technologies arise will be two-fold. First, effective management of online trackers in compliance with privacy regulations will be increasingly important. Second, advertisers and publishers will need to obtain consent to process user data.

Organizations can future-proof their business by effectively managing cookies and online tracking technologies as well as obtaining end-user tracker consent with TrustArc’s compliance solutions:

• Cookie Consent Manager: Obtain tracker consents and manage trackers. Easily support server-side tag management integrations and zero-load best practices. Set up automated tracker scans (of pixel tags, beacons, HTML 5 local storage, HTTPS/JavaScript cookies, etc.) regularly and receive on-demand tracker reports for compliance (e.g., CCPA report). Amplify your advertising compliance and recognize enhanced privacy requirements and signals such as Global Privacy Controls (GPC), IAB TCF and GPP frameworks support, and Google Consent Mode as Google certified CMP.
• Website Monitoring Manager: Enrich tracker scanning, auditing, and reporting across your websites. This product includes on-demand compliance risk reports, regular automated tracker vendor scanning, and simplified compliance review to ensure adherence to regulations such as GDPR, CCPA, and guidelines by the FTC.
• Consent & Preference Manager: Leverage a universal preference center that captures all first-party data consents from your customers and sync preferences across all your third-party systems. With a universal repository, Tag Manager technologies can manage tracker technologies based on recorded consents and within an ad ecosystem, Ad Publishers can retrieve the consent status for a particular user in real-time from the Consent & Preferences Manager at the time of serving ads.
• DAA AMI Validation: Demonstrate your online advertising privacy compliance when using data collected through addressable media identifiers to safeguard consumer privacy. TRUSTe helps validate your practices in a cost-effective way assuring your partners and customers that your interest-based advertising practices align with industry standards and best practices.

As privacy regulations tighten and user awareness increases, it’s more crucial than ever for businesses to understand and manage online trackers effectively while maintaining transparency and trust.

Data hoarding is epidemic. The global pandemic triggered a second data gold rush, with enormous uptake of cloud computing’s ‘shovels and buckets’, as organizations scrambled to adapt to ‘digital first’ operations. Businesses were practically encouraged by cloud service providers to hoard all the data. But how much of it is worth something (if anything)?

Here’s how the volume of data created, captured and consumed worldwide is exploding thanks to cloud technologies according to research firm Statista:

• 2017 – 26 zettabytes of data in the world (approximately 26 billion terabytes or 26 trillion gigabytes)
• 2021 – 79 ZB at the height of the pandemic, triple the growth in four years
• 2024 – 147 ZB, almost doubling in growth again in three years
• 2025 – close to 200 ZB (200 trillion GB)

Researchers at Statista estimate most of the data made and consumed in the world isn’t stored long, with only a few percent of the total volume held over from one year to the next.

Still, businesses are determinedly hoarding more data than they need and for much longer than is necessary: by 2025 half the world’s data is expected to be stored in cloud servers at some point in its journey (according to The 2020 Data Attack Surface Report from Arcserve and Cybersecurity Ventures).

Consumers Demand Businesses Cut Cloud Pollution

The exponential growth of cloud computing is also causing devastating atmospheric and environmental pollution.

Businesses might have shrunk some of their direct energy costs (and real estate footprints) by switching from on-premises servers to cloud servers, but their carbon footprint from powering computers and server room cooling systems hasn’t disappeared – it’s just out of sight.

Yes, some larger cloud providers are now moving towards carbon-neutral services, but as data hoarding is an escalating trend, carbon-cutting efforts must rapidly scale up across the entire industry.

The Cloud Is Material: On the Environmental Impacts of Computation and Data Storage, a peer-reviewed study by Steven Gonzalez Monserrate, published by MIT Schwarzman College of Computing on January 28, 2022, found:

• Cloud computing now has a larger carbon footprint than the airline industry
• The electricity used by data centers accounts for 0.3% of overall carbon emissions
• The electricity used by the world’s computing devices (data centers combined with networked devices such as laptops, smartphones and tablets) accounts for 2% of overall carbon emissions
• As heat is a waste product of computation, cloud servers must be constantly cooled to prevent ‘thermal runaway events’, which can cause system failures.
• Cooling systems account for more than 40% of electricity usage in most data centers
• Only 6-12% of energy use at data centers is devoted to active computational processes – the remainder is allocated to cooling and maintaining extensive chains of redundant fail-safes (redundant servers, power supplies) to prevent costly downtime
• A single data center can consume the equivalent electricity of 50,000 homes
• E-waste is also a huge problem: estimates by Greenpeace show only 16% of computing devices are recycled at end-of-use.

As consumers become aware of the massive amounts of energy and other resources consumed to run cloud technologies, they’re demanding businesses adopt energy saving practices for data storage, including data minimization – or risk losing customers.

‘51% of consumers are especially concerned that data storage produces pollution when, on average, half of the data enterprises store is redundant, obsolete or trivial and another 35% is “dark” with unknown value,’reported Veritas in a March 2023 report titled:

Consumer Sentiment on the Environmental Impact of Hoarding Unnecessary Enterprise Data

The study also found ‘47% of consumers said they would stop buying from a company if they knew it was wilfully causing environmental damage by failing to control how much unnecessary or unwanted data it is storing’.

Business Challenges of Hoarding too much Data

TrustArc has helped more than 1,500 companies globally establish and manage rigorous privacy programs designed to comply with the latest regulations.

Trustworthy regulatory advice is essential, of course, along with astute guidance on technologies and methods for managing information governance.

We’ve frequently found organizations are hoarding more data than they are aware of and need help discovering and consolidating it into more manageable and useful volumes.

The principle of data minimization is simple: only keep data that is lawfully necessary and useful. Doing so can also improve return on investment in your data activities – and reduce their associated risks.

Business Impacts of Hoarding Personal Data

Business benefits of data minimization

GDPR Compliance Solutions

Set up and manage compliance effectively with TrustArc’s Data Inventory Hub, Assessment Manager, Cookie Consent Manager, and Individual Rights Manager.

Learn more

Data Inventory Mapping

Reduce privacy risk with automated data flow mapping, risk analysis, and remediation for on-demand compliance reporting and audit trails.

Learn more

Businesses need to get a whole lot smarter about how they consume data because greed is not good: it’s risky and uneconomical.

And it’s not like the warning signs weren’t there in the early data gold rush.

It might seem quaint now, but in 2017 when business publications such as The Economist reported “The world’s most valuable resource is no longer oil, but data”, they framed it as a conflict between big tech companies’ apparently unbridled growth versus rising public demand for antitrust and privacy regulations to reign them in.

The next year the EU GDPR (European Union General Data Protection Regulation) became enforceable (May 25, 2018), giving European citizens stronger personal data privacy rights, including the right to restrict processing and the right to delete. GDPR compliance requirements include data minimization as a key principle (see below).

California’s Consumer Privacy Act (CCPA) became law a month later (June 28, 2018) with a similar intent to drive greater protections of personal information, and CCPA compliance became enforceable from July 1, 2020. The CCPA was the first U.S. privacy law with data minimization as a compliance requirement (see below).

Data Minimization Requirements in Privacy Regulations Worldwide

While many enforcement actions of privacy regulations focus on privacy breaches and/or misuse of personal information, investigators also look for compliance with data minimization principles, which are now standard in many regulations. These principles were put in place to address data hoarding and focus on:

• Breach exposure minimization – minimizing the amount and detail of any personal information that could be stolen in breach
• Purpose limitations – restricting data collections to information that is provably necessary for stated purposes. Mostly this should mean for the stated purposes of delivering personalized customer experiences
• Consumer consent – limiting collection of personal data only from consumers who have given informed and explicit consent for its collection, processing, sharing, and sale.

Questions to ask about personal data collected by your organization:

• Is it mapped and tracked throughout its lifespan? Can the business quickly identify the locations of each piece of personal information collected and track its use history, including every instance of how it was accessed and processed – and why each activity was necessary?
• Is it adequate? Does the personal data collected contain enough (but not more than enough) information to help your business identify the individual and sufficiently deliver a personalized service (stated purpose)?
• Is it relevant? Is it clear how each piece of personal information is relevant to fulfilling the stated purpose?
• Is it limited to what is necessary? Does the data collection only capture information needed for the stated purpose – and no more than is probably necessary?
• Is it still useful and do you still have permission to store it? Is the information contained in a collection of personal data up-to-date and accurate or has it passed its acceptable and/or permitted use-by date?
• Is it properly secured? Is the data protected by access controls and other cybersecurity measures to prevent unauthorized and unlawful use, or accidental loss or damage?
• Is access controlled based on permissions? Does each data system, staff member, third party, or business partner only have access to the data they are explicitly permitted to access – and only what is adequate, relevant, and necessary for them to fulfill a permitted task (and nothing else)?

EU GDPR made data minimization a key principle

The EU’s GDPR set a standard for privacy that gives EU citizens strong privacy rights, especially more visibility, and control of how organizations may collect and use their personal information.

Data minimization is listed in GDPR Article 5 as one of seven principles relating to the processing of personal data:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimization
• Accuracy
• Limited storage periods
• Integrity and confidentiality
• Accountability

The data minimization principle is explained by the European Data Protection Supervisor:

‘The principle of “data minimisation” means that a data controller should limit the collection of personal information to what is directly relevant and necessary to accomplish a specified purpose.

‘They should also retain the data only for as long as is necessary to fulfill that purpose. In other words, data controllers should collect only the personal data they really need, and should keep it only for as long as they need it.

‘The data minimisation principle is expressed in Article 5(1)(c) of the GDPR and Article 4(1)(c) of Regulation (EU) 2018/1725, which provide that personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.’

UK data protection rules on data minimization similar to EU GDPR

The UK Data Protection Act (2018) was updated post-Brexit with a set of UK GDPR rules that closely follow those of the EU GDPR. As a result, UK citizens have stronger personal data and sensitive personal data privacy rights, including more control over how organizations may collect and use their personal data.

The UK GDPR data protection principles match all seven of those listed in the EU GDPR (see above).

The data minimization principle is explained by the UK Information Commissioner’s Office:

You must ensure the personal data you are processing is:

• adequate – sufficient to properly fulfil your stated purpose;
• relevant – has a rational link to that purpose; and
• limited to what is necessary – you do not hold more than you need for that purpose.

Article 5(1)(c) says: “Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”.

So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.’

Data minimization rules in CCPA/CPRA

The California Consumer Privacy Act, which was amended by the California Privacy Rights Act (CPRA), led the way in the U.S. with the first comprehensive state privacy regulation to give consumers enforceable rights over how – or whether at all – businesses collect, process, store, share or sell personal data.

The amendments under CPRA place more restrictions on collection, storage and use of sensitive personal information, and include data minimization and purpose limitation rules in section 1798.100 ‘General Duties of Businesses that Collect Personal Information’ which accompany requirements for informing consumers of purposes for data collection:

• Additional categories – 1798.100 (a) (1): “A business shall not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing the consumer with notice consistent with this section.”
  (Note: subsection (a) (2) uses practically the same words as the rule above, applying them to ‘sensitive personal information’.)
• Storage period – 1798.100 (a) (3) “The length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine that period provided that a business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose.”
• Proportionate use – 1798.100 (c) “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.”

Businesses must also ensure third parties, contractors and commercial partners comply with CCPA/CPRA rules, including data minimization requirements.

All organizations collect various types of data (information), including personally identifiable Information (PII). PII data can be sensitive or non-sensitive, and more often than not, is called by employee mistakes as well as a target in a data breach. In some situations, these data breaches get exposed on the Dark Web.

As a consumer, you’ve likely received some type of alert that information like your email address or telephone number has been exposed in a data breach. This is often just the tip of the iceberg regarding the consequences of PII data getting into the wrong hands.

If regulators can track down the source of the breach there are often penalties and financial consequences for businesses. Additionally, when PII data is exposed, consumers lose trust in the organization that didn’t properly protect that information from both internal mishandling or external bad actors.

What is Personally Identifiable Information (PII) Data?

As technology progresses, some argue that the definition of Personally Identifiable Information (PII) must progress as well.

PII data is any information about an individual that can be used to identify that individual, including information that can be combined with other personal or non-information to identify the individual.

The National Institute of Standards and Technology (NIST) defines PII as “information that can be used to distinguish or trace an individual’s identity – such as name, social security number, biometric data records – either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (e.g. data and place of birthday, mother’s maiden name, etc.).”

PII data includes religion, geographical indicators, employment information, personal health information, and behavioral characteristics such as activities and schools attended. In some situations, IP addresses, passport or license numbers, and financial account numbers, combined with other data points further enrich an individual’s “online” profile.personal data

As more data types are introduced, more questions about how to define PII data arise. Are usernames or social media handles PII? Is information collected by cars and IoT devices treated as PII?

The answers to these questions have important business implications to consider. Misusing or mishandling PII data can be costly both financially and particularly when consumer trust is lost.

Personally Identifiable Information vs. Personal Data

While Personally Identifiable Information and Personal Data may seem similar, they’re not the same thing. The GDPR doesn’t use the term Personally Identifiable Information and instead uses the term Personal Data.

As defined in the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

The European Commission provides personal data examples such as:

• Name and surname
• Home address
• Email address
• Identification card numbers
• Location data
• Health data (prescriptions, mental health)
• Financial data (bank accounts, credit cards)
• Passports
• IP address
• A cookie ID
• The advertising identifier of your phone
• Data held by a hospital or doctor
• While both PII and Personal Data include common data attributes(names, email, home, passports, and license/identification card numbers), personal data explicitly covers a few categories PII data leaves out(cookie ID, the advertising identifier of your phone (device ID), location data).

At a higher level, PII is used to distinguish an individual, and personal data includes any information related to the individual, whether it identifies them specifically or not.

What Qualifies as PII?

Specifically, this data is considered to be PII:

• Name, maiden name, mother’s maiden name, alias
• Passport #, Social Security #, Drivers License #, Taxpayer Identification #
• Address (personal or business)
• Email address
• Telephone numbers
• Vehicle registration number, vehicle title number, or Vehicle Identification Number
• Financial Account Numbers, Credit Card Numbers
• Personal Health Information (PHI), Patient Identification Number
• Biometric Records – Personal characteristics, including a photographic image of faces or other distinguishing characteristics, x-rays, fingerprints, or other biometric image or template data (retina scan, voice signature, facial geometry)

Other information can also become PII when combined with publicly available information used to specifically “identify” an individual. This data is considered linked or linkable to one of the examples above.

For example, non-PII that can become PII under certain conditions:

• Internet Protocol (IP) address or Media Access Control (MAC) address
• Web cookies, trackers
• Date of Birth
• Place of Birth
• Religion
• Weight
• Activities
• Geographical Indicators
• Employment or Educational Information, such as where someone works, worked in the past, or where they attended school
• Financial Information

Sensitive PII is information that, when disclosed, would jeopardize one’s individual rights and thus result in some harm to the individual. This includes financial information (like credit card numbers), health information, criminal records, and the like. Depending on the jurisdiction, some PII may have greater sensitivity.

Under GDPR these data are classified as special category data (race, ethnicity, political opinions, religion, etc.) and warrant the highest level of security, integrity, and explicit consent to be “processed.”

It’s important to note that while all sensitive PII IS PII, NOT all PII is considered sensitive. But no matter the type, safeguarding PII data is vital to maintaining privacy and trust.

PII in the Context of Cybersecurity

Cybercriminals use simple phishing, vishing, and smishing scams to gain access to one’s PII. Furthermore, Cybercriminals know that PII data gets them one step closer to their ultimate goal of one’s SPI (which has significant value in the Dark Web).

Despite increased cybersecurity technology, cybercrime continues to mount as more data is shared due to the benefits of the Internet of Things. Moreover, the exponential growth and ubiquitous access to AI have increased cybercrime’s sophistication. This in turn has increased the risk of internal or external data breaches. Therefore, taking measures to secure one’s PII from the outset is critical to breaking this vicious cycle.

The Impact of PII Data on Identity Theft

Identity theft occurs when criminals use PII data to impersonate individuals, again for financial gain. By accessing PII data, a criminal could open up new credit card accounts, apply for loans, or even file fraudulent tax returns in your name.

One infamous example of such a case is the Equifax data breach in 2017, where the personal information of 147 million people was exposed, leading to widespread identity theft. More recently, there have been several notable breaches :

In 2023, the genetics testing company 23andMe was hacked causing the exposure of genetic information and PII of 6.9 million people.
Earlier in 2023, Progress Software’s MOVEitTransfer enterprise file transfer tool was exploited causing a ripple effect of over 2,000 organizations reportedly being attacked and data thefts affecting 62 million people and counting.

Top Considerations for Protecting PII

Protecting PII data is more than just a best practice—it’s a necessity. Here are eight proactive steps you can take to emphasize PII protection:

1. Establish a Data Privacy and Security Program: Build a Program that fosters collaboration between privacy compliance and infosec teams and ensures support from senior leadership.
2. Data Minimization: Only collect PII you need to complete the intended purpose and when the purpose is over permanently purge from the environment (including backup systems).
3. Know Your Data and Risks: Understand what PII data you collect, where it’s stored, who has access, and how it’s used and shared.
4. Limit Access: Only give access to PII data to those who need it to perform their job function.
5. Keep Hardware Current: Keep all your devices, including smartphones, computers, and tablets, up to date with the latest software and security patches.
6. Train Your Team: Ensure everyone in your organization understands their role in protecting PII data and provide specific job training for those “processing” PII.
7. Stay Compliant and Vigilant: Follow relevant privacy laws and regulations, and keep your policies and procedures up-to-date; Conduct ongoing system penetration testing to ensure data security
8. Prepare for Data Incidents: Have a plan for dealing with data incidents and breaches, including notification procedures; Consider performing breach simulation exercises annually to remain vigilant and ready to act in extreme circumstances.

Get Support to Protect Your Business PII Data

Protecting PII data is not just about compliance—it’s about safeguarding trust, privacy, and your reputation. As privacy professionals, it’s our responsibility to ensure that PII data is treated with the respect it deserves. TrustArc is a partner in this journey, offering expert guidance and cutting-edge solutions in PII data protection.

Consumers who want to opt-out of the sale or sharing of their personal information can find it hard to exercise this important privacy right.

An extensive study by Consumer Reports about compliance issues related to the California Consumer Privacy Act noted:

“Consumers struggled to locate the required links to opt-out of the sale of their information. For 42.5% of sites tested, at least one of three testers was unable to find a DNS (Do Not Sell) link. All three testers failed to find a “Do Not Sell” link on 12.6% of sites, and in several other cases, one or two of three testers were unable to locate a link.

The Global Privacy Control (GPC) was designed to address this issue.

GPC gives users a universal privacy control in a web browser extension, allowing them to store their choice to opt-out of having their data collected for sale or sharing before they interact with any business online.

GPC was developed by a collective of technologists, researchers, civil rights activists, web publishers and representatives of several technology businesses (ranging from browser vendors and extension developers to software companies).

Under the California Consumer Privacy Act (CCPA), California consumers’ privacy right to opt-out was meant to be streamlined by requiring businesses to get consent from California consumers to share and/or sell their personal information. CCPA includes a provision for opt-out to be signaled via Global Privacy Control settings in consumers’ browsers, saving them from having to go through opt-out processes with every business they interact with online.

Global Privacy Control: Key Dates

• November 14, 2011 – A first draft of a “Do Not Track” (DNT) standard for online privacy, also known as Tracking Preference Expression, is published by the World Wide Web Consortium (W3C), an organization developing open standards and guidelines for the web based on the principles of accessibility, internationalization, privacy, and security. A Tracking Protection Working Group is established to standardize DNT and the DNT header for browsers is supported in major web browsers including Chrome, Firefox, Internet Explorer, Opera and Safari.
• January 18, 2019 – the W3C Tracking Protection Working Group is closed, with a statement from the group noting “since its last publication as a Candidate Recommendation, there has not been sufficient deployment of these extensions (as defined) to justify further advancement, nor have there been indications of planned support among user agents, third parties, and the ecosystem at large.”
• October 2020 – Global Privacy Control is introduced.
• January 28, 2021 – the GPC organization announces the browser signal is being used by more than 40 million users and honored by major publishers such as The New York Times as “a valid opt-out of sale under the CCPA”.
• August 14, 2022 – the Office of the California Attorney General Rob Bonta, announces a CCPA enforcement settlement with Sephora, which is “part of ongoing efforts by the Attorney General to enforce California’s comprehensive consumer privacy law that allows consumers to tell businesses to stop selling their personal information to third parties, including those signaled by the Global Privacy Control (GPC) … There are no more excuses. Follow the law, do right by consumers, and process opt-out requests made via user-enabled global privacy controls.”

Lack of Trust Motivates Opt-outs and GPC Signals

Most people are now very aware they’re tracked online and are becoming more active in adjusting privacy settings to exercise their personal privacy rights.

Arguably the main reasons people opt-out of allowing their personal information to be collected, processed, sold and/or shared are related to a lack of trust.

Worse case: people don’t trust a business to protect their privacy at all. High profile data breaches have made them fearful, so some people lock down privacy settings whenever they’re online, such as using a browser in private mode or connecting via a virtual private network.

Worst case: people don’t trust a business to only use their personal information for relevant and useful purposes – and only then at times that suit the consumer.

As a consumer, no doubt you’re frequently targeted with supposedly ‘relevant’ offers or suggestions that miss the mark.

Irrelevant intrusions from businesses you’ve previously connected with can be irritating, but they’re especially annoying when they’re from businesses you have no relationship with at all. No one likes nuisance calls, spam, and other unsolicited communications from organizations you never wanted to share your contact information with, let alone allow them to know information that’s more personal.

So, it’s not surprising more and more consumers actively seek and select stricter privacy settings – or choose GPC – in their efforts to stop apparently unsolicited and/or irrelevant intrusions from businesses.

However, GPC can mean consumers might inadvertently block themselves from the benefits of loyalty schemes and other financial incentive programs when they’ve previously opted-in.

Businesses Can Build Trust by Demonstrating the Benefits of Opt-in

In our 2023 TrustArc Global Privacy Benchmark Report we highlighted how more businesses are now onboard with maintaining brand trust through robust privacy efforts: the link between brand trust and proactive privacy measures rose in importance from 2022 to 2023, up seven points to 62%).

Trust can be built by continually demonstrating how consumer information is used for purposes that are relevant and beneficial for your customers.

Under privacy regulations such as CCPA and General Data Protection Regulation (GDPR), consumers have a right to know what personal information is collected by a business and how it is used, shared or sold.

When you ask customers to consent (via an opt-in mechanism) to having their data used, shared, or sold you must prove to them the relationship is worth maintaining. Financial incentive programs are one way to achieve this – if what you offer is genuinely useful and appealing to your customers.

TrustArc’s Financial Incentive Notice Service

TrustArc can help your business design and implement a Financial Incentive Notice triggered by a customer’s GPC signal that is easy for them to understand and act on.

Our aim is to ensure your business complies with privacy regulations such as CCPA at the same time as creating opportunities to keep customers enrolled in loyalty offers and other financial incentive programs.

Your Financial Incentive Notice must be simple and offer genuine choice for customers who have previously opted-in to a financial incentive program and now use GPC.

When a GPC opt-out signal is detected from the browser of a customer who is enrolled in a financial incentive program (such as a loyalty points program), it should clearly acknowledge both facts:

• The customer now has a GPC opt-out signal from their browser; and
• The signal conflicts with their existing participation in your business’ financial incentive program, which requires opt-in to tracking technologies.
• Next, it should explain to the customer they can choose not to be tracked and, therefore, not participate in your incentive program anymore or continue to be tracked so they can receive offers without disruption.

TrustArc will then ensure the customer’s choice is immediately actioned in your TrustArc customer consent and preference management solution.

When Can You Use Legitimate Interest as the Basis for Processing Data?

The GDPR, Brazil LGPD, Thailand PDPA, and many other privacy regulations around the globe require that organizations determine the legal basis for processing individuals’ data (customers, employees, etc.) as part of their business operations.

For example, Article 6 of GDPR states that processing shall be lawful only if at least one of the following applies:

• • data subject consent has been obtained;
  • processing is necessary for the performance of a contract;
  • processing is necessary for compliance with a legal obligation,
  • to protect someone’s life or to perform a task in the public interest;
  • or the processing is necessary for your legitimate interests.

The three most common applicable bases for processing are consent, the performance of a contract, and legitimate interests pursued by the controller or a third party.

Which Basis Makes the Most Sense for Your Specific Data Processing Activities?

Companies have had to change how they approach consent to ensure they are clear and concise about their reasons for processing.

For example, use this test to determine whether consent is your legal basis. Are company operations impossible to conduct without consent? If so, then it’s not the right basis for that activity.

As laid out in the GDPR, the performance of a contract is a criterion the data controller can utilize in order to process data.

While performance of a contract seems simple, there can be danger in an overly broad interpretation of what is within the scope of a contract. Be mindful to not stretch your contract basis outside of its limitations.

Leveraging Legitimate Interest as the Basis for Processing Data

Legitimate interest is a preferred approach for many organizations because of its flexibility and applicability to any reasonable processing purpose.

In contrast, other legal bases of processing, such as demonstrable consent, center around a specific purpose the individual agreed to.

Legitimate interest is closely related to what that data subject can expect out of that relationship with the controller, which should be extremely clear.

If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

Organization’s should conduct a Legitimate Interest Assessment (LIA) by by performing a purpose test, a necessity test, and a balancing test.

Reasonable exceptions for legitimate interest can be shaped by transparency and clarity.

The 4 Boxes You Must Check to Leverage Legitimate Interest

Box 1. The processing is not required by law but is of a clear benefit to you or others.

An online retailer can promote a pair of sunglasses to someone browsing in hot location during the peak of the summer season.

Alternatively, an online store might use a visitor’s location data to offer a limited-time free shipping offer to the visitor’s area.

Box 2. There’s a limited privacy impact on the individual.

Most websites collect their visitors’ browsing data to optimize performance for the user. Often, this aligns well with the Legitimate Interests provision.

Collecting this data doesn’t pose a threat as long as it is anonymized.

Box 3. The individual should reasonably expect you to use their data in that way.

Some businesses will want to send communications via email or SMS to remind clients of upcoming appointments.

While it always needs explicit consent, most individuals expect their data to be used in this way.

Box 4. You cannot –or do not want to– give the individual full upfront control (consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.

The use of second-party and third-party data can provide insights about the demographics of customers. This data can be used to identify target segments with personalized content.

When processing this data, you may not want to have to give full control over to the individual to determine what messages they want to receive, as they’re likely relevant to the person.

Do the Benefits Outweigh the Risk for Processing Data?

Checking off each of these boxes is the single most complex aspect of leveraging legitimate interests as your basis for processing data.

Conducting a legitimate interests assessment is challenging because the logic to determine whether the benefits significance outweighs the risk to individuals is complex.

If the benefits outweigh the risks, then the organization may use legitimate interests as its basis for processing data.

The challenging part is that companies must quantify each side of the scale within subcategories of benefits and risks.

Privacy leaders could spend hours creating a spreadsheet to perform a balancing test for each business process that the company wants to establish legitimate interests as its basis for processing.

When multiplied by the total number of business processes a company has, the amount of time spent creating balancing tests could quickly amount to dozens or hundreds across the organization.

Why is it Important to Understand Personally Identifiable Information?

Organizations have been collecting information about people for as long as anyone can remember.

Consumers and businesses have provided information to receive services, process orders, and conduct payments and rarely thought twice.

However, in the past decade, the amount of Personally Identifiable Information (PII) being collected and the number of organizations collecting it has significantly increased. 

To conduct business today, organizations are collecting and storing consumer and vendor PII across various systems and departments.

Meanwhile, hackers, internet scams, and security breaches are becoming ever more prevalent in the news and people’s daily lives.

While individuals are often targeted, organizations are a much more desirable target for PII breaches. You may think that this doesn’t apply to your department, or that it’s someone else’s responsibility.

But as more data is being collected and used across the organization, the more it becomes every leader’s responsibility to understand PII and the regulations in place to protect it.

What is Personally Identifiable Information?

While at times this answer is black and white, technology innovations have started to make this area a little less clear.

The National Institute of Standards and Technology (NIST) Guide to Protecting Confidentiality of Personally Identifiable Information defines PII as any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual’s identity, and any information that is linked or linkable to an individual with additional information.

This data is considered to be PII:

• Name, maiden name, mother’s maiden name, alias
• Passport #, Social Security #, Drivers License #, Taxpayer Identification #
• Address (personal or business)
• Email address
• Internet Protocol (IP) address or Media Access Control (MAC) address
• Telephone numbers
• Vehicle registration number, vehicle title number, or Vehicle Identification Number
• Financial Account Numbers, Credit Card Numbers
• Personal Health Information (PHI), Patient Identification Number
• Biometric Records – Personal characteristics, including a photographic image of faces or other distinguishing characteristics, x-rays, fingerprints, or other biometric image or template data (retina scan, voice signature, facial geometry)

Other information can also become personally identifiable information when combined with publicly available information used to identify an individual. This data is considered linked or linkable to one of the examples above.

Non-PII that can become PII:

• Date of Birth
• Place of Birth
• Religion
• Weight
• Activities
• Geographical Indicators
• Employment or Educational Information, such as where someone works, worked in the past, or where they attended school
• Financial Information

Additionally, organizations may collect information about a data subject that’s not mentioned above. This is where that gray area appears.

What about usernames or social media handles? Are those considered PII? Are ‘likes’ and posts and lists of friends considered PII? Will information collected from IoT devices be treated as PII?

There are still many unknowns, and it’s wise to seek expert legal advice. It’s also worth mentioning that the various regulations across the globe define personally identifiable information and personal data differently.

Therefore, organizations have much to consider when it comes to classifying and protecting PII. 

What Responsibilities do Businesses have to Protect PII?

Healthcare and financial services organizations are no strangers to responsibilities when it comes to protecting Personally Identifiable Information.

However, for many organizations and industries, laws and regulations governing PII have more recently come into play.

One of the most significant laws governing PII is the General Data Protection Regulation (GDPR). Although the GDPR is a European law, it requires any organization that collects information on European consumers to be in compliance.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) ensures that organizations must obtain an individual’s consent to collect, use or disclose PII.

In the United States, there are various state laws governing privacy and data security within specific industries. To date, California and Massachusetts have adopted the most stringent state data privacy laws in the country.

Since 2010, Massachusetts General Law Chapter 93H requires every business that licenses or owns personally identifiable information of Massachusetts residents to comply with the minimum security standards set forth in the regulation.

The California Consumer Protection Act (CCPA) and California Privacy Rights Act (CPRA) place the decision to share or sell data in the hands of consumers, instead of the organization.

Businesses must provide California residents with access to their data and a way to decline data collection, and remove their personal information from the database.

Other U.S. laws governing Personally Identifiable Information or Personal Data include: 

• Nevada SB220 Privacy Law
• Colorado Privacy Act (CPA)
• Virginia Consumer Data Protection Act (VCDPA)
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Confidential Information Protection and Statistical Efficiency Act (CIPSEA)

While this list is not exhaustive, you get an idea of the number of laws and regulations businesses must comply with when handling PII.

Violations of these laws can result in civil or criminal penalties, skyrocketing fines, and loss of consumer trust.

Consumers are rapidly becoming more wary of companies collecting their personal data. 2019 PEW research reveals that 81% of Americans feel as if they have very little or no control over the data companies collect.

Furthermore, 81% don’t think the potential benefits outweigh the risks of collecting their data, and 79% are somewhat or very concerned about how companies are using the data they collect.

These consumer attitudes about businesses are concerning. However, organizations can see this as an opportunity to improve relationships with customers and differentiate themselves from the competition.

You have a responsibility to help consumers understand why and how their personal data is being collected – and how to prevent it from being collected.

These tips can help you get started.

Tips for Protecting Personally Identifiable Information:

• Have a clear why for collecting PII
• Only collect what you need
• Purge what you don’t need regularly
• Create data inventory maps to identify how and where data is being collected, used, and shared
• Have a process in place for auditing and updating data inventory maps
• Conduct Privacy Impact Assessments (PIA) to determine the potential security risks for each type of PII
• Be transparent with consumers about PII you are collecting and using and obtain their consent
• Train employees consistently on the policies and procedures in place to protect PII
• Adopt software designed for data privacy management to gain clear understanding of your privacy program and practices

Bonus Business Benefits

Understanding the personal data your organization collects isn’t just a compliance exercise.

You can leverage your data inventory to manage risk, respond to data subject access requests (DSAR), manage international data flows, and govern your privacy program.

This information helps improve processes and collaboration across the organization.

Data privacy is too important to operate in a silo.

Consumers are demanding less invasion of their personally identifiable information, and more transparency from organizations.

Companies that are taking these demands seriously benefit from strong customer loyalty and repeat purchase opportunities.

Even more so, privacy officers can feel confident their organization is not at risk of penalties and fines.