What counts as PII in web analytics, and what Clicky never touches
"Are we even allowed to collect this?" This question likely arrives at the worst possible time. A privacy audit was just flagged, a new privacy law has just landed, or a developer starts asking uncomfortable questions.
The answers to this question can vary greatly, depending on who you ask. Your lawyer may give you a high-level definition of "Personal Data." A developer will talk about unique identifiers and fingerprinting. Half the tools on the market will claim they're "privacy-compliant" while quietly collecting enough data to reconstruct a pretty detailed picture of a specific user.
This post explains what actually shows up in your analytics data, where the line is between safe and legally problematic, and how Clicky's privacy-friendly web analytics service is built to stay on the right side of it all.
PII vs. Personal Data
If you've looked at a compliance checklist before, you've probably seen these two terms used almost interchangeably, but they're not the same thing.
PII (Personally Identifiable Information) is primarily a US concept. Under frameworks like the CCPA (California Consumer Privacy Act), PII is information that identifies, relates to, or could reasonably be linked to a particular consumer or household. That household piece matters: data doesn't have to point to a specific person like "John Doe" to be protected. If it points to a specific device used by a family, it often qualifies.
Personal Data is the term the GDPR (General Data Protection Regulation) uses, and it's a broader standard. Under the GDPR, Personal Data is any information relating to an identified or identifiable natural person. If a piece of data can be combined with another piece (a timestamp, a location) to single someone out, it counts as Personal Data under European law.
This distinction has a practical consequence: a tool that's "PII-compliant" in the US might still create real liability if you have visitors from the EU or UK. If you want to be genuinely safe across the board, you need to design around the stricter standard.
The obvious stuff: what definitely triggers compliance requirements
When it comes to web analytics data, three categories almost always require attention.
Direct identifiers are the clearest cases: names, email addresses, or user IDs passed into your analytics platform via custom event tracking. If your setup is capturing any of these, you're collecting Personal Data. No ambiguity.
Online identifiers are where most modern analytics tools live. These aren't names, but they're unique enough to track a specific person across sessions: persistent cookies, or device IDs tied to a specific browser instance. The persistence is the problem: a cookie that lets you recognize the same visitor across dozens of sessions is effectively a personal identifier, even without a name attached.
IP addresses are probably the most common source of confusion. The argument goes: "It's just an IP address, it doesn't say 'John Smith'." Under the GDPR (specifically following the Breyer v. Germany ruling), that argument doesn't hold up. IP addresses are considered Personal Data because they can be linked to an individual using information from an ISP. Under the CCPA, they're explicitly listed as identifiers. If your analytics platform is logging full IP addresses, you're processing Personal Data.
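One way to check an event payload for the three categories above before it is sent to an analytics platform. This is an added example, not Clicky's code; the `auditEvent` function, the key-name patterns and the sample event are assumptions constructed for illustration.

```javascript
// Added example: flag personal data in an analytics event before it is sent.
// Key-name patterns and the sample event are assumptions made for illustration.
const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;
const IPV4_RE = /\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b/;
const DIRECT_KEYS = /^(e?mail|email_address|(first|last|full)_?name|user_?id)$/i;
const ONLINE_ID_KEYS = /^(device|client|cookie|visitor)_?id$/i;

// Query strings often carry percent-encoded emails (jane%40example.com).
function decoded(text) {
  try { return decodeURIComponent(text); } catch { return text; }
}

function isIPv4(text) {
  const m = IPV4_RE.exec(text);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

// Walks nested properties and returns [{ path, category }] for each hit.
function auditEvent(event, prefix = "") {
  const findings = [];
  for (const [key, value] of Object.entries(event)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === "object") {
      findings.push(...auditEvent(value, path));
      continue;
    }
    const text = decoded(String(value));
    let category = null;
    if (DIRECT_KEYS.test(key) || EMAIL_RE.test(text)) category = "direct identifier";
    else if (ONLINE_ID_KEYS.test(key)) category = "online identifier";
    else if (isIPv4(text)) category = "IP address";
    if (category) findings.push({ path, category });
  }
  return findings;
}

// Constructed sample event (not real data).
const sampleEvent = {
  type: "signup_complete",
  url: "https://shop.example/welcome?email=jane.doe%40example.com",
  props: { plan: "pro", user_id: "48213", client_ip: "203.0.113.42" },
  device_id: "a1b2c3d4",
};

for (const f of auditEvent(sampleEvent)) console.log(`${f.path}: ${f.category}`);
```

The email hidden in the page URL is the case most often missed, because it only matches after percent-decoding. The IPv4 pattern will also match dotted four-part version strings, so treat hits as items to review rather than proof.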
The less obvious stuff: where things get tricky
Even if you strip out names and IP addresses entirely, there's a category of data that can still identify people. This is the part that catches a lot of teams off guard.
Device fingerprinting has become increasingly common as browsers move away from third-party cookies. Instead of placing a cookie on someone's device, a script gathers a combination of technical signals: screen resolution, browser version and OS, installed fonts, time zone, GPU/WebGL information. Individually these mean nothing. Combined, they create a digital signature specific enough to identify a device with surprising accuracy. Because it happens silently and there's no "clear my fingerprint" button in the browser, regulators have been paying close attention to it.
The "household" concept from the CCPA is also worth understanding. If a shared device is consistently identified by its behaviors, that data is considered personal information even if you never know a specific name. The household is the unit of protection, not the individual.
Geolocation precision makes a significant difference. Knowing a user is somewhere in "New York, USA" is very different from knowing they're at a specific address. Most analytics tools use IP addresses to get approximate location, which is generally fine. GPS-level precision from a mobile device is a different category entirely, classified as Sensitive Personal Information under most frameworks and subject to stricter requirements.
What Clicky actually does with this data
Most analytics tools treat privacy as a compliance layer added on top. They collect everything and offer a checkbox or a "GDPR mode" to turn some of it off. The problem is that defaults matter: if you forget to flip the switch, or you're operating in a region the checkbox wasn't designed for, you're exposed.
Clicky's approach is to avoid the most problematic data types as the default way of doing things.
IP addresses: We anonymize IPs and don't store the raw IP in a way that enables individual tracking, unless you specifically enable that feature for the legitimate interest of security or anti-fraud.
Cookies: No tracking cookies are used by default. You get meaningful session data without building a persistent profile for every visitor.
Fingerprinting: We don't use canvas rendering, WebGL hashes, font enumeration, or anything like that.
There are of course tradeoffs with this approach. For example, no tracking cookies means metrics like unique visitors, new visitors, and returning visitors won't be nearly as precise as they would be with a tool that does use them. You're trading some granularity for a much simpler privacy posture. For most sites, that's worth it.
Reduce your exposure
Privacy regulations aren't getting simpler. The cleanest way to reduce your exposure is to reduce the amount of identifiable data you're collecting in the first place. Less data surface area means less risk, fewer compliance headaches, and simpler answers when someone asks what you're doing with visitor data.
Choosing an analytics tool that handles this by default, rather than as a feature you have to remember to configure, is the easiest way to get there.
| Data Type | Is it PII/Personal Data? | How Clicky handles it |
|---|---|---|
| IP Addresses | Yes (Indirect) | Anonymized by default. |
| Tracking Cookies | Yes (Indirect) | Off by default. |
| Device Fingerprints | Yes (Indirect) | We don't use fingerprinting techniques. |
| Precise Geolocation | Yes (Sensitive) | We only use coarse, city-level location. |
| Names / Emails | Yes (Direct) | We don't collect this. |
| User IDs | Yes (Direct) | We don't collect this. |