惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Google DeepMind News
Google DeepMind News
博客园_首页
H
Help Net Security
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
GbyAI
GbyAI
Scott Helme
Scott Helme
D
Docker
Hacker News: Ask HN
Hacker News: Ask HN
P
Privacy & Cybersecurity Law Blog
Jina AI
Jina AI
雷峰网
雷峰网
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Spread Privacy
Spread Privacy
G
GRAHAM CLULEY
C
Cisco Blogs
The Hacker News
The Hacker News
F
Full Disclosure
Y
Y Combinator Blog
Blog — PlanetScale
Blog — PlanetScale
Recent Announcements
Recent Announcements
G
Google Developers Blog
量子位
K
Kaspersky official blog
Cisco Talos Blog
Cisco Talos Blog
The Cloudflare Blog
A
About on SuperTechFans
C
Cybersecurity and Infrastructure Security Agency CISA
Last Week in AI
Last Week in AI
博客园 - 三生石上(FineUI控件)
Microsoft Security Blog
Microsoft Security Blog
Martin Fowler
Martin Fowler
T
Tenable Blog
P
Palo Alto Networks Blog
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
W
WeLiveSecurity
Schneier on Security
Schneier on Security
The Register - Security
The Register - Security
F
Fortinet All Blogs
Stack Overflow Blog
Stack Overflow Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
The Blog of Author Tim Ferriss
N
News and Events Feed by Topic
Hugging Face - Blog
Hugging Face - Blog
小众软件
小众软件
V
V2EX
爱范儿
爱范儿

PostHog's RSS Feed

Training our own AI models - PostHog From 270GB RAM to 5GB: Moving local flag evaluation from Django to Rust The best analytics stack for vibe-coded apps The do's and don'ts of minimum viable product marketing - PostHog The best MCP servers for startups, by workflow 4,063 errors closed without a human opening PostHog – here's what we learned - PostHog PostHog Code and the self-driving product - PostHog Why attacking your competitors online is dumb - PostHog The best real-time analytics platforms for developers, compared DuckDB vs ClickHouse: Why we use both at PostHog - PostHog PostHog's next chapter - PostHog Making Claude Cowork actually useful - PostHog PostHog vs Matomo in-depth tool comparison You're doing lifecycle emails wrong Untangling Tokio and Rayon in production: From 2s latency spikes to 94ms flat The best HIPAA-compliant A/B testing tools - PostHog A beginner's guide to testing AI agents - PostHog I hate the standup bot (so I built an agent to do it for me) - PostHog The best CDPs for developers, compared The best error tracking tools for developers, compared The best feature flag software for developers, compared 7 best session replay tools for mobile apps 7 best free open source business intelligence tools right now 7 best free and open source LLM observability tools PostHog vs LogRocket in-depth tool comparison The most popular PostHog alternatives, compared Open source (and self-hosted) session replay tools - PostHog The 9 best GA4 alternatives for apps and websites - PostHog PostHog vs Google Analytics 4 in-depth tool comparison How we built automatic clustering for LLM traces - PostHog The 7 best HIPAA-compliant analytics tools 8 best open source analytics tools you can self-host - PostHog The best product analytics tools for startups, compared PostHog vs FullStory in-depth tool comparison The best in-app survey tools for product teams, compared The 7 best mobile app analytics tools PostHog vs Hotjar in-depth tool comparison The 8 best free and open-source feature flag services - PostHog The 5 best free and open-source A/B testing tools - PostHog The best mobile app A/B testing tools, compared What is a feature flag? Feature Flags vs Remote Config vs A/B Testing PostHog is now available in Vercel’s v0 The best Heap alternatives & competitors, compared PostHog vs Heap in-depth tool comparison PostHog vs Pendo in-depth tool comparison PostHog × Vercel: feature flags, minus the plumbing Your logs' final destination is in GA. You always end up here anyway Behind the scenes of a PostHog hackathon - PostHog The most popular Mixpanel alternatives & competitors, compared PostHog vs Mixpanel in-depth tool comparison The 9 best GDPR-compliant analytics tools How we use Logs at PostHog The best web analytics tools for developers, compared Stop AI slop: Run evals with LLM-as-a-Judge - PostHog You product data just got a job: Workflows is now out App onboarding: How to fix drop-off points Meet Logs (beta) – logs with all the tools you’re already using Why small teams crush tiger teams How we built user behavior analysis with multi-modal LLMs (in 5 not-so-easy steps) - PostHog The best Contentsquare alternatives & competitors, compared 8 learnings from 1 year of agents – PostHog AI - PostHog Why we killed our AI product assistant Workflows graduate to beta! Product data, meet automation The best Rollbar alternatives & competitors, compared Workflows are now in Alpha and I already broke mine - PostHog I've consistently underestimated how important communication is as a CEO - PostHog How we made feature flags even faster and more reliable The best session replay tools for developers, compared What I learned attending my first ever hackathon - PostHog Did you know AI is answering our community questions? - PostHog How not to be boring - PostHog We built an internal tool to generate changelog images for social media - PostHog What we built at our windswept Mykonos hackathon - PostHog How we built our onboarding email flow (with actual performance data) - PostHog We're building a better PostHog community by closing our public Slack - PostHog Introducing Notebooks for PostHog - PostHog Why we've launched PostHog user surveys - PostHog How we made feature flags faster and more reliable - PostHog In-depth: ClickHouse vs Redshift - PostHog Introducing HouseWatch: An open-source toolkit for ClickHouse - PostHog Introducing HogQL: Direct SQL access for PostHog - PostHog What we built at our sun-kissed Aruba hackathon - PostHog In-depth: ClickHouse vs BigQuery - PostHog In-depth: ClickHouse vs Elasticsearch - PostHog HogMail #22: Why do companies over-hire?" - PostHog Our simpler goal: Help engineers to be better at product - PostHog In-depth: ClickHouse vs Snowflake - PostHog HogMail #21: Avoiding the "Product Death Cycle" - PostHog Sunsetting Kubernetes support for PostHog - PostHog Why 'Product Engineer' is the most fun role I've had in tech - PostHog HogMail #20: Why do startups fail? - PostHog The best Google Optimize alternatives for apps and websites - PostHog Array 1.43.0: Massive performance improvements! - PostHog In-depth: ClickHouse vs Druid - PostHog HogMail #19: Which meetings should you kill? - PostHog CEO diary: The things I learned in 2022 - PostHog The essential tools used by product engineers - PostHog HogMail #18: What can SaaS learn from the New York Times? - PostHog What is a product engineer? - Product Engineer Handbook - PostHog Array 1.42.0: Get beta features via our roadmap! - PostHog
A simple guide to personal data and PII - PostHog
Andy Vanderv · 2022-02-21 · via PostHog's RSS Feed

Engineers and product managers need to be vigilant when collecting user data. Punitive GDPR fines can run to €20 million or 4% of a company's global turn (whichever is greater) and that's after the expense, time, energy, and stress generated by the legal process.

This guide will help you understand what is and isn't personal data, so you can identify what personal data you're collecting and take appropriate actions.

Contents:

Personally Identifiable Information (PII) is a US legal term - it's not used in the EU's GDPR, which prefers the broader term 'personal data'. That said, if something is considered PII in the US, it's probably considered personal data under the GDPR.

There is no single legal document in the US that defines PII. Instead, specific federal and state laws define what is considered PII in any given context. Helpfully, though, the National Institute of Standards and Technology (NIST), has a definition of PII that is widely accepted:

"(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records"

"(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

Examples of PII

Again, we're leaning on the NIST here, which provides numerous examples of PII:

  • Names, including an individual's full name, maiden name, mother's maiden name, or known aliases

  • Personal identification numbers, such as such a social security number (SSN), passport number, driver‘s license, taxpayer identification number, patient identification number, and financial accounts or credit card numbers

  • Digital identifiers, which includes but is not limited to static IP addresses, MAC addresses, and unique device identifiers (UDI)

  • Addresses and contact information, including home addresses, email addresses, and any type of telephone number

  • Personal characteristics, such as photos of an individual's face or other distinguishing characteristics, x-rays, fingerprints, and biometric data

  • Any other linked of linkable information, including date of birth, place of birth, race, religion, weight, employment information, medical data, education information, financial information, and most kinds of geographical identifier.

What's the difference between PII and PHI?

Protected Health Information (PHI) is a type of PII as defined by the US HIPAA law and many of the items listed above are also examples of PHI.

PHI that's connected to individual identifiers, such as name, address, etc., must be treated with extreme care under HIPAA. Penalties for breaches include fines and even jail time in extreme cases.

If HIPAA compliance is a concern for your business, read our guide to the best HIPAA-compliant analytics tools. And, in case you were wondering, Google Analytics is not HIPAA compliant.

Under the GPDR, 'personal data' is defined as any information which:

  1. Identifies a 'data subject' directly
  2. Can be used to identify a 'data subject' when combined with other information

This second point is what makes the GDPR powerful, or troublesome depending on your point of view. The GDPR anticipates, and seeks to prevent, organizations from combining data in order to circumvent its provisions.

Also, note the use of "data subject" here. It's deliberate. You don't even need to know an individual's name for them to be identified. Any kind of digital profile counts, even if the profile doesn't include a name.

Of course, any time you're collecting personal data, consent is required: hence cookie consent notices on websites.

Names, identification numbers, location data and plenty more besides qualifies as personal data under the GDPR, but there is no official list of what the regulation considers personal data. Common sense prevails, though, and certainly everything in our list of PII examples applies to the GDPR.

The GDPR does, however, define 'special categories of personal data' that are subject to additional protections. These include:

  • race
  • ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where this is used for identification purposes)
  • health data
  • sex life
  • sexual orientation

Collecting this data requires "explicit consent" and must be justifiable under relevant local laws and under the GDPR. The UK Information Commissioner's Office (ICO) has a useful guide summarizing the requirements.

What is non-personal data?

It's also useful to understand what isn't considered personal data under the GDPR. Here are a few examples:

  • Personal data that has been successfully anonymized
  • Generalized data, such age ranges
  • Partially or fully-masked IP addresses
  • Data not originating from an identifiable individual

The European Commission published guidance on the free flow of non-personal data in relation to the GDPR in May, 2019. It stresses that mixed data sets of personal and non-personal data doesn't have to be processed separately, but when combined the GDPR fully applies even when "personal data represents only a small part of the dataset".

PostHog and privacy compliance

PostHog offers EU hosting for GDPR compliance and a Business Associate Agreement (BAA) is available for companies who need to comply with HIPAA.

Read our privacy compliance documentation, which covers the GDPR, HIPAA and CCPA for more information on how to deploy PostHog in a privacy-compliant manner.

Want to just try it already?

(Sorry for the shameless CTA.)