Understanding the collection of personally identifiable information is paramount to complying with various regulatory bodies such as GDPR and CCPA. In response the team at Tag Inspector has launched a new feature as of 2/10/20, PII detection!!!!
How Do I set up PII detection on my account?
Here are the 3 "must haves" in order to enable the PII feature in Tag Inspector:
Must be a premium Tag Inspector License holder.
Must have the Realtime Feature enabled on your account.
Must have the Realtime script running on your website.
If you are not a premium license holder and would like to learn more contact us here. Learn more about the Realtime feature here.
How Does PII detection work?
The PII feature in Tag Inspector works in unison with our Realtime feature. Realtime is a premium feature of Tag Inspector that "listens" passively to live user interactions with your website to validate Tag Behavior. During these interactions we run algorithms on the network requests generated by the tagging platforms you have implemented to detect PII and report back to you if any is found.
What PII does the feature detect?
We detect and report the following data points:
Country Identification Number (U.S. SSN only at launch)
Credit Card Numbers
***We do not store or display the PII as it is sent in the network request. The particular instances of PII are obfuscated in our database and in the interface.***
How do I access the reporting in Tag Inspector?
To access the PII reporting first select Realtime in Tag Inspector, then the "PII"
If any PII is detected in a network request by Realtime it will be reported by Category (Type of PII), By Tag and By page.
Category reporting gives you a overview of all the types of PII we detected, how many unique pages collect it and how many different tagging platforms contain each type of PII.
Selecting the "By Tag" portion of the report will display all the types of PII we detect on a per platform basis. Selecting the red numerical value will list the instances and URLs associated with the network requests containing PII.
Selecting the "By Page" portion of the report will display all the types of PII we detect on a per page basis. Selecting the red numerical value will list the instances of PII we detected on that particular page.
The core requirement for an organization’s compliant data collection processes is an understanding of all data being collected by each platform loading across all digital assets. This visibility provides the foundation for requirements across laws and regulations such as CCPA, GDPR, COPPA, HIPPA, and more.
Does Tag Inspector itself collect PII?
PII and "personal information"/"personal data'' - First for PII (name, email, etc.), it is possible that Tag Inspector would be collecting PII within our Realtime platform. With this technology we are recording all of the requests sent by all scripts on the page on which we are running. If PII is being passed by any of those other tags then we would be collecting this information as well. This is the core feature of our PII reporting in the Privacy & Compliance module - we are surfacing this behavior and alerting you to its happening. We are looking for characteristics of this PII at the point of collection and are obfuscating the identified PII at initial processing so it is never stored in an identifiable format. In addition, as outlined in the security documentation, all of the data is encrypted both at rest and in motion.
For "personal information" and/or "personal data" (CCPA and GDPR respectively) - When we are collecting data via the Scan process, any unique identifier assigned to our "user" is assigned to our virtual browsers executing the scans so this would not be applicable. With the Realtime method of data collection, again we are collecting the tag requests from the live environment as users are interacting with the site. Therefore, we are collecting the unique anonymous identifiers used by the various third-parties in use. However, in our context, we are not associating hits/requests together from one page to the next. We are also not assigning any kind of identifier to users (no cookies, no ids that we assign). As a result of this, we are not processing this data in such a way as for any identifier to be able to be associated with a particular user, device, or household. This ensures our data collection does not fall within the scope of those "personal information" and "personal data" definitions.
To summarize - PII we do collect in Realtime and surface that in our PII reporting. Those data points are identified and obfuscated at the point of ingestion and never stored in an identifiable format. Personal information/data we do not process nor store in a manner where any of the data points could be associated with a user, device, nor household.
Next Steps/Suggested Articles: