Being Data-Conscious: Protecting More Than Just Your PII (PART 1)

Would you believe that even without sharing your name or email, you can still be tracked online? Have you ever searched for a product on Google, only to find your social media flooded with related ads shortly after?

What’s happening here? Many assume that protecting their Personally Identifiable Information (PII)—such as names, emails, or social security numbers—is enough to maintain privacy. However, the reality is far more complex. Beyond PII, a vast amount of seemingly harmless data can still expose you to risks, from targeted ads to digital profiling and even security threats.

This article explores the hidden data you may be unknowingly sharing while part two will provide practical steps to enhance your privacy. Being data-conscious means looking beyond PII and taking control of your digital footprint—let’s dive in.

What is PII and Why Do We Focus on It?

PII (Personally Identifiable Information) refers to any data that can be used to identify an individual. For instance, if your name is mentioned within an organization where multiple people share the same name, it may or may not be unique enough to identify you immediately. However, when combined with details such as your address, it becomes significantly easier to pinpoint exactly who you are.

There are two main categories of PII:

1. Direct Identifiers: These can uniquely identify an individual on their own. Examples include: Full name, home address, email address, telephone number, social security number (SSN), driver’s license number, credit or debit card number, and biometric data (e.g., fingerprints, facial recognition).
2. Quasi-Identifiers: These pieces of information may not identify an individual on their own but, when combined with other data, can be used for identification. Examples include: age, date of birth, gender, geographic location, passport number, race, or ethnicity.

Why Is PII the Primary Focus of Data Protection Laws?

PII is the core focus of major privacy regulations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA). These laws impose strict guidelines on how organizations collect, store, process, and share PII because it directly links to an individual's identity, making it highly sensitive and valuable.

However, while these regulations play a crucial role in protecting identifiable data, they often overlook non-PII data—such as metadata, behavioural analytics, browsing history, and device information. When aggregated, these data points can be just as revealing, enabling companies and bad actors to track, profile, and manipulate individuals without directly using their PII.

This brings us to a critical question: What other types of data, beyond PII, could put your privacy at risk?

The Overlooked Data That Puts You at Risk

1) Behavioural Data

Unlike PII, which could easily identify you, behavioural data are obtained from your actions, preferences, and interactions across digital platforms. Like the example that was given at the beginning of this article, where you search for something on Google only to realize that your searched products are appearing on your social media timeline. This type of data allows companies, advertisers, and even malicious actors to predict behaviours, influence decisions, and personalize experiences—often without explicit consent. Examples of this are: 

• Browsing history: The websites you visit, how long you stay on a page, and what links you click.
• Search queries: What you type into Google or other search engines, which can reveal interests, concerns, and even personal struggles.
• Online purchases: What you buy, when, and how often, helping companies build a profile of your spending habits.
• Social media activity: Likes, shares, comments, and interactions that shape digital advertising and content recommendations.
• App usage patterns: How often you use certain apps, your activity levels, and even your scrolling behaviour.

Why Is Behavioral Data a Privacy Concern?

1. Profiling and Manipulation: Advertisers use behavioural data to create detailed consumer profiles, targeting you with hyper-personalized ads, product recommendations, and even dynamic pricing (charging different users different prices based on perceived willingness to pay).
2. Predictive Analytics: Machine learning models analyze behavioural data to predict future actions, such as your likelihood of making a purchase, voting for a candidate, or even switching jobs.
3. Third-Party Sharing: Many platforms share or sell behavioural data to third parties, often without users realizing the extent of data collection.
4. Lack of Regulation: Unlike PII, behavioural data often falls into a regulatory gray area, making it easier for companies to collect and use without direct consumer consent.

2) MetaData

This is another overlooked piece of data that puts you at risk. Metadata is information that describes other data and provides details about how, when, and where that data was created, modified, or transmitted. It is often referred to as the data about data. Metadata doesn’t contain the actual content of your emails, calls, or messages, but it provides crucial contextual details that can still be used to track, profile, and even de-anonymize individuals.

Examples of Metadata:

• Email metadata: Sender, recipient, timestamp, device used, and location (but not the actual email content).
• Call metadata: Who you called, for how long, and when (but not the actual conversation).
• Photo metadata: Time and date a photo was taken, camera type, GPS location, and even editing history.
• Document metadata: Author, creation date, last modified date, and revision history.
• Web browsing metadata: IP address, device type, time spent on a page, and referral links.

Why Is Metadata a Privacy Concern?

1. Revealing Patterns: Even without knowing the content, metadata can reveal who you communicate with, when, and how often, helping companies or governments build detailed social graphs.
2. Location Tracking: Metadata from photos, emails, and devices often contains geolocation information, allowing for precise tracking of movements.
3. Surveillance and Profiling: Intelligence agencies and corporations use metadata to analyze behaviour, interests, and networks without needing direct access to private content.
4. De-anonymization: De-anonymization is the process of re-identifying people from supposedly anonymous data. Even if data is "anonymized," metadata can often be used to re-identify individuals by cross-referencing patterns with other data sources.

3) Device & Location Data

When Twitter was banned in Nigeria following the EndSARS protests in 2020, many people turned to VPNs to bypass restrictions and regain access to the internet. This incident highlighted an important truth: even when Personally Identifiable Information (PII) is protected, your device and location data can still be used to track, restrict, or manipulate access to digital services. Device and location data refer to the information collected from your phone, laptop, or other smart devices about your identity, habits, and whereabouts.

Examples of Device Data:

• Device type & model: Your phone brand (iPhone, Samsung) and model (iPhone 14, Galaxy S23).
• Unique device identifiers: Your device has a MAC address, IMEI number, and advertising ID that can be used to track it.
• IP address: Reveals your general location and internet service provider.
• Wi-Fi & Bluetooth connections: Tracks which networks and devices you connect to.
• App usage patterns: How often and when you use apps, even if you don’t log in.

Examples of Location Data:

• GPS data: Tracks your precise location in real-time.
• Cell tower triangulation: Your phone connects to nearby cell towers, allowing providers to estimate your position.
• Wi-Fi network tracking: Stores the names of networks you connect to (e.g., home, work, coffee shop).
• Geofencing & Beacons: Apps and stores use GPS, Wi-Fi, or Bluetooth to track when you enter or leave a specific area.

Why Is Device & Location Data a Privacy Concern?

1. Constant Tracking: Your phone pings GPS, Wi-Fi, and cell towers, creating a detailed map of your movements—even with GPS off.
2. Sensitive Information Exposure: Your daily routines, habits, and visits (e.g., work, gym, medical appointments) can be inferred from location data.
3. Targeted Ads & Manipulation: Companies use location data for hyper-targeted advertising and personalized experiences.
4. Security Risks: Hackers and cybercriminals can exploit leaked GPS data, spoof locations, or intercept connections.

What’s Next?

Now that we’ve uncovered how behavioural data, metadata, and device/location data can be just as revealing as PII, the next step is learning how to protect yourself. In part two of this series, we’ll explore practical strategies to reduce digital tracking, enhance privacy, and take back control of your data. Stay tuned!