How Much PII Can My Ecommerce Website Track

To stay competitive in the new digital economy, it’s important to personalize the user experience of your customers and website users.

Big companies are in a position to devote huge teams to collecting data and developing user profiles. Meanwhile, CDPs and CRMs are making it easier for smaller businesses to start doing the same thing and scale their personalization efforts.

But in the data economy, where personal data is collected and sold, there is a market desire to collect as much data as possible – at any cost.

Consumers are becoming increasingly conscious of how vulnerable their information is and what it is used for. For example, Apple’s iOS 14.5 update tried to make it easier for their customers to know what data apps were trying to collect.

The Covid-19 pandemic changed a lot about consumer behavior, and the biggest shift has been the rise in online shopping in all ecommerce categories across all user demographics. So the big question for retailers entering or already operating in the digital space is: what Personally Identifying Information (PII) should we be collecting?

Personal data is helpful to users and businesses alike, as we wrote about in “How Much Data Personalization Is Too Much Personalization?”

Consumers, knowing some level of data is collected and known about them online, expect a certain level of personalization for that sacrifice, such as recommendations specific to their needs and location.

What PII Does an Ecommerce Store Collect?

Websites can track digital analytics information such as session duration, average time on page, what pages were visited, events and conversions, bounce rates and IP addresses. Additionally, ecommerce stores collect payment information, shipping addresses, email addresses, and information about the kind of products bought.

The Payment Card Industry (PCI), which was formed by the likes of American Express, Visa and Mastercard, established the Data Security Standards to protect payment account information. Merchants worldwide that accept credit card payments are required to comply: “the DSS standards define requirements and best practices for securing the processing and storage of payment account data, as well as other personal information.”

Customer data can be collected by:

  • Asking customers for it: Personal information is valuable. As such, ecommerce businesses often offer enticing incentives (like discounts) to collect even more information about consumers.
  • Indirectly tracking customers: Cookies are a way to pull information about users and their devices, such as IP addresses, from data layers.
  • Appending other sources of data: The biggest sources for collecting personal information are social media sites, like Facebook, that can integrate with your CDP and be used to natively personalize targeting.

The Benefits of Tracking Personally Identifying Information

From a usability perspective, customer data can be used to improve the shopping and checkout experience, whether by showing relevant products to users or by storing information to make the checkout process fast and easy.

You can also use it to encourage an increase in cart value among other opportunities that can benefit your business.

The first step in understanding the benefits of tracking your users’ data is knowing what kind of data you are able to collect from different sources. Tracking data with Google will give you different insights than if you track data with Facebook, but if you compile all that data into a Customer Data Platform (CDP), you can get an even better insight into your customers and their behaviors.

CDPs can even be used to better understand your marketing efforts as users evaluate and research your product in the stage of the purchasing journey known as the messy middle.

In addition to social metrics and analytics data, you can include CRM platform data from sources like Salesforce to make nurturing your existing customers more personalized.

When you know what data you have on your customers and prospects, you can act on this information by:

  • Personalizing remarketing campaigns
  • Recommending relevant products and promotions
  • Improving customer experience in the complaints department to reduce attrition
  • Building segments of typical high-value customers
  • Targeting relevant prospects to improve LTV
  • Making your prospecting audiences and efforts leaner to improve acquisition costs

Unknown to Known: A 360° View of Your Customer

Do you know when a customer is in your store? How about which exact customer is in your store?

With the right data systems and the correct UX, it will appear to your customers as though your website knows them. This means collecting enough data to build a 360° view of your customer and having the right platforms to then use that information. When that user is in your store, you want the right triggers and responses to give them an appropriate experience.

Data about users can be gleaned from third-party tools, cookies, data layers, forms or social media profiles. While some information is fluid, such as the products in their cart or their geolocation, some information will be static, like their name or date of birth.

The same data that you collect can also be used as a trigger to say “hey, this person is back in our store” with varying degrees of certainty. For example: if a user signs in to an account, there is high certainty that it is that person; if you’re using a cookie to target a specific device on a specific IP, that’s a reduced level of certainty because it could be another individual on that device.

When building user profiles, you should be hyper-conscious of what data you are collecting. Just because it can be measured, doesn’t mean it should be. There are legislative and regulatory efforts to be aware of.

What Are My Obligations to Protect Consumer Data?

In the United States, the California Consumer Privacy Act is the most important legislation to pay attention to. If your site is international, you need to be aware of similar regulations in other economic areas, such as the General Data Protection Regulation (GDPR) that protects European citizens.

Businesses need to be aware that it’s not just about what kind of information you collect but what you do to protect that information. For example, GDPR makes it so that companies have to safeguard data, including:

  • Personally identifiable information (PII), such as name, address and Social Security numbers.
  • Web data, such as IP addresses, cookie data and RFID tags.
  • Health and genetic data.
  • Political opinions.
  • Sexual orientation.

GDPR allows you to collect this information as long as it remains completely anonymous, which negates the purpose of collecting personal information for personalization purposes.

Why Should I Limit the PII I Collect and Act On?


Consumers are not going to shop, or keep shopping, from a business they don’t trust.

Limiting the data you collect on your customers, and taking seriously the safeguarding of the information you do collect, is paramount to your business’s continued success selling online.

As consumers, I’m sure we’ve all felt the uncanny sensation of having an ad served to us that feels like it knows a little too much about our interests or activities.


Too much data can create unnecessary noise in the information. Although you will likely outsource the storage and sorting of the data to another system or AI, the more information you have, the slower your systems will be.

There will also be people involved in making decisions around how to use the data. You want only to collect the data you wish to act on, so that the team members analyzing and using that data can:

  • Be efficient with their time and energy.
  • Not worry about compliance.
  • Not be in a position where they can do something nefarious with the information they have.

The Data Economy

With an abundance of data, success will not be about who has more data than anyone else but who uses it best. Success will come down to security and utility.

To win in this new economy: collect data legitimately, store it securely, then use it efficiently and appropriately to create effective personalization.