
Fullstory’s guide to protecting behavioral data and user privacy

At Fullstory, safeguarding your data isn't just a priority; it's a partnership. When building our product, we consider the security of the data we collect from start to finish.

Understanding consumer behavior through data has become integral for companies as more and more of our lives are managed online. However, acquiring this information involves understanding what behavioral data is and how collecting behavioral data could lead to collecting personal data.

What is behavioral data?

Behavioral data refers to how customers interact and behave across different touchpoints. This data includes website browsing history, purchase history, social media engagement, and customer service interactions. The data is captured through interactions with software (websites/apps) or servers and includes foundational interaction events such as page visits and clicks.

At Fullstory, it includes the foundational interaction events along with signals that demonstrate customer sentiment, including frustration and friction signals like Rage Clicks, Error and Dead Clicks, and Thrashed Cursors; and browsing indicators, including touchscreen gestures, page refreshes, scroll depth, and highlighted text.

By weaving together these signals with analytical data, we empower organizations to grasp how their products are embraced and identify untapped opportunities, crafting truly personalized customer journeys.

What if behavioral data includes personally identifiable information (PII)?

First, we need to define PII to understand if the behavioral data collected includes PII. According to the National Institute of Standards and Technology, PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number (or other national identity number), date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

From a high level, it may not seem like there’s much potential to collect PII while collecting behavioral or sentiment data based on the previous definitions. Looked at more closely, however, how a person interacts with your website (what they buy, or the services they use or subscribe to), along with the data that they submit (login credentials or data entered into a form), could be considered PII if not redacted and would need to be protected as such.

Best practices for collecting behavioral data when it comes to PII

Consider why you’re collecting behavioral data

You might consider collecting behavioral data from your website to better understand customers' preferences and behaviors. The data collected can provide valuable insights into how users navigate the website, what features they engage with most, where they encounter frustration, and what motivates their decision-making processes. By analyzing behavioral data, you can optimize the user experience, tailor your marketing strategies, improve products or services, boost conversion rates, and enhance overall customer satisfaction.

With Fullstory, a wide array of data points can be gathered. It’s easy to look at the options available and think, why not collect it all? It may be useful at some point. However, any data you collect but don’t need still has to be properly protected, and you have to make sure it doesn’t interfere with the accurate analysis of the data you do need.

Limit who has access to the collected data

Limiting access to collected data is important for several reasons. First, it limits the number of people with access to potentially personal and sensitive information, decreasing the threat of potential misuse or accidental disclosure, thereby protecting individuals' privacy rights. Unauthorized access to data can result in identity theft, fraud, or reputational damage, among other possible harms. Second, restricting access helps you adhere to data protection laws and regulations such as GDPR, which require organizations to uphold stringent data control measures. Lastly, limited access to data can also prevent accidental changes or loss, ensuring its accuracy and integrity. Limiting data access is a critical aspect of responsible data management, protecting individuals, complying with legal obligations, and preserving data quality.

Train employees who will have access to the collected data

Even if you limit who has access to your collected data, it’s important to ensure those employees are trained on the appropriate ways to access and use the behavioral data. Training is essential so your employees understand the guidelines around using behavioral data.

Adopt a cybersecurity framework

Most modern cybersecurity frameworks, like SOC 2 or ISO 27001 (security) and ISO 27701 (privacy), include controls for risk management and mitigation and allow your security and privacy programs to be audited by an external firm to ensure the relevant controls are in place and are being met. If risk management is the only control set that your organization needs to implement, ISO 31000 is a framework and process for managing risk in any organization. Regardless of the framework chosen.

Conduct a risk assessment

Working with your risk management team to perform a risk assessment can help you identify whether collecting and using the behavioral data aligns with your internal risk strategies. An internal risk assessment allows you to examine the threats and vulnerabilities that your organization faces that may lie outside of the questions external auditors may ask.

Collecting behavioral data can answer many questions you may have about how your customers interact with your website or app. It may even answer questions you didn’t know you had.

author

Chris Powell

Senior Security Compliance Analyst

Chris is an experienced Security Analyst and Policy Expert with experience across a diverse range of organizations, from non-profits to the software industry, from early-stage startups to enterprise organizations.