Personally Identifiable Information (PII) is key in privacy laws and data handling standards. Most organizations focus on how this data is stored and processed in backend systems. But PII data also moves through the frontend, where controls are weaker and visibility is often limited.

Client-side scripts introduce privacy risks that are difficult to detect. These scripts are usually analytics, advertising, user experience enhancements, or payment processing. Once they are loaded into the browser, they can observe page content, interact with forms, access cookies, and make outbound connections.

Most websites do not track what these scripts are doing. As a result, they may expose sensitive data to third parties without knowing it.

To reduce the risk, it’s important to understand what qualifies as PII. It is also important to know where it might appear in the browser. Our recently released behavior dashboard helps to surface that information.

What constitutes PII?

The core idea of PII is consistent across most regulations. PII refers to any data that can identify an individual, either on its own or when combined with other information.

Common examples of PII include:

• Name
• Home address
• Phone number
• Email address
• Date of birth
• National ID or passport number
• Financial account details
• Login credentials

These are all considered direct identifiers. But many privacy regulations also include indirect identifiers when they can be linked back to a person. This includes:

• IP addresses
• Device IDs
• Browser fingerprints
• Cookie values
• Location data
• Unique tracking IDs
• Session tokens

GDPR requirements regarding PII

GDPR defines PII as:

From Recital 30 of the GDPR:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.”

Link

From Article 4(1) GDPR:

“Personal data are any information relating to an identified or identifiable natural person… especially by reference to an identifier such as a name, an identification number, location data, an online identifier…”

Link

The GDPR lists specific examples:

• IP addresses
• Cookie identifiers
• Location data
• Online identifiers such as device or browser IDs

These are all covered under “online identifier.”

HIPAA requirements regarding PII

HIPAA defines PII as:

From HIPAA de-identification guidance:

“Device identifiers and serial numbers; Web URL; Internet Protocol (IP) Address; … Any other unique identifying number, characteristic, or code.”

Link

HIPAA defines 18 identifiers that must be removed to de-identify Protected Health Information (PHI). These include but are not limited to:

• Device identifiers and serial numbers
• IP addresses
• Web URLs
• Any other unique identifying number or code

PCI DSS requirements regarding PII

PCI DSS defines PII as:

From PCI DSS v4.0, Section 3.3:

“Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).”

Link

PCI DSS focuses specifically on protecting cardholder data and sensitive authentication data. This includes:

• Primary Account Number (PAN)
• Card holder name
• Expiration date
• Service code Card Verification Value (CVV, CVC)
• PIN and PIN block data
• Magnetic stripe or chip data

Unlike GDPR or HIPAA, PCI DSS does not classify IP addresses, cookies, device IDs, or browser identifiers as sensitive data. The standard’s scope is limited to protecting payment card information, which makes sense given its purpose.

However, all of the above is of course also part of PII.

CCPA / CPRA

CCPA / CPRA defines PII as:

From the California Privacy Protection Agency:

“Personal information includes any data that identifies, relates to, or could reasonably be linked to you or your household, directly or indirectly … IP address.”

Link 

“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Link

From Colorado Senate Bill 21‑190:

“‘IDENTIFIED OR IDENTIFIABLE INDIVIDUAL’ means an Individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.”

Link

CCPA/CPRA protects a wide range of identifiers, including:

• IP addresses
• Device IDs
• Browser fingerprints
• Cookie values
• Location data
• Unique tracking IDs
• Session tokens
• Browsing history

How PII gets exposed in the browser

PII is often handled on the frontend. That is where it’s visible to the user, and entered into form. Visibility into what scripts have access to is limited, and behavior is harder to control. Nearly all modern websites include 3rd-party JavaScript libraries and services. These may come from analytics providers, advertising platforms, customer support tools, or marketing optimization vendors.

Once these scripts are loaded into the browser, they execute with full access to the page.

They can:

• Read form inputs as users type
• Access cookies and local storage
• Parse the DOM and extract visible data
• Track user behavior
• Make network requests to external domains
• …

Some scripts are designed to collect this information. Others gain access unintentionally due to how they are implemented. And most importantly: all scripts technically have access to that PII.

Meaning: personal data can be exposed to systems outside your control.

This data does not have to be stored in a database to create risk. If a script sends form input or cookie data to an outside server, that qualifies as a PII transfer. If that script belongs to a vendor you do not fully control, or to a domain you do not recognize, this can quickly become a compliance issue.

Most websites do not log what happens inside the browser. That makes client-side activity difficult to audit. Even advanced server-side monitoring will not capture these behaviors.

Our behavior dashboard now helps fill this gap.

It tracks two critical types of exposure:

1. Request data: which scripts are making outbound requests and to which domains.
2. Form access: which scripts are reading or interacting with input fields.

If a script reads a user’s email address or sends it to an external server, the dashboard will record this. If a session token is sent to a tracking pixel or analytics domain, that will also appear. This information can help teams detect accidental exposures or policy violations before they escalate.

So PII can be exposed in ways that do not involve a breach of your servers. It can be handled, accessed, and transmitted entirely within the browser. If that activity is not monitored, you don’t  know when or what personal data is being shared with external parties.

Privacy regulations demand you to control your customers' PII. And that includes what happens on the client side. By understanding what qualifies as PII and how it flows through the frontend, you can reduce risk and comply with compliance requirements.

Monitoring form access and outbound script behavior is a practical step. It helps reveal issues that backend tools often miss. It also creates a more accurate picture of how personal data moves through your website in real-world conditions.

Additional questions answered

Q: What is personally identifiable information (PII), and why is it important for websites?

PII is any data that can identify someone. Sometimes that happens directly, other times it happens when personal data is combined with public data. PII includes obvious things like names, email addresses, and phone numbers. But it also covers less visible data like IP addresses, device IDs, and cookie values.

Privacy laws such as GDPR, CCPA, and HIPAA require you to protect this data.

Q: How can personally identifiable information (PII) be exposed through my website's frontend without my knowledge?

Your website’s frontend runs 3rd-party scripts with full access to the page. These scripts can read personal information as users fill out forms. They can access cookies, capture data, and exfiltrate it to outside servers. Most websites don’t track what these scripts are doing. Meaning personal data can be shared without your knowledge.

Q: What types of PII are covered by privacy laws?

Privacy laws cover both direct and indirect personal information.

Direct identifiers include: names, addresses, phone numbers, email addresses, and Social Security numbers.

Indirect identifiers are things like: IP addresses, device IDs, browser fingerprints, cookie values, and session tokens.

All of this inside and outside of cybersecurity.

Most regulations define PII as any data that can identify a person, either directly or by linking it with other details. Different laws have different categories, but knowing what counts as PII helps you stay compliant across the board.

Q: Why do traditional security tools fail to detect client-side PII exposures?

Traditional security tools focus on the server-side. But client-side PII exposure really happens in the user’s browser, not on your servers. At least not at first.

When a 3rd-party script reads personal identifying information from forms and sends that information to an external domain, that activity doesn’t show up in your server logs.

Client-side monitoring is needed to see what personal data is being accessed and where it’s going.

Q: What specific client-side behaviors should I monitor to safeguard PII?

You should monitor two things:

1) which scripts make outbound requests.

2) which scripts access form inputs that contain personal information.

Our behavior dashboard tracks this activity. It shows when scripts access data like email addresses or send personal information to tracking domains. It also flags when any PII is exfiltrated to external servers. This helps you see what counts as a PII exposure.

Q: How does PCI DSS differ from other privacy laws regarding PII?

The PCI Data Security Standard has a narrower focus than frameworks like GDPR, CCPA, or HIPAA. It applies specifically to payment card information, not to general personal data. However, both fall under the same umbrella.

PCI DSS defines cardholder data as Primary Account Numbers (PAN), cardholder names, and expiration dates. It does not classify IP addresses, cookies, or other indirect identifiers as sensitive data.

Businesses need to protect all types of personal information under broader privacy laws. At the same time, they must meet PCI DSS requirements for securing payment data. More on that can be read here.

Q: When does client-side PII exposure lead to a compliance violation?

A compliance violation happens when personal information is transmitted to third parties without permission. If a script sends form inputs or cookie data to an external server you don’t control, that’s a violation of privacy rules, next to manually sharing that data of course.

Knowing what counts as PII and tracking where it goes helps you stay compliant with GDPR, CCPA, HIPAA, and other privacy frameworks.

Q: Who is responsible for monitoring client-side PII exposures within an organization?

Monitoring and protecting personal information requires the whole company to chip in. This counts for big as for smaller companies. Some organizations have full time privacy officers, others might just have a privacy focussed developer.

The whole company needs to understand how personal data flows, so they can meet reporting requirements under laws like GDPR, CCPA, and HIPAA.

The ultimate responsibility lies with company management.

Q: What are the most common ways websites inadvertently expose PII through 3rd-party scripts?

Common exposures happen through otherwise regular scripts that are hacked or turn malicious:

• Analytics scripts suddenly capturing form data beyond their scope
• Ad pixels reading cookies outside their designated domains
• Support widgets accessing user inputs in unauthorized forms
• Scripts designed for legitimate data collection that exceed their boundaries
• … and more

Some scripts intentionally collect PII by design. Others do it by accident or with malicious intent.

Knowing what personal information is being collected, and where it’s going, helps prevent accidental leaks.

Q: What level of risk does unmonitored client-side activity pose to my business?

Regulators under GDPR, CCPA, and HIPAA can and have issued heavy fines for mishandling PII. Customers also expect their data to be protected. Breaches involving personal information will damage trust and reputation. Class action lawsuits have been successfully filed and won in the past.

Q: What immediate actions can I take to minimize client-side PII exposure risks?

Start by auditing all 3rd-party scripts to see what personal information they can access. Implement data exfiltration detection tools to give you visibility into those scripts. Then, monitor and protect them. 

Review your privacy policies to make sure they include how data flows through and is captured on your frontend.

Implement both traditional server-side protections and client-side protection.