It is important to adhere to best practices when managing personal information (PI). PI can include identifiers such as name, address, email, and even IP address. While certain data privacy and security regulations (such as GDPR) explicitly require PI management protocols, it is always important to prudently manage PI.
Mixpanel has safeguards to protect the security of data sent to our APIs (see our security whitepaper for more details); however, there is always some inherent risk when handling PI. For this reason, Mixpanel gives full control to its customers to specify which data to send (or not send) to the Mixpanel platform. It is therefore necessary to consider which data includes PI when implementing Mixpanel tracking.
There are several precautions that can be taken that will maximize the security and privacy of the personal information of end users. The following list offers several suggestions and practices for managing PI while using Mixpanel.
Secure Tracking Plans
Mixpanel provides the ability to customize and adjust the information that is collected by Mixpanel. While this flexibility facilitates meaningful tracking and analytics, it also necessitates extra focus on managing end users’ PI.
It is important to create a tracking plan before implementing Mixpanel. Incorporating security and privacy concerns into this plan will decrease the possibility of unknowingly collecting sensitive information. In general, we recommend collecting only the data that will help with answering your specific business questions.
Additionally, having a competent tracking plan will make it easier to manage PI and quickly respond to end user inquiries about that information.
Use Randomly Generated Identifiers
Mixpanel’s client-side libraries automatically assign a unique random hash as the user’s unique identifier, called a distinct_id. The distinct_id represents a unique user in Mixpanel and is necessary for Mixpanel report calculations. Customers can either use the default Mixpanel distinct_id to identify users or create a custom identifier to use as the distinct_id. It is also possible to alias the distinct_id to a custom value to help keep your users’ distinct_ids consistent across platforms.
It is possible to assign custom values as the user’s distinct_id or alias that include PI. If you wish to track users truly anonymously, however, then your tracking implementation should not use user-specific information, such as the user’s email address. Instead use a value that is not directly tied to a user’s PI, whether it be a unique anonymous hash, or a non-PI internal user identifier.
Disable Geolocation Tracking
Mixpanel automatically assigns location properties (City, Region, Country) to incoming data. This is done through the collection and parsing of the end user’s IP address. Mixpanel does not store IP addresses, but rather, only uses IPs to assign geolocation properties to data upon ingestion.
It is possible to prevent default location properties from being assigned to data sent to Mixpanel. Follow the instructions in this article to disable IP address collection. Reference this article when handling IP address collection on server-side Mixpanel implementations.
Mixpanel supports individuals' right to control their personal information. Every tracking implementation should incorporate an ability to opt an end-user out of tracking if the end-user does not give permission to be tracked.
If using one of Mixpanel's client-side tracking libraries, it is possible to halt tracking of end-users from a particular browser or device by changing their opt-out state. No data will be sent for users with a local opt-out state of “true.”
Mixpanel opt-out methods control data that is sent out from a particular tracking implementation located on the end-user’s device. In order to prevent data from a particular user being sent to Mixpanel, that user must be opted out of tracking on each platform from which data is sent.
For example, data sent to Mixpanel server-side or in response to a user opening an email will still be sent if the user is opted out on a website or application. To prevent message analytics from being sent to Mixpanel when a user is targeted in a message, it is best practice to delete the user’s people profile in addition to opting them out of tracking.
Refer to our developer documentation to learn more about managing opt-out state of end users.
Use a Server-Side Implementation
Mixpanel's tracking libraries are open-source and can be viewed in the Mixpanel GitHub repository. These libraries are built as a convenience, but it is possible to forgo the use of them.
For absolute control over the data sent to Mixpanel, collect, format, and send it directly from a private server. See the Mixpanel HTTP spec for a full breakdown of the expected format of data sent to Mixpanel.
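The sketch below is an added example, not Mixpanel's own code. It shows a server-side event builder that combines the practices above: a keyed-hash distinct_id derived from an internal ID, a tracking-plan allow-list that drops PI properties, a server-side opt-out check, and geolocation disabled. The endpoint URL, the base64 `data` field and the `ip=0` parameter are assumptions about the HTTP API to confirm against the Mixpanel HTTP spec; the property names, key and user IDs are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

# Assumption: endpoint and parameters as described in the lead-in; verify against the HTTP spec.
TRACK_URL = "https://api.mixpanel.com/track"
# Tracking plan expressed as an allow-list: only these properties may leave the server (constructed).
ALLOWED_PROPS = {"plan", "feature", "platform"}


def pseudonymous_id(internal_user_id: str, key: bytes) -> str:
    """Keyed hash of an internal ID: stable across platforms, not derivable without the key."""
    return hmac.new(key, internal_user_id.encode(), hashlib.sha256).hexdigest()


def build_track_request(token, key, internal_user_id, event, props, opted_out, now=None):
    """Return (url, form_body) for one event, or None when the user has opted out."""
    if internal_user_id in opted_out:
        return None  # server-side opt-out: nothing is built, so nothing can be sent
    # Drop everything not in the tracking plan (e.g. email, name, raw IP).
    safe = {k: v for k, v in props.items() if k in ALLOWED_PROPS}
    safe.update({
        "token": token,
        "distinct_id": pseudonymous_id(internal_user_id, key),
        "time": int(now if now is not None else time.time()),
    })
    payload = json.dumps({"event": event, "properties": safe}, separators=(",", ":"))
    # ip=0 asks the API not to derive City/Region/Country from the request IP.
    body = urlencode({"data": base64.b64encode(payload.encode()).decode(), "ip": "0"})
    return TRACK_URL, body


def decode_body(body: str) -> dict:
    """Inverse of the encoding above, for auditing exactly what would be sent."""
    return json.loads(base64.b64decode(parse_qs(body)["data"][0]))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; load from a secret store in practice
    raw = {"plan": "pro", "email": "user@example.com", "feature": "export"}  # constructed input
    url, body = build_track_request("PLACEHOLDER_TOKEN", key, "user-1842",
                                    "Report Exported", raw, opted_out=set(), now=1700000000)
    print(url)
    print(decode_body(body))
```

The builder only constructs the request; sending it is a single HTTPS POST of the returned body. Rotating the key changes every distinct_id, so treat the key as long-lived and store it separately from analytics data.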