BBMM Technologies
Topics: analytics, privacy, measurement, data-minimization

Privacy-Preserving Analytics: Measuring Products Without Surveillance

By Maksym Bardakh · Co-founder & President

In short

You can understand how a product is used without surveilling individuals. Privacy-preserving analytics relies on aggregation, on-device processing, and collecting only the minimum needed to answer specific questions, so you measure behavior in the aggregate rather than tracking identifiable people across time.

Most product questions are aggregate questions

The first realization that makes privacy-preserving analytics possible is that most of what a team needs to know is aggregate. How many people use a feature, where they get stuck, which path is common: these are questions about the population, not about any particular person. Yet conventional analytics often answers them by tracking individuals in detail, collecting far more than the question requires.

Starting from the question rather than the tool flips the default. If you only need a count, you do not need an identity. If you need a distribution, you do not need a timeline of one user’s every action. The surveillance is incidental to the analytics, not essential to it.

Aggregate at the edge

The strongest privacy guarantee comes from never collecting individual records in the first place. Computing aggregates on the device and sending only the aggregate means the server never holds a per-person event stream that could be exposed, demanded, or misused.

  • Send counts and distributions rather than individual events.
  • Compute on the device so raw events never leave it.
  • Avoid persistent identifiers that let events be linked across sessions.
  • Collect only the fields tied to a specific question you intend to answer.

Techniques that protect individuals

Beyond aggregation, several established techniques reduce the risk that aggregate data reveals individuals. Avoiding stable identifiers prevents linking a person’s actions over time. Reporting only when a group is large enough avoids exposing a single user hiding in a small bucket. These methods come from the broader field of privacy-preserving data analysis.

Aggregation alone is not automatically private. Small groups can still expose individuals, and multiple aggregate queries can sometimes be combined to single someone out. Privacy-preserving analytics requires care, not just a decision to report totals.
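As an added illustration (not code from the article or from BBMM), the following Python sketch shows the two halves described above: the device reduces its raw events to counts over only the fields tied to the question, and the server merges the unlinkable reports and suppresses any bucket that fewer than a minimum number of reports contributed to. The field names, the minimum group size of 5 and the sample events are assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str]
# Assumed: the only fields tied to the question "where do people get stuck?".
ALLOWED_FIELDS = ("feature", "step")


def aggregate_on_device(events: Iterable[dict]) -> Dict[Key, int]:
    """Runs on the device. Collapses raw events into counts per (feature, step)
    and drops every other field; no user id, device id or timestamp is attached,
    so the server never receives a per-person event stream."""
    counts: Counter = Counter()
    for ev in events:
        counts[tuple(str(ev.get(f, "")) for f in ALLOWED_FIELDS)] += 1
    return dict(counts)


def merge_reports(reports: Iterable[Dict[Key, int]]) -> Tuple[Counter, Counter]:
    """Runs on the server. Sums the unlinkable reports and, separately, counts
    how many reports touched each bucket (one report per session)."""
    totals: Counter = Counter()
    contributors: Counter = Counter()
    for report in reports:
        totals.update(report)
        contributors.update(report.keys())
    return totals, contributors


def release(totals: Counter, contributors: Counter, min_group: int = 5) -> Dict[Key, int]:
    """Publish a bucket only when at least min_group reports contributed to it.
    Suppression is decided on contributors, not on event count, so one busy
    session cannot make a small group look large enough to publish."""
    return {k: v for k, v in totals.items() if contributors[k] >= min_group}


# Constructed sample: raw events on eight separate devices. The "user" field
# stands in for an identifier that must never leave the device; it is dropped.
DEVICES: List[List[dict]] = [
    [{"user": f"u{i}", "feature": "export", "step": "choose_format"},
     {"user": f"u{i}", "feature": "export", "step": "confirm"}] for i in range(6)
] + [[{"user": f"u{i}", "feature": "share", "step": "pick_contact"}] for i in range(6, 8)]


def demo(min_group: int = 5) -> Dict[Key, int]:
    reports = [aggregate_on_device(evs) for evs in DEVICES]
    totals, contributors = merge_reports(reports)
    return release(totals, contributors, min_group)


if __name__ == "__main__":
    print(demo())  # the share/pick_contact bucket (2 contributors) is suppressed
```

Raising the threshold or dropping fields changes nothing on the device side; the point is that the server can only ever publish what survives `release`, and it never held the raw rows to begin with.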

Less data is also less liability

There is a practical argument beyond ethics. Detailed behavioral data about identifiable people is a liability: it must be secured, it can be breached, it may be subject to legal demands, and it carries obligations under privacy laws. Data you never collected cannot be any of those things.

Privacy-preserving analytics therefore serves the team as well as the user. You still learn what you need to improve the product, while holding far less sensitive data and earning the trust that comes from measuring respectfully. The goal is understanding the product, not watching the people who use it.

Key takeaways

  • Most product questions are about the population, not about identifiable individuals.
  • Computing aggregates on the device avoids collecting per-person event streams.
  • Avoiding stable identifiers, and suppressing reports on groups that are too small, reduces re-identification risk.
  • Aggregation alone is not automatically private and requires deliberate care.
  • Collecting less sensitive data reduces security and legal liability as well as protecting users.

Frequently asked questions

Can you do analytics without tracking individuals?
Yes. Most product questions are aggregate, so you can answer them with counts and distributions computed on the device, without collecting identifiable per-person event streams.
Is aggregation enough to guarantee privacy?
Not by itself. Small groups can still expose individuals, and multiple aggregate queries can sometimes be combined to single someone out, so privacy-preserving analytics requires deliberate care.
Why collect less data even when it is allowed?
Because detailed data about identifiable people is a liability that must be secured and may be breached or legally demanded. Data never collected carries none of that risk.

About the author

Maksym Bardakh

Co-founder & President

Maksym is a software engineer and product strategist focused on executive-function and behavioral system design. At BBMM he leads product direction across Flowo, TextPack, and Pillow, working at the intersection of human cognition and durable interface design.