Personally identifiable information (PII) learning

Privacy laws across the globe require protecting user information in various forms. Our products help you find and manage this information as it passes through the network. Or network continues looking for personal data outside of your API definitions in the event some appears in payloads you didn't expect.

What is PII?

Personally identifiable information (PII) is any information or combination of information that identifies an individual. That includes anything involving personal information: name, Social Security number, date and place of birth, mother's maiden name, biometric data, or any other data linked to an individual that can be used to identify who they are.

For more information on PII, see What is PII.

How does PII learning work?

The network finds locations in your API that look like they contain PII, for example a parameter that appears to contain an email address or credit card number, and flags the parameter for your review. You'll see the parameter with a PII flag the next time you log in to Control Center and navigate to your api definition. Note that the parameter's value is not visible in Control Center, only the parameter itself.

What PII types are supported?

Only email, credit card, and Social Security numbers are currently supported.

How to enable API PII Learning?


You can enable PII learning only for APIs protected with security configurations.

  1. Log in to Akamai Control Center with your username and password.
  2. Go to ☰ > Web & Data Center Security > Security Configurations.
  3. Open the security configuration that protects the API for which you want to enable PII learning.
  4. In the Configuration Overview tab, ensure that the hostname linked with your API is listed in the Hostnames currently associated with this configuration section.
  5. Go to the Advanced Settings tab.
  6. Turn on API PII learning.
  7. Activate the security configuration.

How does API PII learning work?

After you activate the security configuration, the learning starts. Learning requires your API traffic to contain supported PII types. Also, your API has to process traffic from various sources to ensure valid results. Learning data is refreshed once a day. 24 hours after enabling the feature is the minimum time required to receive the learning results.

For registered APIs, PII learning runs constantly.
For unregistered APIs (API Discovery), PII learning runs in 35-day cycles: after you enable it, learning continues for 10 days, and then it stops for 25 days. If you didn’t register the API, the cycle repeats. The maximum number of unregistered APIs eligible for learning at one time is 1000.

What do I do when PII is found in my API?

While PII discovery finds PII in any of your APIs, you can only take action for PII found in APIs you've registered in API Definitions. See Respond to PII recommendations for more details.

You can still see PII found in APIs that you haven't registered, but you'll need to register them before you respond to the PII recommendations.

Once PII in a parameter is defined and the API is registered, you can choose how the network enforces the PII constraints for that API.