To prevent/foresee issues such as T121104, we should have metrics. Because there are privacy implications to this, I think the best way to handle this is to put this behind an interface that is only accessible to people who have signed an NDA.
What are we allowed within the confines of the privacy policy? I don't think IP is useful, but the refer(r)er could be considered private information -- but that definitely /is/ useful to have.
Just setting up e.g. Piwik might be the easiest solution, but there are of course others.