Are you collecting Personally Identifiable Information (PII) in your Google Analytics account? You may be and not even know it.
The Google Analytics Terms of Service prohibit Personally Identifiable Information (PII) from being saved in Google Analytics. If PII exists in your GA account, your account could be immediately closed. We don't want that, right? (Note: Google is usually forgiving and allows you to rectify the problem.)
So what does Google consider to be PII? Anything that can uniquely identify a person and cannot be easily changed. For example:
- Name: first name, last name
- Username + Password
- Email Address
- Credit Card Details
- Any Government-issued IDs
- Mobile phone number
- Public user name
- Biometric information
The following data can be safely saved to Google Analytics:
- Aggregated classification such as: age, zip, date of birth, gender, city
- CRM or any other system private ID
So you know the GA ToS and you are careful not to store PII as a Custom Dimension in your Google Analytics properties. You may still send PII accidentally. How, you ask?
- One example is the decision to provide an improved customer experience (CX) by including the user's first and/or last name in an error or confirmation message. To monitor your CX and set up some custom alerts, you then come up with the great idea of sending error messages to Google Analytics. Now the two ideas together conflict with the Google Analytics ToS, even though nobody was being malicious; you were just delivering the best experience possible for your customers.
- A second example occurs when a page URI includes a user name, email or any other PII. This may happen if a link from your website to a third-party page includes a user's email in the URL. If you are tracking exit links from your website, then when a user clicks on a link with the embedded identifier, the PII is sent to your GA account.
- A third common example is the Page Title. Yep, it is very tempting to include the user's full name or account identifier in the Page Title of the admin section, but once you have GA code or Google Tag Manager (GTM) on that page, your Page Title goes straight to Google Analytics.
Below are some Internetrix best-practice tips to avoid having personally identifiable information (PII) in Google Analytics:
- For user form submissions: use the POST method rather than GET
- Use a unique site identifier instead of the user's email or user name in the URL (a random user identifier which can later be cross-referenced)
- Proactively monitor if any common PII has been added to URL parameters with GA Custom Alerts
- Make sure your analytics team is monitoring for PII which has found its way into GA
- Educate your developer team not to include email, user name and other PII in URLs or Page Titles
- Use Google Analytics filters to drop PII from URLs, Page Titles, events, Custom Variables and Custom Dimensions
- Run reports at least once a quarter in an attempt to uncover any accidental PII in your Google Analytics data
Sound like a lot of work? Well, the alternative is losing all of your data if you "break the rules", intentionally or not.
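The three accidental leaks described above (an email in the URL, a name in the Page Title, a name in an error message) can also be scrubbed in the page itself before anything is reported. The following is an added example, not code from the original article or from Google; `PII_PARAMS`, `REDACTED`, the function names and the sample values are assumptions.

```javascript
// Added example, not code from the original page. PII_PARAMS, REDACTED and all
// sample values are assumptions chosen for illustration.
const PII_PARAMS = new Set(['email', 'username', 'name', 'firstname', 'lastname', 'phone']);
const EMAIL_RE = /[a-z0-9._%+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)+/gi;
const REDACTED = 'REDACTED';

// Replace email addresses plus any values known to belong to the current user
// (for example the display name the page has already rendered).
function scrubText(text, knownValues = []) {
  let out = String(text).replace(EMAIL_RE, REDACTED);
  for (const value of knownValues) {
    if (value) out = out.split(value).join(REDACTED);
  }
  return out;
}

// Percent-decoding can throw on malformed input; fall back to the raw segment.
function safeDecode(segment) {
  try { return decodeURIComponent(segment); } catch (e) { return segment; }
}

// Return a path + query that is safe to report: PII-named parameters are
// blanked by key, every other value and path segment is scanned by content.
function scrubUrl(rawUrl, knownValues = [], base = 'https://example.com') {
  const url = new URL(rawUrl, base);
  url.pathname = url.pathname
    .split('/')
    .map((seg) => encodeURIComponent(scrubText(safeDecode(seg), knownValues)))
    .join('/');
  const cleaned = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const piiKey = PII_PARAMS.has(key.toLowerCase());
    cleaned.append(key, piiKey ? REDACTED : scrubText(value, knownValues));
  }
  url.search = cleaned.toString();
  return url.pathname + url.search;
}

// Build the values to hand to the tracking call instead of the raw ones.
function buildPageview(rawUrl, rawTitle, knownValues = []) {
  return { page: scrubUrl(rawUrl, knownValues), title: scrubText(rawTitle, knownValues) };
}
```

Names are only caught when they are passed in as `knownValues`, so this complements the GA filters and periodic reports listed above rather than replacing them.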
Ok, it happened - you found personally identifiable information (PII) in your Google Analytics data. What should you do now?
- It’s urgent that you immediately remove the code on your website that is sending it
- Create filters in every view which will effectively cut the PII
- Back up data you may need for future analysis using the Google Analytics API or native reporting
- Depending on how long you have been sending PII to Google Analytics, you may have to delete your GA data
- Refer to the Resolving Violations of the Identifying Users Policy guide
For more information please read Best practices to avoid sending Personally Identifiable Information (PII) by Google.
A bit of sugar in the end :)
Tap, Tap, Tap.