Convertmind knowledge base
This article uses Google’s own definition of personal identifiable information, which may differ from applicable law. If you’re unsure what this definition entails, please make sure to read up on that first.
Google Analytics doesn’t have any features designed to collect personal identifiable information. However, it’s still possible for Google Analytics to pick up personal identifiable information depending on how your site is set up.
Google’s terms of service, contracts, privacy policies, etc. do not allow tracking of PII in any way. This naturally means that Google Analytics does not have any features designed or aimed at gathering this information. So Google Analytics on its own will not collect any PII.
However, it’s still possible for PII to be collected by Google Analytics depending on how you have your site and your Analytics set up. For example, Google Analytics gathers the full URL users travel to. Some sites have search features or forms that work by putting the search string in the URL. For example, users may enter their email address in a form, which then gets put in the URL as https://firstname.lastname@example.org.
This URL contains PII, and thus may not be collected by Google Analytics. However, Google Analytics doesn’t know there’s PII in there, and if you tell it to collect that URL, it will. This means that you are responsible for making sure this doesn’t happen. You can do this by adjusting how your site works to prevent this from happening, or by adjusting the Google Analytics code in analytics.js to change the URL before it’s sent over to Google Analytics.
Make sure you check for cases like this all across your setup before you run it. Another example of easily missed PII being gathered is tracking search strings being used in certain fields, when these fields are used for PII. That would also mean Google Analytics collects PII, which is not allowed, so you’ll need to adjust this too.
Google makes it explicitly clear in their various terms of service, privacy policies, contracts, etc. that you are not allowed to send any form of Personal Identifiable Information, or PII, to Google Analytics or any other Google service. This term, however, isn’t explicitly clear on what exactly is considered PII and what isn’t.
To clear this up, Google has set up guidelines on what they do and don’t consider PII. Google has given PII the following definition:
‘Information that could be used on its own to directly identify, contact or precisely locate an individual’
To clear this up, various given examples of this kind of information include:
Then what does not count as PII? Basically any data that, according to Google, cannot be used to directly identify a person. For this, pseudonymization of such data is typically enough. I can identify Hiroshi Yamauchi, but I can’t identify User #1, regardless of how much Analytics data I have on them. Examples Google has given of data that’s OK to gather include:
When it comes to PII, it’s very important to realise Google isn’t the only party with demands. Depending on where your business is situated and what kind of audience you serve, the law may give different guidelines. For example, Google is fine with IP addresses being processed, but the European General Data Protection Regulation act (GDPR) is more strict on the processing of IP addresses. Make sure you check the law of all places your site will serve, and that your use of Google Analytics is compliant with these laws as well.
There may be some data you want to gather that falls into a bit of a grey area. If you’re not sure whether the data you want to collect is OK to collect, we recommend asking a lawyer or other legal expert for advice.
It’s possible for PII to be collected by Google Analytics depending on how you have your site and your Analytics set up. For example, Google Analytics gathers the full URL users travel to. Some sites have search features or forms that work by putting the search string in the URL. For example, users may enter their email address in a form, which then gets put in the URL as https://email@example.com.
This URL contains PII, and thus may not be collected by Google Analytics. However, Google Analytics doesn’t know there’s PII in there, and if you tell it to collect that URL, it will. There are other cases like this as well. Think of a form with fields for PII which Google Analytics is set to track, for example.
You are responsible for making sure Google Analytics doesn’t capture PII in such ways. There are various ways you can accomplish this.
Preventing PII from being collected by Google Analytics
There are multiple ways to prevent Google Analytics from tracking PII. Which one is best for you depends on your setup.
First off, make sure you check for cases of possible PII being tracked all across your setup before you run it. Go through your entire Google Analytics setup and through your whole site, looking for any possible point where PII could come through. Once you’ve identified these, you can decide on the best solution.
Change the way your site processes the information
If your site processes the PII in such a way that Google Analytics easily tracks it, you may be able to make adjustments to your site to fix it. For example, does your site put PII in the URL like the email address in the earlier example? Try to see whether you can adjust this so this won’t happen. If you’re not sure how to do this or whether this is possible, consult the developers who work on your site.
Disable tracking for the offending areas
You may find the problems are caused by a certain element or page on your site. Perhaps you’re tracking a field in a form which often contains PII. If the data you get from this field is not that valuable otherwise, you could consider simply disabling tracking for this element in Google Analytics. You may lose some data, but you also won’t be gathering any illegal or banned data.
Adjust the coding of analytics.js to hide PII before it’s sent to Google Analytics
The solution that gives you the most flexibility and control is to adjust the code in analytics.js to filter out PII by creating a custom tracker. As this requires adjusting code, this can get rather technical. If that’s not your strong suit, it may be advisable to consult a developer or other technical expert. To get started with this, we recommend starting out on this official support page from Google.
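One way to rewrite the URL before it reaches Google Analytics, as an added example that is not Convertmind’s or Google’s own code. The names redactUrl, SENSITIVE_PARAMS and EMAIL_RE are hypothetical, and the list of parameter names is an assumption to adapt to your own forms.

```javascript
// Added example: strip likely PII from a URL before analytics.js records it.
// SENSITIVE_PARAMS, EMAIL_RE and redactUrl are hypothetical names; the
// parameter list is an assumption and must be adapted to your own forms.
const SENSITIVE_PARAMS = new Set(['email', 'e-mail', 'mail', 'name',
  'firstname', 'lastname', 'phone', 'tel']);
// Matches an email address written with a literal "@" or an encoded "%40".
const EMAIL_RE = /[^\s\/?&=#@]+(?:@|%40)[^\s\/?&=#@]+\.[a-z]{2,}/gi;

function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  // An address placed directly after "https://" is parsed as URL userinfo.
  url.username = '';
  url.password = '';
  // Rebuild the query string: blank known PII fields, scrub free-text ones.
  const cleaned = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    const safe = SENSITIVE_PARAMS.has(key.toLowerCase())
      ? 'REDACTED'
      : value.replace(EMAIL_RE, 'REDACTED');
    cleaned.append(key, safe);
  }
  url.search = cleaned.toString();
  // Addresses can also sit in the path or the fragment.
  url.pathname = url.pathname.replace(EMAIL_RE, 'REDACTED');
  url.hash = url.hash.replace(EMAIL_RE, 'REDACTED');
  return url.toString();
}

// In the browser, override the URL analytics.js would otherwise read itself.
if (typeof window !== 'undefined' && typeof ga === 'function') {
  ga('set', 'location', redactUrl(window.location.href));
  ga('send', 'pageview');
}
```

The override has to run before the pageview is sent, and the same function should be applied to any other URL-valued field you set yourself.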
Removing PII already collected by Google Analytics
If you notice that Google Analytics has already collected PII, you’ve officially breached your contract with Google, and depending on where you do business maybe the law too. If this is the case, make sure you immediately stop all tracking! In this case, it’s better to be safe than sorry, so we’d highly recommend you delete all tracking data that contains offending information. You may lose some valuable data, but that data is not worth breaking the law. For further steps to take after this, we recommend consulting a legal expert.
Identifying PII in your Google Analytics data, or identifying whether or not such data could be captured by Google Analytics can be tricky. There are some things you can do to check whether you’re at risk of sending PII to Google Analytics, however.
Check your site for possible sources of PII
Start at your site. Go through your entire site from top to bottom, looking for any places where PII could come from. Make sure you leave no stone unturned with this – links from marketing emails are an often forgotten source! Once you have an idea of where PII could come from, check whether any of these sources are tracked by Google Analytics, or whether information is processed in such a way that it could be sent to Google Analytics (like by putting it in the URL for example). If you realise this is the case, implement a solution to prevent this.
Check your data in Google Analytics
It’s possible some PII may already be in Google Analytics, even though this is technically not allowed. Unfortunately, Google Analytics does not have a feature to automatically detect this for you. If you want to check whether this is the case for you, you’ll have to check this manually. Simply go through your various data records where PII could be located, and see whether you find any. Some areas where this is the most common include the list of URLs users have visited, search terms they’ve used for your site search, and the information being filled in forms. You could make use of filters here if you have large chunks of data, but be wary when doing this, as you may accidentally filter out exactly the thing you’re looking for.
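A sketch of the manual check described above, run over an exported list of page paths; it is an added example, not a Google Analytics feature or code from this knowledge base. The patterns, the function names decodeFully and scanRows, and the sample rows are all constructed assumptions. It decodes percent-encoding before matching, because an encoded address is exactly what a simple text filter misses.

```javascript
// Added example: flag exported Google Analytics rows that look like PII.
// The patterns and names below are assumptions; the rows are constructed.
const EMAIL = /[^\s\/?&=#@]+@[^\s\/?&=#@]+\.[a-z]{2,}/i;
const PII_PARAM = /[?&#](e-?mail|name|firstname|lastname|phone|tel)=[^&#]+/i;

// Undo up to three layers of percent-encoding so that "%40" and "%2540"
// are seen as "@"; a plain text filter on "@" would miss both.
function decodeFully(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      break; // malformed escape such as a lone "%": keep what we have
    }
    if (next === current) break;
    current = next;
  }
  return current;
}

function scanRows(rows) {
  const hits = [];
  rows.forEach((row, index) => {
    const decoded = decodeFully(row);
    const findings = [];
    if (EMAIL.test(decoded)) findings.push('email');
    const param = decoded.match(PII_PARAM);
    if (param) findings.push('param:' + param[1].toLowerCase());
    if (findings.length > 0) hits.push({ index, row, findings });
  });
  return hits;
}

// Constructed sample of page paths, as they might appear in an export.
const SAMPLE_ROWS = [
  '/search?q=red+shoes',
  '/newsletter/confirm?email=jane.doe%40example.com',
  '/account/john%2540example.com/orders',
  '/checkout?step=2&phone=0612345678',
  '/promo?code=100%',
];
```

Calling scanRows(SAMPLE_ROWS) returns the rows to review by hand; a row that is not flagged is not proof that it is clean, since the patterns only cover what they were written for.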
This depends on who you ask. To Google, it is not. As of their privacy policies per June 18th 2020, Google does not consider IP addresses to be Personal Identifiable Information. This means that if by using Analytics you share IP addresses of you or your visitors with Google, this is not a problem to Google.
However, keep in mind that the law may interpret this differently. For example, under the European General Data Protection Regulation act (GDPR), IP addresses from users are most definitely considered a form of personal information. Always make sure to check the privacy and internet laws of the countries and areas your site serves, and make sure you’re compliant. For further advice on this, we recommend asking a legal expert.