To protect user privacy, Google policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII). PII includes, but is not limited to, information such as email addresses, personal mobile numbers, and social security numbers. Because laws across countries and territories vary, and because Google Analytics can be used in many ways, consult an attorney if you are in doubt whether certain information might constitute PII or not.
Learn more about what Google considers PII.
When implementing Analytics on a property, follow the best practices in this article to reduce the risk of passing PII to Google.
User IDs
Before using User IDs, read Best practices for User-ID.
Page URLs and titles
The basic Analytics page tag collects the page URL and page title of each page that is viewed. PII is often inadvertently sent in these URLs and titles. Both the URL path and parameters must be free of PII. If there is any possibility of your URLs, URL parameters, or titles containing PII, you'll need to remove it.
You can configure data redaction in Analytics to remove email addresses on a best-effort basis and to remove URL query parameters that you specify. Data redaction is configured in the Admin section of Analytics and doesn't require that you write any code. It is only available for web data streams. Learn more about Data redaction.
You can also add analytics.js code to change the URL before it gets sent to Analytics. For example, to alter the URL to "example.com/example?a=b":
ga('set', 'location', 'http://example.com/example?a=b');
See the developer reference.
Similarly, you can alter the page title before it gets sent to Analytics. For example, to change the title to "New Title":
ga('set', 'title', 'New Title');
See the developer reference.
There are additional strategies to avoid sending PII through URLs. To learn more, read Best practices to avoid sending PII in the AdSense help center.
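A fuller version of the URL and title override above, as an added example that is not Google's code: it drops query parameters assumed to carry personal data and replaces email addresses in the path, query, fragment and title before the values are set. The helper names and the SENSITIVE_PARAMS list are assumptions, and the pattern only recognizes email addresses, so other kinds of PII need their own rules.

```javascript
// Added example. scrubText, scrubUrl, sendScrubbedPageview and
// SENSITIVE_PARAMS are hypothetical names, not part of analytics.js.

// Matches email addresses written with a literal "@" or a percent-encoded "%40".
const EMAIL_RE = /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi;

// Assumption: query parameters that this site is known to fill with personal data.
const SENSITIVE_PARAMS = new Set(['email', 'name', 'phone', 'ssn']);

// Replace anything that looks like an email address in free text (titles, search terms).
function scrubText(text) {
  return String(text).replace(EMAIL_RE, 'REDACTED');
}

// Return the URL with sensitive parameters dropped and emails removed from
// the path, the remaining query keys and values, and the fragment.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  url.pathname = scrubText(url.pathname);
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) continue; // drop the whole pair
    kept.append(scrubText(key), scrubText(value));
  }
  url.search = kept.toString();
  url.hash = scrubText(url.hash);
  return url.toString();
}

// Override location and title before the hit is sent. `ga` is passed in so the
// function can be exercised outside a browser.
function sendScrubbedPageview(ga, href, title) {
  ga('set', 'location', scrubUrl(href));
  ga('set', 'title', scrubText(title));
  ga('send', 'pageview');
}

// In the page, after the analytics.js snippet and ga('create', ...):
//   sendScrubbedPageview(window.ga, window.location.href, document.title);
```

The same scrubText function can be applied to search terms and form values before they are used as event or custom dimension values.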
PII entered by users
Website visitors and users sometimes enter PII into search boxes and form fields. Be sure to remove PII from user-entered information before it is sent to Analytics.
Data Import
Read the Upload data use policy before using Data Import or uploading data to Analytics.
Analytics features and privacy risk
Special care should be taken to ensure that no PII (such as names, social security numbers, email addresses, or any similar personal identifiers) and no data that permanently identifies a particular device (such as a mobile phone’s unique device identifier, if such an identifier cannot be reset) is sent to Analytics when using the following features:
- User ID override
- All custom dimensions
- Campaign dimensions: Source, Medium, Keyword, Campaign, Content
  Be sure not to include PII in custom campaign parameters utm_source, utm_medium, utm_term, utm_campaign, and utm_content.
- Site search dimensions: Site Search Term and Site Search Category
- Event dimensions: Event Category, Event Action, Event Label
Geolocation
If collecting geolocation info, ensure it is not GPS or fine-grained location information, as this could allow the individual to be reasonably inferred. “Fine-grained location” information for Analytics is defined as any area less than 1 square mile, including any lat/long data. In some instances, such as in the UK, zip code can map to a single residence and thus cannot be passed to Analytics.
AdSense
If you use AdSense, read and follow the Best practices to avoid sending PII in the AdSense help center.