Best practices to avoid sending Personally Identifiable Information (PII)
To protect user privacy, Google policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII). PII includes, but is not limited to, information such as email addresses, personal mobile numbers, and social security numbers. Because laws across countries and territories vary, and because Google Analytics can be used in many ways, consult an attorney if you are in doubt whether certain information might constitute PII or not.
When implementing Analytics on a property, follow the best practices in this article to reduce the risk of passing PII to Google.
Page URLs and titles
The basic Analytics page tag collects the page URL and page title of each page that is viewed. PII is often inadvertently sent in these URLs and titles. Both the URL path and parameters must be free of PII. If there is any possibility of your URLs, URL parameters, or titles containing PII, you'll need to remove it. You can add analytics.js code to change the URL before it gets sent to Analytics. For example, to alter the URL to "example.com/example?a=b":
ga('set', 'location', 'http://example.com/example?a=b');
See the developer reference.
Similarly, you can alter the page title before it gets sent to Analytics. For example, to change the title to "New Title":
ga('set', 'title', 'New Title');
See the developer reference.
There are additional strategies to avoid sending PII through URLs. To learn more, read Best practices to avoid sending PII.
PII entered by users
Website visitors and users sometimes enter PII into search boxes and form fields. Be sure to remove PII from user-entered information before it is sent to Analytics.
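The following is an added example, not code from the Google Analytics help page. It puts the two `ga('set', ...)` calls from the section above behind a scrubbing step: known PII query parameters are dropped from the URL, and email addresses, phone numbers and SSN-like strings are redacted from the path, the remaining query values, the page title and a user-entered search term. The parameter names in `PII_PARAMS` and the regular expressions are assumptions for a hypothetical site; adapt them to the fields your own pages actually carry.

```javascript
// Added example, not code from the Google Analytics help page: scrub PII from
// the page URL, the page title and a site-search term before analytics.js sees
// them. Parameter names and regexes are assumptions for this demo site.

// Query parameters that carry PII by design on this hypothetical site.
const PII_PARAMS = new Set(['email', 'phone', 'ssn', 'name', 'userid']);

// Patterns for PII that can turn up inside free text: paths, titles, searches.
const PII_PATTERNS = [
  { name: 'email', re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { name: 'ssn',   re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: 'phone', re: /\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b/g },
];

// Replace every match of every pattern with a fixed placeholder such as "[email]".
function scrubText(text) {
  let out = String(text);
  for (const { name, re } of PII_PATTERNS) {
    out = out.replace(re, '[' + name + ']');
  }
  return out;
}

// decodeURIComponent that tolerates malformed escapes instead of throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Return a copy of rawUrl with PII parameters dropped and PII inside the path,
// the remaining query values and the fragment replaced.
// Returns null when rawUrl is not an absolute URL.
function sanitizeUrl(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }

  // Path segments can embed PII (e.g. /users/jane@example.com/orders).
  url.pathname = url.pathname.split('/')
    .map(seg => scrubText(safeDecode(seg)))
    .join('/');

  // Drop parameters known to hold PII; redact PII inside the ones we keep.
  const kept = new URLSearchParams();
  for (const [key, value] of Array.from(url.searchParams.entries())) {
    if (PII_PARAMS.has(key.toLowerCase())) continue;
    kept.append(key, scrubText(value));
  }
  url.search = kept.toString();

  url.hash = scrubText(safeDecode(url.hash));
  return url.href;
}

// Scrub the URL, the title and (optionally) a user-entered search term, then
// hand the clean values to analytics.js if it is loaded. The scrubbed values
// are also returned so the logic can be exercised outside a browser.
function preparePageview(rawUrl, rawTitle, searchTerm) {
  const location = sanitizeUrl(rawUrl);
  const title = scrubText(rawTitle);
  const search = searchTerm === undefined ? undefined : scrubText(searchTerm);

  if (typeof ga === 'function') {            // analytics.js present on the page
    if (location !== null) ga('set', 'location', location);
    ga('set', 'title', title);
    ga('send', 'pageview');
    // Whether the search term travels in the URL query or in an event, only
    // the scrubbed value `search` should reach Analytics.
  }
  return { location, title, search };
}
```

Whole-parameter removal is deliberate for fields that hold PII by design: redacting inside the value would still leak the fact that, say, an `email` parameter was present. Pattern-based redaction is the fallback for PII that ends up where it was never expected, and it will miss formats the patterns do not cover, so review your URLs and titles rather than relying on the regexes alone.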
Analytics features and privacy risk
Take special care that no PII (names, social security numbers, email addresses, or similar personal identifiers) and no data that permanently identifies a particular device (such as a mobile phone’s unique device identifier, if that identifier cannot be reset) is sent to Analytics when using the following features:
- User ID override
- All custom dimensions
- Campaign dimensions: Source, Medium, Keyword, Campaign, Content
Be sure not to include PII in the custom campaign parameters utm_source, utm_medium, utm_term, utm_campaign, and utm_content.
- Site search dimensions: Site Search Term and Site Search Category
- Event dimensions: Event Category, Event Action, Event Label
If you collect geolocation information, make sure it is not GPS or other fine-grained location data, since that could allow a reasonable inference of who the individual is. For Analytics, “fine-grained location” means any area smaller than 1 square mile, including any latitude/longitude data. In some places, such as the UK, a postal code can map to a single residence and therefore cannot be passed to Analytics.
If you use AdSense, read and follow the Best practices to avoid sending PII in the AdSense help center.
Hashed and salted PII
You can send Google Analytics an identifier or custom dimension value that is derived from PII by hashing, as long as the hash is strong enough. Google's minimum hashing requirement is SHA-256, and Google strongly recommends using a salt of at least 8 characters. Regardless of the above, you may not send Google Analytics Protected Health Information (as defined under HIPAA), even if it is hashed or salted.
Unless otherwise specified in writing by Google, Google does not intend uses of Google Analytics to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Google Analytics satisfies HIPAA requirements. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.