You have probably come across the acronym PII, or Personally Identifiable Information, and wondered what it is and how to deal with it in Google Analytics.
PII is any information that makes it possible to identify a user.
This topic is closely linked with Privacy and, especially for the EU, with the GDPR (General Data Protection Regulation).
In this post I’ll show you how to identify whether your Google Analytics account is collecting and storing personal information, or PII.
Content:
- What information is covered by PII?
- How do I know if I collect PII?
- PII Collection: Event Category/Action/Label
- PII Collection: Custom Dimensions
- PII Collection: Pages
- PII Collection: Search Terms
- PII Collection: Data Import
- What to do if I collect PII?
- Conclusions
- First and last name
- Credit Cards
- Telephone number
- Personal Information from the login page
- Exact GPS coordinates
- IP addresses
Collecting this information is strictly prohibited by Google Analytics and, in case of violation, can lead to permanent deletion of your account.
Now you may have the following question: how can I know if I’m collecting personal information from my users in my Google Analytics account?
There are several ways to find out whether you’re collecting PII. Below I’ll show you some concrete examples that I check during my Google Analytics audits.
I suggest checking the Category/Action/Label hierarchy in the Top Events report to see whether any of the events you have set up are collecting PII.
Click into each event and check whether you are collecting email addresses, telephone numbers or anything similar.
You should check that the custom dimensions you created in the account do not collect PII.
Go to Admin > Property and check the dimensions.
You can simply create a Custom Report with your custom dimensions and easily see which values are collected. If these values contain personal information, you have to fix the issue as soon as possible.
Continue your checklist by going to the All Pages report and checking whether it contains any PII.
PII can be contained in the query parameters, so one way to check that information such as e-mail addresses is not being processed in your Google Analytics account is to search for the @ symbol in the report filter.
If the result is zero, no pages containing @ in the query parameters have been found. That’s good!
You should also check the Search Terms Report. Here you can find the most searched terms typed by your users in the internal search engine of your website.
By checking this Report, you could find some personal information.
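The page and search-term checks above can also be run over exported report rows. The following is an added example, not code from the original post: it goes beyond the @ filter by decoding percent-encoded values first (an e-mail address stored as `%40` does not match a filter for @) and by flagging card-like and phone-like digit runs. The row format, the function names and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of digits with common separators; classified below by digit count.
DIGIT_RUN = re.compile(r"(?<!\d)\+?\d[\d ().-]{6,}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pii(value):
    """Return the sorted PII types that appear to be present in one value."""
    text = value
    for _ in range(3):  # undo %40 and double-encoded %2540
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    hits = set()
    if EMAIL.search(text):
        hits.add("email")
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.add("card")
        elif 8 <= len(digits) <= 15:
            hits.add("phone")  # candidate only: confirm manually
    return sorted(hits)

# Constructed sample rows (report name, value); not real data.
SAMPLE_ROWS = [
    ("page", "/thank-you?email=anna.rossi%40example.com"),
    ("page", "/products?color=blue&page=2"),
    ("search_term", "4111 1111 1111 1111"),
    ("event_label", "call +39 333 1234567"),
    ("page", "/reset?next=%2Faccount%3Fu%3Dbob%2540example.org"),
    ("search_term", "running shoes size 42"),
]

def audit(rows):
    """Keep only rows with a finding, as (report, value, types)."""
    found = [(rep, val, find_pii(val)) for rep, val in rows]
    return [row for row in found if row[2]]

if __name__ == "__main__":
    for rep, val, types in audit(SAMPLE_ROWS):
        print(f"{rep:12} {','.join(types):6} {val}")
```

Phone-like matches are only candidates, since order numbers and timestamps can look the same, so review them by hand before acting on them.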
In Google Analytics you can import data sets. Hence, it’s important to check what kind of data you want to import, in order to avoid importing PII.
So remember not to skip this check!
If I notice that I’m collecting personally identifiable information, what actions should I take? My advice is to meet with your IT Department to find the best solutions to stop collecting personal information.
For some PII, such as the IP address, Google Tag Manager can come to your rescue, especially if you’re using the Universal Analytics version of GA (Google Analytics 4 automatically anonymizes IP addresses).
But in general, it’s good practice to coordinate closely with developers to find the most robust solution!
Knowing which parts of the website are collecting certain information is a great starting point to be more effective and find optimal solutions.
The Privacy aspect is a very important issue, not only on a theoretical but also a practical level. As mentioned, if you do not respect the terms proposed by Google, you risk account suspension and other legal problems.
For this reason, my final tips are the following:
- Coordinate with your Legal Department to understand which data you can collect and which you cannot. At the very least, involve the Legal Department to make them aware of what can and cannot be done in Google Analytics (don’t take it for granted!);
- Periodically perform an audit on your Google Analytics account. Remember: the audit is not just about the PII part but needs to be more structured. Personal information is an important area but there are other points as well;
- Involve the IT Department. With the audit you can find the critical points in more detail; by involving IT, you will be able to find more qualitative solutions and understand if Google Tag Manager is enough for you to correct the collection of some data, or if you need a stronger solution.