What Type of Data Does Google Analytics Prohibit?

Cody Schneider · 8 min read

Google Analytics is the engine that powers data-informed decisions for millions of businesses, but sending it the wrong kind of information can get you in serious trouble. One policy violation can lead to Google deleting your data or even terminating your account. This article will show you exactly what data Google Analytics prohibits, how to check if you’re collecting it by accident, and what to do to fix it.

The Golden Rule: No Personally Identifiable Information (PII)

The single most important rule in Google Analytics is this: you are strictly forbidden from collecting Personally Identifiable Information, or PII. Google's terms define PII as any data that could be used, on its own, to directly identify, contact, or locate an individual. It’s a bright red line, and crossing it - even accidentally - is a major violation.

While the concept sounds simple, the application can be tricky. Think of PII as any information that points to one specific person. Common examples include:

  • Full names
  • Email addresses
  • Phone numbers
  • Physical mailing addresses
  • Social Security numbers, national insurance numbers, or other government identifiers
  • Precise location data (like specific GPS coordinates)
  • Usernames or login credentials
  • Credit card numbers

Essentially, if you could take a single piece of data, put it into a search engine (or your own database), and confidently pin it to one human being, it’s almost certainly PII.

So, Why is PII Prohibited?

Google’s strict stance on PII isn’t arbitrary; it’s rooted in global privacy regulations and liability. Laws like Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) place strict requirements on how companies collect, store, and process personal data.

By creating a "no PII" policy, Google shields itself from the massive legal responsibility of becoming a custodian for billions of people's personal data. It pushes the responsibility onto you, the website owner, to ensure you’re sending clean, anonymized data. Ultimately, this protects visitor privacy and keeps both you and Google on the right side of the law.

How PII Accidentally Sneaks Into Your Google Analytics Data

Most marketers don't intentionally send PII to Google Analytics. It usually happens by accident through poorly configured website elements or tracking code. Here are the most common ways PII finds its way into your reports.

1. URL Query Parameters

This is, by far, the most frequent culprit. Query parameters are the bits added to the end of a URL after a question mark (?). They are often used to pass information from one page to another or track marketing campaigns.

An issue arises when your website's forms (like contact, search, or sign-up forms) use the GET method instead of the POST method. A GET request appends the form data directly to the URL, making it visible to anyone - including Google Analytics.

You might see URLs in your reports that look like this:

  • Email in URL: https://www.yourstore.com/thank-you?email=jane.doe@email.com
  • Name and Zip Code in URL: https://www.yoursearch.com/results?first_name=John&last_name=Smith&zip=90210
  • Phone Number in URL: https://www.yoursite.com/confirmation?phone=123-456-7890

Since Google Analytics records the full page URL, including all query parameters, this PII gets stored directly in your account.

2. Page Titles and Page Paths

Sometimes PII isn’t in a query parameter but in the main URL path itself. This can happen with user profile pages, order confirmation pages, or any other scenario where a user's information becomes part of the URL structure.

For example, if your site creates profile pages using a username, the URL might be: https://www.yourcommunity.com/profile/johnsmith123

If a user sets their name or email as their username, that’s PII. In a worst-case scenario, pages could even be generated with full names directly in the path: /users/john-smith.

3. Custom Dimensions & Events

In an attempt to get a more granular view of user behavior, marketers sometimes send PII through custom tracking setups. It's tempting to create a Custom Dimension for "User Email" or send a logged-in user's ID as an Event Label to better track their journey, but this is a clear violation.

For instance, you might see an event set up like this in Google Tag Manager:

  • Event Category: Form Submission
  • Event Action: Newsletter Signup
  • Event Label: {{user_email}} (This variable captures the email from the form field)

This setup sends every user's email address directly into your GA reports, creating a significant compliance problem.

How to Check if You're Collecting PII

Regularly auditing your account for PII is crucial. Don't wait for a warning email from Google. Here’s a proactive checklist for hunting down potential violations.

Step 1: Audit Your Page Reports for Suspicious URLs

This is your first line of defense. In Google Analytics 4, go to Reports > Engagement > Pages and screens. In the search box just above the data table, start looking for common PII indicators:

  • Search for "@" — This will immediately surface any URLs containing email addresses.
  • Search for terms like "phone", "email", "firstname", or "address". These are common parameter names that might carry PII.
  • Look for long sequences of numbers that could be phone numbers or account IDs.
  • Sort the "Page path and screen class" column and skim through the list, looking for anything that stands out as unusual or person-specific.
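
The same checks can be run over a list of page URLs copied out of the report. The JavaScript below is an added example, not part of the original article; the parameter-name list and the sample rows are constructed from the URLs shown earlier. It decodes percent-encoding before matching, because an email submitted through a GET form can appear in the URL as jane.doe%40email.com, which a literal "@" search does not match.

```javascript
// Added example: flag page URLs that show the PII indicators listed above.
// Parameter names are assumptions taken from this article's sample URLs.
const PII_PARAM_NAMES = /^(e-?mail|phone|first_?name|last_?name|address|zip)$/i;
const EMAIL_LIKE = /[^\s\/?&=]+@[^\s\/?&=]+\.[a-z]{2,}/i;
const LONG_DIGITS = /(?:\d[\s().-]?){9,}\d/; // 10+ digits, separators allowed

function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

function auditPageUrl(pageUrl) {
  const findings = [];
  // The base URL lets bare page paths ("/users/x") parse too.
  const url = new URL(pageUrl, 'https://placeholder.invalid');
  const path = safeDecode(url.pathname); // turns %40 back into "@"
  if (EMAIL_LIKE.test(path)) findings.push('email-like value in path');
  if (LONG_DIGITS.test(path)) findings.push('long digit sequence in path');
  for (const [name, value] of url.searchParams) { // values arrive decoded
    if (PII_PARAM_NAMES.test(name)) findings.push('suspicious parameter: ' + name);
    if (EMAIL_LIKE.test(value)) findings.push('email-like value in ' + name);
    if (LONG_DIGITS.test(value)) findings.push('long digit sequence in ' + name);
  }
  return findings;
}

// Returns only the rows that need a human look, keyed by URL.
function auditReport(pageUrls) {
  const flagged = {};
  for (const pageUrl of pageUrls) {
    const findings = auditPageUrl(pageUrl);
    if (findings.length > 0) flagged[pageUrl] = findings;
  }
  return flagged;
}

// Constructed sample rows, modelled on the URLs shown earlier in the article.
const SAMPLE_ROWS = [
  '/pricing?utm_source=newsletter',
  '/thank-you?email=jane.doe%40email.com',
  '/confirmation?phone=123-456-7890',
  '/profile/jane.doe%40email.com',
];
console.log(auditReport(SAMPLE_ROWS));
```

A flagged row is a prompt for review, not proof of PII: a long digit sequence may be an order number, and a username in a path will not match any pattern here.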

Step 2: Check Custom Dimensions and Metrics

Go to your GA Admin section. In GA4, click Custom definitions under the "Data display" heading. Review every user-scoped Custom Dimension you’ve set up. Ask yourself: could this dimension possibly contain personal data? Beware of anything named "UserID," "CustomerID," "client_id," or "user_email."

Step 3: Test with Google Tag Manager's Preview Mode

Prevention is better than a cure. Google Tag Manager (GTM) is the perfect tool for this. Use its Preview mode to see exactly what data is being fired to Google Analytics before any changes go live.

  1. Open GTM and click the "Preview" button.
  2. Enter your website's URL and start navigating your site.
  3. Interact with every form and website feature. Submit a test contact form, create a test account, use the search bar.
  4. In the GTM Preview console, click on the Google Analytics tags that fire on the left-hand navigation.
  5. Inspect the variables being sent with each tag. Pay close attention to the "Page Location" variable (for URLs) and any event parameters or custom dimensions. If you see your test PII in there, you have a problem to fix.

You Found PII...Now What? A Step-by-Step Plan

Discovering PII in your reports can be scary, but don't panic. Acting quickly is key. Follow these steps to contain the damage and fix the root cause.

1. Stop the Bleeding: Filter PII from Future Data

First, you need to stop collecting more PII. Go into your Google Analytics settings and create filters to exclude the offending query parameters. In GA4, you can do this from Admin > Data Settings > Data Filters. You can create a filter to exclude traffic where a specific query parameter (e.g., "email") is present.

Important: Filters only work on a go-forward basis. They will not scrub the PII from your historical data.

2. Fix the Source of the Leak

Filtering is just a band-aid. The real fix needs to happen on your website or in your tagging configuration.

  • For URL Parameters: The best solution is to talk to your web developer and have them change your forms to use the POST method instead of GET. This will stop form data from appearing in the URL.
  • For PII in Tagging: Go back into Google Tag Manager and remove any variables or settings that pass PII into GA events or custom dimensions. Replace them with anonymized IDs if a user identifier is genuinely needed.
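
As a tagging-side safeguard alongside the GET-to-POST change, the URL can be cleaned before it is reported as the page location. The function below is an added example, not part of the original article or of any Google tool; the blocked parameter names, the profile-style routes and the REDACTED marker are assumptions based on the sample URLs in this article.

```javascript
// Added example: clean a URL before it is reported as the page location.
// Parameter names and routes are assumptions based on this article's samples.
const BLOCKED_PARAMS = new Set(['email', 'phone', 'first_name', 'last_name', 'zip']);
const PERSON_ROUTES = /^\/(profile|users)\/[^\/]+/i; // e.g. /profile/johnsmith123
const EMAIL_ANYWHERE = /[^\s\/?&=]+(?:@|%40)[^\s\/?&=]+\.[a-z]{2,}/gi;
const MASK = 'REDACTED';

function redactPageLocation(rawUrl) {
  const url = new URL(rawUrl);

  // 1. Drop known-bad parameters; mask email-like values in the rest,
  //    so an address typed into a search box (?q=...) is caught as well.
  const kept = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (BLOCKED_PARAMS.has(name.toLowerCase())) continue;
    kept.append(name, value.replace(EMAIL_ANYWHERE, MASK));
  }
  url.search = kept.toString();

  // 2. Mask the person-specific segment of profile-style routes, then any
  //    email (raw or percent-encoded) left elsewhere in the path.
  url.pathname = url.pathname
    .replace(PERSON_ROUTES, '/$1/' + MASK)
    .replace(EMAIL_ANYWHERE, MASK);

  return url.toString();
}

// Constructed inputs, modelled on the URLs shown earlier in the article.
const SAMPLE_LOCATIONS = [
  'https://www.yourstore.com/thank-you?email=jane.doe%40email.com&utm_source=newsletter',
  'https://www.yoursite.com/search?q=jane.doe%40email.com',
  'https://www.yourcommunity.com/profile/johnsmith123',
];
for (const location of SAMPLE_LOCATIONS) {
  console.log(redactPageLocation(location));
}
```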

3. Clean Up Historical Data

This is the hardest part. Google doesn't have an "undo" button for specific data points. Your main tool is the Data Deletion Request feature in the GA Admin panel. This tool allows you to request the removal of data associated with certain user identifiers for a specific date range.

However, be very careful: this is a blunt instrument. A request to delete data tied to every instance of email=john.doe@email.com might also delete every other piece of data that GA has for that user. Use it as a last resort and follow Google's instructions precisely.

Beyond PII: Other Prohibited Data Types

While PII is the biggest concern, Google's terms of service also prohibit sending other types of sensitive information, even if it’s not directly identifiable. This includes:

  • Sensitive Financial Information: Credit card numbers are a form of PII, but this category extends to bank account numbers and similar data.
  • Health Information: Data covered under regulations like HIPAA should never be sent to GA.
  • Religious beliefs, political affiliation, or sexual orientation.

Put simply, keep your Google Analytics data focused on anonymized user behavior - sessions, clicks, pageviews, and goal completions. When in doubt, leave it out.

Final Thoughts

Keeping PII out of Google Analytics is a non-negotiable part of responsible data stewardship. It's about protecting visitor privacy, complying with the law, and ensuring the long-term health of your account. By regularly auditing your URLs, event tracking, and custom definitions, you can catch issues before they escalate into serious problems and keep your data clean and actionable.

Manually auditing GA reports and managing performance across different platforms can quickly consume your day, pulling you away from high-level strategy. This is precisely why we built Graphed. We connect directly to all your data sources - like Google Analytics, Google Ads, and Shopify - so you have one centralized view of your business. Rather than digging through complex reports, you can simply ask questions in plain English, and our AI data analyst builds dashboards and provides insights in seconds, giving you back time to focus on growing your business effectively.
