The EU Data Regulation is approaching. Few are aware that collecting personally identifiable information (PII) puts your data in Google Analytics at high risk. It's actually one of the worst things that can happen: you might end up performing an illegal action without knowing it.
Google underlines in its guidelines that, as an Analytics customer, you are not allowed to send personally identifiable information to Analytics, such as names, social security (CPR) data, email addresses and any similar data. Nor are you allowed to send data that permanently identifies a particular device, such as a mobile phone's unique device identifier and/or phone number.
View a list of PII examples here: PII-examples.
If your company has collected PII, there is a high risk of Google deleting your Analytics data without notice. Hence it is recommended to check whether your company or organisation is in breach.
It does happen…
You might not have any concerns since you have never asked Google Analytics to collect PII data. However, it is our experience that in most cases the data collection happens completely unintentionally. For instance, if a customer signs up for your newsletter or requests a call, the email address will automatically be added to the URL as the user completes the form.
In such a case Google Analytics will most likely detect the e-mail address as part of your pageview.
As email addresses are unique and often only sporadically used, they will rarely show up in the Google Analytics reporting.
Therefore, many of our new customers are not aware that their Google Analytics data contains PII data. We recommend a regular check of your Google Analytics information.
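One way to run the regular check recommended above on a list of recorded page paths, as an added example that is not code from this article or from Google: it flags query parameters whose value contains an email address (including URL-encoded forms) and returns a redacted path. The sample paths, parameter names, the `example.invalid` base and the `REDACTED` marker are constructed for illustration.

```javascript
// Constructed sample of page paths, as they might appear in a pageview export.
const samplePaths = [
  "/newsletter/thanks?email=jane.doe%40example.com&list=weekly",
  "/callback?name=Jane&contact=jane.doe@example.com",
  "/products?category=shoes&page=2",
  "/signup/done?ref=mail&user=bob%2540example.org", // double-encoded "@"
];

// Deliberately simple email pattern: suitable for auditing, not for validation.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Decode repeatedly so that %40 and %2540 are both turned back into "@".
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { return current; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return the names of query parameters whose value contains an email address.
function findEmailParams(path) {
  const url = new URL(path, "https://example.invalid"); // placeholder base
  const hits = [];
  for (const [name, value] of url.searchParams) {
    if (EMAIL_RE.test(fullyDecode(value))) hits.push(name);
  }
  return hits;
}

// Replace the offending parameter values so the path can be reported safely.
function redactPath(path) {
  const url = new URL(path, "https://example.invalid");
  for (const name of findEmailParams(path)) url.searchParams.set(name, "REDACTED");
  return url.pathname + url.search;
}

// Audit: every path that leaks an email, with the parameters responsible.
function auditPaths(paths) {
  return paths
    .map((p) => ({ path: redactPath(p), params: findEmailParams(p) }))
    .filter((r) => r.params.length > 0);
}

console.log(auditPaths(samplePaths));
```

The same `redactPath` logic can be applied to the page URL before a pageview is sent, so the address never reaches the analytics data in the first place.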
Other areas where PII data can show up:
- Event parameters (Event Tracking is a method available in the tracking code that you can use to record user interaction with website elements)
- Custom dimensions (quantitative measurements)
- Social event dimensions (You can use social interaction analytics to measure the number of times users click on social buttons embedded in web pages)
- Campaign tags
- Data import
Google Support has introduced a thorough guideline which we recommend you read: Best practices to avoid sending Personally Identifiable Information (PII).
We offer the service of either checking your Google Analytics for PII data or providing you with a full health check of your Google Analytics, thereby ensuring that you only collect the correct data and do not send out PII data unlawfully.