What Data Does Google Analytics Prohibit Collecting?

Google Analytics is incredibly powerful for understanding user behavior, but sending the wrong kind of data can get your account suspended and your historical data deleted. The platform has strict policies about what you can and cannot track to protect user privacy. This guide will walk you through exactly what data is prohibited, where it often hides, and how you can make sure your account stays compliant.

The Absolute Rule: No Personally Identifiable Information (PII)

The most important rule in the Google Analytics universe is this: you are strictly forbidden from collecting any Personally Identifiable Information (PII). This is the cornerstone of their Terms of Service and is in place to protect both user privacy and Google from legal liabilities related to data privacy laws like GDPR and CCPA.

PII is any data that could be used on its own or in combination with other information to directly identify, contact, or locate a specific individual. While some PII is obvious, other forms are more subtle. Think of it this way: if you could use the piece of data to look up a specific person in a phone book or find their real-world address, you can't send it to Google Analytics.

Obvious Examples of PII Not To Collect

This is the low-hanging fruit - data points that are clearly tied to a single person. You should never, under any circumstances, capture these directly in any standard or custom Google Analytics field.

• Full names (e.g., "Jane Smith")
• Email addresses (e.g., "jane.smith@email.com")
• Mailing addresses or physical street addresses
• Phone numbers
• Social Security Numbers, national insurance numbers, or any government-issued identification numbers
• Precise location data (like specific GPS coordinates)
• Usernames or login credentials that could be traced back to an individual

The Sneaky Culprits: Where PII Hides in Plain Sight

Most marketers and business owners know not to create a custom dimension for "Customer Email." The real trouble often comes from PII that gets collected accidentally. It slips into your data through standard website functionality without you even realizing it. Here are the most common places to find and fix these hidden issues.

1. PII in URLs and Page Paths

This is by far the most frequent source of unintentional PII collection. When a user fills out a form on your website - like a contact form, password reset, or newsletter signup - their information can sometimes be passed through the URL of the confirmation page.

For example, imagine a user submits a contact form. After clicking "submit," they are redirected to a thank you page with a URL that looks like this:

https://www.yourwebsite.com/thank-you?email=jane.smith@email.com&amp,name=Jane+Smith

Google Analytics, by default, records the full page path including these query parameters. In this case, you’ve just unintentionally sent a user’s name and email address directly into your GA reports. Fixing this requires working with your web developer to ensure form data is submitted securely via the POST method instead of the GET method, which appends the data to the URL.

2. PII in Page Titles

Just like URLs, GA collects all page titles. If your website architecture creates dynamic page titles that include user information, you could have a problem. For example, on a user profile confirmation page, the title might render as "<title>Welcome, Jane Smith!</title>". This title, along with the user’s name, gets sent to Google Analytics with every pageview.

3. User ID Misuse

The User ID feature in Google Analytics is a powerful tool for stitching together a user’s journey across different devices. It allows you to assign a unique, non-personally identifiable ID to your logged-in users. The key word here is non-personally identifiable.

A huge mistake is using a user's email address, username, or another piece of PII as their User ID. Instead, you should use an internal, randomly generated ID from your own database that has no public meaning. For example:

• Don't do this: userId: 'jane.smith@email.com'
• Do this instead: userId: 'A84B-9S33-28D8-J7S2'

The "good" example is meaningless outside of your internal systems, making it safe to use in Google Analytics. The bad example is a direct policy violation.

4. PII in Custom Dimensions, Events, or Parameters

Custom Dimensions and Events allow you to track data specific to your business needs, but this flexibility can be a double-edged sword. It's easy to accidentally configure a tag in Google Tag Manager to capture a value that contains PII.

This could happen if you set up an event to track form submissions and one of the event parameters captures what the user typed into a form field, like their name or phone number. Always double-check your event and custom dimension configurations in GTM and your site's code to ensure you’re only capturing anonymized information.

How to Check Your Account for PII and Stay Compliant

Being proactive is the best defense. You don’t want to wait for Google to discover an issue. Regularly run audits of your Google Analytics property to check for PII.

Step-by-Step Mini-Audit

1. Scan Your Page Reports: Go to the Pages and screens report in Google Analytics. In the search bar above the data table, search for common PII patterns. Try searching for "@" to find email addresses, or query parameters like "email=", "name=", or "phone=". Expand the date range to get a wide sample of your data.
2. Check Your Custom Dimensions: In your Admin settings (Configure > Custom definitions), review the list of every custom dimension you’ve created. Are any of them intended to capture text fields where a user could potentially enter their personal details? Think critically about what data is powering these dimensions.
3. Review User ID Implementation: If you use the User ID feature, work with your developers to confirm that the value being sent is a persistent, non-personally identifiable string from your backend system, not an email or username.
4. Use GA4's Data Redaction Feature: Google Analytics 4 has built-in features to help. Go to Admin > Data Streams > [Select Your Stream] > Configure tag settings > Redact data. Here you can automatically redact email addresses and user-specified URL query parameters. This feature scans all incoming events for patterns that look like an email address or any query parameters you specify (e.g., 'firstname', 'lastname', 'addr') and removes them before the data is ever stored. This is a great safety net, but shouldn’t replace a proper audit.

The Consequences of Non-Compliance

Google takes its PII policy extremely seriously. Ignoring it can lead to severe consequences that can set your analytics efforts back to square one.

• Account Suspension or Termination: For repeated or severe violations, Google may terminate your Google Analytics account entirely.
• Permanent Data Loss: When Google discovers PII, they may demand you delete it. More often, they will simply delete the offending property - or the entire account - and all the historical data along with it. There is often no way to recover this data.
• Legal Ramifications: Collecting PII without user consent can put you in violation of privacy laws like GDPR or CCPA, leading to significant fines and legal trouble separate from Google's actions.

Final Thoughts

Keeping PII out of Google Analytics is non-negotiable for anyone who values their data and respects user privacy. By understanding where sneaky PII hides - in URLs, page titles, and custom event parameters - and by conducting regular audits, you can ensure your account remains clean, compliant, and running smoothly.

Of course, Google Analytics is just one part of your data puzzle. The real insights often come from combining your website data with information from other platforms like Shopify, HubSpot, or your advertising channels. At Graphed , we help you break down these data silos. We make it easy to connect all your sources in one place and use simple, natural language to build real-time dashboards and ask questions. Instead of jumping between a dozen tabs and manually wrestling with spreadsheets, we empower you to get faster, more holistic answers about what's truly driving your business.