What Do the Google Analytics Terms of Service Permit?
Using Google Analytics means you've agreed to its Terms of Service, but what does that dense legal document actually say you can and cannot do? Misinterpreting these rules can lead to serious consequences, including losing all of your historical data. This guide will break down the most important rules in plain English, helping you use your analytics data effectively while staying safely compliant.
The Absolute Biggest Rule: Never Send Personally Identifiable Information (PII) to Google Analytics
If you remember only one thing from this article, let it be this: You are strictly forbidden from collecting Personally Identifiable Information (PII) in Google Analytics. This is the golden rule, and violating it is the fastest way to get your account suspended.
Google defines PII as any data that could be used to directly identify an individual. Think of it as information that points to a specific person, not just an anonymous user identifier. Violating this isn't just a Google policy issue; it can also put you in breach of major privacy regulations like GDPR and CCPA.
What Counts as PII?
While this list isn't exhaustive, here are common examples of information you must never collect in standard Google Analytics fields:
Full names
Email addresses
Mailing addresses
Phone numbers
Usernames that can identify a person
Social Security numbers or other national ID numbers
Precise location data that isn't IP-based (e.g., exact GPS coordinates)
How PII Can Accidentally Sneak Into Your Reports
Most people don't violate the PII policy intentionally. It often happens unexpectedly through your website or advertising setup. Here are some common ways it can creep into your Google Analytics account:
URL Query Parameters: After a form submission, you might see sensitive details passed within the URL. For example:
http://www.yoursite.com/thank-you?email=john.smith@email.com&name=John%20Smith
If this URL is tracked by Google Analytics as an event click or landing page path, you've just broken the Terms of Service.
Form Capturing Fields: If you've manually configured event tracking (especially within Google Tag Manager), you may mistakenly record values from an email or name field instead of a generic ID.
Custom Dimensions and Metrics: Sending PII in a custom dimension is a common way people violate the terms. Someone might try to 'enrich' GA data by sending something like a customer's email address to identify their sessions. This is a severe violation. Use the Customer ID feature for that instead, as it is a non-identifiable, unique number.
Ecommerce Data: Mistakes when sending product data can lead to violations, like transmitting a billing address with product details or other personal data. Double-check that your ecommerce data flows and names are clear of personal information.
What to Do if You're Accidentally Collecting PII
It's good practice to regularly audit your account to ensure compliance. Here are the critical points to check:
Check Your Page Titles & URL Paths: Go into Reports > Behavior > Site Content > All Pages in your GA4 account. Scrutinize the list of page paths. Look for any URLs that contain email addresses, names, or other PII. Use the search bar to hunt for symbols like "@" to quickly find email addresses.
Review Your Event Parameters: If you're using event tracking for user interactions, ensure you haven’t mistakenly set up any labels, actions, or categories to record sensitive user data fields. For example, an event label should never include an email address or phone number.
Check Your Site Search Terms: If users have a search function on your site, inspect their search terms by going to Admin and clicking on View Settings > Search Settings. Some might naively search for their own email addresses or other PII, accidentally causing the data to be captured by GA. You can set up filters to exclude all information with an "@" sign, for instance, to mitigate this risk.
If you find any PII in your reporting, take prompt action to filter it out going forward. If you're a developer or have IT support for your website, work with them to troubleshoot and fix how information is being sent to GA to prevent it from happening again in the future. Google has a data deletion feature you may use to clear out existing PII data from your record.
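One way to stop the leak at the source is to clean every URL before it is handed to your analytics tag. The sketch below is an added example, not code from Google or from this article's author; the `SENSITIVE_KEYS` list, the `REDACTED` marker and the `scrubUrl` name are assumptions to adapt to your own site.

```javascript
// Added example (not Google's code): redact PII from a URL before analytics sees it.
// SENSITIVE_KEYS and the REDACTED marker are assumptions; adapt them to your site.
const SENSITIVE_KEYS = new Set(['email', 'name', 'first_name', 'last_name', 'phone', 'address']);
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i; // no /g flag: safe to reuse with .test()
const REDACTED = 'REDACTED';

// Percent-decoding can throw on malformed input; fall back to the raw text.
function safeDecode(text) {
  try { return decodeURIComponent(text); } catch (e) { return text; }
}

// Returns the cleaned URL plus a list of what was redacted, for audit logs.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const redacted = [];

  // 1. Path segments, e.g. /users/jane%40example.com/orders
  const segments = url.pathname.split('/').map((seg) => {
    if (!EMAIL_RE.test(safeDecode(seg))) return seg;
    redacted.push('path');
    return REDACTED;
  });
  url.pathname = segments.join('/');

  // 2. Query string: known-sensitive keys, plus any value that looks like an email.
  for (const [key, value] of [...url.searchParams]) {
    if (SENSITIVE_KEYS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.set(key, REDACTED);
      redacted.push(`query:${key}`);
    }
  }

  // 3. Fragment: remove it entirely if it carries an email address.
  if (EMAIL_RE.test(safeDecode(url.hash))) {
    url.hash = '';
    redacted.push('fragment');
  }
  return { url: url.toString(), redacted };
}

// Constructed sample input: the thank-you URL from the article.
const sample = 'http://www.yoursite.com/thank-you?email=john.smith@email.com&name=John%20Smith';
console.log(scrubUrl(sample));
```

A non-empty `redacted` list is also a useful audit signal: it tells you which page or form is still putting personal data into URLs and needs fixing upstream.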
Transparency is Key: You Must Have a Privacy Policy
The second major rule is that you MUST have a clear connection to a privacy policy on your site.
Your privacy policy has to disclose the following things:
That your site uses Google Analytics.
How it collects and processes information (you can easily link to Google's own explanation, titled "How Google uses information from sites or apps that use our services")
Any Google Analytics Advertising Features you have enabled on your account like Remarketing with Google Analytics or Demographics and Interests Reports.
You Must Inform Users About Their Options
Google also requires that you inform users about the option of opting out of being tracked by Google Analytics. At a minimum, you will need to include information on your Privacy Policy page about how users can opt out by offering a link to the Google Analytics opt-out browser add-on. This is to ensure compliance with both Google’s terms of service and privacy laws such as GDPR. All of this is easy to fix by simply adding all the relevant wording to your existing Privacy Policy documentation.
Who Owns the Data (and Who Can I Share It With)?
Here is some great news: according to the Terms of Service, you own your data. You are not giving up ownership of your data to Google by using their service. This provides you with complete control over the reports you analyze with your in-house team, share with your own partners, or with clients if you’re an agency.
Google does, however, reserve the right to use your information in certain ways to operate and improve their services. These typically include using your anonymized data in aggregate form to perform functions like preparing reports and industry analysis, but not your personally identifiable information directly.
Limits on Sharing Your Data
The rules on sharing are clear:
You Can Share Reports: You can create summary reports in Google Analytics and share them with colleagues, clients, or leadership. This is regular business practice and is perfectly compliant. You can use the built-in sharing feature to email reports to anyone directly from the GA4 interface, or you can send the data in PDF or XLSX formats.
You Cannot Disclose or Sell Your Raw Data Without Permission: You are prohibited from sharing your raw, hit-level Google Analytics data that connects specific advertisements to specific customers with third parties without either the customer's consent or being compelled to do so under applicable law. For most businesses, this simply means not selling your raw GA4 data to other marketers or businesses, and not making it public.
You are allowed to integrate your Google Analytics data with other Google products like Google Ads or Search Console, or to link that data to third-party platforms like Shopify or Salesforce via GA4 to get richer data insights within the ecosystem. In fact, GA actively encourages it for those purposes to better understand your customers.
Impact of Violating the Google Analytics Terms of Service
Google is quite strict about enforcing the terms of service, particularly the PII provisions. The consequences of not adhering to the rules can be disastrous for your product analytics capabilities.
Cancellation of Your Google Analytics Account
The worst-case scenario is Google terminating your analytics account entirely and without any notice. When this happens, you will lose access to all your historical data permanently. Imagine losing all the insights you have accumulated over years and months about your customers' behaviors in an instant with no option for appeal or reversal of the actions taken against your account.
Data Deletion by Google
In other less severe cases, especially if you have accidentally collected PII data, Google can simply delete your datasets that contain that PII data from your GA4 account. This will result in gaps or discrepancies in your reporting. Since it is a breach of terms of service, Google may not notify you when this has happened and the only way for you to know will be noticing it during your own data analysis.
Legal Repercussions Under Privacy Laws
Besides Google’s terms of service violations, collecting data illegally may get you in serious trouble with your local governing bodies. For example, collecting information from European-based citizens without their consent will put you in violation of GDPR laws and leave you vulnerable to severe financial penalties. Similarly, it could be a violation of the rights of your own customers or user base, which may lead to civil lawsuits against you for mishandling their sensitive data.
Most Businesses Can Stay Entirely Compliant
Following a few general guidelines can help you avoid these pitfalls:
Regularly Audit Your Analytics Account: Make it a regular practice to conduct an audit on your analytics setup at least a couple of times a year to check for accidental PII collection in URLs, forms, or event data.
Clean Up Your Data in GA4: Use Google Tag Manager to create rules and filters to clean up and prevent any PII data from being sent to your GA4 property. If available, IP anonymization is also a good best practice to add an extra layer of personal protection. (Anonymization of IP addresses is a default setting now on GA4, so no action is necessary to ensure it is in place.)
Train Your Teams in Data Handling Procedures: Ensure that everyone on your team who has access to the Google Analytics account understands the fundamental guidelines around collecting PII and other privacy topics, especially those who are responsible for setting up tracking on the account.
Use the ‘User ID’ Feature Properly: The User ID feature is designed to allow you to track users across their devices, not to identify them personally. Always assign an anonymous, non-recognizable User ID to users in the form of a string of numbers or characters rather than using names or email addresses.
Final Thoughts
Understanding the Google Analytics Terms of Service does not have to be a complicated task for business owners and marketers alike. It really comes down to a few simple rules to follow diligently: respect your users’ privacy by not collecting PII, be transparent with your users about how you track and collect their data, and do not sell or share data with third parties without permission. If you abide by these simple rules, you can keep your business out of trouble and preserve your valuable business data for years to come with no interruption of service.
I know that connecting data sources such as Google Analytics and making sense of all this information can be a huge pain point as well as time-consuming for many businesses. At Graphed, we have made this process very easy for our clients with their customized reporting and data analysis needs on all of their analytics data matters. By linking your Google Analytics account through one-click integration, we can help you start creating real-time reports with just a few quick queries into our CI data analyst tool using simple voice commands within a matter of minutes, saving you much time instead of weeks of work to set up on your own. The data will remain fully automatically synchronized into your dashboards every time you log in so you can focus on getting the answers you need to grow your business faster than ever before, because you will no longer need to worry about manual data reporting or compliance issues at all.