The safe and secure usage of information over the Internet has been a debatable question for years. People worldwide have been using Google Analytics for tracking website activities, and to do this much of individuals’ information is collected. But, which data does Google Analytics prohibit collecting?
The Google Analytics terms of service prohibit collecting Personally Identifiable Information (PII) by Google Analytics. PII consists of every information that can be used to identify an individual, including names, billing information, and email addresses. This is due to protecting user’s privacy.
In this article, I will discuss which data is not accessible to Google Analytics, and what are the reasons for this. I am going to explain how Google Analytics might be used in a secure way, so you can be sure which of your data is safe and which is exposed.
What Data Does Google Analytics Prohibit Collecting?
If you have recently started using Google Analytics, or you are thinking about using it, you are probably concerned about which of your personal data will be collected. It is smart to get informed before sharing anything online, especially your personal information. Nowadays, personal data has been a target to many hackers, and it has risen a lot of questions about which sites are actually safe.
Therefore, Google Analytics policy prohibits sending PII to Google Analytics. Many terms of service, contracts, and policies for Google Advertising refer to Personally Identifiable Information or PII. This is a separate categorization of information that the EU General Data Protection Regulation (GDPR) considers as personal data.
However, you should bear in mind that there are different interpretations of personal data that differ from GDPR or the California Consumer Privacy Act (CCPA). So, some data might be excluded from Google’s interpretations of PII.
Therefore, it is important that you know exactly which information you are sharing while using different online platforms and websites. In other words, it is important to understand which data Google Analytics considers as PII. This way you can minimize the confusion and know which of your data is fully protected.
You should always ensure that you read all the terms and policies given by Google before giving any information online. When you give certain data, you usually accept the terms on which a certain platform works, therefore it is better to read all the terms on which you are sharing your data.
What Google Considers PII
Google considers Personally Identifiable Information each data that can be used to identify or locate an individual. So, this group includes email and billing addresses, phone numbers, precise locations, and full names and usernames.
To understand this better, I will give a more precise example. Let’s say your publisher’s contract prohibits you from sharing PII with Google. That means that the URLs of your website’s pages that display Google ads, must not include email addresses.
This is because those URLs will be passed to Google in every ad request, and this is against Google’s privacy terms.
However, there are also exclusions or limitations to which you can send particular forms of PI to Google. For instance, some products might allow sharing of location data, but only if each requirement is met.
PII That Google Excludes
As I explained above, there are limitations that might allow sending some Personally Identifiable Information to Google. But, this is only possible if all of the requirements given by Google are met.
Some PII that Google excludes might be pseudonymous cookie and advertising IDs, IP addresses, and other pseudonymous end user identifiers. So, if an IP address is sent with an ad request, there will be no prohibition by Google Analytics. This means that there is no breach of any prohibition policy since IP addresses belong to the group of Google’s exclusions.
However, you should remember that although Google makes different interpretations of PII, that does not mean that certain information is not considered personal data. The data for which Google makes an exclusion might still be under GDPR, CCPA, or other privacy legislation entities.
Why Does Google Analytics Prohibit Collecting PII?
To protect user’s privacy Google has passed a prohibition by which sending personal data is against Google’s terms and policies. Since there have been a lot of data leakages due to online hacking, Google has taken up measures to ensure that users are safe.
PII refers to personal data, which means that this information may help track or discover an individual’s identity. Everything that is shared on the Internet may lead to potential danger, therefore it is recommended to leave personal information out of cyberspace.
An IP address can easily turn into an ID since every time a person uses a search engine the website automatically stores data about that individual. This data includes URLs that include IP addresses, dates, and times of a particular search. Through the URLs and IP addresses, you can easily reach personal information about a certain person.
The data stored from IP addresses contain information about person’s operating system, browser, search preferences, etc. Also, they also store a unique ID for each user account. Therefore, it is easy to track a person’s identity through the IP address.
To protect users from potential tracking and revealing identity, Google has prohibited sending this kind of data to Google Analytics. The primary usage of Google Analytics is to check website activity, not to be a target for revealing and illegal use of personal data.
Following Google terms and policies is strongly recommended, and any breach might lead to a termination of the Google Analytics account. This way Google protects its users, but itself as well.
How To Avoid Sending PII
Now, you have the idea of what you can and cannot send to Google. So, before implementing Google Analytics, you need to check certain things, so you can be on the safe side.
Since Google prohibits sharing of email addresses, you may create non-obfuscated alphanumeric database identifiers only for your visitors. Another option is to use an encrypted identifier that has a certain, secure level of encryption. To get a clearer idea of how to create a proper identifier, you should read User ID guidelines.
Since PII sending is prohibited, you should keep in mind that your URL must not contain any personal data. If it does contain, you will need to remove it. To make things easier you can add analytics.js code before your URL gets to Analytics.
Analytics.js code will remove PII for you. This way you can be sure that your URL does not contain any personal data, therefore you are not breaching any Google policy.
Personal Data Entered By Users
Sometimes, users that enter the website might leave PII and form fields of personal data. Before entering Analytics, you should make sure that the website is free from PII entered by users.
When you import data to Google Analytics, you give Google access to use that data to store, host, reproduce and modify the uploaded data for providing Google Analytics service. Before uploading this data you should be sure that you have the needed rights to give license or access to Google for that data.
Also, the uploaded data needs to be free of Personally Identifiable Information, so it may not contain personal names, security numbers, email addresses, and similar data. Furthermore, the uploaded data should not contain information that identifies a particular device like a mobile phone’s unique device identifier.
If you include any kind of personal information, your Google Analytics account can be terminated. For better understanding, you can read the Upload data use policy.
If you are collecting location data, you should make sure that that data does not include GPS or fine-grained location information. The location data that includes GPS is considered PII, and Analytics will not allow it to pass.
If you are using AdSense, you should keep in mind that this could easily lead to including PII in the URLs. To avoid that successfully, there are features that might help you. There are different kinds of steps you may take to ensure that using AdSense does not interfere with Analytics terms.
To achieve PII-free URLs in AdSense, you should read about the features in AdSense Help Center.
Hashed And Salted PII
Google Analytics allows you to use an encrypted identifier that is based on PII, but as long as it has the proper level of encryption. Google has a minimum hashing requirement of SHA256 and it strongly advises users to use salt of a minimum of eight characters.
If you do not provide the proper level of encryption, you might not be able to use Google Analytics. Also, this could lead to the termination of your Google Analytics account.
If you have read everything carefully, it should be clearer to you which data is prohibited collecting by Google Analytics and that the reasons for that are mainly to protect your ID. You should be aware that everything you share on the Internet might be potentially dangerous, so you should steer clear from sharing personal data.