PII Reference Guide for Google Analytics Auditing

What this guide covers

This guide explains how Verified ANALYTICS identifies and flags personally identifiable information (PII) within Google Analytics datasets, and what that means in practice for teams responsible for data quality and compliance.

It is intended for analysts, data owners, and compliance stakeholders who need a clear understanding of what is being detected, how detection works, and how to respond when issues are found.

Why PII in analytics matters

PII should never be present in Google Analytics. When it is, the issue is not theoretical — the exposure has already occurred. In most cases, PII enters analytics unintentionally, often through URLs, form handling, or tagging logic. Once captured, it may be stored in multiple locations beyond your control, including logs, integrations, and third-party systems.

This creates three immediate concerns:

• a breach of platform terms (including Google Analytics policies)
• potential exposure across systems and vendors
• regulatory risk under frameworks such as GDPR and CCPA

For this reason, auditing is not about prevention alone. It is about identifying where exposure has occurred and ensuring it is properly remediated.

How PII detection works

Verified ANALYTICS analyses the data already collected within your analytics environment. Rather than relying on assumptions or configuration reviews, it inspects actual values across key dimensions where PII is most likely to appear.

In practice, this includes areas such as page URLs, referrers, campaign parameters, event data, transactions, and custom dimensions. These are common sources of leakage, particularly where user input or identifiers are passed dynamically.

To make this process efficient at scale, datasets are sampled intelligently. Up to 30,000 rows are analysed per audit, and where volumes exceed this, sampling is distributed across high-, medium-, and low-frequency data. This ensures that both dominant patterns and edge cases have a realistic chance of being detected.

Importantly, detected values are never stored in their original form. Any potential PII is immediately hashed (scrubbed), meaning the system can identify patterns without retaining sensitive data. All issues remain within your Google Analytics property, allowing you to investigate and resolve them directly.

What types of PII are identified

PII can take many forms, and in analytics data it is often less obvious than expected. While email addresses are a common example, they are only a small part of the overall picture.

Detection rules are designed to cover several broad categories.

At the most fundamental level, this includes direct identifiers such as email addresses, phone numbers, names, IP addresses, and usernames. These are typically the highest-risk and most immediately actionable findings.

Beyond this, the system also checks for financial data, including patterns consistent with credit card numbers, IBANs, and banking identifiers. While less common, their presence represents a more severe form of exposure.

There is also a layer of technical and device-related identifiers, such as IMEI numbers, MAC addresses, and advertising IDs. These are often overlooked but can still fall within the scope of personal data depending on usage.

Finally, detection extends to sensitive or regulated data types, including medical-related terms and government-issued identifiers such as passport or national ID numbers.

To support global use cases, the ruleset also incorporates a wide range of country-specific identifiers. These cover formats such as national insurance numbers, tax IDs, and social security equivalents across multiple jurisdictions. The list is continuously maintained and expanded as requirements evolve.

See the APPENDIX for country specific PII checks

What to do when PII is found

Finding PII in your analytics data is not unusual, but it does require a structured response.

The first step is to understand where the data is coming from. In most cases, the source will be one of the following:

• a URL structure passing user input as a query parameter
• form data being exposed unintentionally
• a tagging or tracking misconfiguration
• an integration with another platform

Once identified, remediation should focus on removing the issue at source. This might involve changing how forms are processed, preventing certain parameters from being captured, or updating tagging logic to exclude sensitive values. Note, Verified ANALYTICS does not make any changes to your Google Analytics data. Such work is left in the hands of real people.

After changes are made, validation is essential. Re-running the audit confirms whether the issue has been resolved and ensures no related leakage remains elsewhere in the dataset.

A note on common causes

Across implementations, the same patterns tend to appear repeatedly. Email addresses in URLs are one of the most frequent issues, often introduced through confirmation pages or marketing links. Query string parameters are another common source, particularly when they are used to pass user-entered values.

In other cases, problems originate from third-party tools or integrations that send more data than intended. These issues are not always visible without inspecting the collected dataset directly, which is why auditing plays a critical role.

Ongoing auditing

PII detection should not be treated as a one-off exercise. Analytics implementations change over time — new tags are added, integrations evolve, and website functionality is updated.

Each change introduces the possibility of new data being captured unintentionally.

Regular auditing ensures that your data remains:

• compliant with platform and regulatory expectations
• free from unintended sensitive information
• reliable for analysis and decision-making

APPENDIX – Specific PII Checks

The Core Identifier dimensions are always checked for PII. You can also check specific fields such as tax IDs, social security numbers etc from the list of 39 countries:

Argentina, Australia, Belgium, Brazil, Canada, Chile, China, Colombia, Denmark, France, Finland, Germany, Hong Kong, India, Indonesia, Ireland, Isreal, Italy, Japan, Korea, Mexico, Netherlands, New Zealand, Norway, Paraguay, Peru, Poland, Portugal, Singapore, South Africa, Spain, Sweden, Taiwan, Thailand, Turkey, United Kingdom, United States, Uruguay, Venezuela.