As per the Google Analytics Terms of Service, you are not allowed to send Personally Identifiable Information (PII) into your reports – even if you have explicit permission from your visitors. Essentially Google does not want it as doing so would put a huge legal responsibility on it.
Obviously name; email address; street address, telephone number, national ID numbers constitute personal data. However, be aware of the non-obvious data points that may at first appear benign, such as a visitor’s gender, age, language, type of car owned, demographic group etc. These in isolation are harmless in that that do not identify an individual. However, string them together and pretty soon you can identify who that person is..
If you have a process that collects PII into your back-end systems e.g. a contact form or transactional website, ensure personal information is not being sent to Google Analytics.
How to deal with historically captured personal information
Essentially all routes lead to the deletion of data, and at present this remains very blunt from Google.
PII comes in many shades, but for blatant abuse i.e. deliberate collection of personal information collected over a long period, expect the possibility of losing your GA property or even your account.
For a specific issue, Google deletes the date range effected. So for example a serious breach happening each day, even if low level which mostly these things are, can mean ALL data from the effective date range being deleted.
If you have a problem with collected PII, follow these steps:
- Set up a separate “clean” property to run alongside the one with the collected PII. This mitigates your risk should your original property have to be deleted.
- Consider the customTask method in this post to stop any PII being collected. This prevention happens at the point of data capture and can be a real life/career saver i.e. apply filters within GA is too late in the process to make yourself compliant – the data has already been sent.
However, the key is for you to regularly monitor i.e. audit the data, so that small mistakes do not become major catastrophes. Essentially anyone can make a mistake and the GDPR is not there to police the internet – rather it is there to ensure organisations have a process in place to spot mistakes and fix them quickly.
What PII does Verified Data check for?
The PII signals Verified Data looks for at listed at https://verified-data.
Real-Time Governance checks are also your friend as these are automatically checked every 4 hours. For example, from the screenshot below you can see the audit passed for PII Compliance on its last audit, but since then has failed for a governance check.