What data can't be sent to Google Analytics?
Google Analytics, like every other SaaS vendor, imposes limits on its users. So what exactly does Google prohibit us from sending to its service? And what about legal restrictions, beyond the commercial contract?
Let's dive into this subject.
What is Google Analytics?
Google Analytics is a web and mobile app analytics platform that businesses use to measure and understand their online performance. The service is partially free and tracks and reports metrics such as traffic, conversions, user behaviour, and more. Google Analytics helps businesses optimize their websites and apps, improve their marketing campaigns, and increase their revenue. However, the tool comes with restrictions and limitations, imposed both by its Terms of Service and by data protection regulations.
Limitations from Google Analytics Terms and Conditions
Google's policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII).
These restrictions are important for you and your engineering and marketing teams to know. As PII and Personal Data are often, incorrectly, used interchangeably, let's first clarify what each term means.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is any representation of information that permits the identity of the individual to whom the information applies to be reasonably inferred, by either direct or indirect means.
Some examples of PII are:
- Name: full names (first, middle, last name), maiden name, mother’s maiden name, alias
- Address: street address, email address
- Phone number: mobile, business, personal
- Device identifiers: internet protocol (IP) address, media access control (MAC) address
- Government identifiers: passport number, driving licence number, social security number (SSN)
- Financial information: credit card number, bank account number
- Biometric data: fingerprint, facial recognition, DNA profile
- Medical records: health conditions, prescriptions, test results
PII can be sensitive or non-sensitive, depending on how easily it can identify a person and how much harm it can cause if exposed. Sensitive PII includes data that can uniquely identify a person or reveal sensitive information about them. Non-sensitive PII includes data that is easily accessible from public sources and does not pose a significant risk to the person's privacy.
What is Personal Data?
Personal data is any information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors.
Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
What is the difference between PII and Personal Data?
PII and Personal Data are two terms that are often used interchangeably to refer to information that relates to an individual. However, there is a distinction between the two that is frequently misunderstood. PII consists of information that can be used to uniquely identify an individual, such as their name, social security number, biometric records, and so on. Personal Data, on the other hand, covers all types of information about an individual, such as contact information, medical records, financial records, and also identifiers like IP addresses and cookie IDs. PII is therefore a subset of Personal Data: the more sensitive part that requires the most protection. The term PII is commonly used in the United States, while the term Personal Data is used in the European Union under the General Data Protection Regulation (GDPR).
In the rest of this article, we will use the term Personal Data to cover both PII and Personal Data.
How can Personal Data be sent to Google Analytics?
Some Personal Data may be sent to Google Analytics inadvertently, due to the way a website is built or the way users interact with it. For example, if your website puts a user's email address in the URL (e.g., https://example.com/?email=user@example.com), then the page URL itself contains Personal Data, and the page view reported to Google Analytics would carry it along.
The Google Analytics JavaScript tracker, the piece of code you embed in your website, lets you override the page URL and title it reports to the service. Hence, if you ever expect user Personal Data such as a name, an email address or an account ID to appear in a URL, or in a page title such as a profile page, you should make sure you have a process that replaces these values before the hit is sent.
This data can also be stripped using Google Tag Manager (GTM). A tag manager is another piece of JavaScript that allows marketers to inject behaviour and executable JavaScript into websites without involving the engineering team.
With GTM, it is possible to implement sweeping rules that always remove the email or name from the URL before the page view event is submitted.
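The same scrubbing step can live in your own JavaScript rather than in GTM. The following is an added example, not code from the original article or from Google: it sanitizes the page URL and title before the page view is reported to GA4, by passing explicit page_location and page_title values instead of letting gtag.js read them from the document. The query parameter names, the /users/ and /profile/ route pattern and the measurement ID are assumptions for the illustration; replace them with what your own site actually exposes.

```javascript
// Added example: scrub Personal Data from the page URL and title before the
// page view is reported to Google Analytics. Not code from the original
// article or from Google. The parameter names, the /users/ and /profile/
// route pattern and the measurement ID are assumptions for the illustration.

// Query parameters whose values never belong in analytics, whatever they hold.
const SENSITIVE_PARAMS = new Set(['email', 'name', 'user', 'userid', 'phone', 'token']);
// A whole value that is an email address.
const EMAIL_VALUE_RE = /^[^\s@/]+@[^\s@/]+\.[^\s@/]+$/;
// Email addresses embedded in free text (page titles).
const EMAIL_IN_TEXT_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/g;
// Hypothetical routes whose next path segment is a user identifier.
const IDENTIFIER_ROUTES = new Set(['users', 'profile']);
const REDACTED = 'REDACTED';

function sanitizeUrl(rawUrl) {
  const url = new URL(rawUrl);

  // 1. Query string: redact known parameter names and any value that looks like an email.
  for (const key of [...url.searchParams.keys()]) {
    const value = url.searchParams.get(key);
    if (SENSITIVE_PARAMS.has(key.toLowerCase()) || EMAIL_VALUE_RE.test(value)) {
      url.searchParams.set(key, REDACTED);
    }
  }

  // 2. Path: redact email-looking segments and the identifier after /users/ or /profile/.
  const segments = url.pathname.split('/').map(s => decodeURIComponent(s));
  for (let i = 0; i < segments.length; i++) {
    const previous = i > 0 ? segments[i - 1].toLowerCase() : '';
    if (EMAIL_VALUE_RE.test(segments[i]) || IDENTIFIER_ROUTES.has(previous)) {
      segments[i] = REDACTED;
    }
  }
  url.pathname = segments.join('/');

  // 3. Fragment: OAuth-style flows put access tokens after '#'; never report it.
  url.hash = '';
  return url.toString();
}

function sanitizeTitle(rawTitle) {
  return rawTitle.replace(EMAIL_IN_TEXT_RE, REDACTED);
}

// Parameters for the GA4 page view. Passing page_location and page_title
// explicitly overrides what gtag.js would otherwise read from the document.
function pageViewParams(rawUrl, rawTitle) {
  return { page_location: sanitizeUrl(rawUrl), page_title: sanitizeTitle(rawTitle) };
}

// In the browser, wired into the standard gtag snippet (the measurement ID is a placeholder):
//   gtag('config', 'G-XXXXXXXXXX', { send_page_view: false });
//   gtag('event', 'page_view', pageViewParams(location.href, document.title));

if (typeof window === 'undefined') {
  // Stand-alone run under Node: show the effect on a constructed URL and title.
  console.log(pageViewParams(
    'https://example.com/users/alice@example.com?email=alice@example.com#access_token=abc',
    'Profile: alice@example.com'));
}
```

Disabling the automatic page view and sending it yourself is what makes the override reliable: otherwise gtag.js reports the raw document URL once before your code runs. The redaction keeps the parameter name (email=REDACTED) so that reports still show which routes carry identifiers and need fixing at the source.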
In 2022 and early 2023, website owners were faced with a further set of restrictions, this time coming from GDPR enforcement and a series of rulings by national Data Protection Authorities. By loading the Google Analytics script on your website, your user's browser contacts Google's infrastructure directly. We have to trust Google that these requests, and the IP addresses attached to them, are not stored and processed further. Sadly, such trust cannot be established, as Google is a US corporation and must comply with US surveillance laws.
This is hard to work around and cannot be fixed by a configuration switch; it takes engineering and infrastructure effort.
Luckily for the many businesses that depend on GA and GA4, there is a solution, although it is not trivial.
How to Avoid Sharing IP Address with Google Analytics?
In the case of Universal Analytics, the previous generation of Google Analytics, you must enable IP masking (the anonymizeIp setting). This masking strips part of the address before it is stored: the last octet of an IPv4 address, or the last 80 bits of an IPv6 address, is set to zero, which makes the stored value non-reversible for most purposes, though it still reveals the network and the rough location.
Google Analytics 4 (GA4), the next generation of Google Analytics, states that IP addresses are neither logged nor stored, so no setting is needed.
Even if the tracker script does not include the IP address in the hit, the issue raised above remains: the browser's request to Google's servers carries the full IP address at the transport level, and Google's infrastructure sees it before any masking is applied.
If you serve a European audience, you cannot rely solely on Google's built-in anonymization. As suggested by the Commission Nationale de l'Informatique et des Libertés (CNIL), the French Data Protection Authority, the way to use Google Analytics in line with GDPR is to send events through a proxy hosted in the EU and under your own control. CNIL's guidance requires, among other things, that the proxy never forwards the user's IP address, replaces the Google user identifier with one it generates itself, and removes referrer and URL parameters that could identify the user.
Using a proxy has additional benefits. It gives you finer control over how information is anonymized and obfuscated before it ever leaves your infrastructure.
Unfortunately, the requirements for the proxy are not trivial.
- The proxy must not be operated on a US cloud, which is subject to the same US legal reach as Google.
- Maintaining the proxy adds another moving part to your web architecture. It needs patching, hardening and security monitoring: a compromised proxy sits in the path of every page view, and a breach brings fines and loss of reputation.
Can You Replace Google Analytics and avoid this hassle?
Recently, numerous Google Analytics alternatives have appeared on the market, some of which offer sovereign, compliant web analytics.
Wide Angle Analytics, built for strict compliance, is hosted entirely in the EU and does not transfer data outside the EU. In addition, it is one of very few SaaS web analytics services that openly permits processing Personal Data. Thanks to WAA's strong security and baked-in compliance, you are covered.
Another possible solution is Matomo. Their product caters more to enterprise customers and offers a solid self-hosted option for those who need full control over their environment and have the resources to maintain it.
However, you have to be just as careful with other solutions as with Google Analytics.
When you look closer at the Terms and Conditions or Data Processing Agreements of web analytics vendors, you might be surprised to find that they outright prohibit you from sending them Personal Data, leaving you and your business with the same problem you had with Google Analytics in the first place.
Summary
Google Analytics prohibits you from sending Personally Identifiable Information to the service. Likewise, GDPR requires safeguards that Google's legal situation cannot guarantee. To use Google Analytics legally, in line with both the Terms of Service and the law, you need an anonymization layer, such as a proxy.
You can avoid this concern altogether by using compliant web analytics, such as Wide Angle Analytics, which allows processing Personal Data. At the same time, when shopping around for a Google Analytics alternative, you should be wary of vendors who push the responsibility back onto you by prohibiting you from sending them sensitive information.