The everything guide to PII: What does it know? Does it know things? Let’s find out.

No, we didn’t misspell pi (or pie, mmm). PII stands for “Personally Identifiable Information” and this kind of information is something that your Google Analytics property could be recording right at this very moment. You want to gain insight as to who is interacting with your website, but using PII is not the way to go about doing it, and in fact it can get you into trouble with Google if they catch wise.

🎶Gonna make a PII… 🎶 How to avoid collecting personally identifiable information on your website. Click To Tweet

Fortunately, while PII is a big deal, it’s also an easily resolvable one. Here’s what it’s all about.  


What is Personally Identifiable Information?

A number of factors can be constituted as PII. Personally Identifiable Information includes a user’s name, their social security number, email address, data identifying a particular device (like a mobile phone’s serial number), or any similar data in this vein.

It’s important to note that the U.S. General Services Administration doesn’t restrict the definition of “PII” to any specific category of information or technology. In the GSA’s Privacy Act, they refer to this information as:

“[Anything] that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.… In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”

Yes, you are able to collect much of this data from users, but they have to enter it willingly and the information cannot be encoded into any transmittable data.


What does that mean for my website?

One of the more common ways that PII is stored is in Google Analytics. Per the GA terms of service:

“You will not and will not assist or permit any third party to, pass information to Google that Google could use or recognize as personally identifiable information.”

If Google detects that PII is being sent and/or stored, they will terminate your account and destroy your data. Depending on the breach and your location in the world, you could also be looking at fines and misdemeanors. Check with your legal department or an attorney to know what laws are specific to your country and/or territory.


But what if I don’t know that my website is collecting PII?

That’s why you should check! PII can be spotted in Google Analytics and may come up as events if users are signing up with their email addresses, or it can manifest in URLs (such as unsubscribe URLs).

An ounce of prevention is worth a pound of cure here: Make sure the configurations being set up in your Google Analytics are never collecting PII. In auditing your GA account, you should also be aware of the ways that PII can be collected. Make it a monthly practice to check for these canaries in the coal mine.

How to be your own canary in the coal mine when it comes to collecting PII in Google Analytics. Click To Tweet

How do I know if my website is collecting PII?

The simplest way to check for PII is in query parameters in your Google Analytics. Navigate to Behavior » Site content » All pages and do a search on “ @ ” to see the active query parameters in the account.

To check for PII as event dimensions, navigate to the Events report in GA and check all Event categories, actions, and labels to make sure it’s not being stored.  

To check for PII in custom dimensions, go to Admin » Custom Definitions » Custom Dimensions. Create a custom report that pulls in custom dimensions, and from there check that none of the dimensions contain PII.

To check for PII in campaign parameters, scan the source, medium, campaign, and content for campaign-tagged traffic. If you see a utm tagged campaign, be sure to triple check that the parameters won’t bring in PII.

To check for PII in signup forms, make sure that form submits implement a “POST” request, not a “GET” request. Your developer can change this if you are implementing a “GET” request.

What do I do if I find PII?

Act immediately. If your website is collecting PII, this is a top priority to address. Work with your developer to stop collecting PII through the website. From there, strip the query parameters in Google Tag Manager to remove PII on that end.

Next, back up your account data with an export. From there, create a new view by copying the existing view to make sure it is PII-free going forward.

What does Google say?

Google has a number of resources to help you avoid sending PII when collecting your Analytics data. Check out their best practices guidelines, which includes categories on page URLs and titles, PII entered by users, data imports, AdSense, and how to send Google encrypted identification based on PII.

The Whole Whale solution

Want an easy-to-install Google Tag Manager configuration to strip PII from your website’s URLs before they are collected by Google Analytics? Sign up for the Whole Whale newsletter for a free code and guide on using it.