Google Analytics prohibits the collection of personally identifiable information (PII). If Google detects PII, it could delete it from your reports. Users of Google Analytics should therefore proactively detect PII and delete it if necessary.
I’ll explain how to do that in this post.
The best way to remove PII is not to send it to Analytics to begin with. For more, see “Best practices to avoid sending Personally Identifiable Information (PII),” a Google post.
Detecting PII
In the article above, Google explains where to search for PII in your reports. The main areas are:
- User ID settings,
- Content settings (pages and page titles),
- Event settings (category, action, label),
- Ecommerce settings (credit card, customer name, shipping and billing address, phone number),
- Campaign dimensions (source, medium, campaign, ad content, term fields),
- Site-search settings (search term or category),
- Custom dimensions.
The screenshot below is an example of PII data. The Source field contains an email address, and the Medium field contains a phone number, which I’ve partially obscured.
I’ve created a Google Data Studio report to detect PII. It should not be your only detection method, but it should work in most cases. Monitor this report regularly. Modify the filters to fit your setup and take action if PII is detected.
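As a second check alongside the report, the sketch below scans an exported report for email- and phone-like values in the dimensions listed above, and decodes URL-encoded values first so that an address written with %40 is still caught. It is an added example, not part of the original post or of Google's tooling; the column names, the patterns, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from urllib.parse import unquote

# Heuristic patterns (assumptions): tune them to your own traffic.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 10 to 15 digits with common separators, so dates and short IDs are skipped.
PHONE_RE = re.compile(r"(?<!\d)\+?(?:\d[\s().-]{0,2}){9,14}\d(?!\d)")

# Hypothetical export column names for the dimensions the post lists.
DIMENSIONS = ["source", "medium", "campaign", "adContent", "keyword", "pagePath",
              "pageTitle", "eventCategory", "eventAction", "eventLabel", "searchKeyword"]

def find_pii(value):
    """Return the sorted kinds of PII ("email", "phone") found in one value."""
    text = unquote(value or "")  # page paths often carry %40 instead of @
    kinds = set()
    if EMAIL_RE.search(text):
        kinds.add("email")
    if PHONE_RE.search(text):
        kinds.add("phone")
    return sorted(kinds)

def redact(value):
    """Mask matches so a finding can be shared without repeating the PII."""
    text = EMAIL_RE.sub("[email]", unquote(value or ""))
    return PHONE_RE.sub("[phone]", text)

def scan_export(csv_text, dimensions=DIMENSIONS):
    """Return (row number, dimension, kinds, redacted value) for each hit."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        for dim in dimensions:
            kinds = find_pii(row.get(dim))
            if kinds:
                findings.append((row_no, dim, kinds, redact(row[dim])))
    return findings

# Constructed sample export: row 3 mirrors the Source/Medium case in the post.
SAMPLE = """source,medium,campaign,pagePath,date
google,organic,(not set),/pricing,20200101
jane.doe@example.com,555-010-0199,spring,/thanks?email=jane.doe%40example.com,20200102
newsletter,email,sale2020,/order/1234567,20200103
"""

if __name__ == "__main__":
    for finding in scan_export(SAMPLE):
        print(finding)
```

The row numbers and dimension names in the findings give the date range and fields to enter in a Data Deletion Request.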
Deleting PII
Google provides a process for removing PII. Navigate to Admin > Property > Data Deletion Requests > Create Data Deletion Request.
Enter the “Start Date,” “End Date,” and “Fields to Delete.” In the example below, I am deleting “All” fields because my campaign URL parameters contained PII, and “All” is required to remove this data.
After clicking “Submit,” the status is “In Grace Period.” It takes at least seven days for Google to remove the data. Check after a week or so to confirm.
You can cancel the deletion request in the interim. To do this, click on “In grace period” in the table to reach the “Data Deletion Request Review” page (below), which includes the status, details, and option to cancel.
When it completes the Data Deletion Request, Google will notify you in an email. Also, the status will update to “Completed.”
Finally, confirm that Google has removed the PII in your reports. The example Acquisition report, above, included my email address and phone number, respectively, in the Source/Medium fields. Note, below, that both are now gone.