Google Analytics prohibits the collection of personally identifiable information. If detected, Google could delete PII from your reports. Users of Google Analytics should therefore be proactive to detect and then delete the PII if necessary.
I’ll explain how to do that in this post.
The best way to remove PII is not to send it to Analytics to begin with. For more, see “Best practices to avoid sending Personally Identifiable Information (PII),” a Google post.
Detecting PII
In the article above, Google explains where to search for PII in your reports. The main areas are:
- User ID settings,
- Content settings (pages and page titles),
- Event settings (category, action, label),
- Ecommerce settings (credit card, customer name, shipping and billing address, phone number),
- Campaign dimensions (source, medium, campaign, ad content, term fields),
- Site-search settings (search term or category),
- Custom dimensions.
The screenshot below is an example of PII data. The Source field contains an email address, and the Medium field contains a phone number, which I’ve partially obscured.
This sample Acquisition report includes a personal email address and phone number in, respectively, the Source and Medium fields. Click image to enlarge.
I’ve created a Google Data Studio report to detect PII. It should not be your only method of detecting, but it should work in most cases. Monitor this report regularly. Modify the filters to fit your setup and take action if PII is detected.
Deleting PII
Google provides a process for removing PII. Navigate to Admin > Property > Data Deletion Requests > Create Data Deletion Request.
Enter the “Start Date,” “End Date,” and “Fields to Delete.” In the below example, I am deleting “All” fields because my campaign URL parameters contained PII, and “All” is required to remove this data.
Enter the “Start Date,” “End Date,” and “Fields to Delete.” To delete PII in campaign URL parameters, select “All.”
After clicking “Submit,” the status is “In Grace Period.” It takes at least seven days for Google to remove the data. Check after a week or so to confirm.
You can cancel the deletion request in the interim. To do this, click on “In grace period” in the table and reach the “Data Deletion Request Review” page (below), which includes the status, details, and option to cancel.
To cancel a deletion request, click on “In grace period” in the table and reach the “Cancel Deletion” button on the “Data Deletion Request Review” page. Click image to enlarge.
When it completes the Data Deletion Request, Google will notify you in an email. Also, the status will update to “Completed.”
When finalized, the Data Deletion Request status will change to “Completed.” Click image to enlarge.
Finally, confirm that Google has removed the PII in your reports. The example Acquisition report, above, included my email address and phone number, respectively, in the Source/Medium fields. Note, below, that both are now gone.
Confirm in your reports that Google has removed the PII. This Acquisition report no longer contains a personal email address and phone number in the Source/Medium fields. Click image to enlarge.
