NEW: Google Analytics Now Auto-Removing Personal Data

Google Analytics is now removing personal info from collected data. So far only for query term "email".

I regularly audit and test accounts for PII and found this today: Google Analytics is automatically replacing email addresses it finds in your reports with the text "obfuscated" - in real time. At present it seems only to work when sent as a value in the query term ?email=. As you can see from the screenshot, my test for ?emailaddr= still shows in the report.

Let's hope this proactive filtering can get smarter over time. That said, I hope web devs/admins don't get complacent and rely on this as a band-aid fix.

No one should be sending personal info (PII) around the web in plain text as part of a URL, but amazingly it does happen. Even by big brands that should know a lot better... Apart from being a reputation killer, it's illegal to do so in the EU.
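
The test above shows a filter that reacts to `?email=` but lets `?emailaddr=` through. As an added example, not code from the article or from Google, the JavaScript below scrubs a URL by inspecting parameter values, path segments and the fragment rather than parameter names, before the URL is handed to any analytics tag. The function names, the sample URLs and the `REDACTED_EMAIL` placeholder are assumptions made for illustration.

```javascript
// Added example: remove e-mail addresses from a URL before it is sent to analytics.
// Detection is by VALUE, so ?emailaddr= is caught as well as ?email=.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
const REDACTED = "REDACTED_EMAIL"; // placeholder text chosen for this example

// True if the text holds an e-mail address, also when percent-encoded
// once or twice (jane%40example.com, jane%2540example.com).
function containsEmail(text) {
  let decoded = text;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(decoded);
    } catch (e) {
      break; // stray "%": test what has been decoded so far
    }
    if (next === decoded) break;
    decoded = next;
  }
  return EMAIL_RE.test(decoded);
}

// Returns the URL with every value, path segment or fragment that contains
// an e-mail address replaced as a whole, so no partial address is left behind.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    clean.append(key, containsEmail(value) ? REDACTED : value);
  }
  url.search = clean.toString();
  url.pathname = url.pathname
    .split("/")
    .map((segment) => (containsEmail(segment) ? REDACTED : segment))
    .join("/");
  if (containsEmail(url.hash)) url.hash = REDACTED;
  return url.toString();
}

// Constructed sample: both parameter names from the article's test.
console.log(scrubUrl(
  "https://shop.example/thanks?email=jane.doe%40example.com&emailaddr=jane.doe@example.com&order=1234"
));
```

This only covers e-mail addresses; other personal data in URLs, such as names, has no recognisable pattern and has to be kept out of the URL at the source.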

Forsyth Thompson

SaaS. Leadership, Team & Rev Growth, Marketing, Innovation & Digital

8 years ago

Some really valuable insight, many thanks for the article and subsequent comments & analysis. I was, perhaps naively, unaware that PII getting pulled into URLs was so prevalent still. Does anyone happen to have any kind of stats on it?

June Li

Founder & CEO, ClickInsight - Digital Analytics Consulting

8 years ago

Brian Clifton Stéphane Hamel Aurélie P. Is this only happening in Europe? I tested "email=" with 3 different emails and did not get "obfuscated" on any of them.

Aurélie P.

Privacy engineer & Bizdev - DPO - Ethics "expert" - former European Center for Privacy & Cybersecurity (ECPC) board member

8 years ago

Well, it's a step, a very small step, in the right direction and kind of the obvious one from an engineering perspective. You wouldn't have lists of what you consider to be PII/personal data by any chance? Happy to show you mine ;-) After all, while the email is the one easy to detect - with @ and all -, companies like Iberia in Spain still push my last name - which is definitely personal data - into the URLs of their confirmation for downloading boarding tickets. And this finds its way into GAP reports! While this has been escalated a couple of times, I'm not seeing any evolution, neither from the part of Iberia nor Google. This begs the following question and duty, on top of the engineering effort in detecting PII/personal data variables, of adequate internal escalation procedure when it is reported that the Terms & conditions of usage of the tool have been breached. For now, I don't see any enforcement of those terms onto accounts like the termination of them... Thoughts welcome, thanks for sharing!

Remi Turcotte

Founder @ Turko : SEO & Performance Marketing Experts

8 years ago

Does it obfuscate it as well if we send it as an event / custom dimension?
