How to stop personal information getting into your Google Analytics

Google has strict policies against sending Google Analytics any data that includes personally identifiable information (PII). This includes any hits that contain:

  • User emails
  • User addresses
  • User phone numbers
  • User full names or usernames

Depending on your tracking setup, the most common place for these to accidentally show up is inside URLs. So how do we fix this? The best way to keep PII out of the account is to clean the data before it is sent. If you use Google Tag Manager for all your tracking (and you should be!), this is quite easy, as GTM allows you to make structured transformations to your tracking at scale. If you aren’t familiar with GTM variables, it would be a good idea to learn the basics of GTM first.

There is a good solution provided on Simo Ahava’s blog; however, our solution is more generic since it will also work for Google Analytics 4 setups.

The solution is to create a variable that returns the user’s current URL stripped of any PII, and to send that value to Google Analytics instead of the default URL. Here’s how to set it up:

  • Navigate to the “Variables” item in the left-hand menu.
  • Scroll down past the “Built-in variables” section to the “User-Defined Variables” section, and click on the “New” button.
  • Name the variable according to your naming convention, eg. “JS – Cleaned Page”.
  • Click on variable configuration, then select the “Custom Javascript” option.
  • Click on the text area of the variable and paste the code from the shaded box below.
  • Click on Save in the top right-hand corner of the screen.

Code to be pasted in “JS – Cleaned Page” variable

function() {
  var m, x, i, key, value, keyArray, valueArray, result = "";
  // Query string without the leading "?". The right-hand side was missing from
  // the published snippet; window.location.search is used here as an assumption.
  var URLQuery = window.location.search.replace(/^\?/, "");
  var pagePath = window.location.pathname;
  if (URLQuery == "") return pagePath;
  var queryStringArray = URLQuery.split("&");
  for (i = 0; i < queryStringArray.length; i++) {
    x = queryStringArray[i];
    if (!x.includes("=")) {
      //Not a standard URL parameter, including in the URL sent to GA and moving to next parameter
      result = result + x + "&";
      continue;
    }
    //For standard URL parameters, break up the left and right hand side of the =
    keyArray = x.match(/^[^=]+/g);
    valueArray = x.match(/[^=]+$/g);
    //Parameters with an empty key or value are dropped
    if (keyArray === null || valueArray === null) continue;
    key = keyArray[0];
    value = valueArray[0];
    var regexValue = /\@|\%40|email|phone|name|postcode|mobile/i;
    if (key.match(regexValue) || value.match(regexValue)) {
      //Probable PII, replacing the value with a placeholder
      result = result + key + "=XXXX&";
    }
    else if (key != null && value != null) {
      result = result + key + "=" + value + "&";
    }
  }
  if (result.length == 0) {
    if (typeof result === "undefined") return pagePath;
    else return pagePath + result;
  }
  else {
    //Truncate final &
    if (result[result.length - 1] == "&") result = result.substring(0, result.length - 1);
    if (!result.includes("?")) result = "?" + result;
    if (typeof result === "undefined") return pagePath;
    else return pagePath + result;
  }
}

Note the line that starts with “var regexValue”. This is what determines which parameters are considered PII. You may need to modify the terms separated by the vertical pipes if you have legitimate URL parameters that don’t contain PII, to make sure their values are kept. For example, if you have an education website and the URL of a course search contains a parameter called coursename, you probably want to collect its value. In this case you would change the “name” part of the regular expression and make it more specific so that it does not cover the parameter coursename (you could for instance change it to “lastname”).
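
An added example, not part of the original article: a regression check to run in Node or the browser console before editing the pattern. It shows that narrowing “name” to “lastname” stops over-redacting coursename but also stops matching firstname, username and name; the parameter lists and the VARIANTS pattern are assumptions made for illustration.

```javascript
// Added example (not the article's code): regression check for an edited PII pattern.
// Parameter names and values below are constructed samples.
var ARTICLE  = /\@|\%40|email|phone|name|postcode|mobile/i;      // pattern from the article
var LASTNAME = /\@|\%40|email|phone|lastname|postcode|mobile/i;  // "name" narrowed to "lastname"
// Hypothetical alternative: list the name variants instead of keeping only one.
var VARIANTS = /\@|\%40|email|phone|(^|first|last|full|user)name|postcode|mobile/i;

// Same decision the GTM variable makes: redact when the key or the value matches.
function isRedacted(key, value, piiRegex) {
  return piiRegex.test(key) || piiRegex.test(value);
}

var MUST_REDACT = [            // parameters that carry PII on this constructed site
  ["email", "jane%40example.com"],
  ["contact", "jane@example.com"],
  ["phone", "0400000000"],
  ["firstname", "Jane"],
  ["lastname", "Citizen"],
  ["username", "jcitizen"],
  ["name", "Jane"]
];
var MUST_KEEP = [              // legitimate parameters the reports need
  ["coursename", "statistics"],
  ["test", "testvalue"]
];

// Returns a list of problems; an empty list means the pattern passes both lists.
function checkPattern(piiRegex) {
  var problems = [];
  MUST_REDACT.forEach(function (p) {
    if (!isRedacted(p[0], p[1], piiRegex)) problems.push("leaks " + p[0]);
  });
  MUST_KEEP.forEach(function (p) {
    if (isRedacted(p[0], p[1], piiRegex)) problems.push("over-redacts " + p[0]);
  });
  return problems;
}

console.log("article :", checkPattern(ARTICLE));
console.log("lastname:", checkPattern(LASTNAME));
console.log("variants:", checkPattern(VARIANTS));
```

Replace the two lists with the parameters your own site uses, and only publish a pattern for which the check returns an empty list.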

The last step is to make sure this new value is sent to GA with any hit:

  • Make sure that every Universal Analytics hit is using a GA Settings variable. For more info on creating one see this article by Google.
  • Edit your GA Settings variable (or if you have many variables, edit them all).
  • Under “Fields to Set” create a new row. Under field name put “page” and under value click the button and select the name of the Javascript variable (in our example, “{{JS – Cleaned Page}}”).
  • If you use Google Analytics 4, go to Tags and find your setup tag (the type column will have “Google Analytics: GA4 Configuration”) and edit it.
  • Again under “Fields to Set” make sure there’s a row for the URL. This time the field name is “page_location” and the value should be the hostname followed by the URL, in our case “{{Page Hostname}}{{JS – Cleaned Page}}”.

How to test this in GTM

  • Open up a preview session in Google Tag Manager (more info here if you need). When specifying which URL to open, append the test parameters to your home page domain URL, eg. “[email protected]&phone=0400000000&test=testvalue”.
  • Click any of the events listed on the left hand side of the screen.
  • Navigate to the variables tab in the Output section of the page.
  • Check through the list of variables for the “JS – Cleaned Page” variable that we had to create, and check the value. It should be “”. The email and phone number values have been removed, but the other parameters are kept.
  • Go to the Tags tab and click on the events that would have caused your Universal Analytics and/or GA4 tag to fire on the page, then click on the tag itself.
  • Make sure the option at the top is set to display variables as values.
  • Check that the redacted URL is the one actually being passed to Google Analytics.
