Google Analytics Audit Test #97

Sensitive Customer Information Stored in Analytics

Why It Matters:

Critical to basic setup and adhering to Google Analytics Terms of Service and privacy laws.

Industries:

All

Checks For:

Utility

How powerful is your current implementation?

Insight Category:

Behavior

Can you tell what visitors are doing?

Background

A GA4 audit is essential for uncovering missing insights—key data points that organizations don't yet know and can act upon. A well-done audit evaluates both behavioral tracking and traffic attribution, ensuring each is accurate and useful. It also assesses whether the data collected truly supports business decisions and reporting.

Test Detail

This test detects whether personally identifiable information (PII) or other sensitive customer data is being sent to Google Analytics—such as email addresses, names, phone numbers, or credit card details.

Sending PII to Google Analytics violates Google’s Terms of Service and can result in data loss, account suspension, or legal risk. It's a critical compliance and privacy issue.

Worse, if you are in the healthcare space, sending or storing protected health information (PHI) in Google Analytics is a violation of HIPAA.

Check This Test for Free! Instantly.

Our free instant audit tool checks for 90 issues in 90 seconds.

Then gives you a prioritized list of items to tackle.

No cost, no sales call... just free goodness.

How to Conduct This Test

Basic Tests

  • In Google Analytics > Explore or via BigQuery, scan for:
    • Values in URL query parameters or event parameters that contain @, .com, names, or phone number patterns.
    • Page paths or event parameters that include data like:
      • ?email=jane@example.com
      • /checkout?name=JohnSmith
      • /form-submit?phone=555-123-4567
  • Common places this occurs:
    • URL parameters passed from forms
    • Internal search terms that capture PII
    • Unescaped email addresses or user-entered data in event parameters

Automated, Free Audit

Want to automatically scan your GA4 setup for PII risk? Run our Instant Audit.

Need legal-safe cleanup? Hire a pro who understands analytics and privacy compliance.

How To Fix

  • Immediately stop sending PII by:
    • Updating forms, search tools, and link templates to exclude or encrypt sensitive fields.
    • Ensuring GTM or your site code excludes PII from being passed into GA4 events or pageviews.
    • Adding JavaScript filters to sanitize URLs before GA4 loads.
  • Use Google Tag Manager variables and Custom JavaScript to strip or mask unsafe values before they are sent to GA4.
  • Conduct a privacy-focused tag audit and consult with legal if necessary.
  • Hire a pro to remediate PII issues, implement preventative guardrails, and protect your analytics integrity.
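
The scan patterns under Basic Tests and the "sanitize URLs before GA4 loads" step above, as an added example (not code from this page's author or from Google): findPii flags values to review, and sanitizeUrl rewrites a URL before it is reported. The helper names, the REDACTED token, the parameter-name list and the shop.example URLs are assumptions.

```javascript
// Added example: hypothetical helpers, not part of GA4, GTM, or any Google library.
const TOKEN = 'REDACTED';

// Value patterns from the checklist above. The phone pattern also matches
// other 10-digit numbers (for example order IDs), so review hits before acting.
const PII_PATTERNS = {
  email: /[A-Z0-9._%+-]+(?:@|%40)[A-Z0-9.-]+\.[A-Z]{2,}/gi,
  phone: /(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)/g,
};

// Parameter names redacted regardless of value (assumed list; extend per site).
const SENSITIVE_KEYS = /^(e-?mail|name|first_?name|last_?name|phone|tel)$/i;

// Detection: which PII types appear in a page path or event parameter value.
function findPii(value) {
  return Object.keys(PII_PATTERNS).filter((type) => value.search(PII_PATTERNS[type]) !== -1);
}

// Replace every pattern match in a string with the token.
function redactText(text) {
  return Object.values(PII_PATTERNS).reduce((out, re) => out.replace(re, TOKEN), text);
}

// Prevention: return a copy of the URL that is safe to report as the page location.
function sanitizeUrl(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    clean.append(key, SENSITIVE_KEYS.test(key) ? TOKEN : redactText(value));
  }
  url.search = clean.toString();
  url.pathname = redactText(url.pathname); // emails or phone numbers used as path segments
  return url.href;
}

// Constructed sample URLs (shop.example is a placeholder host).
for (const sample of [
  'https://shop.example/checkout?name=JohnSmith',
  'https://shop.example/form-submit?phone=555-123-4567',
  'https://shop.example/search?q=jane@example.com+shoes',
  'https://shop.example/user/jane@example.com/profile?tab=orders',
]) {
  console.log(findPii(sample).join(',') || 'none', '->', sanitizeUrl(sample));
}
```

In the browser, pass sanitizeUrl(location.href) to the tag as the page URL (GA4's page_location parameter) instead of letting it read the raw address. The first sample shows why name-based rules are needed alongside patterns: a bare name like JohnSmith matches no value pattern and is caught only by its parameter name.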