Preventing PII from being tracked in Google Analytics

Google doesn’t allow PII (Personally Identifiable Information) to be tracked in Google Analytics. You can have your Google Analytics account suspended if you don’t abide by the rules.

This means you can’t have URLs with parameters containing usernames, email or IP addresses, phone numbers being submitted to Google Analytics (or AdWords Remarketing).

Google provide some helpful Best Practises information, but their suggestions often rely on rewriting your web application so that PPI aren’t displayed in the URL.

This work-around script works by only including Google Analytics tracking snippet if the URL does not include email, username or password strings. The exact strings could easily be modified to suit your needs (maybe add phone?)

<script>
  window.ga=function(){ga.q.push(arguments)};ga.q=[];ga.l=+new Date;
  ga('create','UA-XXXXX-Y','auto');ga('send','pageview')
</script>
<script>
  if(location.href.match(/(?:\b|_)(?:username|email|password)(?:\b|_)/i) > -1){
  document.write('<script src="https://www.google-analytics.com/analytics.js" aysnc defer><\/script>');
  }
</script>

Demo - this page loads Google Analytics as normal

If you include params with PII (email, username or password) the URL Google Analytics will not load:

• ?username=redacted%40example.com&password=Z0CS9

• ?userName=redacted%40example.com&token=9234

• ?email=redacted%40example.com&token=%3%tX

Note; the optimized Google Analytics snippet is from HTML5Boilerplate

If you have any suggestion on how to improve this - please open a PR on GitHub

Disclaimer: This should be considered a temporary workaround. PII will still be in the URLs - make sure that those URLS are not being submitted to any other third-party service.