
How To Find & Eliminate PII In Google Analytics…

Marc Parrish
Are You Accidentally Breaking the Law? Uncover Hidden GDPR Violations in Your Google Analytics Data Today!

Google Analytics (GA) is a powerful tool that provides companies with data and valuable insights. However, many companies may unknowingly be in violation of the General Data Protection Regulation (GDPR) by accidentally submitting personally identifiable information (PII) to their GA platform. Google's policies aim to protect users' privacy by requiring that no PII be passed on to their platform. However, PII often gets into GA through page titles or URL strings when a visitor views your web pages, fills out a form, or uses the search feature on your website. If Google identifies PII in your analytics account, it may remove all or part of your data. Fortunately, there is an easy and quick way to eliminate PII from your GA.

How to Identify PII in Google Analytics

PII is defined as any information that, on its own, has the potential to directly identify, contact, or accurately locate an individual. It includes, but is not limited to:

  • Names
  • Emails
  • Physical addresses
  • Phone numbers

Navigate to Google Analytics > Behavior > Site Content > All Pages to locate any PII on your GA platform quickly. To check if any emails have been stored, filter with "@". If you need to filter the list further, enter one of the following regexes in the filter field:

  • Names: (fn|ln|lastname|firstname|name|fullname)
  • Email addresses: Use this to find emails in the full format, or "email@domain.com". ([a-zA-Z0-9_\.-]+)@([\da-zA-Z\.-]+)\.([a-zA-Z\.]{2,6})
  • Social Security numbers: Use this for social security numbers in the format "111-11-1111". (\d{3}-?\d{2}-?\d{4})
  • Physical addresses: This helps search for addresses using typical address elements. You may have to adjust it to your requirements. (drive|street|road|dr\.|po box|rd\.)
  • Phone numbers: This helps search for phone numbers in this format: 000-000-0000. (\d{3}-?\d{3}-?\d{4}) The "-" can also be removed. It should look like this: (\d{3}\d{3}\d{4})

These regexes can also be used to look for PII in reports like the All Pages and Events reports.
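The same patterns can be run offline over an exported list of page paths, which also shows where they over-match. This is an added example, not code from the original post; the function names and sample paths are constructed, and the percent-decoding step assumes the export still carries encoded characters.

```javascript
// The article's five patterns with backslashes written out. The "i" flag is
// an assumption so that "Street" and "street" both match.
const PII_PATTERNS = {
  name: /(fn|ln|lastname|firstname|name|fullname)/i,
  email: /([a-zA-Z0-9_\.-]+)@([\da-zA-Z\.-]+)\.([a-zA-Z\.]{2,6})/,
  ssn: /(\d{3}-?\d{2}-?\d{4})/,
  address: /(drive|street|road|dr\.|po box|rd\.)/i,
  phone: /(\d{3}-?\d{3}-?\d{4})/,
};

// Exported paths may be percent-encoded ("%40" for "@"), so decode first.
function decodePath(path) {
  try {
    return decodeURIComponent(path.replace(/\+/g, ' '));
  } catch (e) {
    return path; // malformed escape sequence: scan the raw string
  }
}

// Labels of every pattern that matches the decoded path.
function scanPath(path) {
  const decoded = decodePath(path);
  return Object.keys(PII_PATTERNS).filter((k) => PII_PATTERNS[k].test(decoded));
}

// Rows with at least one hit, for manual review.
function scanReport(paths) {
  return paths
    .map((path) => ({ path, hits: scanPath(path) }))
    .filter((row) => row.hits.length > 0);
}

// Constructed sample rows, not real report data.
const SAMPLE_PATHS = [
  '/thankyou?email=customer%40email.com&order=12345',
  '/account/reset?firstname=Jane&phone=555-010-1234',
  '/products/blue-widget',
  '/search?q=12+Main+Street',
  '/orders/1234567890', // 10-digit order ID: false positive for ssn and phone
  '/downloads?filename=catalog.pdf', // "name" inside "filename": false positive
];

console.log(scanReport(SAMPLE_PATHS));
```

The last two sample rows are flagged even though they hold no PII, so every hit still needs a manual look before it goes into a deletion request.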


How to Remove PII From Google Analytics

There are two recognized solutions. One is an extensive guide using Google Tag Manager (GTM)’s custom task feature by Simo Ahava, and the other is an extension of it by Brian Clifton. JavaScript and GTM skills are required. Alternatively, you can use the Google Analytics data deletion request feature to get rid of fields that have PII on specific dates. Head over to Admin > Property > Data Deletion Requests.

Conclusion

While eliminating PII from your GA account may seem like a big task, not doing it may result in the termination of your account and even further legal consequences.

Common Places PII Leaks Into Google Analytics for eCommerce Brands

Your eCommerce store has unique touchpoints where PII slips into GA without you realizing it. If you're running a Shopify or BigCommerce store, watch these areas closely:

Order confirmation pages often pass customer names, emails, or order IDs in the URL or page title. When GA tracks these pages, that data gets stored. Similarly, customer account pages (like /account/john-smith-12345 or /user/jane@example.com) expose identifiable information in the page path itself.

Search functionality is another silent culprit. If a customer searches for their own name or email to troubleshoot an account issue, that search query gets logged in GA. Form submissions also create risk—if your form fields (first name, email, phone) are visible in the page title or URL parameters before submission, GA captures them.

Thank you pages after checkout frequently contain customer data in the URL, like thankyou?email=customer@email.com&order=12345. Even cart abandonment flows can leak customer identifiers if your email capture happens before checkout and the data lands in a trackable URL parameter.

For DTC brands using email marketing tools like Klaviyo, the risk multiplies if you're also using GA4's audience sync features. Customer lists synced to both platforms create overlap, and if GA contains PII, you're violating data residency rules.

The fix is straightforward: audit your site architecture with a technical team member. Check page titles, URL structures, and form handling. Use your browser's developer tools (right-click → Inspect) to see what data is actually being passed to Google's servers before it reaches GA.

How GTM Custom Tasks Work vs. Data Deletion Requests

The existing post mentions two removal approaches, but they solve different problems—knowing which to use saves you time and headaches.

Google Tag Manager (GTM) custom tasks are preventative. They stop PII from ever reaching GA in the first place by filtering or masking data before it's sent. If you implement a custom task correctly, future tracking stays clean. However, this requires JavaScript knowledge or hiring a developer, and it only protects new data going forward.
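The preventative approach, as an added example for Universal Analytics (analytics.js): a customTask that wraps sendHitTask and scrubs the hit payload before it is sent. This is not Simo Ahava's or Brian Clifton's code and not from the original post; the function names, the blocked parameter list, the list of scrubbed fields and the shop.example URL are assumptions.

```javascript
// Measurement Protocol fields that carry URLs, titles and event text.
// cid (client ID) is deliberately absent: it is a long digit run that the
// phone pattern would otherwise corrupt.
const SCRUB_FIELDS = new Set(['dl', 'dp', 'dt', 'dr', 'ec', 'ea', 'el']);
// Query parameters whose values are dropped whatever they contain (assumed list).
const BLOCKED_PARAMS =
  /([?&](?:fn|ln|firstname|lastname|fullname|name|email|phone)=)[^&#]*/gi;
const VALUE_PATTERNS = [
  [/[a-zA-Z0-9_\.-]+@[\da-zA-Z\.-]+\.[a-zA-Z\.]{2,6}/g, '[REDACTED_EMAIL]'],
  [/\d{3}-?\d{3}-?\d{4}/g, '[REDACTED_PHONE]'],
];

// Scrub one decoded value: named query parameters first, then any email
// address or phone number left in the path or title.
function redactValue(value) {
  const byKey = value.replace(BLOCKED_PARAMS, '$1[REDACTED]');
  return VALUE_PATTERNS.reduce((v, [re, tag]) => v.replace(re, tag), byKey);
}

// The hit payload is a query string: v=1&t=pageview&dl=<encoded URL>&...
function redactHitPayload(payload) {
  return payload.split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const key = pair.slice(0, eq);
    if (eq < 0 || !SCRUB_FIELDS.has(key)) return pair;
    try {
      const clean = redactValue(decodeURIComponent(pair.slice(eq + 1)));
      return key + '=' + encodeURIComponent(clean);
    } catch (e) {
      return key + '=UNDECODABLE'; // fail closed rather than send raw data
    }
  }).join('&');
}

// analytics.js customTask: wrap sendHitTask so every hit is scrubbed
// before it leaves the browser.
function piiCustomTask(model) {
  const originalSendHitTask = model.get('sendHitTask');
  model.set('sendHitTask', function (sendModel) {
    const payload = sendModel.get('hitPayload');
    sendModel.set('hitPayload', redactHitPayload(payload), true);
    originalSendHitTask(sendModel);
  });
}

// Constructed payload; shop.example is a placeholder host.
const SAMPLE = 'v=1&cid=1234567890.1234567890&dl=' + encodeURIComponent(
  'https://shop.example/thankyou?email=customer@email.com&order=12345');
console.log(redactHitPayload(SAMPLE));
```

In GTM, a Custom JavaScript variable would return `piiCustomTask` and be set as the `customTask` field on the Universal Analytics tag.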

Data deletion requests are reactive. You use this when PII has already been stored in GA. You navigate to Admin → Property → Data Deletion Requests and request removal of specific fields on specific dates. Google processes these requests, but the turnaround can take several days, and you lose access to that historical data for reporting.

For most mid-market eCommerce brands, the practical approach is dual-layer:

  1. Implement GTM filters immediately to prevent future leaks (this is your long-term solution).
  2. Submit a data deletion request for the past 90 days while you set up prevention (this cleans your current account).

The trade-off: GTM custom tasks require upfront technical work but protect you permanently. Data deletion requests are faster to execute but only address the past.

If your team lacks GTM experience, consider this a sign you need external support—either from a privacy specialist or a privacy-focused analytics partner.

PII Risks in GA4 vs. Universal Analytics

If you've recently migrated from Universal Analytics (UA) to GA4, your PII exposure changed slightly—but not necessarily for the better.

GA4 introduced event-based tracking, which actually creates more opportunities for PII to leak because you're sending custom events alongside standard page views. A custom event like user_signed_in or cart_recovered might include user identifiers in the event parameters if you're not careful.

Additionally, GA4's enhanced eCommerce tracking passes order data (including customer names and emails in some implementations) through transaction events. If you're using Shopify's native GA4 integration or a third-party tool like Littledata or Segment, these tools often strip PII by default—but only if configured correctly.

UA also had PII risks, but the reporting interface was different. Many brands never checked the old "All Pages" report carefully, so PII went unnoticed longer. GA4's interface is less obvious about where data lives, which ironically makes it easier to miss.

Your migration checklist should include:

  • Audit all custom events you're sending to GA4 and verify no user identifiers are in the parameter names or values.
  • Check if your Shopify/BigCommerce integration or third-party analytics tool has PII-stripping enabled.
  • Test your checkout flow with browser developer tools open to see exactly what's being sent to Google.
  • If you're still running UA alongside GA4, remove UA tracking code immediately—having duplicate tracking doubles your compliance risk.
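For the first checklist item, an added example (not from the original post) that walks an event's parameters, including nested `items` arrays, and reports every parameter whose name or value looks like an identifier. The `{ name, params }` event shape, the key-name hints and the sample events are assumptions constructed for illustration.

```javascript
// Parameter names that suggest an identifier. Bare "name" is left out on
// purpose so GA4's own item_name parameter is not flagged.
const KEY_HINTS = /(e_?mail|phone|first_?name|last_?name|full_?name|address)/i;
const VALUE_CHECKS = {
  email: /[a-zA-Z0-9_\.-]+@[\da-zA-Z\.-]+\.[a-zA-Z\.]{2,6}/,
  phone: /\b\d{3}-?\d{3}-?\d{4}\b/,
};

// Walk params depth-first, recording the dotted path of every suspect key
// or value. Arrays (such as "items") are indexed as items[0], items[1], ...
function auditParams(value, path, findings) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => auditParams(v, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const child = path ? `${path}.${key}` : key;
      if (KEY_HINTS.test(key)) findings.push({ path: child, reason: 'key name' });
      auditParams(v, child, findings);
    }
  } else {
    const text = String(value);
    for (const [label, re] of Object.entries(VALUE_CHECKS)) {
      if (re.test(text)) findings.push({ path, reason: `${label} value` });
    }
  }
  return findings;
}

function auditEvent(event) {
  return auditParams(event.params, '', []);
}

// Constructed events; { name, params } is a hypothetical shape.
const SAMPLE_EVENTS = [
  { name: 'user_signed_in',
    params: { method: 'password', user_email: 'jane@example.com' } },
  { name: 'purchase',
    params: { transaction_id: 'T-12345', value: 59.9, currency: 'USD',
      items: [{ item_id: 'SKU-1', item_name: 'Blue Widget',
        item_variant: 'engraving: 555-010-1234' }] } },
  { name: 'cart_recovered', params: { cart_id: 'c-8841' } },
];

for (const ev of SAMPLE_EVENTS) console.log(ev.name, auditEvent(ev));
```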

Building a Privacy Audit Schedule for Ongoing Compliance

One audit isn't enough. PII can re-enter GA whenever you redesign your site, change your tracking setup, or add new integrations (like a new email tool or CRM sync).

Set a quarterly review cadence for your analytics setup. Assign one team member (often your marketing ops person or developer) to re-run the regex filters mentioned in the original post and spot-check a few customer journeys manually.

When you make any of these changes, conduct a mini-audit:

  • New landing pages or checkout flow redesigns
  • Updates to form fields or data collection
  • New integrations with Klaviyo, HubSpot, or other platforms
  • Changes to your Shopify/BigCommerce configuration
  • Deployment of new Meta Pixel or Google Analytics events

Document your findings in a simple spreadsheet: what PII was found, where it came from, and how you fixed it. This record protects you if a regulator or customer asks whether you've taken privacy seriously.

Also, brief your team on why PII in GA matters. Many developers and marketers don't realize it's a violation until they see the consequences. A 10-minute team sync once per quarter on this topic prevents future mistakes better than any automated tool can.


As your eCommerce operations scale, manual audits become harder to maintain. A centralized system that monitors your tracking setup, flags PII automatically, and coordinates consent across all your tools—GA, Meta, email platforms, and more—shifts this from a compliance burden to a routine operational task.
