How to Redact Emails from Google Analytics using Google Tag Manager

We always have to be careful with the data we send Google Analytics (and other destinations). Here, we’ll look to see if we’re sending any email to Google Analytics (we are) and then go ahead and redact the emails using Google Tag Manager before the hit is sent to Google Analytics.

Best practices to avoid sending Personally Identifiable Information (PII):
https://support.google.com/analytics/answer/6366371?hl=en

Why You Must Redact Email Addresses in Google Analytics

1. Compliance With Privacy Regulations

Privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require businesses to protect user data. Under these laws:

• Users have the right to know how their data is collected and stored.
• Businesses must obtain consent before storing personally identifiable information (PII).
• Companies that fail to comply may face severe penalties, including fines in the millions.

If email addresses are stored in Google Analytics without proper consent, your business may violate these regulations, leading to potential legal action.

2. Google’s Policies Prohibit PII Collection

Google has strict rules about what data can and cannot be collected in Google Analytics. According to Google’s policy:

• PII such as names, email addresses, and phone numbers must not be sent to Google Analytics.
• Violating this policy can result in Google deleting your data, restricting access, or even suspending your account.

If email addresses are unintentionally sent to Google Analytics, your reports can be flagged, and you may lose valuable tracking data.

3. Avoiding Data Corruption

When PII enters Google Analytics, it can pollute your data, leading to inaccurate reporting and flawed decision-making. Some key risks include:

• Messy Reports: Email addresses can appear in page URLs, events, and custom dimensions, making reports hard to interpret.
• Loss of Segmentation Capabilities: Google Analytics segments and filters may stop working properly if PII is mixed in with regular data.
• Compliance Issues: If an audit occurs and your data is found to contain PII, your organization may be forced to delete critical information.

By redacting emails before they reach Google Analytics, you protect user privacy, maintain clean data, and avoid penalties.

How Email Addresses End Up in Google Analytics

There are several ways email addresses might unintentionally be captured by Google Analytics. Understanding where PII comes from helps you identify and fix the problem.

1. URL Query Parameters

Many websites include email addresses in URLs, especially in login and sign-up processes. For example:

If Google Analytics tracks URLs automatically, email addresses might be stored in reports.

How It Happens

• Users log in or sign up using a form that redirects them to a confirmation page with an email address in the URL.
• Internal tools or CRM systems generate links that include user emails.
• Marketing campaigns use email-based tracking links, causing emails to appear in analytics reports.

2. Form Submissions

Forms on your website might be sending email addresses to Google Analytics when users submit their details.

How It Happens

• Some forms automatically track all input fields (including “email”).
• If event tracking is set up incorrectly, it may capture user input and send it to analytics.
• A custom tracking script might be storing form data without filtering out PII.

3. Custom Dimensions & User Data

Google Analytics allows businesses to track custom dimensions for better insights. However, some businesses mistakenly pass email addresses as a custom variable.

How It Happens

• Developers manually configure analytics tracking to store user emails.
• Websites use email addresses as unique user identifiers in their analytics setup.
• Businesses combine CRM data with Google Analytics, leading to accidental email collection.

If any of these issues are present, Google Tag Manager (GTM) can help redact email addresses before they reach Google Analytics.

How to Use Google Tag Manager to Redact Emails in Google Analytics

Google Tag Manager allows you to modify data before it is sent to Google Analytics. Here’s how you can remove email addresses from URLs and event tracking.

Step 1: Identify Email Data in Google Analytics

Before implementing a fix, you need to check where email addresses are appearing.

• Go to Google Analytics Reports:
  • Open Google Analytics and navigate to Behavior → Site Content → All Pages.
  • Look for URLs that contain email addresses.
  • If you see email addresses in query parameters, they need to be redacted.
• Check Event Tracking Reports:
  • Go to Google Analytics → Events → Top Events.
  • If event labels or actions contain email addresses, they must be filtered out.

Step 2: Create a Custom JavaScript Variable to Remove Emails

To automatically remove email addresses from URLs, create a Custom JavaScript Variable in GTM.

1. Open Google Tag Manager and go to Variables.
2. Click “New” → Choose “Custom JavaScript”.
3. Paste the following script:
   javascript

   CopyEdit

   function() {
var url = {{Page URL}};
var emailPattern = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}/gi;
return url.replace(emailPattern, '[redacted_email]');
}

4. Save the variable as Redacted Page URL.

This script scans URLs for email patterns and replaces them with [redacted_email], ensuring no emails are stored.

Step 3: Apply the Redacted URL to Google Analytics Tags

Now, update your Google Analytics Tag in GTM.

1. Open your Google Analytics Tag.
2. Go to Fields to Set.
3. Add a new field:
   • Field Name: page_location
   • Value: Select Redacted Page URL.
4. Save and publish the changes.

This ensures that only sanitized URLs are sent to Google Analytics.

Step 4: Test and Validate

To confirm that emails are no longer appearing, perform these tests:

• Enable GTM Preview Mode and navigate through your website.
• Check Google Analytics real-time reports for any PII.
• Use Chrome DevTools (F12 → Network tab) to inspect what data is being sent.

Best Practices for Preventing PII in Google Analytics

• Disable Email Collection in Forms: Ensure analytics does not track form fields containing PII.
• Regularly Audit Your Data: Perform monthly checks to ensure no PII is collected.
• Use GA4’s Built-in PII Redaction: Google Analytics 4 allows automatic redaction of sensitive data.

Conclusion

Protecting user privacy is crucial for legal compliance, data integrity, and maintaining user trust. By using Google Tag Manager, you can automatically redact emails from URLs and event tracking, ensuring your analytics remain clean and secure.

Implement the step-by-step solutions outlined in this guide, and your business will be compliant, protected, and data-accurate.