
GA4 Data Redaction and PII Prevention: Keeping Personal Data Out of GA4 (2026)

Intermediate

Why is PII in GA4 a serious problem?

Sending personally identifiable information to GA4 (email addresses, phone numbers, names, national ID numbers) violates the Google Analytics Terms of Service and GDPR Article 5's data minimisation principle, and it creates data subject rights obligations you cannot easily fulfil: you can't delete specific PII from GA4 without a formal data deletion request, which removes entire user records. The most common violation is email addresses appearing in page URLs (e.g., /reset-password?email=user@example.com, /checkout?prefill_email=customer@domain.com).

GA4 collects the full page URL by default, and these query parameters are transmitted to Google's servers. The fix is a combination of GA4's built-in redaction settings and upstream sanitisation in GTM before the data reaches the GA4 tag.

The four PII leakage vectors

Vector 1 — URL query string parameters

How it happens: Web applications often include user-provided data in URLs:

  • Password reset: /reset-password?token=xxx&email=user@example.com
  • Pre-filled forms: /contact?name=John+Smith&email=john@example.com
  • Post-login redirects: /dashboard?user_id=12345&email=user@domain.com
  • E-commerce confirmations: /order-confirm?customer_email=buyer@gmail.com

GA4's page_location parameter captures the full URL including query strings by default.

Fix 1 — GA4 built-in URL redaction:

Admin → Data Streams → Web stream → Configure tag settings → More settings → Redact data

Enable:

  • Redact personal data in URL query parameters — strips recognised PII patterns (email, phone) from URLs before sending to GA4
  • Redact personal data in page title — strips PII patterns from page title (less common but possible)

Limitation: Google's built-in redaction catches common patterns (email format, phone numbers) but may miss custom parameter names that contain PII in non-standard formats.

Fix 2 — GTM variable sanitisation (more reliable):

Create a Custom JavaScript variable in GTM that strips known PII query parameters from the page URL before it's passed to GA4:

Use this variable as the page_location parameter in your GA4 Configuration tag, instead of the default {{Page URL}} built-in.

Vector 2 — Page titles containing PII

How it happens: Some CMS and application frameworks include user data in page titles:

  • <title>John Smith - Account Dashboard</title>
  • <title>Order for user@example.com - Confirmation</title>

GA4 collects document.title automatically.

Fix: GTM variable that sanitises the page title:

Override the page_title parameter in your GA4 Configuration tag with this sanitised variable.
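The two GTM sanitisers described under Vector 1 (Fix 2) and Vector 2, as an added example that is not code from the original article. The helpers are written in ES5 style so they can be pasted into a GTM Custom JavaScript variable; the parameter-name list, the static title segments and the PII patterns are assumptions for a hypothetical site and must be tailored to your own URLs and title templates.

```javascript
// Added example, not code from the original article: ES5-style helpers for
// GTM Custom JavaScript variables that sanitise page_location (Vector 1) and
// page_title (Vector 2) before the GA4 tag reads them. The parameter names,
// title segments and patterns below are assumptions for a hypothetical site.

// Query-string keys known to carry PII on this site (assumption; extend it).
var PII_PARAM_KEYS = ['email', 'prefill_email', 'customer_email', 'name', 'phone', 'user_id'];

// Static title segments a templated title may end with (assumption). Names
// cannot be pattern-matched, so for "<user data> - <static>" titles only the
// static segment is kept.
var STATIC_TITLE_SEGMENTS = ['Account Dashboard', 'Confirmation'];

// Value patterns redacted wherever they appear, even under an unknown key.
// The phone pattern is deliberately loose (10+ digits with common separators):
// over-redacting an opaque token is preferable to leaking a number.
var EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;
var PHONE_RE = /\+?\d[\d\s().-]{8,}\d/;
var EMAIL_RE_G = new RegExp(EMAIL_RE.source, 'g');
var PHONE_RE_G = new RegExp(PHONE_RE.source, 'g');

function isPiiKey(key) {
  return PII_PARAM_KEYS.indexOf(String(key).toLowerCase()) >= 0;
}

function looksLikePii(value) {
  return EMAIL_RE.test(value) || PHONE_RE.test(value);
}

// Replaces email and phone patterns in free text (path, fragment, title).
function redactText(text) {
  return String(text).replace(EMAIL_RE_G, '(redacted)').replace(PHONE_RE_G, '(redacted)');
}

// Rewrites the URL so PII-bearing query values become "(redacted)". The key is
// kept so pages stay distinguishable in reports; only the value is removed.
function sanitizePageLocation(url) {
  url = String(url);
  var hashIdx = url.indexOf('#');
  var fragment = hashIdx >= 0 ? url.slice(hashIdx) : '';
  var base = hashIdx >= 0 ? url.slice(0, hashIdx) : url;
  var qIdx = base.indexOf('?');
  if (qIdx < 0) return redactText(base) + redactText(fragment);

  var path = base.slice(0, qIdx);
  var pairs = base.slice(qIdx + 1).split('&');
  var kept = [];
  for (var i = 0; i < pairs.length; i++) {
    if (!pairs[i]) continue;
    var eq = pairs[i].indexOf('=');
    var key = eq >= 0 ? pairs[i].slice(0, eq) : pairs[i];
    var raw = eq >= 0 ? pairs[i].slice(eq + 1) : '';
    var decoded;
    // Decode so an encoded "%40" or "+" cannot hide a value from the pattern check.
    try { decoded = decodeURIComponent(raw.replace(/\+/g, ' ')); } catch (e) { decoded = raw; }
    if (isPiiKey(key) || looksLikePii(decoded)) {
      kept.push(key + '=(redacted)');
    } else {
      kept.push(pairs[i]);
    }
  }
  var query = kept.length ? '?' + kept.join('&') : '';
  return redactText(path) + query + redactText(fragment);
}

// Keeps only the static segment of a templated title; otherwise falls back to
// pattern-based redaction of the whole title.
function sanitizePageTitle(title) {
  var parts = String(title).split(' - ');
  if (parts.length > 1 && STATIC_TITLE_SEGMENTS.indexOf(parts[parts.length - 1]) >= 0) {
    return parts[parts.length - 1];
  }
  return redactText(title);
}
```

A GTM Custom JavaScript variable must be a single anonymous function, so paste the helpers inside it and finish with `return sanitizePageLocation({{Page URL}});` (or `return sanitizePageTitle(document.title);`), then map each variable to page_location and page_title in the GA4 tag. Keep GA4's built-in "Redact data" setting enabled as a second layer: pattern-based sanitisation only catches what you anticipated, and a name in a title or a new parameter added by a developer next quarter will not match any regex.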


Vector 3 — Event parameters containing PII

How it happens: Developers sometimes include PII in custom event parameters:

  • generate_lead with customer_name: 'Jane Doe' parameter
  • purchase with customer_email: 'buyer@example.com' parameter
  • sign_up with email: userEmail parameter (raw, not hashed)

Fix: Code review of all GTM tags and dataLayer pushes. Specifically audit:

  • Any parameter containing email, name, phone, address, id in its key name
  • Any parameter whose value is dynamically pulled from user input fields or account data

Hashing as a last resort: If a parameter's value is useful for analytics (e.g., a user identifier) but is PII, hash it before sending:

Vector 4 — Custom dimensions containing PII

How it happens: Custom dimensions created with names like "Customer Email" or "User Name" that receive PII values from the implementation.

Fix: Audit all custom dimensions in GA4 Admin. For each dimension, verify the values it's receiving:

GA4 → Reports → Free Form Exploration → add the custom dimension as a dimension → check the values it contains for any PII patterns.

Auditing an existing property for PII

Step 1 — URL query parameter audit

GA4 → Reports → Engagement → Pages and screens → change primary dimension to Page path + query string

Scan the page path values for:

  • @ characters (email patterns)
  • Phone number patterns (10+ digit strings in query params)
  • Parameter names containing email, name, phone, id

Step 2 — Custom dimension value audit

For each registered custom dimension with a string type, run a Free Form Exploration and check sample values.

Step 3 — BigQuery audit (if export enabled)

This query surfaces any event parameters containing email-like patterns.

If PII has already been collected

If you discover PII has been sent to GA4 historically:

  1. Fix the implementation immediately (prevent future PII collection)
  2. Submit a GA4 Data Deletion Request (Admin → Data Deletion Requests → create request specifying the date range and user property/event parameter that contained PII)
  3. Document the incident for your GDPR Records of Processing Activities
  4. Assess notification obligations — if the PII leakage constitutes a personal data breach under GDPR (data sent to an unauthorised third party — which Google's servers may constitute), you may have a 72-hour DPA notification obligation. Consult your DPO.

FAQ: GA4 Data Redaction and PII Prevention: Keeping Personal Data Out of GA4

Can a GA4 PII redaction problem be caused by consent timing instead of a tag bug?

Yes. Many consent-related issues come from when the signal arrives, not whether the setting exists in the interface. Browser-level validation matters more than screenshots of the CMP setup.

Should I test this only in GA4 reports?

No. Start in the browser first, then confirm the reporting impact in GA4. Otherwise you may confuse modeled-data shifts with broken implementation.

What is the fastest way to prevent this from happening again?

Create a repeatable QA step for banner changes, region logic, and container releases so consent behavior is validated before it reaches production users.


GA4 Audits Team


Analytics Engineering

Specialising in GA4 architecture, consent mode implementation, and multi-layer audit frameworks.
