Personal Data in Google Analytics

Visitor ✭ ✭ ✭
# 1

I'd like to implement UserIDs on an ecommerce site - usually I can just modify the platform to push the account ID via the dataLayer and use GTM to do the rest. This time, it's a closed platform so I'll not be able to get development done on the site. I checked every page after login too - there's nothing unique we can use to push something to GA.

But if I capture their email address on login with GTM, I could use SHA-2 (via crypto JS) to create a one way hash... and use that as the UserID.

i.e. james@test.com => 6af6c6feb275b1bc8a8d721e92c3ef6fcefbd81f3ce69af7109f00bd

But the rules say....

The Google Analytics terms of service, which all Google Analytics customers must adhere to, prohibits sending personally identifiable information (PII) to Google Analytics (such as names, social security numbers, email addresses, or any similar data), or data that permanently identifies a particular device (such as a mobile phone’s unique device identifier if such an identifier cannot be reset), even in hashed form.

But this doesn't seem to be very clear. If I choose to interpret it the way I want, this only applies when the data is automatically captured without consent.... but I can guess this is pretty unlikely.

What are my options?

1 Expert reply

Re: Personal Data in Google Analytics

Top Contributor
# 2

Hi James,

Privacy issues tend to be tricky all the time ... My impression is that the borderline seems to be whether Google (or any third party) is able to deconstruct the ID and map it to an actual person or not. If only you and your company are able to do that match, it should be okay. For example, Google actually encourages companies to submit customer IDs in the user-ID feature of cross-device tracking because that customer ID isn't deconstructable for Google in any way.

Christoph
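
An added illustration, not part of either post, of the distinction drawn in the reply above: an unsalted SHA-2 hash of an email address can be matched by any party that already holds the address, while an ID keyed with a secret that only the site owner holds cannot. The use of SHA-256, the key `SITE_KEY`, the function names and the sample addresses are all assumptions constructed for this example.

```javascript
// Added illustration, not code from the thread. Uses Node's built-in crypto module.
const crypto = require('node:crypto');

// Normalise so that " James@Test.com" and "james@test.com" yield one ID.
function normaliseEmail(email) {
  return email.trim().toLowerCase();
}

// Plain unsalted digest, the approach proposed in the question.
function plainHashId(email) {
  return crypto.createHash('sha256').update(normaliseEmail(email)).digest('hex');
}

// Keyed pseudonym: HMAC-SHA-256 under a secret held only by the site owner.
function keyedId(email, secretKey) {
  return crypto.createHmac('sha256', secretKey).update(normaliseEmail(email)).digest('hex');
}

// What any recipient of an ID can do: hash addresses it already holds and compare.
function matchKnownAddresses(observedId, knownEmails, hashFn) {
  return knownEmails.filter((e) => hashFn(e) === observedId);
}

// Constructed sample data.
const SITE_KEY = crypto.randomBytes(32); // hypothetical server-side secret
const knownEmails = ['anna@example.org', 'james@test.com', 'li@example.net'];

function demo() {
  const plain = plainHashId('james@test.com');
  const keyed = keyedId('james@test.com', SITE_KEY);
  return {
    // The hash function is public, so the recipient recomputes it and finds the person.
    plainMatches: matchKnownAddresses(plain, knownEmails, plainHashId),
    // Without SITE_KEY the recipient can only guess a key (all zeros here): no match.
    keyedMatches: matchKnownAddresses(keyed, knownEmails,
      (e) => keyedId(e, Buffer.alloc(32))),
    // The key holder still gets one stable ID per customer.
    stable: keyed === keyedId(' James@Test.com', SITE_KEY),
  };
}

console.log(demo());
```

A key embedded in a GTM tag is readable by every visitor, so the keyed variant only holds if the ID is computed on a server the site owner controls. Whether either form satisfies the Analytics terms is a policy question the code does not settle.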