Avoiding sending Personally Identifiable Information (PII) to Google Analytics with Drupal

An article from ComputerMinds - Building with Drupal in the UK since 2005
1st Feb 2018

Mike Dixon

Senior Mind
Hey, you seem to look at this article a lot! Why not Bookmark this article so you can find it easily in the future?

Having PII in Google Analytics is a big no no, it violates their terms of service and can cause you to have to remove all your analytics data - not fun.

The good news is, most 'standard' Drupal sites using most 'standard' GA implementations avoid sending any PII with one exception - and that is the user password reset page.  

The problem occurs when a user attempts to login but enters and incorrect password.  They are then presented with a message saying "Unrecognised username or password.  Have you forgotten your password?".  The "forgotten your password" bit is a link to the user/password page - which crucially passes the user's name (or email) in a query string parameter - something like


user/password?name=mike.dixon@example.com

And there lies the issue.  That URL will be tracked by GA - and obviously that URL has a juicy bit of PII sat in it.

The quickest solution is to simply exclude the user/password page from the GA tracking.  If you are using the Google Analytics module then this is simply a case of adding the page to the list of ignored URLs.  

We often use GTM to add in the GA code, in which instance we just exclude that page from the trigger for adding the GA tracking code.

Hi, thanks for reading

ComputerMinds are the UK’s Drupal specialists with offices in Bristol and Coventry. We offer a range of Drupal services including Consultancy, Development, Training and Support. Whatever your Drupal problem, we can help.