Reader's Favorite Nuggets
Recent Hits All Time Matt's Favorites
Recent Reader's Favorites

Our Nugget List

Security Gap That Could Lose You All Your Google Analytics Data

Security Gap That Could Lose You All Your Google Analytics Data 2421-daily-golden-nugget-849Google is serious about protecting your identity. They have very strict privacy policies in place to protect people who use their services and protect all of us from having our Personally Identifiable Information, or PII for short, getting accidentally exposed to the public.

The policies they have in place are very strict, and those breaking them are likely to lose their Google Accounts. Their privacy policies are governed by local and international laws.

As a website owner, or a user of any of Google's services, you need to make sure that everything you do will not risk exposure of someone's personal information. Information stored on Google Drive needs to be protected or encrypted properly. Information shared on Google+ must not violate any user's privacy.

The biggest issue though is with Google Analytics (GA) and the tracking on your own website.

Google Analytics tracks all the users on your site, and every page they look at. The website address (the URL) of every page is recorded into your GA account for you to view and run reports on. If your website uses URL variables, like /index.php?page=contact instead of /contact-us.html, then those variables will be saved in your GA account. In that example the variable name is "page" and the value is "contact."

There are times, more frequent that any web programmer really wants to admit, when personally identifiable information will accidentally be passed on your website through the URL. When this happens, it's quite likely that GA will accidentally capture the person's information.

Here's a list of the personal information that Google does not want you to capture in GA:

* real name
* username
* password
* email address
* credit card information
* bank account information
* government ID
* IP address (allowed in the USA, but not Europe)

Remember that Google's policies must comply with local laws, and it's those laws that protect this personal information. This is the same type of information that's also protected by PCI Compliance regulations for e-commerce sites.

Pay attention to how I've said this so far... Although Google's policies set forth protections for this personal information, Google Analytics is not able to auto-detect when this information is erroneously being captured.

It's up to you, and your programmer, to prevent personal information from being captured in your GA account.

If Google discovers that you are capturing this PII then they will delete your Analytics historical data. There's no built-in ability to delete the erroneous individual captured data, and that's very unfortunate.

So how does this PII accidentally get captured? Well, websites that rely heavily on URL strings instead of static file names (that's the /index.php?page=contact vs. /contact-us.html) could be more prone to accidental leakage of personal info into the URL.

However, there's a more common way that it could happen: Through the form on the Contact Us page.

When a visitor fills out your contact form and clicks the "Submit" button all that information is sent to you using a standard internet technology. This next part is a little technical because that technology can be a "post" or a "get."

Inside the HTML code it would looks like this:

form method="post"
form method="get"

The "get" method will feed the form's information into the URL, thus making it trackable by Google Analytics. On the other hand the "post" method will hide the information from the URL and from Analytics.

The "post" method is much safer and all your website forms should be using it.

Other than your contact form, there are other places on your website that have the potential to leak sensitive information into GA. Here are a few that I can think of:

1. Single field email newsletter signup form
2. Any shopping cart checkout screen, multiple steps
3. The unsubscribe link in your email newsletter
4. Member's only area forum posts
5. Member's only area personal information edit screens
6. Contest entry registrations

If Google Analytics is tracking any of those website areas/features, then you need to make sure that customer information is not being saved. Ask your website programmer to double check all your forms.

Inside your Google Analytics you should search for the PII. The easiest is probably to search for any email addresses that might have been captured.

Here's how:

1. Log into GA
2. Select Behavior on the left
3. Select Site Content
4. Select All Pages
5. Use the search box (filter) to search for the @ character

The @ character isn't typically used in URLs for less complicated websites so this fast search will quickly reveal any email addresses that were captured by mistake. If that doesn't work then you can try other searches for words like "name" or "username." You would have to ask your programmer for the variable names that are used throughout your own CMS.

What do you do if you find this information in your account? Well, like I said, if Google finds it first they will delete your historical data in order to comply with local laws. Your best bet would be to ask your SEM Pro or your developer to download all your analytics data. Then delete that tracking account and set up a new one.

This sounds extreme, but it's better that you do this than for Google to do it to you without warning.

AT: 10/24/2013 04:52:45 AM   LINK TO THIS GOLD NUGGET
Confused and worried about your mobile website options? Click here to find out how to get your own website evaluation and a game plan to make it better.

Like This Jewelry Website SEO Gold Nugget? Please Share!

Like Our Site? Follow Us!

0 Comments on Security Gap That Could Lose You All Your Google Analytics Data

Post a Comment

Check here for Anonymous


Please contact me at the phone number and address below
Phone Number



User Verification
8 9 6 6 5 7 3
Please enter the number you see in the box.
[ What's This? ]
Sign Up For Emailed Daily Gold Nuggets

"...articles are easy to follow and seem to have information one can use right away."
-Ann, Gallery 4, Hamden CT

"...serious kudos to you. We love your straight talk, pertinent information and plain language. I don't know how many industries have something of jWAG's caliber available, but I learn from the emails every day. Really, really nice work, and very appreciated."
-Cheryl Herrick, Global Pathways Jewelry