Yes - detecting the risk of personal data leaking into GA4 is one of the checkpoints in the privacy category. And it's a checkpoint where it's especially important to understand how we operate: strictly as a signal.
What the PII problem in GA4 is about
Google Analytics' terms prohibit sending personally identifiable information (PII) into GA4: email addresses, names, phone numbers. Yet leaks happen all the time - usually unknowingly:
/thank-you?email=jan@company.com); GA4 records full URLs, so the address ends up in the reports,
/account/jan.kowalski/orders.
The consequences are serious: a breach of Google's terms (up to and including property termination), a GDPR problem, and personal data scattered across reports accessible to every user of the property.
How our verification works
During the audit we analyze reporting data (page dimensions and event parameters, among others) for patterns typical of personal data - above all the email address pattern in URLs and parameters.
The key principle: we act strictly as a signal.
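To make the email-pattern check concrete, here is an added example (not our audit's actual code) that scans page URLs and event parameters and reports findings with the address masked. The row shape, function names and sample rows are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Deliberately broad email pattern: a signal for review, not a validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def redact(text):
    """Mask the local part so the finding does not repeat the leaked address."""
    return EMAIL_RE.sub(lambda m: "***@" + m.group(0).split("@", 1)[1], text)

def scan_value(location, raw):
    """Check one string; decode twice to catch %40 and double-encoded %2540."""
    decoded = unquote(unquote(raw))
    if EMAIL_RE.search(decoded):
        return [{"where": location, "sample": redact(decoded)}]
    return []

def scan_row(row):
    """Assumed row shape: {'page_location': str, 'event_params': {name: value}}."""
    findings = []
    url = urlsplit(row.get("page_location", ""))
    findings += scan_value("url path", url.path)
    # parse_qsl already percent-decodes query values once.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        findings += scan_value(f"url query '{key}'", value)
    for name, value in row.get("event_params", {}).items():
        findings += scan_value(f"event param '{name}'", str(value))
    return findings

def audit(rows):
    """Signal only: returns findings for human review and changes nothing."""
    return [finding for row in rows for finding in scan_row(row)]

# Constructed sample rows, not real report data.
SAMPLE_ROWS = [
    {"page_location": "https://shop.example/thank-you?email=jan%40company.com"},
    {"page_location": "https://shop.example/pricing?utm_source=newsletter"},
    {"page_location": "https://shop.example/search",
     "event_params": {"search_term": "jan@company.com", "value": 10}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS):
        print(finding)
```

This sketch matches only the email pattern, so a name embedded in a path such as /account/jan.kowalski/orders produces no finding.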
What to do when the audit flags a PII leak
Does this replace a legal audit?
No - and we draw that line honestly. Our verification detects common, technical leak patterns. It is neither legal advice nor a full GDPR compliance audit; if a serious leak is detected, it's worth discussing your obligations (e.g. notification duties) with a lawyer or DPO.