#GTMTips: Remove Email Addresses From URL Parameters

How to purge email addresses from URL parameters when sending hits to Google Analytics. Use Google Tag Manager to fix this PII issue.

PII (Personally Identifiable Information) is something we need to actively guard against when using Google Analytics, as the platform explicitly forbids sending PII to Google Analytics properties in any shape or form.

One of the most common ways of accidentally passing PII to a property is via query parameters. Many email platforms out there, for example, see no problem in including the user’s email address in the query string, especially when the user follows a link in a newsletter. This is, however, a definite no-no in Google Analytics. Thus, I wanted to create a blanket solution for proactively weeding out potential PII in your Google Analytics Tags deployed via Google Tag Manager.

Tip 25: Remove email addresses from URL parameters

For this solution to work, you’ll need to create a new user-defined variable in GTM, which returns the URL Query string. In this example, the variable is called {{URL Query}}, and it looks like this:

After this, you need to create the Custom JavaScript Variable itself. Let’s name it {{Return URL Query without email}}, and it looks like this:

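function() {
  // Prefix with '&' so every key-value pair, including the first, starts with '&'
  var q = {{URL Query}}.length ? '&' + {{URL Query}} : '';
  // q = decodeURIComponent(q);
  // Drop every pair that contains an '@', then strip the leading '&' and restore the '?'
  var newQ = q.length ? '?' + q.replace(/&[^&@]+@[^&]+/g, '').substring(1) : '';
  // A lone '?' means nothing is left, so return an empty string
  return newQ.length <= 1 ? '' : newQ;
}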

Thanks to Phil Pearce and David Vallejo for pointing out some errors in the original script. Also thanks to Steven J in the comments of this post for suggesting to check if the new query string just has one character ('?').

Uncomment the commented line if your URL Query strings tend to have URL-encoded (percent-encoded) characters (e.g. %3D for '=', and %26 for '&').

The JavaScript function above is a very simple regular expression search-and-replace, which looks for an email address in the URL query string. If it finds one (or more), it simply removes the offending key-value pair(s) from the query string, and returns the stripped result.
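The regular expression above only matches a literal @, so an address that arrives as jane%40example.com passes through untouched unless the string is decoded first. The following stand-alone function is an added example, not code from the original post: it applies the same rule (drop any pair containing @) but decodes each pair separately, so the kept pairs stay in their original encoded form. The names stripEmailParams, safeDecode and originalRule and all sample query strings are constructed for illustration.

```javascript
// Added example; function names and sample inputs are hypothetical.

// The rule from the post, with the GTM variable replaced by an argument,
// kept here only as a baseline for comparison.
function originalRule(query) {
  var q = query.length ? '&' + query : '';
  var newQ = q.length ? '?' + q.replace(/&[^&@]+@[^&]+/g, '').substring(1) : '';
  return newQ.length <= 1 ? '' : newQ;
}

// Decode one component; return the raw text if the encoding is malformed,
// so a broken escape sequence cannot throw and abort the whole hit.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// query: string without the leading '?', as the URL Query variable returns it.
// Returns '' or '?' followed by the surviving pairs, still encoded as received.
function stripEmailParams(query) {
  if (!query) return '';
  var kept = query.split('&').filter(function (pair) {
    if (!pair) return false;            // drop empty segments such as "a=1&&b=2"
    var once = safeDecode(pair);        // catches %40
    var twice = safeDecode(once);       // catches double encoding (%2540)
    return once.indexOf('@') === -1 && twice.indexOf('@') === -1;
  });
  return kept.length ? '?' + kept.join('&') : '';
}

// Constructed sample query strings (example.com addresses only).
var samples = [
  'email=jane@example.com&id=5',
  'utm_source=nl&email=jane%40example.com',
  'e=jane%2540example.com',
  'x=%E0%A4%A&e=a%40b.example'
];
samples.forEach(function (s) {
  console.log(s, '| original:', originalRule(s), '| decoded:', stripEmailParams(s));
});
```

Inside GTM, the body of stripEmailParams would sit in a Custom JavaScript Variable that reads {{URL Query}} instead of taking an argument.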

To implement this in your Tags, you’ll need to add the following to every single Google Analytics Tag in Fields to Set.

Field name: page
Value: {{Page Path}}{{Return URL Query without email}}

It’s not perfect, and it’s a bit cumbersome since you need to implement it in all Tags, but especially with large websites that invite a lot of traffic, it might save you from data loss due to Terms of Service infringement.