I have a PHP (5+) based website.
I want to track registered users of my site using Google Analytics. I basically just wish to grab their session id (or some way to identify each specific user)and view their movements and site usage from my Google Analytics dashboard.
Can this be done? If so, any guidance would be most welcome.
I believe the best way to do this is via a custom variable:
_setCustomVar(index, name, value, opt_scope)
It would be up to you to identify the 'value' as a unique session id for the user.
The scope in your case would be either session(2) or visitor(1) depending on how you want to track it.
http://code.google.com/intl/en/apis/analytics/docs/tracking/gaTrackingCustomVariables.html#setup
Technically you are able to store the username as a custom variable, but doing so violates the Google Analytics Terms of Service (ToS). Among other things, the (paraphrased) ToS states that you aren't allowed to store anything in Google Analytics that allows you to identify who the visitor is. This typically applies to usernames, IP addresses, phone numbers, etc.
If you decide to ignore the ToS and store the data anyway, it exposes YOU (not Google) to all kinds of data protection & PII laws. Especially in the EU.
If you have some budget money to work with, the best way to see the information you're looking for is to use an on premises web analytics software package that can process Google Analytics data. When you keep your data on premises, it alleviates many of the data privacy / protection / PII laws.
Related
I'm (very) new to Google Analytics and somewhat to API's - so excuse my ignorance.
I'm trying to understand if there is a way to get a list of all users (who visited our site) that have an accompanying unique ID. A unique ID that would allow me, for example, to create a relationship between the user and their location, or the user and their device.
Using the query explorer I cannot see if this is possible.
No, Google analytics does not store user identifiable information in this manner.
If you are storing your internal system user id ad a custom dimension then you could get that back.
You should consult Best practices to avoid sending Personally Identifiable Information (PII)
To protect user privacy, Google policies mandate that no data be passed to Google that Google could use or recognize as personally identifiable information (PII). PII includes, but is not limited to, information such as email addresses, personal mobile numbers, and social security numbers. Because laws across countries and territories vary, and because Google Analytics can be used in many ways, consult an attorney if you are in doubt whether certain information might constitute PII or not.
Can you set up alerts in Google Analytics to flag potential PII/NPI such as name, email address, billing address, billing details etc.? If so, how?
First I have do say I do not understand the downvote(s). For example I have seen applications with user logins where a full name was part of the page title - combined with time based dimensions that gave profile that say which user looked at what page at what time, and that would be clearly illegal. Even worse I have seen a case where security tokens were transmitted to GA that allowed access to secured resources. So clearly accidental transmission of PII to Google Analytics is a real thing.
Unfortunately there is not much you can do about it. You can either do a custom report with relevant dimensions and have it sent to you for a manual audit, or pull them via the API and have them programmatically examined via regular expressions that look for patterns like e-mail addresses etc. But by the time you can do that it is already to late, the data will already be permanently recorded in the GA property.
You have to stop this before the data is collected - if at all possible already in the website (via form validation etc), or use Google Tag Manager with custom javascript variables with validation rules, or filters in the analytics view (the latter being cumbersome and not very promising for this purpose).
The good news is that GA will not suddendly start to track PII on it's own. So you only need to check if your GA account tracks PII when you set up the account. Collect a few days data, validate that everything is okay, make changes as necessary and after all flaws are straightened out copy the view to start data collection from scratch and drop the old view if it contains PII.
The docs describe the clientId as:
This anonymously identifies a particular user, device, or browser instance.
https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters#cid
It can be used to send server side hits to analytics while still tying them to a particular user.
There is also a feature in closed beta called userId, which you will be able to pass once a user has authenticated: https://developers.google.com/analytics/devguides/collection/analyticsjs/user-id
userId is fairly self-explanatory. However, UA also allows you to pass your own clientid if you choose to. For developing CRM type tools, can one just associate the clientid with a user in the same way that you would with a userid? The goal is primarily to be able to track offline interactions and connect them with visitors in Analytics.
maembe,
clientID is a random number generated by Google Analytics, and keep in mind it's always required and its value should always be a random UUID (version 4) (you could technically use your own, but I am not sure how practical and reliable this would be). Most importantly, you can easily access it with predefined get function (see documentation).
For your needs, this is exactly what you should do -- if someone sings ups, store ClientID in your CRM and then if there is any offline purchase, record the transactions with measurement protocol using the stored clientID. Google Analytics will then make the link (attribution) with that visitor and you will see this in your reports. Also, take advantage of newly available custom metrics and dimensions which can store pretty much anything you want (think of customer segmentation etc.). Beware of storing PII though.
Hope this helps :)
I am curious how UserID is going to work, it might change everything, but for now, I wouldn't rely on it as there is very little information available.
This Analytics support page now states the differences between Client ID and User ID - https://support.google.com/analytics/answer/6205850?hl=en#clientid-userid
Essentially client IDs represent unauthenticated users, and are automatically randomly generated.
User IDs represent authenticated users, and must be set manually.
It's worth noting that user IDs cannot be things like an email address, or other data that would allow Google to identify the user
You will not upload any data that allows Google to personally identify an individual (such as certain names, Social Security Numbers, email addresses, or any similar data), or data that permanently identifies a particular device (such as a unique device identifier if such an identifier cannot be reset).
If you upload any data that allows Google to personally identify an individual, your Google Analytics account can be terminated, and you may lose your Google Analytics data.
Taken from: https://developers.google.com/analytics/devguides/collection/protocol/policy
I'd imagine User ID is designed to differentiate the behavior of an authenticated user. here
I want to track how individual user navigate through a website. Using Google Analytics I can use custom variables so in theory I can use the user ids to track individual users. However, according to the terms of service of Google Analytics I can't use GA to track, collect or upload any data that personally identifies an individual (Section 7. privacy). Does a user id classifies as data that personally identifies an individual? I merely want to use it to link the data from Google Analytics with our own data.
Storing user IDs is probably a violation of section 7, but there are other ways around this problem.
Section 7 of the ToS states:
You will not (and will not allow any third party to) use the Service to track, collect or upload any data that personally identifies an individual (such as a name, email address or billing information), or other data which can be reasonably linked to such information by Google.
While sending Google information that is personally identifiable is simply not permitted, you can instead send an identifier which is known only to you. In fact Justin Cutroni (Analytics Evangelist at Google) has confirmed this in this article.
I've recently written up my current thinking on this with some a couple of world examples:
"Identifying your users in Google Analytics while complying with section 7 of the terms of service"
I'd say it does. It doesn't matter what you intent to do or not. The fact that you have the possibilty to map the id back to the person is enough.
Additionally: I'm not a lawyer but I'd say if you are tracking such data (with whatever technical means) it has to be in the terms of your website and signed by the user.
Personally identifiable information would be something like a name, phone number or email address. You'd be okay to store hashed information about this user in Google Analytics and then decrypt offline. E.g. You can store a hash of the user's name in Google Analytics and then decrypt offline.
You also may want to check you've the correct privacy policy in place and follow these rules: https://developers.google.com/analytics/devguides/collection/protocol/policy
You can use non obfuscated alphanumeric database identifiers that you might create for your visitors. Another acceptable option is to pass to Google Analytics an encrypted identifier that is based on PII that is not Protected Health Information (as defined under HIPAA), as long as you use the proper encryption level. Google has a minimum hashing requirement of SHA256 and strongly recommends the use of a salt, minimum 8 characters.
https://developers.google.com/analytics/solutions/crm-integration#user_id
I am most interested in an answer for Android, though it would be great to know if the answer is generalizable to websites, iOS, etc. Can I anonymize IPs (using setAnonymizeIp()) in Google Analytics and still track unique visitors? I understand Google Analytics uses cookies for websites, and so I thought it might be possible (or perhaps even automatic).
Yes. The only effect that the anonymizeIp function is that it instructs Google to remove the last octet of the IP address from it's logs.
So, if your user's IP is:
123.45.678.90
And you run this function, Google will store it as:
123.45.678.XX
The only practical effect is that this results in less accurate Geographic reporting, but that's it. It won't affect counts of unique visitors in any way, and is totally unrelated to how GA tracks unique visitors, since Google Analytics does not rely on IP addresses for unique visitor identification. For websites, maintaining unique user identification is done by the Google Analytics cookies. In this specific case, the Google Analytics Android SDK handles the user session management for you using a local storage mechanism analogous to cookies.
I dont know if the accepted answer is correct. I've enabled setAnonymizeIp myself on my app, and it had a huge effect on my analytics results.
Pages/visit shot up.
Visits halfed.
Avg time on site shot up.
Ip address is not the value used to identify a unique visitor/user on Google Analytics, so it shouldn't be an issue. Analytics uses a unique identifier in a cookie or mobile app data so attach to all of the user's hits in order to identify as a unique visitor, so I don't see a reason why ip masking should affect it.