The latest release of Universal Analytics has excited many working within the industry as it addresses the use of User-Id cross device tracking, but how do these changes effect the information Google Analytics collects about us and how should sites respond?

It is important to remember that Google Analytics’ terms of service forbid users from storing personally identifiable data.

What is meant by Personally Identifiable Data?

Google Analytics stores data at three levels and all three will have their own unique identifier:

  • Hit
    This occurs with each pageview or interaction and will be associated with a Session. If the Session Identifier expires or is different with each hit, then Google Analytics will see every hit as belonging to a new Session.
  • Session
    This contains information that relates to a specific browsing session. These are associated with a User. If the User Identifier is different for each session then Google Analytics will see every Session as belonging to a different User.
  • User
    This contains information that relates to the overall User or Visitor.

Despite having their own identifiers, Google Analytics is unable to associate a Hit, Session or User with a specific person, i.e. these Hits belong to Matt Stannard. Instead, it can tell me that these belong to User 56123AE19485FF.

If we add a Name, National Insurance Number, Passport Number or E-Mail Address to any Hit, Session or User, then we are providing Personally Identifiable Data and as such Google Analytics is then able to join the Hits, Sessions or User data to Matt Stannard. However, this is against the terms of service.

So, by personally identifiable data Google actually means any information that may allow it to identify a real world individual.

Classic Analytics

Traditionally, Google Analytics stored information in a number of cookies, with varying expiry dates depending on whether the information was related to a session, or to the user.

Google Analytics would use these cookies to store whether a user was a repeat visitor, the last time they visited the website, session and custom variable data and information about the campaign, source and medium that brought the user to the site.

These cookies by default were all prefixed __utm and so websites using Google Analytics would have had a table listing them and the functions they provided within their privacy policy. A full table of these cookies can be found here.

Your privacy policy should tell users that you use Google Analytics and explain why you use it. It should explain that no personally identifiable data is stored. You could also list the cookies Google Analytics uses – shown in the table below:

Universal Analytics Cookie Privacy

Display Advertiser Support

Shortly before the release of Universal Analytics into public beta, Google announced integration with its Display network. This feature allows users of Google Analytics to integrate demographic data taken from the Google Display network into their analytics account. It also allows Google Analytics to create remarketing lists.

To use this feature a small change is required to the Google Analytics to allow it to read the appropriate cookie. It also needs to be enabled in Google Analytics itself:

Display Advertising Support

So if sites use this feature what does it mean in terms of privacy? Again, it’s important to stress that no personally identifiable data is shared between the GDN and Google Analytics.

Google give some good guidance on what this means in their support article. In summary, if you are using this feature, your privacy policy should state that your sites uses the Google Display features. This allows Google Analytics to collect data about your traffic via Google advertising cookies and anonymous identifiers.

Including the opt out link – – would also be advisable.

Universal Analytics

Universal Analytics is the next iteration of Google’s analytics product. If you have been using “Classic” Analytics then your privacy policy will already include a statement explaining your use of Google Analytics, the reason why and a list of the cookies. The amendment really is in usage of Cookies.

Universal Analytics also uses cookies, however it does not rely on them. It uses only one, which contains an anonymous identifier. The data that used to be stored in the old __utm cookies is now stored server side.

The Universal Analytics security and privacy document explains the specific features used.

Your privacy policy should still tell users that you use Google Analytics and the reasons why. Again, it should state that no personally identifiable data is stored. It should explain that a single cookie is used and that this is storing a number, which is randomly generated when a user first visits a site.

GA Universal Cookie

You could include a link to the Opt-Out plugin –


Cross device tracking is a new feature supported in Universal Analytics. In order to track a user across devices, they must identify themselves in some way. This could be through logging in or through your site’s own personalisation cookies.

The User-Id feature enables us to pass this identifier to Google Analytics so that it is able to track the user as the same person. This may sound invasive but it’s really important to stress that the identifier itself should not be a piece of personally identifiable data, it is a number.

When using the User-Id you are also able to “stitch” a session. So, without stitching, if a user visits 5 pages before logging in, then by default Google Analytics would treat this as a separate user to the one who had logged in. By stitching these, Google Analytics tags these pageviews as being made by the user who has logged in. Google Analytics will only stitch views that occur within the current session.

As a site owner, if you use User-Id you must agree to the User-ID policy:

Google Analytics User-ID Policy

If you are using this feature your privacy policy should make it clear to users that you are using this feature. You should also explain what additional data (if any) you are using in Google Analytics and how you are using this. If you are session stitching then you should explain that you are doing this and what it means.


  • Be transparent
  • Explain what technologies you are using on your website (be they Google or otherwise)
  • List the data collected by each technology and explain why and how you use this
  • If you use Display Advertiser Support include links to Opt Out
  • If you use User-Id explain how you link data together internally
  • Do not store Personally Identifiable Data