The agreement prohibits account holders from transmitting to Google any data that could identify individual users, either alone or in combination with other data Google holds or is likely to access, without Google's prior written permission. Where Google does permit PII sharing, it must comply with Google's sensitive data policy.
This analysis describes what Google's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes a contractual prohibition on transmitting personally identifiable information through the Google Analytics service, which has direct implications for analytics implementations that may inadvertently include PII in URL parameters, custom dimensions, or event parameters. The parenthetical reference to data that could identify individuals 'in combination with other information held by Google' is operationally significant because it encompasses data that may not appear identifiable in isolation.
Interpretive note: The scope of what data could identify an individual 'in combination with other information held by Google' is operationally uncertain because it depends on what data Google holds at any given time, which is not specified in the agreement.
This provision establishes that account holders are contractually prohibited from sending data that can identify individual website visitors to Google through the analytics service, providing a contractual protection for end-user identifiability. However, enforcement of this provision depends on the account holder's implementation practices rather than on any technical control Google asserts in these terms.
How other platforms handle this
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Google has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You will not (and will ensure that Third Parties do not) send to Google, or permit Google to access or process any data or information which could identify any individual User (either alone or in combination with other information held by Google or which Google is likely to have access to), unless You have obtained Google's written permission to do so. To the extent that You do share Personally Identifiable Information with Google (as permitted by Google), such sharing must comply with the applicable Google product policy on sensitive data.— Excerpt from Google's Google Analytics Terms of Service
1. REGULATORY LANDSCAPE: This provision engages GDPR data minimization principles and the prohibition on processing special categories of personal data without a valid legal basis. The FTC Act applies to account holders whose analytics implementations inadvertently transmit PII. CCPA definitions of personal information may also be relevant in assessing what data constitutes identifiable information under California law. The relevant enforcement authorities include national GDPR supervisory authorities, the FTC, and State Attorneys General. 2. GOVERNANCE EXPOSURE: High. The provision's reference to data that could identify individuals 'in combination with other information held by Google' creates a broad and operationally complex prohibition. Account holders may not have full visibility into what data Google holds that could combine with analytics parameters to create identifiable profiles, making technical compliance assessments inherently uncertain. Common implementation risks include email addresses in URL query strings, user IDs that map to identifiable records, and transaction identifiers linked to customer databases. 3. JURISDICTION FLAGS: EU/EEA entities face heightened exposure because GDPR supervisory authorities have interpreted the transmission of identifiable analytics data to Google as a potential unauthorized international data transfer. Several national DPAs have issued findings regarding standard Google Analytics implementations. In the US, the combination of analytics data with other Google-held data may engage FTC guidance on deidentification and re-identification risks. 4. CONTRACT AND VENDOR IMPLICATIONS: This provision places the compliance burden entirely on the account holder, with no Google obligation to technically prevent or detect PII transmission. Procurement teams assessing Google Analytics as a vendor should note that this liability allocation means the account holder bears the risk of inadvertent PII transmission. The provision does not specify a remediation or notification mechanism if PII is inadvertently transmitted. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should conduct a technical audit of their Google Analytics implementation to identify any URL parameters, custom dimensions, user ID fields, or event parameters that may contain or derive personally identifiable information. Data mapping documentation should reflect the contractual prohibition and any residual risk of inadvertent PII transmission. EU/EEA entities should assess whether their implementation satisfies GDPR data minimization requirements independently of the contractual prohibition.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes a contractual prohibition on transmitting personally identifiable information through the Google Analytics service, which has direct implications for analytics implementations that may inadvertently include PII in URL parameters, custom dimensions, or event parameters. The parenthetical reference to data that could identify individuals 'in combination with other information held by Google' is operationally significant because it encompasses data …
This provision establishes that account holders are contractually prohibited from sending data that can identify individual website visitors to Google through the analytics service, providing a contractual protection for end-user identifiability. However, enforcement of this provision depends on the account holder's implementation practices rather than on any technical control Google asserts in these terms.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Google.