Google Analytics, Lexbase and Personal Information: A good bad example


Lexbase have been in the news a lot. Controversially, their online search tool allows you to find people who have, or have had, convictions in your local area. It was down for several months – after intense criticism – and is now up again. Its most recent incarnation boasts a new interface and has provoked the same discussion; that a criminal record can allegedly be shown entirely out of context or, in some cases, incorrectly. Even if this is all publicly available information it’s something which is troubling for many, not least Beatrice Ask; the Swedish Justice Minister.

Not only is it an example of a contentious interpretation of Swedish law surrounding ‘yttrandefrihet’ it’s also a great example of what not to do when you install Google Analytics on your site.

The problem is this – run a search on Lexbase using someone’s name, personal number and a geographical area and all this data is sent to Google Analytics. This entirely breaks the terms and conditions of using Google Analytics which explicitly state that you cannot do this. The documentation includes the following:

“…prohibits sending personally identifiable information (PII) to Google Analytics (such as names, social security numbers, email addresses, or any similar data)…..”

Here’s what that looks like – you can see my test search terms being sent as an event, including a personal number and name:

Sceenshot from GA Debugger showing PII being passed on to Google Analytics

Lexbase’s use is an extreme example but sending PII via Google Analytics is something I see happen with websites  on a fairly regular basis, usually accidentally or in ignorance of the terms and conditions. Not only does doing so probably betray your website’s policy statement on your website, and therefore your customer’s trust, but it also risks your Google Account being terminated by Google.

4 thoughts on “Google Analytics, Lexbase and Personal Information: A good bad example

    • Hej Per! Thanks for the comment – time will tell, though I imagine the procedure is that account owner will receive a warning and a request for remedial action (that’s what happens when you exceed data limits, for example). Who knows, maybe Lexbase filter out this data – but why bother collecting it in the first place then?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s