A Practical Guide to pii identifiers

This guide explains pii identifiers in practical terms, with a focus on privacy-first analytics decisions.

Google Analytics identifiers are not just technical implementation details. They are the mechanism that lets GA4 distinguish users, connect events into sessions, power advertising features, and create reports that feel more precise than aggregate page counters.

For privacy teams, the key question is not whether an identifier looks like a name. It is whether it can single out a browser, device, app installation, account, or person. Under GDPR, online identifiers can be personal data when they relate to an identifiable person.

That does not make every analytics identifier "PII" in the narrow everyday sense of name, email, phone number, or address. A Client ID is usually pseudonymous. It still deserves controls because pseudonymous identifiers can link behavior over time and may become identifiable when combined with other data.

Client ID

For websites, Google says Analytics stores a client ID in a first-party cookie named _ga to distinguish unique users and sessions (GA4 data collection). Google also says customers can control whether cookies are used to store a pseudonymous or random client identifier (Google Analytics safeguards).

A client ID is pseudonymous, not anonymous. It may not contain a name, but it can link page views and events from the same browser over time. Combined with IP-derived location, device information, page paths, campaign data, and event details, it becomes a behavioral record.

User ID

User ID is optional, but more sensitive. It lets a site send its own identifier for authenticated users so Analytics can connect activity across devices and sessions. If implemented carelessly, this can become direct personal data or a stable internal identifier that makes re-identification easy.

Never send email addresses, usernames, phone numbers, or CRM IDs into Google Analytics as User IDs or custom dimensions unless legal review explicitly approves it. Google Analytics policies prohibit sending personally identifiable information to Analytics, and privacy risk rises sharply when analytics joins to account data.

Session ID And Event Identifiers

GA4's event model groups interactions into sessions and events. Session identifiers help reports calculate engagement, conversions, and journeys. Even when a single session ID is short-lived, it can still reveal behavior within a visit: pages viewed, files downloaded, form steps reached, and outbound clicks.

That matters on sensitive sites. A session that includes visits to mental health, legal aid, political, or medical pages can reveal more than the user intended.

App Instance ID And Mobile Identifiers

For apps, Google says the Firebase SDK automatically generates and assigns an app-instance identifier to each app instance, and the SDK can collect mobile identifiers such as Android Advertising ID and iOS Identifier for Advertisers where available (GA4 data collection).

Mobile identifiers raise additional consent and platform-policy issues. On iOS, Apple's App Tracking Transparency framework may require user authorization for tracking across apps and websites owned by other companies. On Android, advertising ID behavior depends on platform settings and permissions.

Google Signals

Google Signals is a separate privacy consideration. Google says activating Google Signals can enable remarketing, advertising reporting features, and demographics and interests from users signed into Google accounts who have Ads Personalization enabled (Google Signals documentation).

That can be useful for advertisers, but it moves analytics closer to advertising identity. If you do not need remarketing or demographic reporting, disabling Google Signals reduces risk and simplifies the explanation in your privacy notice.

IP Addresses And Location

Google says GA4 does not log or store IP addresses, and uses IP addresses for purposes such as deriving location and protecting the service (Google Analytics safeguards). That is a meaningful control, but it does not make the rest of the analytics dataset anonymous. Client IDs, event sequences, device data, and account-linked features can still be personal data.

Avoid the common mistake of saying "GA4 is anonymous because IP addresses are not stored." Privacy law looks at the full dataset and reasonable identifiability, not only one field.

Why Identifiers Trigger Consent Questions

In Europe, storing or accessing identifiers on a device can trigger ePrivacy cookie consent rules. GDPR then governs the personal data processing that follows. These are related but separate questions: ePrivacy may require consent for the storage or access mechanism, while GDPR requires a lawful basis for the subsequent processing. That lawful basis is often consent for advertising or profiling, but it is not accurate to say every identifier always requires GDPR consent in every configuration.

Valid consent, when used, must be freely given, specific, informed, and unambiguous, as the EDPB explains (EDPB consent guidance).

If GA4 is configured with advertising features, long retention, User ID, or Google Signals, the consent and transparency burden increases. If it is configured only for limited measurement behind a CMP, the risk may be lower but not zero.

Safer Configuration Checklist

For teams that keep GA4, consider these controls:

• Disable Google Signals unless specifically needed
• Do not enable ads personalization by default
• Do not send User ID unless necessary and reviewed
• Never send emails or other direct identifiers
• Remove personal data from URLs before tracking
• Keep event properties categorical and minimal
• Use Consent Mode carefully and understand basic vs advanced mode
• Shorten data retention where possible
• Exclude internal traffic
• Review linked Google Ads and BigQuery exports

For teams that only need website performance, campaigns, and conversions, consider privacy-first analytics that avoids persistent identifiers entirely.

Identifier Audit Checklist

Separate direct identifiers, pseudonymous online identifiers, and aggregate metrics. Record whether enhanced measurement, Google Signals, ads personalization, User-ID, BigQuery export, Consent Mode, cross-domain measurement, and region-specific settings are enabled. For each identifier, document its purpose, lifespan, storage location, legal basis, consent dependency, and whether it leaves your organization.

Keep GA4 only where the Google ads or reporting ecosystem justifies the privacy, consent, and maintenance cost. For baseline pages, referrers, campaigns, goals, and aggregate funnels, privacy-first analytics may answer the question with fewer identifiers.

The Bottom Line

Identifiers are what turn analytics from aggregate counting into behavioral measurement. Sometimes that is justified. Often it is more than a marketing site needs.

Before enabling another identifier, ask what decision it supports. If the answer is vague, leave it off. The cleanest analytics stack is the one that measures outcomes without accumulating identity.

Audit Custom Dimensions

Custom dimensions are where many GA4 privacy problems enter. Review every dimension and parameter for direct identifiers, internal IDs, free text, and sensitive context. If a property is only useful to identify a person or account, it probably belongs in a CRM or product database with stricter access controls, not in a marketing analytics report.