Google Analytics and Google Looker Studio Configuration Standard
These are the exact steps campus units must follow to safely configure Google Analytics 4 (GA4) and Looker Studio in compliance with Caltech's policy:
- Before You Start (Required Pre-Checks)
- GA4 Secure Configuration (Step‑by‑Step)
- Secure Google Tag Manager (GTM) Setup
- Correct How-To for Looker Studio
- Ongoing Compliance
- What You Must NEVER Do
Before You Start (Required Pre‑Checks)
Confirm the Site Is Eligible
You may not install Google Analytics if the site contains:
- Student data (FERPA)
- Advising or academic system information
- LMS content
- Human‑subjects research data
- IRB‑regulated study content
- Confidential HR, finance, or health information
If any of the above applies → Stop and request OGC/CIO/CISO review first.
Submit to IMSS - InfoSec - Analytics Request Form
The request must be submitted via ticket by emailing [email protected] and must include:
- Purpose of analytics
- What data you expect to collect
- URL(s) where tracking will be installed
- Who will need access to your reports
IMSS and InfoSec will approve or deny the request based on policy requirements.
GA4 Secure Configuration (Step‑by‑Step)
Once approved, follow these exact steps.
Create a GA4 Property in the Caltech Google Workspace
- Use your existing GA4 property (What is a GA4 Property? https://support.google.com/analytics/answer/9355666?hl=en)
- Or create a new GA4 property: https://support.google.com/analytics/answer/9355666?hl=en
Do not create an Analytics property with a personal Google account.
Configure Mandatory Privacy Settings (Admin in this context is the Analytics Admin page)
1. Disable Google Signals
In GA4:
Admin → Data Settings → Data Collection → Google Signals → OFF
This prevents Google from using Caltech traffic for cross‑site tracking.
2. Disable Advertising Features
In GA4:
Admin → Data Settings → Data Filters → Disable Ads personalization
Ensure the following are OFF:
- Google Ads linking
- Remarketing
- Interest‑based demographics
3. Turn On IP Anonymization
GA4 anonymizes IPs by default, but verify:
Admin → Data Streams → Web Stream → Configure Tag Settings → Show All → IP Anonymization = Enabled
4. Disable User‑ID and User‑Level Tracking
In GA4:
Data Streams → Web → More Tagging Settings → User‑ID → OFF
Do not create or send:
- Authentication IDs
- SSO identifiers
- Research participant IDs
5. Remove PII From URLs (Critical Requirement)
If your site uses query parameters like:
You must scrub them before sending data to GA4.
Using Google Tag Manager (GTM):
- Enable URL cleaning
- Strip parameters that could contain PII (e.g., "email", "name", "user", "id", "token")
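The scrubbing logic this step calls for, as an added example in plain JavaScript (not IMSS or Google code). The function names, the word-splitting rule for parameter names, the e-mail value check and the fragment handling are assumptions; only the five parameter names come from the standard.

```javascript
// Added example, not IMSS or Google code. scrubUrl and its matching rules are
// assumptions made for illustration.

// Parameter names listed in the standard as likely to carry PII.
const PII_TOKENS = new Set(["email", "name", "user", "id", "token"]);

// Loose e-mail shape, used to catch PII stored under an unlisted parameter name.
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// Split a key such as "userId" or "session_token" into lowercase words so that
// "id" matches "user_id" but not "video" or "width".
function keyWords(key) {
  return key
    .replace(/([a-z0-9])([A-Z])/g, "$1_$2")
    .toLowerCase()
    .split(/[^a-z0-9]+/);
}

function isPiiParam(key, value) {
  return keyWords(key).some((w) => PII_TOKENS.has(w)) || EMAIL_RE.test(value);
}

// Returns the URL with PII-bearing query parameters removed, or null when the
// input cannot be parsed (send nothing rather than an unscrubbed string).
function scrubUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return null;
  }
  const kept = new URLSearchParams();
  for (const [key, value] of url.searchParams) {
    if (!isPiiParam(key, value)) kept.append(key, value);
  }
  url.search = kept.toString();
  // Fragments shaped like key=value (e.g. #access_token=...) are dropped whole.
  if (url.hash.includes("=")) url.hash = "";
  return url.toString();
}

// Constructed sample input.
console.log(scrubUrl("https://www.example.edu/events?email=alice%40example.edu&page=2"));
```

Deploying logic like this through GTM counts as custom JavaScript, so it goes through the IMSS-InfoSec code review described in the GTM section.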
Secure Google Tag Manager (GTM) Setup
If GTM is used:
Use the IMSS‑Managed Container
- Add only the IMSS-approved GTM snippet to your site
Do not:
- Install your own custom GTM container
- Add third‑party tags without review
Submit Any New Tag for IMSS-InfoSec Code Review
Examples requiring review:
- Custom JavaScript
- Third‑party trackers
- Additional analytics tools
- Pixels (Meta, LinkedIn, etc.)
IMSS-InfoSec will review for:
- Security
- PII exposure
- Data-sharing risks
Correct How-To for Looker Studio
Build Dashboards Using Caltech Workspace Only
When creating reports:
- Use only your @caltech.edu Google Workspace account
- Never connect GA4 to a personal Gmail account
Apply Restricted Sharing
In any Looker Studio report:
Share → Manage Access → Only specific Caltech users
Set:
- "Anyone with link" → Disabled
- "Public" → Disabled
- "Caltech Domain Access" → Allowed only if IMSS approves
Dashboards must use least privilege (only those who truly need access).
Remove Sensitive Dimensions from Reports
Do not include:
- IP address breakdowns
- URLs containing PII
- User-level metrics
- Behavioral data tied to authentication
Use only:
- Aggregate traffic
- High-level performance indicators
- Trend data
Ongoing Compliance
Follow Required Data Retention Settings
GA4 settings:
- Events retention: Up to 12 months
- Export long-term data only to IMSS-approved storage
What You Must NEVER Do
❌ Place GA4 on systems with academic records
❌ Track individual users or research participants
❌ Use advertising features
❌ Send email addresses, names, tokens, or IDs
❌ Allow public Looker Studio dashboards
❌ Add tracking scripts without OGC and IMSS approval
❌ Create analytics using personal Gmail accounts
❌ Store analytics data outside Caltech‑approved systems