UTM and privacy: what never goes in a link
Every UTM parameter is visible in the address bar, browser history, referrer headers, and server logs. This page sets the hard rule: a campaign URL must never carry personal data or a secret, and explains exactly where these values leak so the rule is concrete, not abstract.
Where a UTM value actually travels
A campaign URL is anything but private. The moment someone clicks it, the full query string, UTM values included, is written to the browser's history, recorded in your own server's access logs, and, depending on referrer policy, passed to the next site the visitor navigates to. Screenshots and shared links spread it further.
That means a UTM value is effectively a public string. Anything you would not paste into a public document does not belong in one.
The hard rule
Never encode personal data — a name, email, phone number, or account ID — in a UTM. Never encode a secret — an API key, token, or password — in one either. Both end up in logs and history where they can be read, reused, or enumerated.
Use stable, generic labels: a campaign name, a channel, a creative slug. When you need per-person attribution, keep an opaque code that your backend maps privately, and resolve identity server-side. The link stays safe to expose; the sensitive mapping never leaves your control.
How it appears in analytics and logs
If a UTM value contains an email, name, account ID, or token, that data is already exposed: in the user's history, in your logs, and in any referrer the next site receives. The leak is not hypothetical; it is wherever the URL travels.
Diagnostic use case
Apply one clear rule to every campaign link — only generic, non-identifying labels — so you never leak personal data or secrets through a URL.
What WebmasterID can help detect
WebmasterID stores only utm_* campaign fields and treats them as non-identifying labels. It is built to attribute by generic campaign data rather than by anything that identifies a person.
Common mistakes
- Templating a subscriber email or user ID into a UTM for finer attribution.
- Pasting a token or API key into a tracking URL.
- Assuming a UTM value is private because it is 'just' a campaign tag.
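A pre-publish check for the mistakes listed above, as an added example that is not part of the original page or WebmasterID's code. The lowercase slug convention, the 40-character limit, and the run-length thresholds are assumptions; tune them to your own naming scheme.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed naming convention (not from the page): lowercase slug, max 40 chars.
SLUG = re.compile(r"[a-z0-9_-]{1,40}")
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
DIGIT_RUN = re.compile(r"\d{7,}")            # unformatted phone or numeric account ID
ALNUM_RUN = re.compile(r"[A-Za-z0-9]{20,}")  # candidate key/token material

def check_utm_value(value):
    """Return the reasons a decoded UTM value is unsafe; [] means it passes."""
    reasons = []
    if not SLUG.fullmatch(value):
        reasons.append("not-a-slug")
    if EMAIL.search(value):
        reasons.append("email")
    if DIGIT_RUN.search(value):
        reasons.append("digit-run")
    # A long unbroken run mixing letters and digits looks like a key or token.
    for run in ALNUM_RUN.findall(value):
        if re.search(r"\d", run) and re.search(r"[A-Za-z]", run):
            reasons.append("token-like")
            break
    return reasons

def lint_campaign_url(url):
    """Map each offending utm_* parameter to its list of reasons."""
    findings = {}
    # parse_qsl percent-decodes, so jane%40example.com is seen as an email.
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.lower().startswith("utm_"):
            reasons = check_utm_value(value)
            if reasons:
                findings[key] = reasons
    return findings

# Constructed sample links (not real campaigns or real credentials).
SAMPLES = [
    "https://example.com/?utm_source=newsletter&utm_medium=email&utm_campaign=spring_sale",
    "https://example.com/?utm_source=newsletter&utm_content=jane%40example.com",
    "https://example.com/?utm_source=partner&utm_term=9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c",
    "https://example.com/?utm_medium=referral&utm_content=ref_k7q2",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(lint_campaign_url(link) or "ok", link)
```

The last sample shows a short opaque code passing the check: it identifies nobody on its own, and the mapping to a person stays server-side.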
Privacy and accuracy notes
This page is the privacy rule itself: UTM values are public. Use stable, generic campaign and channel labels only. Personal data and secrets belong server-side, never in a link.
Related pages
- UTM parameters explained: the five tags and how to use them
UTM parameters are query-string tags you add to a link so analytics can attribute the visit to a campaign even when the referrer is missing. This page explains the five tags, a consistent naming convention, and the hard rule that UTM values are public — so they must never contain personal data or secrets.
- Referral program UTM tracking
Referral programs need their own UTM medium so referred traffic is not confused with organic referrers. This page shows how to label the referral channel and explains why you must not encode individual user IDs in UTM — it leaks personal data and invites abuse.
- Privacy-first analytics
Attribution that keeps personal data out of campaign URLs by design.
Sources and verification notes
- MDN — Referrer-Policy: Explains how query strings can be forwarded to other origins.
- MDN — URL search params: UTM values are ordinary, public query-string parameters.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.