I think the main problem is that you have the value in the querystring.
Even if you obfuscate the values sent in the analytics payload, the
plaintext version will still be sent in the referrer. We had a similar
issue with email addresses in plaintext in URLs. The only surefire
solution is to stop putting PII in URLs.