"How do I make a Google Form private?" "How do I limit it to specific people?" — common asks. Google Forms has several access-restriction settings.
Most articles just walk through the settings. They skip the security question: what happens when the URL leaks, and is real access control even possible here? This guide separates the three distinct meanings of "private" and gets into the operational design that real-world use demands.
Three levels of "private"
"I want this private" actually conflates three different things.
| Level | Meaning | Google Forms support |
|---|---|---|
| L1: URL secrecy | Only people who have the link can access | Default behavior |
| L2: Authentication required | Must sign in with a Google account | Available in settings |
| L3: Per-user authorization | Only specific individuals can access | No built-in support |
The starting point is being clear with yourself: when you say "private," do you mean L1, L2, or L3?
L1: URL secrecy (default)
Out of the box, Google Forms is "anyone with the link can respond."
Example URL:
https://docs.google.com/forms/d/e/1FAIpQLSc.../viewform
The 36-character random ID is practically unguessable, so without the URL there's no access. This is Google Forms' baseline "private" mode.
Risks at this level
- Recipient reshares the URL on social media or in chat, and it spreads from there
- Email gets forwarded to a third party
- URL captured in screenshots
- Shortened URLs (bit.ly etc.) get discovered through service indexes
Assume "please keep the URL confidential" will not be honored and design accordingly.
L2: Authentication required (Google sign-in)
Settings → Responses → "Require Google sign-in." Now the form refuses to load without a Google account.
Pros:
- URL leaks don't permit anonymous responses
- Respondent email is recorded automatically
- Combined with "limit to 1 response," you get duplicate prevention
Cons:
- Assumes every respondent has a Google account
- 10–30% of users drop off if they don't want to sign in
- Personal Google accounts get tied to a work survey
See Google Forms response restriction and duplicate prevention for details.
Workspace organization restriction
On Workspace, you can further limit to "users in your organization only." Only @your-company.com accounts can access — recommended default for internal surveys.
L3: Per-user authorization (no native support)
"Only these 100 people can respond" isn't possible in Google Forms alone. Workarounds:
Approach A: Issue per-respondent URLs
Distribute distinct URL parameters to each respondent:
https://docs.google.com/forms/d/e/.../viewform?usp=pp_url&entry.123456=user_token_abc
Tie the URL parameter to the response and verify the token at aggregation time. Workable, but the URL itself is still openable by anyone who finds it.
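A sketch of Approach A for Node.js, added here as an illustration and not taken from Google or any tool named on this page. The function names, the `FORM_ID_PLACEHOLDER` URL, the secret and the sample rows are all constructed assumptions; `entry.123456` is the sample field ID from the URL above.

```javascript
const crypto = require('node:crypto');

// Assumed placeholders: FORM_ID_PLACEHOLDER and the secret are not real values;
// entry.123456 is the sample field ID used on this page.
const FORM_URL = 'https://docs.google.com/forms/d/e/FORM_ID_PLACEHOLDER/viewform';
const TOKEN_ENTRY = 'entry.123456';

// Token = HMAC-SHA256(secret, normalized email), truncated to 128 bits (32 hex chars).
// Nothing to store per respondent, and unguessable without the secret.
function issueToken(secret, email) {
  return crypto.createHmac('sha256', secret)
    .update(email.trim().toLowerCase())
    .digest('hex').slice(0, 32);
}

// Build the per-respondent prefilled link to email out.
function prefilledUrl(secret, email) {
  const q = new URLSearchParams({ usp: 'pp_url', [TOKEN_ENTRY]: issueToken(secret, email) });
  return `${FORM_URL}?${q}`;
}

// Aggregation-time check over exported response rows: accept the first response
// per invited respondent, reject unknown tokens and repeats with a reason.
function verifyResponses(secret, invited, rows) {
  const byToken = new Map(invited.map(e => [issueToken(secret, e), e.trim().toLowerCase()]));
  const seen = new Set();
  const accepted = [], rejected = [];
  for (const row of rows) {
    const email = byToken.get(String(row.token || '').trim());
    if (!email) rejected.push({ ...row, reason: 'unknown-token' });
    else if (seen.has(email)) rejected.push({ ...row, reason: 'duplicate' });
    else { seen.add(email); accepted.push({ ...row, email }); }
  }
  return { accepted, rejected };
}

// Constructed sample data: one valid row, one reuse of the same link, one guess.
const demoSecret = 'constructed-demo-secret';
const demoInvited = ['alice@example.com', 'bob@example.com'];
const aliceToken = issueToken(demoSecret, 'alice@example.com');
console.log(prefilledUrl(demoSecret, 'alice@example.com'));
console.log(verifyResponses(demoSecret, demoInvited, [
  { token: aliceToken, answer: 'A' },
  { token: aliceToken, answer: 'B' },
  { token: 'guessed-value', answer: 'C' },
]).rejected.map(x => x.reason));
```

The prefilled token field is editable by the respondent, so rejection happens only at aggregation time, not at submission. A `duplicate` rejection is worth reviewing rather than silently dropping, since it usually means a personal link was forwarded.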
Approach B: Apps Script + password gate
Add a password field at the top of the form and use Apps Script to validate against a known list. Possible, fiddly.
Approach C: A different tool
Use a tool with built-in "respond only via the unique link emailed to you," one-time tokens, or two-factor authentication.
The real topic — pitfalls of "private"
Pitfall 1: "Only people with the link" isn't actually privacy
In security terms, relying on "secret URLs" alone is "security through obscurity" and is generally not considered a security control.
"Only people with the link can answer" works as a business convention. It is not sufficient for surveys containing confidential data.
Pitfall 2: URLs leak more than people expect
Real-world leak vectors:
- Email quote-and-forward chains
- Accidental posts to public Slack channels
- Screenshots pasted into documents
- Browser address bar history
- URL shortener service logs and indexes
- Email gateways that scan and store URLs
Design with "P(leak) > 0" in mind, and decide what happens when it does.
Pitfall 3: Google sign-in isn't airtight either
Even at L2 (Google sign-in required):
- Anyone with a personal Gmail account can sign in (not just employees)
- Login emails are recorded, but a one-time burner account works around it
- No defense against bot-created accounts
"Sign-in required" buys medium-strength authentication at the cost of respondent drop-off.
Pitfall 4: "Private" and "handling confidential data" are different problems
For surveys containing internal-only or sensitive data, URL secrecy and Google sign-in aren't enough.
By sensitivity level:
| Sensitivity | Recommended controls |
|---|---|
| General | URL-only is fine |
| Internal | Google sign-in + Workspace org limit |
| Confidential | Per-user authentication + encrypted transport + audit logs |
| PII | Above + privacy policy + consent capture |
If you're running confidential surveys on "Google Forms + URL secrecy," it's worth re-evaluating against your security policy.
Decision flow
Q1: Does the survey contain data you can't afford to leak?
- Yes → L2 minimum
- No → L1 is acceptable
Q2: Are respondents internal only?
- Yes → Workspace org limit (L2)
- No → continue
Q3: Do you need per-user authorization?
- No → L2 is sufficient (require Google sign-in)
- Yes → evaluate a different tool
Q4: Optimize for response rate or auth strength?
- Response rate → L1 with careful URL hygiene
- Auth strength → L3 (dedicated auth tool)
Access controls in Repoan
Repoan implements multiple access-control levels.
- URL-only privacy — same as Google Forms baseline
- Password protection — a single shared password per form
- Per-user token authentication — accessible only via the unique link emailed to the respondent
- Scheduled open/close — no-code time-window controls
- IP restriction — accessible only from specified networks
- Full access logging — who accessed when
- Two-step verification — email verification code as identity check
Wrap-up
The real answer to "make my Google Form private" isn't the settings list — it's:
- Be clear which level of "private" you need
- Design ops assuming URLs leak
- Match authentication strength to data sensitivity
"Anyone with the link" is convenient. For forms handling confidential data, moving to an authentication-aware tool is the safer long-term choice.