Omit or disable the JavaScript whenever employees act on behalf of customers or spoof them to investigate their account.  This way, we don't associate IP addresses and devices with your customers that don't belong to them. Do send Events API events when employees are acting on behalf of customers, as when taking a phone order.

If an employee is placing a phone order on behalf of a user and you only fill in the $session_id variable in the JavaScript snippet (and not the $user_id), one option is to not include the $session_id field in the $create_order event that gets sent to for the order. That way, we won't link the browsing behavior that wasn't done by the user to the purchase that they did make.