Under fire for sending your readers’ Personally Identifiable Information to Google? Yeah, it’s been known to happen, quite often at that.
“In the interests of protecting end-user privacy, Google ads product policies mandate that publishers must not pass any data to Google that Google could use or recognize as personally identifiable information (PII)” — Google Publisher Policy
Google classifies names, email addresses, social security numbers, device identifiers (especially those that cannot be reset), and similar sensitive information as PII. And Google absolutely does NOT want you (accidentally or non-consensually) sending this info to it.
Those who end up passing this info through ad requests made using Google DFP, AdX for DFP or AdSense receive a policy breach notice that has the potential to scare the pants off of the most seasoned publishers.
If you have been on the receiving end of this particularly terrifying stick (partly because violating end-user privacy!, largely because Google could blacklist me forever!), I am here to tell you to keep calm and not take it personally. Google isn’t out to sue you for malpractice or human rights violation.
It simply wants you to take a thorough look at your ad requests and web pages.
What happens once you receive the PII violation notice?
Google policy team takes it upon itself to watch your account for a month. You receive weekly emails from firstname.lastname@example.org “containing a list of ad requests grouped by domain from which PII is being detected.”
How do I fix it?
You need to analyse said ad requests. Here’s a sample request, along with additional info Google will send your way in hope that you’ll investigate and fix the problem:
The Box marked “1.” is the escaped URL passing PII (between url= and &dt tags). Use any URL decoder tool to get the human-readable (aka unescaped) version. Copy-paste said URL in your address bar and go to it to see the culprit page.
Fixing this problem can be done in several ways.
AdPushup, for instance, has URL filtering capabilities which can be configured to block all ad requests on pages which pass PII.
- Check to see if the culprit URL has a form with GET submission attribute. To do so, visit the URL, right-click on the page, click ‘view source’, and look for method=get in <form> tag. If yes, any form field values your users enter in the form become part of the URL. Solution: Update the HTML and use method=post instead.
- Revise your keyword targeting and parameters. Check the source code of your pages to see what you are collecting in the key-values in various tags. Solution: Remove targeting (from tags and server) if it looks too messy to repair (or you can’t come up with alternate targeting parameters that don’t pass PII for a change).
Phew. Well, that was most of it. Next, send a response to Google about your progress through the form attached in the mail, diligently.
That 3rd option? Yeah. You may have been contacted erroneously.
Sometimes Google is Just Paranoid
- Publisher’s own “contact us” (or other similar site email addresses) being passed in the URL could trigger a false positive for PII
- Saving a page (right-click >> Save as) may trigger a false positive if said page has an email address in URL.
Once you have verified the false positives (as directed here), make sure to let Google know they contacted you in error (option #3) while filling out the PII violation response form.
Conjectures: According to AdPushup’s optimization experts, Google may have started sending PII violation notices to Indian publishers only recently.
Their advice: Buckle up and clean up your act now to avoid undue anxiety later.