Privacy & Consent

What Google Wants You to Do About Personally Identifiable Information (PII)

Pinterest LinkedIn Tumblr

Under fire for sending your readers’ Personally Identifiable Information to Google? Yeah, it’s been known to happen, quite often at that.

In the interests of protecting end-user privacy, Google ads product policies mandate that publishers must not pass any data to Google that Google could use or recognize as personally identifiable information (PII)” — Google Publisher Policy 

Google classifies names, email addresses, social security numbers, device identifiers (especially those that cannot be reset), and similar sensitive information as PII. And Google absolutely does NOT want you (accidentally or non-consensually) sending this info to it.

Those who end up passing this info through ad requests made using Google DFP, AdX for DFP or AdSense receive a policy breach notice that has the potential to scare the pants off of the most seasoned publishers.

If you have been on the receiving end of this particularly terrifying stick (partly because violating end-user privacy!, largely because Google could blacklist me forever!), I am here to tell you to keep calm and not take it personally. Google isn’t out to sue you for malpractice or human rights violation.

It simply wants you to take a thorough look at your ad requests and web pages.

What happens once you receive the PII violation notice?

Google policy team takes it upon itself to watch your account for a month. You receive weekly emails from publisher-policy-no-reply@google.comcontaining a list of ad requests grouped by domain from which PII is being detected.”

How do I fix it?

You need to analyse said ad requests. Here’s a sample request, along with additional info Google will send your way in hope that you’ll investigate and fix the problem:

Awesome. More undecipherable coding and symbols.
Awesome. More indecipherable strings of letters. (Ugh)

The Box marked “1.” is the escaped URL passing PII (between url= and &dt tags). Use any URL decoder tool to get the human-readable (aka unescaped) version. Copy-paste said URL in your address bar and go to it to see the culprit page.

Fixing this problem can be done in several ways.

AdPushup, for instance, has URL filtering capabilities which can be configured to block all ad requests on pages which pass PII.

Alternatively:

  • Check to see if the culprit URL has a form with GET submission attribute. To do so, visit the URL, right-click on the page, click ‘view source’, and look for method=get in <form> tag. If yes, any form field values your users enter in the form become part of the URL. Solution: Update the HTML and use method=post instead.
  • If your site lets visitors log in and create profiles, the problem may be URL schemes. Go through the list of URL samples (provided by Google) to see if there’s a pattern there; namely, pages like profile, settings, account, alerts, messaging/mail, login, sign up confirmation (email link), etc. passing PII. Solution: Regex search and replace, as directed here (for PHP). Or you can use Simo Ahava’s method which uses Google Tag Manager and some handiwork with JavaScript.
  • Revise your keyword targeting and parameters. Check the source code of your pages to see what you are collecting in the key-values in various tags. Solution: Remove targeting (from tags and server) if it looks too messy to repair (or you can’t come up with alternate targeting parameters that don’t pass PII for a change).

Phew. Well, that was most of it. Next, send a response to Google about your progress through the form attached in the mail, diligently.

Oh is that all.
Oh is that all.

That 3rd option? Yeah. You may have been contacted erroneously.

Sometimes Google is Just Paranoid

  • Publisher’s own “contact us” (or other similar site email addresses) being passed in the URL could trigger a false positive for PII
  • Saving a page (right-click >> Save as) may trigger a false positive if said page has an email address in URL.

Once you have verified the false positives (as directed here), make sure to let Google know they contacted you  in error (option #3) while filling out the PII violation response form.

Conjectures: According to AdPushup’s optimization experts, Google may have started sending PII violation notices to Indian publishers only recently.

Their advice: Buckle up and clean up your act now to avoid undue anxiety later.