Google Data processing & protection guide for Google Analytics User-provided data (UPD)

Modernizing your Measurement - Fueling AI with First-Party Data to Drive ROI

Google Analytics: Your Private-by-design Measurement Infrastructure

Google Analytics (GA) is a private-by-design measurement platform that enables businesses to unify disparate data from their websites, apps, and offline channels (e.g., CRM platforms) into a cohesive environment. Rather than simply collecting data, GA provides a flexible data model that makes sense of these interactions, organizing them into a structured foundation that drives actionable marketing and business intelligence.

By establishing this reliable infrastructure, GA helps companies answer critical questions regarding their marketing and media investments. GA provides the clarity needed to identify which channels drive actual revenue, where users drop off in the funnel, and how to most efficiently deploy capital to improve business outcomes, such as sales, customer lifetime value, and profit.

Within the Google Analytics environment, Google acts strictly as a service provider (Processor). The data belongs entirely to the advertiser; Google simply provides the infrastructure to process and visualize those insights for the advertiser’s exclusive benefit. More details here.

User-provided data is at the core of building this first party data foundation in Google Analytics

First-Party data in Google Analytics

Today’s consumers expect hyper-relevant, frictionless experiences across every touchpoint, from initial discovery to post-purchase support. However, meeting these expectations has become increasingly difficult in an environment defined by fragmented user experiences across a complex landscape of searching, scrolling, shopping and streaming.

To navigate this complexity, businesses are increasingly relying on AI as an essential engine to understand, predict, and meet customer needs. Because an AI model is only as effective as the data that fuels it, a company’s own First-Party Data (1PD) is the most accurate and effective data for AI-driven measurement for each advertiser. By building a robust 1PD foundation in Google Analytics, businesses can establish a unified view of their customers and operations directly within their Google Analytics, providing the AI with unique "Business Truths" rather than generic proxy signals.

This high-fidelity foundation ensures that marketing measurement is rooted in actual business outcomes. By powering AI with the signals most relevant to your specific goals, you ensure your marketing remains resilient and optimized for maximum incremental ROI.

About User-provided Data

What is User-provided data (UPD)?

User-provided data (UPD) is hashed, consented customer data (e.g., email, phone, name, address) from your website or app that is sent to Google Analytics. UPD acts as a high-value first-party signal in Google Analytics. By securely matching the hashed data you send with Google's signed-in user data, UPD helps connect user interactions and conversions that occur across different devices and browsers, ensuring your business intelligence remains accurate even as the technology and privacy landscapes evolve.

Beyond internal reporting, this durable identifier plays a critical role in Ads activation and conversion measurement. By providing a consistent signal, UPD allows for the more accurate observation of customer actions across devices and sessions. This ensures that conversions are correctly attributed and that marketing campaigns are activated based on high-fidelity, representative data, rather than fragmented or incomplete digital signals. For more benefits and use cases, please see the next page.

Benefits of User-provided data

What are the main benefits of adopting UPD?

UPD facilitates several capabilities, each controlled by specific advertiser opt-ins and account linkages.

  • Improved Google Ads Conversion Measurement (Enhanced Conversions): By providing hashed first-party signals, businesses can increase the observability of their customer journeys. This allows for more effective matching of conversions back to ad clicks and interactions, providing a foundational signal for Conversion modeling when privacy or technology limitations exist. Advertisers who implement Enhanced Conversions in Google Ads see an average conversion rate lift of 15% on YouTube and 10% on Search
  • New Insights from Google Data (Demographics & Interest Reporting): When you adopt UPD and Google signals, you activate deeper demographic and interest reporting. This enables businesses to utilize Google’s aggregated, signed-in user data to better understand their audience and tailor marketing strategies based on privacy-safe customer trends. Example: A retailer can identify that their highest-converting segment is "Outdoor Enthusiasts" aged 25–34
  • Improved Ads Personalization & Exclusions (Customer Match): UPD strengthens audience lists by enabling Customer Match. By utilizing persistent, hashed identifiers, businesses can better reach known customers or, crucially, suppress existing users from seeing redundant ads. This provides higher-fidelity signals to AI-powered campaigns, ensuring the engine optimizes for new customer acquisition rather than wasting budget on existing ones. In Google Ads, when Customer Match is applied to Smart Bidding campaigns, we see a 20% increase in conversions per dollar and a 3.6% reduction in cost per click
  • Cross-Channel Conversion Measurement (In Alpha): This capability facilitates more accurate conversion measurement across integrated third-party media platforms. By acting as a persistent identifier, UPD connects media investments on multiple platforms to real-world user behavior for a more holistic view of performance
  • Unified Customer View (CRM Integration in Alpha): UPD serves as a persistent "join-key" that bridges the gap between digital interactions and offline back-office results. By connecting online data to your CRM or offline stream, you create an improved, centralized view of your customers and business performance

Note: In all of these use cases, UPD is handled by Google acting as a Service Provider (Processor). The advertiser maintains full control over which features are activated. Please see more information on Processor-Controller terms, in the context of UPD here

Data Collection

Which data is collected & used for this first-party data to function?

  • Advertisers can send consented, hashed, first-party data like email addresses, phone numbers, first name, last name and addresses
  • When multiple types of UPD are provided, Analytics will prioritize in the following order: email > phone > name and address
  • If advertisers would only like to provide one field, we recommend sending email; however, the address and phone fields can also be helpful in improving the likelihood of matches

Enablement

Is UPD enabled by default in Google Analytics?

UPD is not enabled by default in GA. GA users must opt in to enable this feature by accepting the Terms of Service. Users must also set up UPD data collection through Google Tag / Google Tag Manager, or send UPD through Measurement Protocol / Server-Side GTM (sGTM) or the upcoming Data Manager API.

No UPD data will be processed in GA until the Terms of Service are accepted and the UPD toggle is turned on.

Please note that Google Tag UPD data collection is enabled by default and you can disable it if needed. However, this data will not be transmitted to Google Analytics until 1) the UPD Terms of Service are accepted in Google Analytics and 2) the UPD toggle is turned on.

Is activating UPD a permanent enablement?

UPD enablement is not permanent. Processing, collection, and transmission of UPD can be turned off:

  • Processing: If you choose to turn off UPD in the GA user interface under property settings, this will stop future processing of hashed PII within the given Google Analytics property.
  • Collection & Transmission: In addition to turning off processing as described above within your Google Analytics property, you can stop the collection of UPD via the methodology used for UPD collection such as gtag, GTM, Measurement Protocol or sGTM

Note: If you continue to collect UPD in your tags and have only turned off the UPD setting in the Google Analytics user interface, we will continue to collect UPD via Google tags but it won’t be transmitted to and processed in GA.

Privacy Policy & Terms

Is Google Analytics a Processor or Controller for User-provided data?

  • Google Analytics (The Processor Environment): In GA, the customer using the tool is the Data Controller. The customer dictates what data is collected, how long it is stored, and what it is used for. GA is merely the Data Processor, acting strictly on the customer’s documented instructions to crunch the numbers and provide reports
  • Handoff: When a customer links GA to Google Ads and begins sharing data (like exporting audiences, etc.), the customer is explicitly instructing the Processor (GA) to send that data out of GA, where the data may be subject to different terms
  • Google Ads (The Controller Environment): Customer-provided UPD will be used through Confidential matching (check here for more details) to associate clicks, conversions, and Google user IDs. When an attributed conversion from Google Analytics is exported to a linked Google Ads account, only the conversion event data is sent. Crucially, the raw or hashed PII collected via UPD in GA is not sent to Google Ads with the conversion or Audience list. The attributed conversion data or Customer Match audience list received by Google Ads from GA is now governed by the Ads Controller Terms, and Google acts as a controller for this conversion data.

Which privacy policy is UPD in Google Analytics subject to?

Use of UPD in GA is subject to the Measurement Protocol, SDK, and User-ID Feature Policy

Consent & User-provided data

How does Consent play a role for UPD collection?

  • Advertisers are responsible and must obtain consent from their end users for the collection, passing and use of any hashed PII they wish to send to Google through the feature, including their consent to associate data across their unauthenticated and authenticated session activities on sites and/or apps.
  • Advertisers must also obtain consent from their end users for the use of such PII sent through the API and/or through the feature, for any additional measurement, targeting, audience personalization and/or reporting activities, including those optionally enabled within Analytics and through linking integrations.
  • If you implement the Consent Mode feature of Google Analytics and/or Google Ads, the consent you procure from your end users for your use of their PII for the feature and/or associated integrations operates independently and is not affected by end user choices over the Consent Mode ad_storage setting and/or analytics_storage, which apply only to the cookies that are set as part of the analytics service or ads service as defined here and here.

Usage

What hashing mechanism is used for UPD?

UPD uses a secure hashing algorithm called SHA256, an industry-standard one-way hash whose output cannot be reversed. When sending UPD from your website to Google, you have two options for hashing the data using the secure SHA256 algorithm:

  • You hash the data: Implement the SHA256 hashing on your end before sending the data to Google.
  • Google hashes the data: Rely on the Google feature to automatically apply SHA256 hashing to UPD before it's sent to Google. This applies to UPD sent via gtag, GTM or server-side GTM. Choosing this method ensures that hashing always occurs within Google’s servers, with strict access controls on Googlers with data access. Raw PII is never shared with Google via UPD.

Both options above result in Google receiving hashed data. The choice is about where the hashing process occurs.

Note: If you are using Measurement Protocol to send UPD to Google servers, you must hash the data using SHA256 before sending it to Google.
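As an added example (not Google's code), this is one way to prepare UPD server-side for the "you hash the data" option, which the note above makes mandatory for Measurement Protocol. The normalization rules, the record keys and the `sha256_` output key names are assumptions made for illustration; check Google's current documentation for the exact formatting and parameter names it expects.

```python
import hashlib
import json
import re

# A hex-encoded SHA256 digest is exactly 64 hex characters.
_HEX64 = re.compile(r"[0-9a-f]{64}")


def is_sha256_hex(value: str) -> bool:
    """True if the value already looks like a hex SHA256 digest."""
    return bool(_HEX64.fullmatch(value.strip().lower()))


def normalize_email(raw: str) -> str:
    # Assumed rule: trim and lowercase, so that " Jane@Example.com " and
    # "jane@example.com" produce the same digest and can be matched.
    return raw.strip().lower()


def normalize_phone(raw: str) -> str:
    # Assumed rule: E.164 form ("+" then digits only). The input must
    # already carry its country code; this function does not guess one.
    digits = re.sub(r"\D", "", raw)
    if not digits:
        raise ValueError("phone number contains no digits")
    return "+" + digits


def normalize_name(raw: str) -> str:
    # Assumed rule: trim and lowercase.
    return raw.strip().lower()


def sha256_hex(normalized: str) -> str:
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Allowlist of fields that may leave the server, with their normalizers.
# The keys are hypothetical names for this example.
_NORMALIZERS = {
    "email": normalize_email,
    "phone": normalize_phone,
    "first_name": normalize_name,
    "last_name": normalize_name,
}


def prepare_upd(record: dict) -> dict:
    """Return hashed fields only. Unknown fields are dropped, and values
    that are already SHA256 digests pass through without double hashing."""
    out = {}
    for field, normalize in _NORMALIZERS.items():
        value = record.get(field)
        if value is None or not str(value).strip():
            continue
        value = str(value)
        if is_sha256_hex(value):
            out["sha256_" + field] = value.strip().lower()
        else:
            out["sha256_" + field] = sha256_hex(normalize(value))
    return out


def leaked_fields(record: dict, payload: dict) -> list:
    """Pre-send check: names of record fields whose raw value still appears
    in the serialized payload. Very short values can match by coincidence."""
    blob = json.dumps(payload).lower()
    return [
        field
        for field, value in record.items()
        if isinstance(value, str)
        and value.strip()
        and not is_sha256_hex(value)
        and value.strip().lower() in blob
    ]


if __name__ == "__main__":
    # Constructed sample record; not real customer data.
    sample = {
        "email": "  Jane.Doe@Example.COM ",
        "phone": "+1 (650) 555-0100",
        "first_name": "Jane",
        "notes": "vip",  # not on the allowlist, never sent
    }
    payload = prepare_upd(sample)
    print(json.dumps(payload, indent=2))
    print("raw values in payload:", leaked_fields(sample, payload))
```

Because the digest is deterministic, the same normalized email always produces the same value; that is what makes it usable for matching, and why the data remains pseudonymous as defined in the glossary.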

Google has also earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Google Analytics. Download the Google Ads/Analytics Scope Expansion Certificate - ISO 27001 (PDF).

Google Analytics is also subject to the Google Ads Data Processing Terms, and customers benefit from the privacy commitments and protections outlined in detail in those terms, including in connection with data security.

How does Google handle advertiser’s UPD?

  • Our Google tags capture the user data field you define in the conversion page and automatically format and hash it, unless the data is already hashed by the customer (business). We utilize the SHA256 algorithm, an irreversible one-way hashing mechanism. All of this happens prior to Google receiving any data. Raw PII data is never shared with Google via UPD
  • When a hashed value matches a known Google user, it enables 1) accurate attribution of conversions to Google and cross channel media, 2) improved match rates for Customer Match to power Audiences, 3) improved coverage of Demographics and Interests reports. Exhaustive benefits listed here
  • Hashed PII data in Google Analytics is not used by Google outside of the customer’s Google Analytics account(s) unless data sharing with Google products and services is enabled. However, when you link Google Analytics to another account (e.g., Google Ads), data will flow between your Analytics account and that account, where it may be governed by other terms.
  • Hashed data that does not match Google's data is deleted

Can Google process my first-party data to serve its own purposes?

Google Analytics is a Data Processor under GDPR because Google Analytics collects and processes data on behalf of our customers, pursuant to their instructions. Google cannot use any personal data collected by the Google Analytics customer for its own purposes unless data sharing with Google products and services is enabled. When you link Google Analytics to another account (Google Ads, GMP, etc), data can flow between your Analytics account and that account, where it may be governed by other terms.

For more information on Enhanced Conversions & Customer Match in Google Ads, please refer to the EC & Customer Match DPO Guides here. (Updated Data Protection guides are coming soon to our website. In the meantime, please reach out to your Google Account Manager to receive the latest documentation.)

Can we provide a formal security attestation and support for client-side encryption keys for users who view standard pseudonymization (hashing) as insufficient for cross-border data transfers?

Currently, Google Analytics protects UPD through robust client-side SHA256 hashing, a strong pseudonymization technique, ensuring Google only processes irreversible hashes, and not raw PII, in Google Analytics. While this method and the EU-US Data Privacy Framework (here) offer substantial data protection controls suitable for cross-border transfers by minimizing data exposure, they don't include formal cryptographic attestation or support for customer-managed encryption keys.

We understand that some customers require even stronger technical assurances, particularly for sensitive data and cross-border transfers. Google is actively investing in and rolling out Confidential Matching technologies, using Trusted Execution Environments (TEEs), across various products such as Google Ads Data Manager and Google Tag Gateway, and we are exploring end-user attestation for Google Analytics.

If cryptographic attestation and customer-managed encryption keys are something that you require, please reach out to your Google rep to let them know you are interested in this capability and additionally fill out this UPD feedback form. This feedback will directly inform our implementation of this feature within Google Analytics.

Is data collected via UPD used to benefit Google and/or other advertisers?

Google only uses advertiser-provided UPD to provide services to that advertiser, as described in the User-provided data collection for User-ID Policy. Google does not share advertiser-provided UPD data with any other advertiser.

Storage & Security

Where is UPD stored?

UPD collected via tag (Google tag, GTM & server-side GTM) is collected on EU servers for EU users located in the EU. Processing and matching of hashed PII and encrypted PII data may occur on US servers, or data may be routed globally depending on load balancing requirements.

Data is stored in Google’s distributed data centre network, with servers in locations such as EMEA, US and APAC, and elsewhere. Google operates data centres globally and to maximise the speed and reliability of our services, our infrastructure is generally set up to serve traffic from the data centre that is the closest to where the traffic originates. Therefore the precise location of Google advertising and analytics personal data may vary depending on where such traffic originates, and this data may be handled by servers located in the EEA and UK or transferred to third countries. Our customers’ properties where Google advertising and analytics products are implemented are generally available globally and often attract a global audience. The technical infrastructure that supports these products is deployed globally to reduce latency and ensure redundancy of systems. Information about the locations of Google data centres is available here

Does Google offer the option to store UPD locally?

UPD collected via tag (Google tag, GTM & server-side GTM) is collected on EU servers for EU users located in the EU. Processing and matching of hashed PII and encrypted PII data may occur on US servers, or data may be routed globally depending on load balancing requirements. Google Analytics operates data centers globally, including in the United States, to maximize service speed and reliability.

On 10th July 2023, the European Commission announced the adoption of the EU-U.S. Data Privacy Framework (DPF), after the Member States voted in favour of the adequacy decision on the 7th July. We welcome the framework to safeguard trans-Atlantic data flows and commend the work done by the European Commission and U.S. government to protect people’s data on both sides of the Atlantic. This framework has brought certainty around the legality of trans-Atlantic data flows; in particular, for our Google Analytics customers, who have been able to transfer data to the US with the knowledge that it is being adequately protected.

Data Retention and Advertiser controls

How long is UPD retained on the Google Analytics side after matching?

UPD is governed by the User scope Data Retention settings in Google Analytics where data can be retained for 2 months or 14 months depending on the option chosen by the customer.

How long is UPD retained on the Google Ads side after matching?

Enhanced Conversions: Google's data retention period for hashed PII provided by customers for Enhanced Conversions for Web in Google Ads & Search Ads 360 is 20 days. Customers can request to expedite deletion by reaching out to their Google sales representative.

Customer Match: Google won’t retain customer data files for any longer than necessary to create Customer Match audiences. Once those processes are complete, we'll promptly delete the data files uploaded via the Google Ads interface or the API. After the matching process and policy compliance checks are complete, which can take up to 48 hours, the data file is marked for deletion. In almost all cases, the deletion is completed within 48 hours.

Which controls does Google provide to customers to delete UPD?

We do not currently offer a standalone option to delete only UPD. However, using the Google Analytics User Deletion functionality will remove the specified Client ID or User ID along with all its associated UPD.

What happens to unmatched PII data?

Both matched and unmatched hashed PII data are stored in accordance with your User Retention settings in GA.

Can Data Retention in Google Analytics be shortened below 2 months?

UPD is governed by the User scope Data Retention Settings in Google Analytics where data can be retained for 2 months or 14 months depending on the option chosen by the customer. This can’t be reduced any further currently.

Miscellaneous

Is UPD a replacement for third-party cookies & does implementing UPD mean Google will be processing PII?

UPD is a first-party data solution designed to supplement, rather than replace, third-party cookies. As the digital landscape evolves, UPD becomes increasingly vital for maintaining measurement resilience and accuracy. By providing high-fidelity first-party signals, customers can build the Data Strength necessary to ensure maximum measurement coverage in a world of degrading third party signals.

First-Party vs. Third-Party: In contrast to third-party cookies, UPD consists of first-party data, such as email addresses or phone numbers, collected directly from your users with their explicit consent. This means you have a direct relationship and transparency with the user regarding this data.

Additive, not replacement: UPD works alongside other signals. It enriches your understanding and helps fill the gaps left by signal loss from cookie restrictions or other factors. It makes your overall data strategy more resilient. For instance, Demographics & Interest reports and Audiences in GA will now be powered by 3P cookies or UPD, whichever is available.

Powering AI: Crucially, this consented first-party data is high-quality fuel for Google AI. It enhances capabilities like Enhanced Conversions, improving measurement accuracy, and powers more effective Customer Match audiences, even when other signals are unavailable.

Is UPD accessible to all industries?

While UPD is available to most businesses, specific restrictions apply based on the Industry Category selected in Google Analytics property settings.

  • Healthcare: This feature is strictly unavailable. If a property's industry category is set to "Healthcare," User-provided data benefits can’t be accessed.
  • Finance: User-provided data usage is permitted but requires a formal attestation. If the industry category is set to "Finance," a prompt will automatically appear in the UI. Users must confirm they will use the data in compliance with Google’s Terms and Conditions before collection can be enabled.

Glossary

Consented first-party data

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Read more.

Controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Read more.

Conversions

An action that's counted when someone interacts with your ad or free product listing (for example, clicks a text ad or views a video ad) and then takes an action that you’ve defined as valuable to your business, such as an online purchase or a call to your business from a mobile phone. Read more

Conversion Modelling

Conversion modeling refers to the use of machine learning to quantify the impact of marketing efforts when a subset of conversions can’t be observed. With a modeling foundation in place, observable data can feed algorithms that also make use of historical trends to confidently validate and inform measurement. Read more

Cookie

A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. When you visit the site again, the cookie allows that site to recognize your browser. Cookies may store user preferences and other information. You can configure your browser to refuse all cookies or to indicate when a cookie is being sent. However, some website features or services may not function properly without cookies. Learn more about how Google uses cookies and how Google uses data, including cookies, when you use our partners' sites or apps. Read more.

Customer data

Customer data is the customer information that you’ve collected in the first-party context—for example, information you collected from your websites, apps, physical stores, or other situations where customers shared their information directly with you.

There are many types of customer data, some of the common data types are email addresses, first names, last names, phone numbers, and country of residence. Read more.

Encrypted

As the data you create moves between your device, Google services, and our data centers, it is protected by security technology like HTTPS and Transport Layer Security. We also encrypt email at rest and in transit by default, and encrypt identity cookies by default. Read more, more and more.

First-party (1P) customer data

Data collected by the organisation itself, as permitted by the user granting consent for the data to be gathered. First-party data could include CRM related information, behavioural data, subscription/registration data. Read more.

GDPR

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the 1995 EU Data Protection Directive. The GDPR lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe. It regulates how businesses can collect, use, and store personal data. Read more.

Google Signed-in users

Users logged in Google properties.

Hash algorithm SHA256

SHA-256 stands for Secure Hash Algorithm 256-bit and it’s used for cryptographic security. Cryptographic hash algorithms produce irreversible and unique hashes. The larger the number of possible hashes, the smaller the chance that two values will create the same hash. Read more.

Hashed

Hashed data maps the original string of characters to data of a fixed length. An algorithm generates the hashed data, which protects the security of the original text. Read more.

Hashing

Hashing means transforming a piece of information, for example an email address, into a long code of numbers that cannot be reverted. The hashing algorithm used in Google products is a patented method, used industry-wide, called SHA-256.

ISO 27001 Certified

ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Customer Match. Our compliance with the ISO standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF).

Certificates issued by Ernst & Young CertifyPoint are recognized as valid certificates in all countries with an IAF member. Certificate can be downloaded at Google's Business Safety Compliance page. Customers should feel assured that the data provided to Google during use of Google Analytics is secured using robust information security processes and controls.

List Size

List Size is an estimate of the number of users on a list that are reachable on a particular Google property via our advertising products.

Machine Learning

The process in which a computer distils regularities from training data. An algorithm “learns” to identify patterns, like occurrence of certain elements (e.g. words, images) or combinations of elements, that determine or inform operational decisions. Read more.

Match Rate

Match Rate is a calculation of the number of rows of uploaded data that we are able to match to a Google user.

Performance-Max

Performance Max is a new goal-based campaign type that allows performance advertisers to access all of their Google Ads inventory from a single campaign. It's designed to complement your keyword-based Search campaigns to help you find more converting customers across all of Google's channels–YouTube, Display, Search, Discover, Gmail, and Maps. Read more.

Personal Information

This is information that is provided to us which personally identifies the individual, such as name, email address, or billing information, or other data that can be reasonably linked to such information by Google, such as information we associate with the individual's Google Account. Read more. For Google’s position on what is considered Personal Data, see here.

Processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Read more.

Pseudonymous data

Pseudonymous data means data which has undergone a process of ‘Pseudonymisation’ as that term is defined in the GDPR: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

Purposes

The Transparency and Consent Framework (TCF) organizes data processing using “Purposes.” Each purpose has a corresponding legal basis of “Consent” or “Legitimate Interest.” Read more.

Similar Audiences

Similar audiences targeting allows you to show ads to people who share characteristics with people on your existing remarketing lists. Read more.

Smart Bidding

A subset of automated bid strategies that optimize for conversions or conversion value. Smart Bidding uses machine learning to optimize your bids to maximize conversions and conversion value across your campaign or bidding portfolio. Target CPA, Target ROAS, Maximize conversion and Maximize conversion value are all Smart Bidding strategies. Read more.