Google Data processing & protection guide for Google Tag

Why should my organisation prioritise future proofing measurement now?

Advertisers already face tracking gaps from existing restrictions on third-party cookies such as Safari ITP and Firefox ETP. Regardless of when additional privacy changes land, privacy-centric measurement solutions can already deliver performance gains. Prioritizing future proofing your measurement now can help you feel prepared for future privacy changes. It is necessary to safeguard against future disruption and ensure comprehensive conversion reporting now and in the future.

What is the main benefit of adopting this product?

Google customers use tags on web pages to enable Google advertising products and services. Instead of managing multiple tags for different Google product accounts, advertisers can use the Google tag across an entire website and connect the tag to multiple destinations. The Google tag lets you send data from your website to get linked Google product destinations to measure website activity and/or the effectiveness of ads. As website technologies such as cookies continue to evolve due to privacy, browser, and regulation changes, having high-quality, site-wide tagging across your website is important to help ensure you’re getting the most accurate measurement.

What is the use case for the Google Tag?

Google tags set and read cookies to identify unique users across browsing sessions. Cookies are small files saved on peoples' computers to help store preferences and other information that's used on web pages that they visit.

Remarketing and Google Analytics both use cookies to help do things like run your ads or measure your success. The conversion measurement features of Google Ads and Campaign Manager also use cookies. To help you measure sales and other conversions from your ad, a cookie is added to a person's computer when the person clicks an ad.

Resources:

• Cookies and user identification
• Our advertising and measurement cookies

Which data is collected / used for this first-party data product to function?

Google Tag Manager

Advertisers can control what data Google tags collect from their website but Google tags do not inherently collect any data other than the minimum needed to ensure the serviceability of the associated Google products. In order to monitor and provide diagnostics about system stability, performance, and installation quality, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data (as noted above), Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited. Learn more about our use of Google Tag Manager data in our terms of service.

gtag.js

Advertisers have control over what data Google tags collect from their website but Google tags do not inherently collect any data other than the minimum needed to ensure the serviceability of the associated Google products. In order to monitor and provide diagnostics about system stability, performance, and installation quality, the Google tag may collect some aggregated data. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data noted above, the Google tag does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited.

Resources:

• Data privacy and security

How does Google handle my data?

Google has strict security standards. Google tag only collects data on sites and apps where you have configured tracking. The data collected by the Google tag and required for measurement is dependent on the advertisers configurations in the destination product(s) and advertiser-specific use cases. The data collected by a tag can evolve over time based on advertiser-specific implementations as well as ongoing product updates.

Advertisers can use in-product settings and advanced solutions such as Server Side Tagging for additional control over how this data is utilized for measurement purposes.

Resources:

• How Google uses conversion and other event data
• Data privacy and security

Can Google process my first party data to serve its own purposes?

Google uses aggregated event data for the overall benefit of advertisers. For example, features such as automated bidding and smart pricing rely on aggregate advertiser event data to improve their overall quality and accuracy.

Resources:

• How Google uses conversion and other event data

Can you tell me where my data is stored?

Google operates a geographically distributed set of data centers that is designed to maintain service continuity in the event of a disaster or other incident in a single region. High-speed connections between the data centers help ensure swift failover. Management of the data centers is also distributed to provide location-independent, around-the-clock coverage, and system administration.

Resources:

• Data and Security

Does Google offer the option to store data locally?

Google does not localise data received from advertisers and is not stored only in a specific country or region. We own and operate data centers around the world to keep our products running 24 hours a day, 7 days a week. We distribute data across multiple data centres, so that in the event of a fire or disaster, it can be automatically shifted to stable and protected locations.

Resources:

• Data and Security

How does Google ensure my data is secure?

In web-based computing, security of both data and applications is critical. This is why Google dedicates significant resources towards securing applications and data handling to prevent unauthorized access to data.

• Google has earned ISO 27001 certification for the systems, applications, people, technology, processes, and data centers serving a number of Google products.
• Data is stored in an encoded format optimized for performance, rather than stored in a traditional file system or database manner.
• Data is dispersed across a number of physical and logical volumes for redundancy and expedient access, thereby obfuscating it from tampering.
• Google applications run in a multi-tenant, distributed environment. Rather than segregating each customer's data onto a single machine or set of machines, data from all Google users (consumers, business, and even Google's own data) is distributed among a shared infrastructure composed of Google's many homogeneous machines and located in Google's data centers.

Resources:

• Data privacy and security
• Google's Business Safety Compliance

Which controls does Google provide to customers?

Websites and apps use Google measurement services to gather and store information about user behavior. Google takes seriously the responsibility to protect the data and the privacy of our customers and their users. As a developer, you can manage privacy and user consent using the following:

• Consent mode: Adjusts cookie storage behavior based on user consent choices. Consent mode overview
• Transparency and Consent Framework (TCF): We recommend the use of consent mode, but Google-maintained tags also support the IAB Europe Transparency and Consent Framework (TCF).
• Privacy parameters: Control how data is used, such as for remarketing purposes.
• Disable advertising and personalization features: Overrides Analytics property and Google Marketing platform settings. Manage privacy settings

Resources:

• Manage privacy settings

How long does Google store our data, and how can I request deletion?

Google Tag Manager

In order to monitor and provide diagnostics about system stability, performance, and installation quality, Google Tag Manager may collect some aggregated data about tag firing. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data noted above, Google Tag Manager does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited. Learn more about our use of Google Tag Manager data in our terms of service.

Advertisers should consult destination products (e.g. Google Ads) to understand product-specific data deletion processes.

gtag.js

In order to monitor and provide diagnostics about system stability, performance, and installation quality, the Google tag may collect some aggregated data. This data does not include user IP addresses or any measurement identifiers associated with a particular individual. Other than data in standard HTTP request logs, all of which is deleted within 14 days of being received, and diagnostics data noted above, the Google does not collect, retain, or share any information about visitors to our customers’ properties, including page URLs visited.

Advertisers should consult destination products (e.g. Google Ads) to understand product-specific data deletion processes.

Resources:

• Data retention

Consented first-party data

‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Read more.

Controller

‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Read more.

• Google Ads Controller-Controller Data Protection Terms
• Google Measurement Controller-Controller Data Protection Terms

Conversions

An action that's counted when someone interacts with your ad or free product listing (for example, clicks a text ad or views a video ad) and then takes an action that you’ve defined as valuable to your business, such as an online purchase or a call to your business from a mobile phone. Read more.

Conversion Modelling

Conversion modeling refers to the use of machine learning to quantify the impact of marketing efforts when a subset of conversions can’t be observed. With a modeling foundation in place, observable data can feed algorithms that also make use of historical trends to confidently validate and inform measurement. Read more.

Cookie

A cookie is a small file containing a string of characters that is sent to your computer when you visit a website. When you visit the site again, the cookie allows that site to recognize your browser. Cookies may store user preferences and other information. You can configure your browser to refuse all cookies or to indicate when a cookie is being sent. However, some website features or services may not function properly without cookies. Learn more about how Google uses cookies and how Google uses data, including cookies, when you use our partners' sites or apps. Read more.

• Our advertising and measurement cookies

Customer data

Customer data is the customer information that you’ve collected in the first-party context—for example, information you collected from your websites, apps, physical stores, or other situations where customers shared their information directly with you.

There are many types of customer data, some of the common data types are email addresses, first names, last names, phone numbers, and country of residence. Read more.

Encrypted

As the data you create moves between your device, Google services, and our data centers, it is protected by security technology like HTTPS and Transport Layer Security. We also encrypt email at rest and in transit by default, and encrypt identity cookies by default. Read more, more and more.

First-party (1P) customer data

Data collected by the organisation itself, as permitted by the user granting consent for the data to be gathered. First-party data could include CRM related information, behavioural data, subscription/registration data. Read more.

GDPR

The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the 1995 EU Data Protection Directive. The GDPR lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe. It regulates how businesses can collect, use, and store personal data. Read more.

Google Signed-in users

Users logged in Google properties.

Hash algorithm SHA256

HA-256 stands for Secure Hash Algorithm 256-bit and it’s used for cryptographic security. Cryptographic hash algorithms produce irreversible and unique hashes. The larger the number of possible hashes, the smaller the chance that two values will create the same hash. Read more.

Hashed

Hashed data maps the original string of characters to data of a fixed length. An algorithm generates the hashed data, which protects the security of the original text. Read more.

Hashing

Hashing means you are transforming a piece of information, for example an email address, into a long code of numbers that cannot be reverted back. The hashing algorithm used in Google Products is an industry wide used and patented method called SHA-256.

ISO 27001 Certified

ISO 27001 is one of the most widely recognized, internationally accepted independent security standards. Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving Customer Match. Our compliance with the ISO standard was certified by Ernst & Young CertifyPoint, an ISO certification body accredited by the Dutch Accreditation Council, a member of the International Accreditation Forum (IAF). Certificates issued by Ernst & Young CertifyPoint are recognized as valid certificates in all countries with an IAF member. Certificate can be downloaded at Google's Business Safety Compliance page. Customers should feel assured that the data provided to Google during use of Customer Match is secured using robust information security processes and controls.

List Size

List Size is an estimate of the number of users on a list that are reachable on a particular Google property via our advertising products.

Machine Learning

The process in which a computer distils regularities from training data. An algorithm “learns” to identify patterns, like occurrence of certain elements (e.g. words, images) or combinations of elements, that determine or inform operational decisions. Read more.

Match Rate

Match Rate is a calculation of the number of rows of uploaded data for which we are able to match to a Google user.

Performance-Max

Performance Max is a new goal-based campaign type that allows performance advertisers to access all of their Google Ads inventory from a single campaign. It's designed to complement your keyword-based Search campaigns to help you find more converting customers across all of Google's channels–YouTube, Display, Search, Discover, Gmail, and Maps. Read more.

Personally Identifiable Information

This is information that is provided to us which personally identifies the individual, such as name, email address, or billing information, or other data that can be reasonably linked to such information by Google, such as information we associate with the individual's Google Account. Read more. Google’s position on what is considered Personal Data see here.

Processor

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Read more.

• Google Ads Data Processing Terms

Pseudonymous data

Pseudonymous data means data which has undergone a process of ’Pseudonymisation’ as that term is defined in the GDPR: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Purposes

The Transparency and Consent Framework (TCF) organizes data processing using “Purposes.” Each purpose has a corresponding legal basis of “Consent” or “Legitimate Interest.” Read more.

Similar Audiences

Similar audiences targeting allows you to show ads to people who share characteristics with people on your existing remarketing lists. Read more.

Smart Bidding

A subset of automated bid strategies that optimize for conversions or conversion value. Smart Bidding uses machine learning to optimize your bids to maximize conversions and conversion value across your campaign or bidding portfolio. Target CPA, Target ROAS, Maximize conversion and Maximize conversion value are all Smart Bidding strategies. Read more.