SUMMARY
- Advertisers and marketers need to adapt to new methods and technologies for tracking and targeting users across different websites and devices that help build trust with users.
- Google and Meta have introduced Enhanced Conversions and Advanced Matching, respectively, to improve ad targeting and conversion tracking using hashed first-party data.
- The two technologies raise serious privacy concerns connected with the potential for reidentifying users, lack of proper user consent and Google’s and Meta’s ability to reuse the data for their purposes.
- Companies should consider other options that don’t breach user privacy, such as contextual targeting for ads or privacy-compliant analytics with vendors like Piwik PRO.
Privacy regulations such as GDPR and CCPA have significantly changed how companies can track and measure user interactions online. Additionally, the rise of adblockers and browser tracking restrictions limit the use of third-party cookies on the web.
Users are blocking and deleting cookies due to a lack of trust in the AdTech industry and what happens with their data. To build trust, companies must adjust their data collection processes to be transparent and respect users’ consent choices. Advertisers and marketers need to adapt to new methods and technologies for tracking and targeting users across different websites and devices that help build trust with users.
To mitigate the impact of these privacy-facing developments, tech giants have created their own solutions – Google has introduced Enhanced Conversions, while Meta has launched Advanced Matching. They aim to enhance conversion tracking by leveraging first-party data, earning them the nickname “cookies on steroids“. However, recent guidance from the Federal Trade Commission (FTC) suggests that these solutions are not as privacy-compliant as they claim. Using them comes with significant privacy risks: once the data is captured, it is out of the user’s control, giving Google and Meta unlimited possibilities to use it to their benefit.
Today, we will explore Google’s and Meta’s initiatives more closely, looking into how they work and how privacy-compliant they actually are. We will also discuss other solutions that companies can utilize to combine privacy compliance with effective leveraging of data.
Before we dive in further, let’s explain some security concepts that will be relevant throughout this article:
- Hashing involves changing data into a random string that can’t be turned back into its original form without employing extensive resources.
- Salting refers to adding a random string of characters to a piece of data prior to hashing to add an extra layer of protection and guarantee a unique output.
- Time-to-live (TTL) counts the time until data becomes useless and needs to be refreshed or replaced.
What are Google’s Enhanced Conversions?
Google’s Enhanced Conversions are designed to improve the accuracy of conversion measurement by using hashed data from your website. Enhanced Conversions are part of the Google Privacy Sandbox initiative, which is Google’s attempt at developing measures to support advertising without relying on third-party cookies.
As part of Enhanced Conversions, Google captures the data that prospects input on your website when filling out a form or completing a purchase. Examples of this data include visitors’ names, phone numbers, and email addresses. The data is kept pseudo-anonymized with a hashing algorithm known as SHA-256. Through hashing, identifying information is transformed into a character string.
Once the hashed data is sent to Google, it is matched with signed-in Google accounts to attribute campaign conversions to ad events such as clicks or views. The platform can then attribute conversions across devices and platforms so advertisers can build retargeting audiences.
Note that the hashed first-party data referred to here doesn’t fit the standard definition of first-party data – instead, it is a concept created by Google. Google collects the hashed first-party data via gtag and doesn’t give advertisers direct access to it.
What is Meta’s Advanced Matching?
Like Google’s solution, Meta’s Advanced Matching leverages data from your site or app to enhance conversion tracking.
This feature is part of the Conversions API (CAPI), which is Meta’s response to privacy updates like Apple’s iOS 14 changes and the introduction of the App Tracking Transparency (ATT) prompt. The Conversions API allows advertisers to send data directly from their servers to Meta, bypassing the browser’s privacy features.
Advanced Matching enables a website that uses the Meta Pixel to automatically collect visitors’ data and match them with users on their platforms. If you use a form on your website, the technology gathers form data like email addresses and phone numbers, hashes it, and then transfers it to Facebook or Instagram.
Benefits of Enhanced Conversions and Advanced Matching
The two technologies come with several advantages for businesses:
Improved conversion tracking accuracy
By using first-party data, these technologies offer a more precise way to attribute conversions, even across different devices and platforms. This leads to better-informed marketing decisions and optimized ad spend.
Enhanced ROI
With more accurate conversion tracking, businesses can better measure the return on their advertising investments. This allows for more effective budget allocation and improved campaign performance.
Data security
Both Google and Facebook emphasize the privacy-safe nature of their solutions. Enhanced Conversions and Advanced Matching use secure hashing techniques like SHA-256 to anonymize personal data before transmission, safeguarding the data while enabling detailed conversion tracking.
Privacy concerns
Despite Google’s and Meta’s claims that their solutions are privacy-compliant, there have been serious concerns about the ethical implications of scraping and utilizing personal data for conversion tracking.
Many argue that while this approach can enhance ad targeting and conversion tracking, it may compromise user privacy. The balance between effective marketing and respecting user privacy is a critical issue that needs to be addressed to maintain user trust and comply with privacy regulations.
Here are some additional criticisms concerning privacy:
Potential for reidentification
The Federal Trade Commission (FTC) has highlighted that hashing does not fully protect user anonymity and can still allow user identification. Hashing transforms data into a unique string of characters, which can still be reversed or matched with sufficient computational effort and supplemental data. Thus, hashing does not fully anonymize the data, and businesses must remain vigilant in their privacy practices. This undermines the privacy safeguards that hashing is supposed to provide and raises concerns about how securely user data is being handled and stored by Google and Meta.
GDPR compliance
There are also concerns about GDPR compliance when using Google’s Enhanced Conversions and Meta’s Advanced Matching. GDPR mandates that personal data be processed lawfully, fairly, and transparently. Businesses must ensure data minimization – collecting only what is necessary for the intended purpose – and that they only use the data for the specific purposes for which consent was given.
Privacy experts argue that Google’s and Meta’s practice of scraping form data and using it for ad conversion tracking may not fully align with these principles, particularly if users are not adequately informed or do not have a straightforward way to opt out of tracking.
On top of that, even though the data is hashed, it does not eliminate the privacy risks associated with collecting and processing personal data without explicit user consent. Under GDPR, businesses must obtain clear and explicit consent from users before collecting their data and be transparent about how this data will be used. Consequently, companies that are subject to the relevant privacy regulations and want to adopt these technologies must ensure they obtain the necessary user consent.
Implementation challenges
Next to privacy concerns, Google’s and Meta’s technologies may come with implementation challenges. More advanced configurations require technical knowledge. Additional expertise might also be required to configure tags and manage data privacy settings. In practice, this rarely happens as decisions are left to those with technical knowledge of how both platforms work rather than privacy teams that should oversee the setup process.
Adding a salt to the wound
A salt is a random value added to the data before hashing, meaning that even identical inputs produce different hashes. Adding a salt to the hash could enhance privacy by making it significantly more challenging to reidentify users. This approach mitigates the risk of attackers using precomputed tables to reverse-engineer the original data, thereby providing stronger protection against reidentification.
However, this added privacy measure would lead to lost revenue for companies like Google and Meta. The reason is that salting would disrupt their ability to effectively match hashed data across different sessions and devices. Without consistent hashes, it’s impossible to track user behavior accurately and attribute conversions, which is critical for optimizing ad targeting and measuring campaign performance. Consequently, the precision of ad targeting would decrease, leading to less effective advertising strategies and reduced ad revenue for these platforms.
How hashing works in Piwik PRO
Google and Facebook operate an ad business, while Piwik PRO provides analytics. Hence we can’t directly compare their features. However, we’re still able to contrast their approaches to privacy.
Unlike Google and Facebook, which store hashed emails or phone numbers, Piwik PRO temporarily only links events with one visitor session.
Google and Facebook use hashed data to track and reidentify users across different platforms, such as websites and mobile apps. Meanwhile, at Piwik PRO, temporary linking is utilized for pre-consent data tracking to ensure user data cannot be reidentified across sessions.
Here’s how hashing works in Piwik PRO:
- Data protection: When users visit a site, their personal data is hashed and salted using secure techniques.
- Active session detection: Piwik PRO maintains a session hash, which is a mechanism linking the visitor and session in memory for up to 30 minutes from the last update.
- No reidentification: Unlike Google and Facebook, Piwik PRO drops the link between the visitor and their session (usually after around 30 minutes, which is the session hash’s time-to-live (TTL)). This means that once the data has been processed – for example, a visitor’s session has ended – for its intended purpose – such as anonymized analytics – the session hash is discarded, making reidentification of the user impossible.
- User consent: Before any data that could identify a user across sessions is collected or processed, explicit consent is obtained from the user. This aligns with GDPR and other privacy regulations prioritizing user control over personal data.
This methodology ensures that Piwik PRO’s use of hashing adheres to privacy best practices, offering a robust solution for businesses that need to track user interactions without compromising privacy.
Experts opinion
Brian Clifton
Digital analytics and privacy expert
A business thrives by encouraging people to buy, subscribe, and make contact. A big part of that process is giving people plenty of reasons to trust you. A remarketing approach based on a surveillance economy breaks that trust. Contextual remarketing is an alternative – it has been around for decades and works without profiling your customers. Whether you use remarketing or not, I would posit that the gains of building long-term trust with your customers and prospects, will far outway the short-term benefits of remarketing by stealth.
The bottom line
Google and Meta are pushing advertisers to adopt their technologies – without that, they will lose huge amounts of data that they currently use for their own purposes to target individuals for ads.
Let’s not forget that having explicit and informed user consent makes it possible to track users through access to their hashed first-party data and send it to Google or Meta. However, each business should individually assess its compliance and whether they have valid consent for such data processing purposes.
Substituting third-party cookies with hashed first-party data, as applied by Google and Meta, carries privacy concerns. Businesses should be aware of the negative privacy implications of Google’s and Meta’s technologies and consider more privacy-friendly options rather than risk loss of customer trust.
Without hashed first-party data, it will be harder for companies to perform personalized advertising due to the limited ability to stitch user sessions together, resulting in less personalized ads, though contextual advertising alternatives do exist (ironically, Google was an early leader in the field of contextual advertising until it changed its approach).
However, businesses can still collect vital data with platforms like Piwik PRO Analytics Suite. They can successfully use it to optimize their website or app, improve user experience, and inform marketing campaigns or content initiatives. They’re also still able to run ad campaigns through Google or Facebook or turn to other forms of advertising, such as contextual targeting.
Learn more about using Piwik PRO with Google Ads:
Learn more about how you can effectively collect and analyze user data while maintaining privacy compliance with Piwik PRO: