Google has mistakenly sent email notifications about its end-user policy on personally identifiable information (PII) to Google AdSense publishers. Below is a sample email that I also received from email@example.com with the title Policy Breach Notice.
Publisher ID: xxx
Dear Publisher, We have now verified that we are no longer detecting PII being passed to Google from the account(s) under your control. Thank you for helping to resolve this matter.
The Google Policy Team
Google AdSense has already apologized for the matter. I quote the message below from the Google AdSense Forum post:
This weekend the Google Ads Policy system inadvertently sent publishers a message informing them that they had resolved a violation of the Identifying Users policy, or that Google had not seen PII sent from their account for a certain number of days.
The message was sent in error; we would like to convey our sincerest apologies for the alarm that this must have caused you and your colleagues.
You do not need to take specific action on this erroneous message; however, due to the dynamic nature of publisher monetization, we encourage you to periodically review our resources regarding PII.
As you know, our policies prohibit partners from sending us data that could be recognized or used by our systems as personally identifiable information. When we learn of violations, we notify the publisher and take swift action.
We know that you take user data and our program policies very seriously, and this message must have caught you off guard. For more information about the specific policies that govern passing PII to Google, and tips for continuing to keep your account compliant, please visit our help center.
The Google Policy Team
Why Google AdSense Publishers Should Not Disregard This Notice
Google takes the protection of end-user data seriously; if it did not, Google would face multiple charges, not only in the US but throughout the world, for failing to protect end users’ sensitive information. Just imagine: Google would be devastated. Even though that notice was simply an error, as a Google publisher it is also your responsibility to make sure your website is designed to protect your users’ sensitive information. Below is a video from Google’s DoubleClick Publisher Training channel about the best practices to prevent sending Personally Identifiable Information (PII) to Google.
For those who have difficulty playing the video, I have transcribed it to the text below:
At Google, we believe that user privacy is extremely important, and when it comes to Google’s ad products, like Ad Exchange, DoubleClick for Publishers, and AdSense, our policy states that publishers must not send any data to Google that Google could use or recognize as personally identifiable information, also referred to as PII. This would include, for example, sending a user’s email address as part of a URL.
Since we don’t want publishers to violate our policies, we’ll show you some checks you can make to ensure you’re not sending PII about your users to Google.
Here’s a list of scenarios to watch out for, to ensure that you don’t unwittingly send PII in your ad requests:
- Use the POST method of form implementation on a website instead of the GET method.
- Make sure your site’s URL schemes don’t contain PII.
- Make sure you’re not sharing links via email that contain PII.
- And finally, make sure you don’t use keywords that contain PII for targeting purposes.
Let’s dig a bit deeper into each of these scenarios so we can provide you guidance on how to avoid revealing PII in your ad requests.
Do you have a form on your site?
If the answer is yes, please ensure that you’re using the POST HTTP method. When creating a form, HTTP protocol allows forms to be submitted as POST or GET, POST being the preferred method.
If GET is used, the parameters of the form will end up as part of the URL in the address bar, and if the form is asking for personally identifiable information, then that PII might be included in the URL.
If there are Google ads on the post-submit page, the URL including the form’s parameters will be sent to Google as part of the ad request.
If you’re not sure which type of method you’re currently using on your site, try running this classification check.
Start by viewing the source of the form. The HTML for the FORM tag, which is visible through ‘view source’, will state method=’get’. If you don’t see any method defined in the source, the default method is ‘get’. In addition, when the form is submitted, the entered values will show in the post-submit page’s URL.
Here’s your solution:
Update the page source or the component generating the HTML to have method=’post’ in the form tag.
Our second scenario involves ensuring your URL schemes don’t contain personally identifiable information. Some sites, especially those with user profiles or user logins, use URL patterns that include PII as part of the design.
For instance, a site that requires a login might have a link to “My Settings” with a URL like http://firstname.lastname@example.org. If these result pages are monetized by showing Google ads, PII would end up being sent to Google via the ad request. To check and see if you’re revealing PII via URL schemes, we recommend that you navigate around your site and carefully inspect URLs for any PII. The most common links or pages with PII are profile pages, settings, account pages, notifications or alerts, messaging or mail, registration pages, and login pages.
In most cases, the PII in the URL can be replaced with a unique site-specific identifier or a UUID, which is a universally unique identifier. For instance, email@example.com could be changed to site.com/settings/43231, where 43231 is a number that uniquely identifies the account instead of using the user’s email address. Oh, and 43231 is just a random number that we chose for this example.
The third scenario deals with links in emails. Email is often used for verification as part of a site registration process. Some of these verification emails include PII in the registration confirmation link.
For example, Ads on the confirmation page would result in PII in the URL, which in turn ends up in the ad request. This is also found in newsletter signups and ‘forgot password?’ links. Please note that there may also be third-party newsletters linking to your site. This is typically the case if you as the publisher don’t recognize the parameters in the URL. To check and see if this is an issue on your site, sign up for an account and check if the URL in the confirmation email includes an email address, or any other PII.
If the confirmation email does include PII, the solution listed here is the same as recommended in the “URL schemes with PII” that we just talked about. The best practice would be to remove any personally identifiable information from the link, and use identifiers or tokens to associate the verification email with the user account.
The final scenario that we wanted to discuss was using keywords for targeting purposes. It’s a common practice to use custom key-value and keyword targeting to target specific placements on a page or, in some cases, specific users. Because the parameters of keywords and key-values, along with the values passed into the parameters, are entirely up to the publisher, every publisher must take care to avoid PII being passed into keywords or key-values. To check and see if this is an issue on your site, run a report in your ad server for the values of the custom targeting field.
Additionally, you can check the source code of your pages to see if you are collecting PII in the key-values in your tags. To remedy this situation, remove the targeting parameter from both the ad tags and the ad server, or change the targeting values so that PII is not passed into the ad call.
This brings us to the end of our tutorial on personally identifiable information. As previously stated, Google takes user privacy very seriously. If your account reveals PII to Google, account termination is possible. So we urge every publisher to be vigilant and ensure you are not passing PII in any ad requests.
For more information, please refer to Publisher University at g.co/PublisherU, or the Help Center. From all of us at Google, happy ad serving.
To learn more about how you can implement some of these ways on your website that let you abide by Google policy.
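The first two checks from the transcript (forms that submit with GET, and URLs that carry PII) can be automated. The script below is an added example, not code from Google or from the original post; the field-name hints, the email pattern, and the sample page and URLs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed heuristic: field names that usually collect PII (tune for your site).
PII_HINTS = ("email", "name", "phone", "address")

class FormAudit(HTMLParser):
    """Flag forms that submit via GET (explicitly or by default) with PII-like fields."""
    def __init__(self):
        super().__init__()
        self.findings, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing method attribute means the browser uses GET.
            method = (a.get("method") or "get").lower()
            self._form = {"action": a.get("action") or "", "method": method, "fields": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            name = (a.get("name") or "").lower()
            is_email = (a.get("type") or "").lower() == "email"
            if is_email or any(h in name for h in PII_HINTS):
                self._form["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["method"] == "get" and self._form["fields"]:
                self.findings.append(self._form)
            self._form = None

def audit_forms(html):
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

def url_pii(url):
    """Return (location, value) pairs for email addresses in the URL path or query."""
    parts = urlsplit(url)
    hits = [("path", m) for m in EMAIL_RE.findall(unquote(parts.path))]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        hits += [("query:" + key, m) for m in EMAIL_RE.findall(value)]
    return hits

# Constructed sample page and URLs (not taken from any real site).
SAMPLE_HTML = """<form action="/subscribe"><input type="email" name="addr"></form>
<form action="/signup" method="POST"><input name="email"></form>
<form action="/search" method="get"><input name="q"></form>"""
SAMPLE_URLS = ["https://site.example/settings/43231",
               "https://site.example/confirm?user=jane.doe%40mail.example"]
```

Run audit_forms over each page template and url_pii over the URLs your monetized pages and outgoing emails use; any non-empty result marks a form to switch to POST or a link whose PII should be replaced with an identifier or token.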