Removing PII from Google Adwords and Remarketing using Google Tag Manager

Sending PII (personally identifiable information) to Google Analytics, Adwords or Remarketing can get your Google account suspended. A common scenario is for an email address to be passed in the query string by a CRM or Email Service Provider. But what if you need that to happen for business reasons, so it’s not an option to suppress the inclusion of that data getting passed in to your website?

Ironically it’s Google’s own javascript code for Analytics, Adwords and Remarketing that sends this data over, without any easy way to have it suppress query string parameters or filter out certain key pairs. Even our Google Account Managers could offer no solution for how to get our Adwords and Remarketing tags to stop sending over PII to them.

Furthermore it can be hard to detect what you’re actually sending to Google using their own tools like the Google Tag Assistant, and the preview mode of Google Tag Manager.

When we first faced this challenge and the threat of suspension by Google we tried several things, like this approach from Simo Ahava to remove PII from Google Analytics. But Google kept telling us our Remarketing and Adwords were still receiving PII, which we eventually determined was because the raw URL was also being sent to those two regardless of what we tried to feed to them as “location” values and such through Google Tag Manager.

But finally our team member Jose Oronoz, with the help of Simo Ahava’s post on the Google Tag Manager History Listener, came up with a way to overwrite the URL stored in the browser history before any other calls are made, so there’s no chance of sending any PII to any external services. The approach uses a custom event trigger firing on the gtm.load event and then it searches for and replaces any PII and overwrites the value the browser stores using the history.replaceState method of the HTML DOM.

After implementing this solution our clients were cleared by Google.

Here’s a step by step explanation of how to implement this using Google Tag Manager.

Create a Custom Event Trigger

Create a new trigger of type “Custom Event”:

Create a custom event trigger - Step 1

Then in the Trigger configuration set the “Event Name” to “gtm.load” which will result in this trigger firing every time Google Tag Manager is fired:

Create a custom event trigger - Step 2

Create a New Custom HTML Tag:

Now we’ll create a new Tag of type “Custom HTML” and connect our trigger to it:

Create New Custom HTML Tag - Step 1

After creating the tag, enter the following javascript in the “HTML” section:


It will look like this:

Create New Custom HTML Tag - Step 2

We set our “Tag Firing Priority” to 100 to make sure it got priority to fire before any other tag:

Create New Custom HTML Tag - Step 3

Then in the “Triggering” section choose the Trigger you created in the previous step:

Create New Custom HTML Tag - Step 4

Verify PII is Being Removed

The final step is to test the removal of PII using the Google Tag Assistant - in our case we were removing the key “email” so we append a simple “email=test@test.com” to the URL of one of our websites running Google Tag Manager to see what the Google Tag Assistant will pick up:

Verify PII is Being Removed - Step 1

Submitting that request to the website, and with Google Tag Manager in “Preview” mode, we see that our script is triggered in the windows load event, removing the email before any other tags fire:

Verify PII is Being Removed - Step 2

Once you confirm that the script is being executed in the windows load event, you can review the values being sent to Google Analytics and Remarketing, using the Google Tag Asistant extension:

Verify PII is Being Removed - Step 3

To check the URL being sent to Google Remarketing, click on “Remarketing Tag”, and then click “Requests”:

Verify PII is Being Removed - Step 4

Then click on the URL and confirm that the PII you entered on the URL in the browser has been removed:

Verify PII is Being Removed - Step 5

Wait For Your Policy Breach Resolved Email

Then hopefully a few days later you will receive a Policy Breach Resolved notice from Google, and you can breathe easier:

Wait For Your Policy Breach Resolved Email

Conclusion

Some businesses have good reasons for passing personally identifiable information between various systems, and there are reasons that data can’t be passed via POST or easily encoded at origin. If you find yourself in this situation with Google please add your voice to ours in asking them to think about why they would suspend paying merchants for data that Google’s own scripts are sending. Instead of hacking the DOM history to get this done, Google’s scripts should be updated to only pass data that can be controlled within Google Tag Manager or by configuration changes to the tags themselves.

Please drop us a line if this helped you!

Leave a Reply

Your email address will not be published. Required fields are marked *