Integrating Google tag gateway for advertisers with a trusted execution environment (TEE) adds security for the user-provided data collected by advertisers’ first-party tags.
What is a TEE
A TEE is a secure environment on a device that can be used to execute code and store data securely. It is a special configuration of computer hardware and software that uses a hardware root-of-trust to provide confidentiality of data processing and prevent observation or tampering.
TEEs allow external parties to verify that the software does exactly what the software developer claims it does, nothing more or less. TEEs are infrastructure, like a virtualized server, that provide an isolated environment to process data like personal information.
How it works
User-provided data collected by the Google tag gateway for advertisers will be encrypted before it is sent to a TEE.
- For advertisers who upgraded their client-side tag to Google tag gateway for advertisers, the user-provided data will be encrypted before it leaves the browser.
- For advertisers who enabled Google tag gateway for advertisers through server-side Google Tag Manager, the user-provided data will be encrypted before it leaves the server container.
In both cases, the encrypted data will be sent to a TEE for processing.
Frequently asked questions
Who’s eligible to use a TEE?
Advertisers who are using Google tag gateway for advertisers are eligible to use a TEE. A TEE will be enabled automatically for advertisers who use Google Ads as a destination, and there’s no option to opt out. Learn how to Set up Google tag gateway for advertisers in the Google tag with Cloudflare.
Which platforms use a TEE?
Currently, only Google Ads uses a TEE to process customer data for conversion tracking. Floodlight and Google Analytics do not use a TEE.
Does a TEE process customer data from conversion-based customer lists?
Yes. Encryption of user data is enabled for advertisers who use Google tag gateway for advertisers and have implemented conversion-based customer lists.
When a conversion event occurs, the following happens:
- The tag will send the traditional enhanced conversion measurement pings.
- In parallel, the tag will asynchronously encrypt the user data and send an additional enhanced ping to populate Customer Match lists. This ping will be sent from the browser with a new URL parameter, &mt=2, and will be followed by redirects to doubleclick.net and google.com.
Advertisers can verify this change in their browser’s developer tools. Additionally, a “Confidential matching” badge will appear on the “Enhanced conversions” page of Google Ads to indicate that the feature is active.
Advertisers who use client-side tagging will not observe an increase in bills since the encryption is done in the browser, when the user sends data.
How does a TEE impact network requests?
The &em parameter will be changed to the &eme parameter, and additional network requests are sent because a TEE is enabled. Follow the instructions below to verify these parameters:
Using Tag Assistant
- Open Tag Assistant and enter your website URL to create the connection.
- Navigate through your website to trigger a conversion.
- In the “Summary” screen of Tag Assistant, go to the Hits Sent tab and select the conversion hit you want to inspect.
- Locate the eme parameter in the “Conversion” panel. This parameter replaces the em parameter, and its value should be an alphanumeric string.
Using Chrome Developer Tools
- In your Chrome browser, open the website URL that you want to validate.
- Once the website has loaded, right-click anywhere on the page and select Inspect to open Chrome Developer Tools.
- Navigate through the website to trigger a conversion.
- Go to the Network tab in the Chrome Developer Tools and add a filter for “googleadservices.com”.
- Click on the conversion request and go to Payload. The eme parameter should be present instead of the em parameter. The &eme parameter represents encryption happening within the browser before the data is sent for processing in a TEE.
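The manual check above can be repeated across a whole browsing session by exporting the Network tab as a HAR file and auditing it with a script. The following is an added example, not Google's code: it flags requests to googleadservices.com that still carry em instead of eme and notes which ones carry mt=2. The function names, the sample paths and values, and the host used for the mt=2 ping are assumptions made for illustration.

```javascript
// Constructed sample: a trimmed HAR export (DevTools Network tab, "Save all as HAR").
// Paths and parameter values are made up; the host of the mt=2 ping is an assumption.
const sampleHar = { log: { entries: [
  { request: { method: "GET",
      url: "https://www.googleadservices.com/conv/1/?label=a&eme=Zx9Qk27LmPq4" } },
  { request: { method: "GET",
      url: "https://www.googleadservices.com/conv/1/?label=a&em=constructedvalue" } },
  { request: { method: "POST",
      url: "https://www.googleadservices.com/conv/2/?mt=2",
      postData: { text: "eme=Qw8Rt5Yu1Io3" } } },
  { request: { method: "GET", url: "https://example.test/app.js" } },
] } };

// Match the host or a true subdomain, never a substring, so that
// "googleadservices.com.example.test" is not mistaken for the real endpoint.
function hostMatches(hostname, watched) {
  return watched.some((h) => hostname === h || hostname.endsWith("." + h));
}

// Classify every request to a watched host by which user-data parameter it carries.
function auditHar(har, watched = ["googleadservices.com"]) {
  const findings = [];
  for (const { request } of har.log.entries) {
    let url;
    try { url = new URL(request.url); } catch { continue; } // skip malformed URLs
    if (!hostMatches(url.hostname, watched)) continue;
    // Merge query-string and body parameters (body assumed form-encoded).
    const params = new URLSearchParams(url.search);
    const body = request.postData && request.postData.text;
    if (body) for (const [k, v] of new URLSearchParams(body)) params.append(k, v);
    const em = params.get("em");
    const eme = params.get("eme");
    let status = "no-user-data";
    if (em !== null) status = "legacy-em";        // old parameter still in use
    else if (eme) status = "encrypted-eme";       // expected once the TEE path is on
    else if (eme === "") status = "empty-eme";    // present but carries nothing
    findings.push({ endpoint: url.origin + url.pathname, status,
                    mt2: params.get("mt") === "2" });
  }
  return findings;
}

console.log(auditHar(sampleHar));
```

Any finding with status legacy-em means that request was sent with the older parameter and should be investigated against the tag configuration.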