User ID encryption

Ensuring privacy for cookies and device IDs
As of July 1, 2020, user IDs won't be populated in Data Transfer or the %m macro for users in California. Learn more about changes to Data Transfer.

To ensure user privacy, all user IDs in Campaign Manager 360 are encrypted whenever they're made visible to you, the customer. These user IDs can include cookies as well as device IDs.

You will never be able to decrypt user IDs, and Google will not disclose the encryption method. No encryption keys will ever be provided to any Campaign Manager 360 customer or any third-party partner. The keys are used only as a means of providing encrypted IDs that can be shared by multiple Google or third-party accounts. 

User IDs in Campaign Manager 360

Campaign Manager 360 provides user IDs in two locations:

Regardless of the original format, the encrypted user ID values are alphanumeric, with a maximum of 50 characters.

By default, the %m match macro is encrypted at the Campaign Manager 360 advertiser level, meaning it may be different from your Data Transfer encryption.

If your primary encryption for Data Transfer files is not designated as the Campaign Manager 360 advertiser level, then the %m macro will not match. That means that in each case, the same user would be identified differently.

If you want these values to match in your Campaign Manager 360 account, contact your Google Marketing Platform representative.

User ID = 0

A user ID can = 0 for a variety of reasons, including but not limited to:  

  • User has blocked cookies or opted out. This includes all users of the Apple Safari browser, including iOS, who haven't changed the default settings to allow third-party cookies.
  • There is a check-permissions cookie/sentinel
  • There is a COPPA-flagged event

Share IDs

To make it easier to compare user interactions across accounts and platforms, you can share encrypted IDs across Campaign Manager 360 accounts and with Display & Video 360 and Ad Exchange, so that you'll see the same encrypted ID values for the same users across all your accounts and platforms.

Keep in mind that the values you see are never the actual user ID (cookie or mobile ID). Rather, they're encrypted values that use the same encryption across your multiple accounts and products.

You can also work with your Google Marketing Platform representative to set up shared encryption for third-party partners, which will enable those partners to match users across multiple Campaign Manager 360 accounts and other Google platforms. Again, partners will never see actual user IDs, only encrypted values.

Share IDs across Campaign Manager 360 accounts, with Display & Video 360, and with Ad Exchange

IDs are encrypted with a private, securely stored encryption key that's unique to your account. However, because your organization might work with multiple accounts, Campaign Manager 360 lets you share the same encryption key with all of your Campaign Manager 360 accounts, ensuring that your data matches across accounts.

Similarly, if you use Display & Video 360 or Ad Exchange, you can match IDs across products.

Share IDs with third-party partners

If you use an approved third-party service such as BlueKai or [x+1] for data processing, you can share your data with them. If this feature is enabled, we will provide partner-specific encryptions in your Data Transfer files in two additional columns that are added to the end of your Data Transfer files, called PartnerId1 and PartnerId2Third parties will never be able to decrypt user IDs to reveal their original, unencrypted format. 

The encrypted user IDs in these partner columns will match across all properties, including accounts that belong to other customers. In other words, the third party will see the same encrypted ID for the same user, whether that user has seen one of your Campaign Manager 360 ads, one of your Display & Video 360 ads, or an ad belonging to a different customer. These shared encrypted user IDs enable third parties to aggregate data more effectively. (You won't be able to download data for properties that you don't own.)

For example, your partner needs a unified view of users across your programmatic (Display & Video 360) and reservation (Campaign Manager 360) buys. You submit that partner as your first partner. In the PartnerId1 column, the encrypted user IDs will match across your different properties, and those are the values that your partner will receive. The encrypted user ID ALMkneg00m5gCSyo04jpQregmURw, which corresponds to a given cookie ID, always shows in the PartnerId1 column as BV2487nkq5590poMmUR6, whether the data is from your Campaign Manager 360 or your Display & Video 360 partner.

If another Google Marketing Platform customer has also set up user ID sharing with the same third-party partner, and the same user—represented by the same cookie ID—sees one of that customer's ads, that customer's Data Transfer files will represent the cookie with the same encrypted ID, BV2487nkq5590poMmUR6.

If you need to make a change to your two partners, simply contact us, and we'll update your partners.

Was this helpful?

How can we improve it?

Need more help?

Try these next steps:

Clear search
Close search
Google apps
Main menu