User ID encryption

Ensuring privacy for cookies and mobile user IDs
As of May 25, user IDs won't be populated in Data Transfer or the %m macro for users in the European Economic Area. Learn more

To ensure user privacy, all user IDs in Campaign Manager are encrypted whenever they're made visible to you, the customer. These user IDs can include cookies as well as mobile IDs in the IDFA, Android ID, and AdID formats.

You will never be able to decrypt user IDs, and Google will not disclose the encryption method. No encryption keys will ever be provided to any Campaign Manager customer or any third-party partner. The keys are used only as a means of providing encrypted IDs that can be shared by multiple Google or third-party accounts. 

User IDs in Campaign Manager

Campaign Manager provides user IDs in two locations:

Regardless of the original format, the encrypted user ID values are alphanumeric, with a maximum of 50 characters.

By default, the %m match macro is encrypted at the Campaign Manager advertiser level, meaning it may be different from your Data Transfer encryption.

If your primary encryption for Data Transfer files is not designated as the Campaign Manager advertiser level, then the %m macro will not match. That means that the same user would be identified differently in each case.

If you want these values to match in your Campaign Manager account, you can make a request to your Google Marketing Platform representative.

User ID = 0

A user ID can = 0 for a variety of reasons, including but not limited to:  

  • User has blocked cookies or opted out. This includes all users of the Apple Safari browser, including iOS, who haven't changed the default settings to allow third-party cookies.
  • There is a check-permissions cookie/sentinel
  • There is a COPPA-flagged event

Share IDs

To make it easier to compare user interactions across accounts and platforms, you can share encrypted IDs across Campaign Manager accounts and with Display & Video 360 and Ad Exchange, so that you'll see the same encrypted ID values for the same users across all your accounts and platforms.

Keep in mind that the values you see are never the actual user ID (cookie or mobile ID). Rather, they're encrypted values that use the same encryption across your multiple accounts and products.

You can also work with your Google Marketing Platform representative to set up shared encryption for third-party partners, which will enable those partners to match users across multiple Campaign Manager accounts and other Google platforms. Again, partners will never see actual user IDs, only encrypted values.

Share IDs across Campaign Manager accounts, with Display & Video 360, and with Ad Exchange

IDs are encrypted with a private, securely stored encryption key that's unique to your account. However, because your organization might work with multiple accounts, Campaign Manager lets you share the same encryption key with all of your Campaign Manager accounts, ensuring that your data matches across accounts.

Similarly, if you use Display & Video 360 or Ad Exchange, you can match IDs across products.

Share IDs with third-party partners

If you use an approved third-party service such as BlueKai or [x+1] for data processing, you can share your data with them. If this feature is enabled, we will provide partner-specific encryptions in your Data Transfer files in two additional columns that are added to the end of your Data Transfer files, called PartnerId1 and PartnerId2Third parties will never be able to decrypt user IDs to reveal their original, unencrypted format. 

The encrypted user IDs in these partner columns will match across all properties, including accounts that belong to other customers. In other words, the third party will see the same encrypted ID for the same user, whether that user has seen one of your Campaign Manager ads, one of your Display & Video 360 ads, or an ad belonging to a different customer. These shared encrypted user IDs enable third parties to aggregate data more effectively. (You won't be able to download data for properties that you don't own.)

For example, your partner needs a unified view of users across your programmatic (Display & Video 360) and reservation (Campaign Manager) buys. You submit that partner as your first partner. In the PartnerId1 column, the encrypted user IDs will match across your different properties, and those are the values that your partner will receive. The encrypted user ID ALMkneg00m5gCSyo04jpQregmURw, which corresponds to a given cookie ID, always shows in the PartnerId1 column as BV2487nkq5590poMmUR6, whether the data is from your Campaign Manager or your Display & Video 360 partner.

If another Google Marketing Platform customer has also set up user ID sharing with the same third-party partner, and the same user—represented by the same cookie ID—sees one of that customer's ads, that customer's Data Transfer files will represent the cookie with the same encrypted ID, BV2487nkq5590poMmUR6.

If you need to make a change to your two partners, simply contact us, and we'll update your partners.

Was this helpful?
How can we improve it?