Understanding Google Confidential Matching for advertisers

Published 1/17/2025 by Peter Oladimeji

6 min read
Summary

After shelving its initial plans to phase out third-party cookies, Google has announced a new feature in Google Ads Data Manager called Confidential Matching.

The technology allows advertisers to use first-party data for audience targeting and campaign measurement without sacrificing data privacy within the Google Marketing Platform (“GMP”). The development is especially relevant for advertisers, who now seek solutions that respect user privacy while still delivering effective ad campaigns.

This article will explain the new feature and how its underlying technology works. It’ll also discuss what this means for advertisers, especially within the wider context of the evolving patchwork of privacy regulations that push for more responsibility on the part of data handlers. 

Customer matching: an overview

In modern advertising, a common strategy is identifying specific user segments likely to realize a conversion goal or exhibit a certain customer behavior. Advertisers need to know, for instance, whether a customer is likely to buy a new product/service, churn, or convert based on a set goal. 

The need for this insight points advertisers to the value that lies in their own datasets, specifically their customer lists. These lists, built over time, often include personal data that carries valuable insight about prospects and drives more personalized, profitable ad campaigns.

To extract this insight, advertisers use the Customer Match tool. The advertiser uploads its customer list through the API, as a CSV file, or via the Google Ads Data Manager feature. Google then “matches” this data against its own database to create a “Customer Match Audience” list of overlapping users. This list identifies the subset of customers whose profiles fit the new conversion goal.

The new audience is then targeted with campaigns and closely tailored messaging. Users on this audience list who have previously signed in to Google services like Gmail or YouTube, and who have consented to the use of their data, may see these personalized ads. This lets advertisers re-engage existing customers and reach new prospects with similar traits using relevant ads.

What is confidential matching?

Think of Confidential Matching as Customer Match built on a framework that prioritizes user privacy. Confidential Matching requires the processing of customer data (namely, the matching step itself) to take place in a secluded digital environment designed to ensure privacy.

This digital enclave is called the Trusted Execution Environment (TEE). This configuration is enabled by default and is free for advertisers. It ensures only the necessary data is used, creating a matched audience list for targeted advertising without exposing sensitive user data.

What is the difference between customer matching and confidential matching? 

While Customer Matching and Confidential Matching share a certain degree of similarity (for example, the data matching process is basically the same), there are crucial differences between the two frameworks — especially in how they handle user data: 

Data control 

Once data is shared for Customer Matching, advertisers have no control over its further use by Google, leading to potential misuse of data beyond the intended purpose. Conversely, Confidential Matching’s use of TEEs means advertisers can ensure only necessary matched data is exposed. 

Data sharing requirements

In a Customer Match, advertisers must share user data such as email addresses and phone numbers directly with Google. This is unlike Confidential Matching, where advertisers can match their customer data with Google's datasets without directly sharing raw personal information. 

Ease of implementation

During a Customer Match, advertisers need to navigate Google's privacy policies and requirements, which could be complex. Confidential Matching, on the other hand, simplifies the process for advertisers, as it automatically applies confidentiality measures by default, and at no cost to them. 

Compliance

Direct data sharing in Customer Match makes compliance with strict privacy regulations like the GDPR and CCPA harder to achieve. Confidential Matching, on the other hand, aligns with data privacy regulations because it minimizes exposure of user data and adopts a robust security framework, keeping advertisers in step with privacy regulations.

How does confidential matching work?

Confidential Matching introduces a new method for handling customer data with enhanced privacy protections. But it’s important to consider how this technology works. At the heart of this technology is the concept of Trusted Execution Environments (“TEEs”).

In terms of how they work, TEEs function based on the principles of “Confidential Computing,” which involves using an isolated digital environment to execute code and process data in a manner that preserves their privacy. 

TEEs use built-in hardware security (namely, a hardware root-of-trust, which is a key security component placed on computer hardware to serve as a trusted source for data processing) to keep data safe and allow others to verify that the software works exactly as intended, without doing anything extra or harmful. 

You may think of TEEs as a secure vault where sensitive operations occur. In the context of Confidential Matching, it’s like handing your audience list to the vault, where the matching process is conducted behind locked doors. The vault ensures that only the necessary matches come out, while all other data remains unseen and untouched, safeguarding privacy throughout the process.

When a data owner loads data into the TEE, the data is first encrypted under a shared key using a secure encryption protocol. Google also loads its own data into the TEE, after which both data sources are decrypted inside the environment for processing (i.e., customer matching). The matching process produces a report of data points about the customer matches, which is then made available in the GMP.

Overall, Google’s implementation of the TEEs ensures the following:

  • Data isolation: User data remains isolated from Google throughout the processing phase.
  • Attestation: A confidential computing feature that produces cryptographic signatures over the environment, letting advertisers verify that their data is indeed processed within the TEE and by the expected code.
  • Transparency: Advertisers can review code used in processing to ensure compliance with their security standards.
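The flow described above (encrypt under a shared key, decrypt only inside the TEE, match, release a report) and the three guarantees in the list can be modelled end to end. The Python below is an added illustration written for this article; it is not Google's implementation and uses no Google Cloud API. The HMAC-based attestation key standing in for a hardware root of trust, the HMAC-SHA256 counter-mode stream cipher standing in for a real AEAD, the SHA-256 hashing of normalized emails as the join key, the Enclave class, and the sample lists are all constructed for the example.

```python
"""Toy model of a Confidential Matching run inside a TEE (added illustration, not Google's code)."""
import hashlib
import hmac
import json
import secrets

# Simulated hardware root of trust. Real hardware keeps the attestation key on the chip and
# the verifier checks a vendor public key; a shared HMAC key is used here to stay dependency-free.
HARDWARE_ATTESTATION_KEY = secrets.token_bytes(32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 counter-mode stream cipher (stand-in for AES-GCM); encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def identifier_hash(email: str) -> str:
    """Normalize and hash an email so both parties match on the same key (example's assumption)."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


class Enclave:
    """The TEE: holds per-party data keys and decrypts only inside run_match."""

    def __init__(self, image: bytes):
        self.measurement = hashlib.sha256(image).hexdigest()  # hash of the reviewable code image
        self._data_keys = {}

    def attest(self, nonce: bytes):
        """Signed quote binding the code measurement to the verifier's fresh nonce."""
        quote = json.dumps({"measurement": self.measurement, "nonce": nonce.hex()}, sort_keys=True).encode()
        return quote, hmac.new(HARDWARE_ATTESTATION_KEY, quote, hashlib.sha256).hexdigest()

    def provision_key(self, party: str, key: bytes) -> None:
        self._data_keys[party] = key

    def run_match(self, blobs: dict) -> dict:
        """Decrypt each party's hashed list, intersect, and emit counts only (data minimization)."""
        lists = {}
        for party, (nonce, ciphertext) in blobs.items():
            lists[party] = set(json.loads(keystream_xor(self._data_keys[party], nonce, ciphertext)))
        matched = lists["advertiser"] & lists["google"]
        uploaded = len(lists["advertiser"])
        return {"uploaded": uploaded, "matched": len(matched), "match_rate": round(len(matched) / uploaded, 2)}


def verify_attestation(quote: bytes, signature: str, nonce: bytes, allowed_measurements: set) -> bool:
    """Advertiser-side check: valid signature, our nonce, and a measurement we reviewed and approved."""
    expected = hmac.new(HARDWARE_ATTESTATION_KEY, quote, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False
    body = json.loads(quote)
    return body["nonce"] == nonce.hex() and body["measurement"] in allowed_measurements


def seal_list(key: bytes, emails: list) -> tuple:
    """Hash identifiers and encrypt the list before it leaves the owner's systems."""
    nonce = secrets.token_bytes(12)
    payload = json.dumps(sorted(identifier_hash(e) for e in emails)).encode()
    return nonce, keystream_xor(key, nonce, payload)


def confidential_match(advertiser_emails, google_emails, allowed_measurements, enclave):
    """Full flow; returns (report, host_view) where host_view is all the untrusted operator sees."""
    nonce = secrets.token_bytes(16)
    quote, signature = enclave.attest(nonce)
    if not verify_attestation(quote, signature, nonce, allowed_measurements):
        raise PermissionError("attestation failed: data key not released to this enclave")
    adv_key, goog_key = secrets.token_bytes(32), secrets.token_bytes(32)
    enclave.provision_key("advertiser", adv_key)  # shared key, established only after attestation
    enclave.provision_key("google", goog_key)
    blobs = {"advertiser": seal_list(adv_key, advertiser_emails), "google": seal_list(goog_key, google_emails)}
    return enclave.run_match(blobs), {party: ct for party, (_, ct) in blobs.items()}


# Constructed sample data.
ADVERTISER_LIST = ["Alice@Example.com ", "bob@example.com", "carol@example.com", "dave@example.com"]
GOOGLE_LIST = ["alice@example.com", "bob@example.com", "erin@example.com"]
ENCLAVE_IMAGE = b"confidential-match enclave v1 (constructed image bytes)"

if __name__ == "__main__":
    enclave = Enclave(ENCLAVE_IMAGE)
    report, host_view = confidential_match(ADVERTISER_LIST, GOOGLE_LIST, {enclave.measurement}, enclave)
    print(report)  # counts only, no identifiers leave the enclave
    print({party: ct[:8].hex() + "..." for party, ct in host_view.items()})
```

Running it prints only the match counts; the `host_view` dictionary, which is everything an operator outside the enclave can observe, holds ciphertext. Passing an allowlist that does not contain the enclave's measurement makes `confidential_match` refuse to release the data key, which is the practical meaning of the attestation guarantee for an advertiser: the key is handed over only to code whose measurement was reviewed in advance.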

You may find more about the underlying infrastructure that powers the technology in the Google Cloud Documentation.

Implications of confidential matching for advertisers 

Customer matching creates a ‘purpose-limitation problem’. A cardinal principle of data privacy, purpose limitation dictates that a data handler uses data solely to fulfill the purpose for which it was collected. Once this purpose has been fulfilled, a data handler is precluded from using the data for unrelated or new purposes — unless, of course, new user consent or another legal basis is obtained to justify the further use.

This meant that before Confidential Matching, advertisers often courted data privacy risks. Relying on Google not to use uploaded data for purposes the users had not consented to was always a matter of uncertainty. The use of sensitive data (e.g., phone numbers and email addresses) in Customer Match (CM) and Enhanced Conversions (EC) also presented the risk of a breach, leading to potential data misuse, identity theft, or violation of data privacy laws.

Confidential Matching provides a fix for these issues. Advertisers can now ‘match’ their customer data with Google’s datasets without having to disclose user data to third parties, including Google. This safe and secure way to extract insights will impart user confidence and build trust, which advertisers depend on to obtain more data to fine-tune their marketing strategy lawfully.

By shielding the user’s PII (Personally Identifiable Information) from access by both Google and the advertiser, Google ensures a higher privacy threshold that helps all stakeholders in the data processing chain stay compliant.

Future developments in confidential matching

According to Google, Confidential Matching will not only be limited to Customer Match but also expand to other products like Enhanced Conversions. This rollout will include add-ons such as optional encryption support, further enhancing the security framework available to advertisers. 

Google is implementing new privacy technologies that may influence broader practices in digital advertising. The tech giant plans to share its TEE architecture openly, as open source, to encourage adoption by other players in the advertising ecosystem.

Implications of confidential matching on data privacy regulation

We’ve addressed how TEEs help Google comply with purpose limitation requirements in their data privacy practices. Another way the technology also aligns with data privacy regulations is in the context of data minimization requirements.

Excessive data sharing is an underlying cause of many data breach incidents. By locking Google out of the raw customer data, TEEs ensure that Google is only exposed to the matched data — which is no more than the data it needs to access.

As with most innovations of this nature, speculation about whether Google will adhere to its Confidential Matching design, especially when it comes to purpose limitation, may arise. However, one may argue that since Google obtained separate consent from users for its own specific purposes, it would not be in breach as long as it processes the user data according to the purpose for which consent was first sought.

As privacy laws like the GDPR are enforced globally, solutions like Confidential Matching become more relevant. Advertisers must now navigate a sea of regulations requiring them to comply with user consent while still chasing effective marketing outcomes.

How Didomi can help with confidential matching

Regulators have yet to take a stance on whether or not this technology meets data privacy compliance standards. However, given the current state of play, advertisers should consider how matched data is processed downstream (after Confidential Matching occurs).

To sustain the privacy focus that comes with Confidential Matching, a Consent Management Platform (CMP) would be helpful. Since user consent is the lifeblood of processing, advertisers would benefit from a CMP to manage and respect consent choices of their new “Match Audience” when retargeting. 

If you have questions or want to discuss your data privacy and compliance needs, get in touch with our team. 


Frequently asked questions (FAQ)

How is confidential matching any different from customer match?

Unlike Customer Match, where advertisers are required to share sensitive personal data directly with Google, Confidential Matching allows for matching without disclosing raw data, thereby enhancing privacy and security.

Does confidential matching mean less targeting accuracy for advertisers?

No. Confidential Matching aims to provide comparable targeting capabilities while reducing direct personal data exposure. 

How can I enable confidential matching? 

There is no need to take any action to enable the feature, as it is already set as your default matching option. When using Customer Match through a “Direct connection” in Google Ads Data Manager or Audience Manager, data is automatically processed with Confidential Matching.

Which data sources in Google Ads Data Manager work with confidential matching?

All data sources support Confidential Matching in Google Ads Data Manager. For a more comprehensive list of supported data sources, check out Google’s Supported Data Sources page.

How do I know if confidential matching is active?

Look out for the Confidential Matching badge, which confirms your data will be processed using confidential computing. If missing, the feature might not be available for your selected use case.

How much does the confidential matching feature cost?

Confidential Matching is integrated into Google’s existing tools at no extra cost to advertisers. It automatically activates when using Customer Match or other audience targeting solutions.

The author
Peter Oladimeji
Freelance content writer
Content writer and copywriter for Legal tech, IT Compliance, MarTech, and Digital Transformation.