Page Summary
-
End-user privacy is foundational to Ads Data Hub, leading to checks and restrictions to prevent individual user data transmission.
-
Ads Data Hub utilizes static checks, data access budgets, aggregation checks, difference checks, and noise injection to enforce privacy.
-
Rows omitted from results due to privacy restrictions are referred to as filtered rows.
-
Aggregation checks ensure that each row contains a minimum number of users to protect end-user privacy, typically 50 or more users, or 10 or more for queries accessing only clicks and conversions.
-
Filtered row summaries can be used to tally data that was filtered due to privacy checks, providing an overview of how much data was excluded.
End-user privacy is at the core of everything that Ads Data Hub does; it's the foundation that our platform is built upon. In order to help maintain that privacy and help our customers with regulatory compliance, we impose certain checks and restrictions, designed to help prevent the transmission of data about individual users 1 in the data that you get out of the platform.
Here is an overview of Ads Data Hub's privacy features, with more detail in the sections that follow:
- Static checksexamine the statements in your queries to look for obvious and immediate privacy concerns.
- Data access budgetslimit the total number of times that you can access a given piece of data.
- Aggregation checksensure that every row contains a large enough number of users to protect end-user privacy.
- Noise injectionadds precisely calibrated random noise to an aggregating
SELECTclause to protect user privacy while providing reasonably accurate results. - Difference checks(or "diff checks") is a legacy alternative to noise injection that compares result sets to help prevent combinations that could identify individual users. This avoids noise but often leads to significant and unpredictable data redaction.
Static checks
Static checks examine the statements in your queries to look for obvious and immediate privacy concerns, such as exporting user identifiers, any function of user identifiers, or using disallowed functions over fields that contain user-level data. To avoid query errors from static checks, review the best practices and understand which functions are allowed .
Data access budget
Your data access budget limits the total number of times that you can access a
given piece of data. Users approaching the end of their budget will be notified
with a privacy message
with
type DATA_ACCESS_BUDGET_IS_NEARLY_EXHAUSTED
. You may monitor the budget using
the data access budget
entry point
or by observing budget notifications in the UI.
Aggregation requirements
At the core of Ads Data Hub's privacy checks is the user aggregation threshold. The specific threshold depends on privacy mode and accessed data:
- Noise injection requires approximately 20 unique users per result row.
- Difference checks require approximately 50 unique users per result row.
- Queries of only click and conversion data require approximately 10 unique users per result row.
In the following example (using noise injection), the row containing campaign 125 would be filtered from the final results, because it aggregates results from 18 users, which is below the 20-user minimum.
| Campaign ID | Users | Impressions |
|---|---|---|
|
123
|
314 | 928 |
|
124
|
2718 | 5772 |
|
125
|
18 | 45 |
Privacy modes
Ads Data Hub offers two privacy modes— noise injection and difference checks . See the following pages for details on each mode:
- Noise injection (Default)
- Difference checks (Legacy)
Compare difference checks to noise injection
ANON_COUNT
)Explicit privacy filtering
In cases where you need to break your query up but want to combine the aggregated results, you can explicitly apply privacy checks to several smaller queries and then aggregate those results together in a privacy-safe way.
Example use cases:
- You are an advertiser looking for all conversions by attribution event type in your linked Google Ads account, which includes EEA data.
- You are a measurement partner looking for all conversions by attribution event type in your linked Google Ads account.
To get the sum of conversions for your Google Ads account, you can rewrite the
query using an OPTIONS(privacy_checked_export=TRUE)
clause to apply privacy
checks to each Google service individually.
The example rewrite in this section does the following:
- It queries each Google service individually, explicitly applying privacy checks to each intermediate results set.
- It creates a separate temp table for the privacy-checked results of each Google service: YouTube, Gmail, and Network.
- It aggregates and sums the privacy-checked conversion counts from the temp tables.
CREATE
TEMP
TABLE
youtube_agg
OPTIONS
(
privacy_checked_export
=
TRUE
)
AS
SELECT
impression_data
.
campaign_id
,
attribution_event_type
,
COUNT
(
1
)
AS
num_convs
FROM
adh
.
google_ads_conversions_policy_isolated_youtube
WHERE
impression_data
.
campaign_id
IN
UNNEST
(
@
campaign_ids
)
AND
conversion_type
IN
UNNEST
(
@
conversion_type_list
)
GROUP
BY
campaign_id
,
attribution_event_type
;
CREATE
TEMP
TABLE
network_agg
OPTIONS
(
privacy_checked_export
=
TRUE
)
AS
SELECT
impression_data
.
campaign_id
,
attribution_event_type
,
COUNT
(
1
)
AS
num_convs
FROM
adh
.
google_ads_conversions_policy_isolated_network
WHERE
impression_data
.
campaign_id
IN
UNNEST
(
@
campaign_ids
)
AND
conversion_type
IN
UNNEST
(
@
conversion_type_list
)
GROUP
BY
campaign_id
,
attribution_event_type
;
CREATE
TEMP
TABLE
gmail_agg
OPTIONS
(
privacy_checked_export
=
TRUE
)
AS
SELECT
impression_data
.
campaign_id
,
attribution_event_type
,
COUNT
(
1
)
AS
num_convs
FROM
adh
.
google_ads_conversions_policy_isolated_gmail
WHERE
impression_data
.
campaign_id
IN
UNNEST
(
@
campaign_ids
)
AND
conversion_type
IN
UNNEST
(
@
conversion_type_list
)
GROUP
BY
campaign_id
,
attribution_event_type
;
SELECT
campaign_id
,
attribution_event_type
,
SUM
(
num_convs
)
AS
num_convs
FROM
(
SELECT
*
FROM
youtube_agg
UNION
ALL
SELECT
*
FROM
network_agg
UNION
ALL
SELECT
*
FROM
gmail_agg
)
GROUP
BY
campaign_id
,
attribution_event_type
Note that this query does not use a JOIN
to directly combine data between the
tables, but instead performs the query for each table first, applies privacy
checks to each intermediate table, then uses a UNION
to sum the
privacy-checked values.
Query advisor
If your SQL is valid but might trigger privacy issues, the query advisorsurfaces actionable advice during the query development process, to help you avoid undesirable results.
To use the query advisor:
- UI. Recommendations will be surfaced in the query editor, above the query text.
- API. Use the
customers.analysisQueries.validatemethod.
-
Other than data they have consented to share, such as in the case of panelists. ↩
