Confidential matching is a feature of Google Ads Data Manager that allows marketers to match their first-party data with Google data using confidential computing. This article explains the purpose of confidential matching and how to use the feature.
In this article:
- About confidential matching
- How confidential matching works
- Frequently asked questions
- Where in Google Ads can I use confidential matching?
- Which Google Ads Data Manager Data Sources support confidential matching?
- How can I tell whether confidential matching is being used?
- Where is confidential matching data stored?
- How can I delete my customers’ data?
- What technical assurances are provided by confidential matching?
- What is a trusted execution environment (TEE)?
- Which Google Ads Data Manager Data Sources support encryption?
- What is attestation?
- How can I review the code to verify how data is processed in the TEE?
About confidential matching
Confidential matching is a feature of Google Ads Data Manager that enables customers to match offline first-party data with Google data using confidential computing technology. This feature is designed to bring added transparency for advertisers into the underlying infrastructure Google uses to collect and process data.
Google always collects, processes and stores data in accordance with our terms of service. Confidential matching helps advertisers understand the properties of Google’s data handling.
How confidential matching works
Confidential matching is a data processing feature that identifies the overlap between an audience list you create and upload, and Google’s data using a trusted execution environment (TEE). Confidential matching removes unused identifiers from audience lists uploaded to Google’s measurement and audience solutions. It is enabled by default, and at no cost to advertisers. As an advertiser, you don’t need to do anything to use it. If you use your data with Customer Match via a “Direct connection” in Google Ads Data Manager or Audience manager, your data will be processed using confidential matching automatically.
Data is matched using the same process as Customer Match generally: the input is a customer list data file you create using contact information your customers have given you, and the output of confidential matching is a list of matched Google users in the form of an audience list in your Google Ads account. You may apply this list to campaigns as you wish, for use cases such as reaching or re-engaging existing customers, or finding new customers like them, across Search, Shopping, Gmail, YouTube, and Display.
Optional encryption support
Confidential matching provides verifiable technical assurances for data restriction while information is being processed. You also have the option to encrypt your data for additional assurances over access control and processing. By encrypting your data, you can specify the conditions for access to the data, including a technical assurance that only confidential matching can be used to process the data. Encryption is not required to use confidential matching. If your organization requires encryption, refer to the encryption setup guide to learn how to prepare your environment and encrypt your data.
Frequently asked questions
Where in Google Ads can I use confidential matching?
Confidential matching is currently available for Customer Match when you use the “direct connection” option to connect a data source.
Which Google Ads Data Manager Data Sources support confidential matching?
All data sources supported by Ads Data Manager for Customer Match support confidential matching. To see a complete list, visit the Supported data sources page.
How can I tell whether confidential matching is being used?
When you see the confidential matching badge, it means that your data will be processed using confidential computing. If you do not see the badge, confidential matching may not be available for the use case you have selected.
Where is confidential matching data stored?
Information about the locations of Google data centers is available here. Read more: Safeguards on international data transfers and Google Ads data processing terms.
How can I delete my customers’ data?
Advertisers control what user data is uploaded and can delete/remove user data at any time. Advertisers may also decide and choose which campaign types Customer Match lists will be applied to in their Google Ads account. Advertisers may remove and/or replace an existing Customer Match audience by uploading a new audience. Google Ads Data Manager supports scheduling audience refreshes on a regular basis (including daily, weekly, and ad hoc).
Google users can manage their personalized ads settings in ‘My Ad Center’. If you have consent for a specific user’s data but Google does not have consent from that specific user, that user will not be eligible for Customer Match. Google will not include them in audience lists.
Customer Match policies require that advertisers obtain consent from their users for sharing their personal information with Google, where that is legally required. This is consistent with advertisers’ obligations under existing law in the EU. For more information on deletion in Customer Match, please see About the customer matching process - Google Ads Help.
What technical assurances are provided by confidential matching?
Confidential matching follows the same data processing terms as Customer Match. Confidential matching processes data in a Trusted Execution Environment (TEE) that limits how data can be used and who can access it, while enabling additional transparency into the process through cryptographic attestation. Your organization can optionally choose to encrypt the data it shares. If you choose to do so, you’ll receive attestation guaranteeing that only confidential matching logic was used for matching. To learn more before making a determination, reach out to your account manager.
What is a trusted execution environment (TEE)?
A trusted execution environment is a special configuration of computer hardware and software that uses a hardware root-of-trust to provide confidentiality of data processing and prevent observation or tampering. TEEs allow external parties to verify that the software does exactly what the software developer claims it does—nothing more or less. At their core, TEEs are infrastructure, like a virtualized server, that provide an isolated environment to process data like personal information.
Confidential matching is built using Google Cloud’s Confidential Space product, a TEE. You can read the independent security review of Confidential Space by NCC group here, and you can read in-depth about how the underlying technologies work in the Cloud documentation.
Which Google Ads Data Manager Data Sources support encryption?
The confidential matching with encryption article provides an overview of how to encrypt data using a comma-separated value (CSV) file.
Confidential matching will accept data from any data source supported by Data Manager; however, you must be able to store encrypted data in the source you’d like to use. Some data sources may not allow you to upload the custom fields needed to store encrypted data in the relevant records. In other words, it may be complex or infeasible to use encryption if your preferred data source is not an object store. Google Cloud Storage is one example of an object store that supports storage of encrypted data.
What is attestation?
Attestation is a confidential computing feature that allows a TEE to prove it's running particular software by producing a cryptographic signature. In the case of confidential matching, customers may encrypt their data and require attestation from a TEE running confidential matching before allowing their data to be decrypted and processed.
To learn more about attestation, see Confidential Space security overview.
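The attestation-gated key release described above, as an added illustrative example that is not Google's or Confidential Space's code: the data owner's key-release policy only hands out the data encryption key when a signed attestation statement names an allowlisted workload image, carries a fresh nonce, and reports that debugging is off. The HMAC "root of trust" key, the image digest and the claim names are constructed stand-ins for the hardware-rooted signature and real attestation token fields.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the hardware root-of-trust signing key. In a real TEE
# the attestation is signed by the platform, not by a key the verifier also holds.
ROOT_OF_TRUST_KEY = b"constructed-root-of-trust-key"

# Allowlist of workload image digests the data owner will release a key to.
# The digest value is constructed for this example, not a real image digest.
TRUSTED_IMAGE_DIGESTS = {"sha256:" + "ab" * 32}


def make_attestation(image_digest: str, nonce: str, debug: bool) -> dict:
    """Simulate the TEE producing a signed attestation statement about its workload."""
    claims = {"image_digest": image_digest, "nonce": nonce, "debug": debug}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ROOT_OF_TRUST_KEY, payload, hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def attestation_is_valid(att: dict, expected_nonce: str) -> bool:
    """Key-release policy: valid signature, fresh nonce, allowlisted image, no debug."""
    payload = json.dumps(att["claims"], sort_keys=True).encode()
    expected = hmac.new(ROOT_OF_TRUST_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(att["sig"], expected):
        return False  # claims were not signed by the root of trust (or were altered)
    claims = att["claims"]
    if claims["nonce"] != expected_nonce:
        return False  # stale or replayed attestation
    if claims["debug"]:
        return False  # a debuggable workload could expose decrypted data
    return claims["image_digest"] in TRUSTED_IMAGE_DIGESTS


def release_key(att: dict, expected_nonce: str, dek: bytes) -> Optional[bytes]:
    """Return the data encryption key only to an attested, allowlisted workload."""
    return dek if attestation_is_valid(att, expected_nonce) else None


if __name__ == "__main__":
    nonce = "constructed-nonce-1"
    good = make_attestation("sha256:" + "ab" * 32, nonce, debug=False)
    print("trusted workload gets key:", release_key(good, nonce, b"dek") is not None)
    other = make_attestation("sha256:" + "cd" * 32, nonce, debug=False)
    print("unknown workload gets key:", release_key(other, nonce, b"dek") is not None)
```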
How can I review the code to verify how data is processed in the TEE?
To review the code that performs data processing for confidential matching, please ask your Google account representative to participate in the confidential matching code review program.