Confidential matching is a feature of Google Ads Data Manager that allows marketers to use their first-party data for matching using confidential computing. This article explains the purpose of confidential matching and how to use the feature.
In this article:
- About confidential matching
- How confidential matching works
- Frequently asked questions
- Which Google products use confidential matching?
- How can I tell whether confidential matching is being used?
- Where is confidential matching data stored?
- How long is my customer’s data retained?
- How can I delete my customers’ data?
- What technical assurances are provided by confidential matching?
- What is a trusted execution environment (TEE)?
About confidential matching
Confidential matching is a feature of Google Ads Data Manager that enables customers to match offline first-party data with Google data using confidential computing technology. This feature is designed to bring added transparency for advertisers into the underlying infrastructure Google uses to collect and process data.
Google always collects, processes and stores data in accordance with our terms of service. Confidential matching helps advertisers understand the properties of Google’s data handling.
How confidential matching works
Confidential matching is a data processing feature that identifies the overlap between an audience list you create and upload, and Google’s audience data using a trusted execution environment (TEE). Confidential matching removes unused identifiers from audience lists uploaded to Google’s measurement and audience solutions. It is enabled by default, and at no cost to advertisers. As an advertiser, you don’t need to do anything to use it. For example, if you use your data with Customer Match via a "Direct connection" in Google Ads Data Manager or Audience manager, your data will be processed using confidential matching automatically.
Data is matched using the same process for Customer Match generally: the input is a customer list data file you create using contact information your customers have given you, and the output of confidential matching is a list of matched Google users in the form of an audience list in your Google Ads account. You may apply this list to campaigns as you wish for use-cases such as to reach, re-engage or find new customers like them across Search, Shopping, Gmail, YouTube, and Display.
Frequently asked questions
Where in Google Ads can I use confidential matching?
Confidential matching is currently available for Customer Match.
Where is confidential matching data stored?
Data is stored in Google’s distributed data center network, with servers in locations such as EMEA, US, APAC.
Information about the locations of Google data centers is available here. Read more: Safeguards on international data transfers and Google Ads data processing terms.
How long is my customer’s data retained?
Google does not retain customer data files for longer than necessary to create Customer Match audiences and ensure compliance with our policies. Once those processes are complete, we promptly delete the uploaded data files. After the matching process and policy compliance checks are complete, which can take up to 48 hours, the data file is marked for deletion. In almost all cases, the deletion is completed within 48 hours.
If you use Google Ads Data Manager to upload your data, data is matched in a trusted execution environment (TEE), isolating Google from the matching process. Advertiser data never leaves the TEE, and is never stored by confidential matching.
How can I delete my customers’ data?
Advertisers control what user data is uploaded and can delete/remove user data at any time. Advertisers may also decide and choose which campaign types Customer Match lists will be applied to in their Google Ads account. Advertisers may remove and/or replace an existing Customer Match audience by uploading a new audience. Google Ads Data Manager supports scheduling audience refreshes on a regular basis (including daily, weekly, and ad hoc).
Google users can manage their personalized ads settings in My Ad Center. If you have consent for a specific user’s data but Google does not have consent from that specific user, that user will not be eligible for Customer Match. Google will not include them in audience lists.
Customer Match policies require that advertisers obtain consent from their users for sharing their personal information with Google, where that is legally required. This is consistent with their obligations under existing law in the EU.
For more information on deletion in Customer Match, please see About the customer matching process - Google Ads Help
What technical assurances are provided by confidential matching?
Confidential matching follows the same data processing terms as Customer Match. Confidential matching processes data in a trusted execution environment (TEE) that limits how data can be used and who can access it.
What is a trusted execution environment (TEE)?
A trusted execution environment is a special configuration of computer hardware and software that uses a hardware root-of-trust to provide confidentiality of data processing and prevent observation or tampering. TEEs allow external parties to verify that the software does exactly what the software developer claims it does—nothing more or less. At their core, TEEs are infrastructure, like a virtualized server, that provide an isolated environment to process data like personal information.
Confidential matching is built using Google Cloud’s Confidential Space product, a TEE. You can read the independent security review of Confidential Space by NCC group here, and you can read in-depth about how the underlying technologies work in the Cloud documentation.