Privacy checks in Ads Data Hub

Page Summary

End-user privacy is central to Ads Data Hub, with checks and restrictions in place to prevent the transmission of individual user data.
Filtered rows are data rows omitted from results due to privacy restrictions.
Ads Data Hub employs several privacy features including static checks, data access budgets, aggregation checks, difference checks, and noise injection.
If a result fails privacy checks, a privacy message is displayed, and a filtered row summary can help account for the omitted data.
The user aggregation threshold, typically 50 users, is a core component of Ads Data Hub's privacy checks, with a lower threshold for queries only accessing clicks and conversions.

End-user privacy is at the core of everything that Ads Data Hub does; it's the foundation that our platform is built upon. In order to help maintain that privacy and help our customers with regulatory compliance, we impose certain checks and restrictions, designed to help prevent the transmission of data about individual users¹ in the data that you get out of the platform.

Here is an overview of Ads Data Hub's privacy features, with more detail in the sections that follow:

Static checks examine the statements in your queries to look for obvious and immediate privacy concerns.
Data access budgets limit the total number of times that you can access a given piece of data.
Aggregation checks ensure that every row contains a large enough number of users to protect end-user privacy.
Noise injection adds precisely calibrated random noise to an aggregating SELECT clause to protect user privacy while providing reasonably accurate results.
Difference checks (or "diff checks") is a legacy alternative to noise injection that compares result sets to help prevent combinations that could identify individual users. This avoids noise but often leads to significant and unpredictable data redaction.

Static checks

Static checks examine the statements in your queries to look for obvious and immediate privacy concerns, such as exporting user identifiers, any function of user identifiers, or using disallowed functions over fields that contain user-level data. To avoid query errors from static checks, review the best practices and understand which functions are allowed.

Data access budget

Your data access budget limits the total number of times that you can access a given piece of data. Users approaching the end of their budget will be notified with a privacy message with type DATA_ACCESS_BUDGET_IS_NEARLY_EXHAUSTED. You may monitor the budget using the data access budget entry point or by observing budget notifications in the UI.

Aggregation requirements

At the core of Ads Data Hub's privacy checks is the user aggregation threshold. The specific threshold depends on privacy mode and accessed data:

Noise injection requires approximately 20 unique users per result row.
Difference checks require approximately 50 unique users per result row.
Queries of only click and conversion data require approximately 10 unique users per result row.

In the following example (using noise injection), the row containing campaign 125 would be filtered from the final results, because it aggregates results from 18 users, which is below the 20-user minimum.

Campaign ID	Users	Impressions
123	314	928
124	2718	5772
125	18	45

Privacy modes

Ads Data Hub offers two privacy modes—noise injection and difference checks. See the following pages for details on each mode:

Noise injection (Default)
Difference checks (Legacy)

Compare difference checks to noise injection

Actual data
Campaign ID	Impression count
101	35
102	63
201	142
202	21
301	56
302	99

Results using difference checks
Campaign ID	Impression count
101	35
102	63
201	142
202	21
301	56
302	99

Results using noise injection
Campaign ID	Impression count
101	37.8373
102	60.9104
201	182.0955
202	26.2332
301	58.0871
302	97.5018

Example of Campaign 101 in noise mode
Campaign ID	Actual impressions	Noise added	Returned impressions (`ANON_COUNT`)
101	35	2.8373	37.8373

Explicit privacy filtering

In cases where you need to break your query up but want to combine the aggregated results, you can explicitly apply privacy checks to several smaller queries and then aggregate those results together in a privacy-safe way.

Example use cases:

You are an advertiser looking for all conversions by attribution event type in your linked Google Ads account, which includes EEA data.
You are a measurement partner looking for all conversions by attribution event type in your linked Google Ads account.

To get the sum of conversions for your Google Ads account, you can rewrite the query using an OPTIONS(privacy_checked_export=TRUE) clause to apply privacy checks to each Google service individually.

The example rewrite in this section does the following:

It queries each Google service individually, explicitly applying privacy checks to each intermediate results set.
It creates a separate temp table for the privacy-checked results of each Google service: YouTube, Gmail, and Network.
It aggregates and sums the privacy-checked conversion counts from the temp tables.

CREATE TEMP TABLE youtube_agg OPTIONS(privacy_checked_export=TRUE) AS
SELECT
 impression_data.campaign_id,
 attribution_event_type,
 COUNT(1) AS num_convs
FROM adh.google_ads_conversions_policy_isolated_youtube
WHERE impression_data.campaign_id IN UNNEST(@campaign_ids)
 AND conversion_type IN UNNEST(@conversion_type_list)
GROUP BY campaign_id, attribution_event_type;

CREATE TEMP TABLE network_agg OPTIONS(privacy_checked_export=TRUE) AS
SELECT
 impression_data.campaign_id,
 attribution_event_type,
 COUNT(1) AS num_convs
FROM adh.google_ads_conversions_policy_isolated_network
WHERE impression_data.campaign_id IN UNNEST(@campaign_ids)
 AND conversion_type IN UNNEST(@conversion_type_list)
GROUP BY campaign_id, attribution_event_type;

CREATE TEMP TABLE gmail_agg OPTIONS(privacy_checked_export=TRUE) AS
SELECT
 impression_data.campaign_id,
 attribution_event_type,
 COUNT(1) AS num_convs
FROM adh.google_ads_conversions_policy_isolated_gmail
WHERE impression_data.campaign_id IN UNNEST(@campaign_ids)
 AND conversion_type IN UNNEST(@conversion_type_list)
GROUP BY campaign_id, attribution_event_type;

SELECT
 campaign_id,
 attribution_event_type,
 SUM(num_convs) AS num_convs
FROM (
 SELECT * FROM youtube_agg
 UNION ALL
 SELECT * FROM network_agg
 UNION ALL
 SELECT * FROM gmail_agg
)
GROUP BY campaign_id, attribution_event_type

Note that this query does not use a JOIN to directly combine data between the tables, but instead performs the query for each table first, applies privacy checks to each intermediate table, then uses a UNION to sum the privacy-checked values.

Query advisor

If your SQL is valid but might trigger privacy issues, the query advisor surfaces actionable advice during the query development process, to help you avoid undesirable results.

To use the query advisor:

UI. Recommendations will be surfaced in the query editor, above the query text.
API. Use the customers.analysisQueries.validate method.

Other than data they have consented to share, such as in the case of panelists. ↩