When using PII (Personally Identifiable Information), such as the user's email, the user's phone number or the user's location data, in an sGTM setup that only uses webhooks, should this data be hashed before sending it to the webhook endpoint, or can this data be hashed in server Google Tag Manager?
If it can be hashed in the server Google Tag Manager, how should we do it? Is this done automatically by the Tag Template (for example, by the Facebook Tag Template), or should we use some kind of transformation to it (normalizing and hashing)?
Usually all tags check the data before sending, and if it is not hashed, it is hashed in the required format. So, usually plain data is used in data layers / requests.
Yeah, I can’t remember a single tag that doesn’t do that.
This is hashed according to the documentation of each platform and only for data that requires hashing according to the documentation.
Firestore Writer simply writes the provided data; there are no hashing requirements.
That would be a question for a DPO and/or legal department. If you’re concerned about privacy here, nothing is stopping you from storing hashed data. There are variables in GTM that will hash things for you.
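The "check whether the value is already hashed, otherwise normalize and hash it" behaviour described in the replies, sketched as an added example in plain Node.js (not code from the thread, from sGTM, or from any tag template). The normalization rules and the output keys `email_sha256` / `phone_sha256` are assumptions; each platform's documentation defines its own format.

```javascript
// Added example: plain Node.js, not sGTM sandboxed template code.
const crypto = require('crypto');

// A value that already looks like a SHA-256 hex digest is passed through,
// so data hashed upstream (e.g. before the webhook) is not hashed twice.
const SHA256_HEX = /^[a-f0-9]{64}$/i;

// Assumed normalization rules; check the destination platform's docs.
const NORMALIZERS = {
  email: (v) => v.trim().toLowerCase(),
  phone: (v) => v.replace(/[^0-9]/g, ''), // digits only, country code kept
};

function sha256Hex(text) {
  return crypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// Returns a lowercase SHA-256 hex digest, or undefined for empty input.
function hashIfNeeded(value, kind) {
  if (value === undefined || value === null) return undefined;
  const raw = String(value).trim();
  if (raw === '') return undefined;
  if (SHA256_HEX.test(raw)) return raw.toLowerCase(); // already hashed
  const normalize = NORMALIZERS[kind];
  if (!normalize) throw new Error('no normalizer for field kind: ' + kind);
  const normalized = normalize(raw);
  // Never hash an empty string: it yields a constant, meaningless digest.
  return normalized === '' ? undefined : sha256Hex(normalized);
}

// Builds the outgoing user-data object; plain values never leave this function.
function buildUserData(event) {
  const out = {};
  const email = hashIfNeeded(event.email, 'email');
  const phone = hashIfNeeded(event.phone, 'phone');
  if (email) out.email_sha256 = email; // hypothetical key name
  if (phone) out.phone_sha256 = phone; // hypothetical key name
  return out;
}

// Constructed sample event, as it might arrive from a webhook.
const sampleEvent = { email: '  Jane.Doe@Example.COM ', phone: '+1 (555) 010-0199' };
console.log(buildUserData(sampleEvent));
```

An unsalted SHA-256 of an email or phone number is still a stable identifier that can be matched against known values, so whether hashed values may be stored remains the DPO/legal question raised above.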