sGTM with webhook - Hashed PII - Before or After?

When using PII (Personally Identifiable Information), such as the User email, the User phone number or the Location data of the user, when using a sGTM setup only with webhooks, should this data be hashed before sending it to the webhook endpoint or can this data be hashed in server Google Tag Manager?

If it can be hashed in the server Google Tag Manager, how should we do it? Is this done automatically by the Tag Template (for example, by the Facebook Tag Template), or should we use some kind of transformation to it (normalizing and hashing)?

Usually all tags check the data before sending and if it is not hashed - it is hashed in the required format. So, usually plain data is used in data layers / requests.

1 Like

Got it! So the tag will take care of itself for the hashing of PII.

@Alex What about the “Firestore Writer” Tag (Firestore Writer tag solution - Stape)? Does it has the PII data as well?

Yeah, I can’t remember a single tag that doesn’t do that.
This is hashed according to the documentation of each platform and only for data that requires hashing according to the documentation.

Firestore Writer simply writes the provided data, there is no hashing requirements

1 Like

Got it! So the following question would be…is it safe (according to user data protection laws) to store PII in Firestore without hashing it?

That would be a question for a DPO and/or legal department. If you’re concerned about privacy here nothing is stopping you from storing hashed data. There are variables in GTM that will hash things for you.