sGTM with webhook - Hashed PII - Before or After?

hustleou · May 17, 2024, 2:24pm

When using PII (Personally Identifiable Information), such as the User email, the User phone number or the Location data of the user, when using a sGTM setup only with webhooks, should this data be hashed before sending it to the webhook endpoint or can this data be hashed in server Google Tag Manager?

If it can be hashed in the server Google Tag Manager, how should we do it? Is this done automatically by the Tag Template (for example, by the Facebook Tag Template), or should we use some kind of transformation to it (normalizing and hashing)?

Alex · May 20, 2024, 10:03am

Usually all tags check the data before sending and if it is not hashed - it is hashed in the required format. So, usually plain data is used in data layers / requests.

hustleou · May 20, 2024, 10:10am

Got it! So the tag will take care of itself for the hashing of PII.

hustleou · May 20, 2024, 10:14am

@Alex What about the “Firestore Writer” Tag (Firestore Writer tag solution - Stape)? Does it has the PII data as well?

Alex · May 20, 2024, 10:14am

Yeah, I can’t remember a single tag that doesn’t do that.
This is hashed according to the documentation of each platform and only for data that requires hashing according to the documentation.

Firestore Writer simply writes the provided data, there is no hashing requirements

hustleou · May 20, 2024, 10:18am

Got it! So the following question would be…is it safe (according to user data protection laws) to store PII in Firestore without hashing it?

Dan · May 21, 2024, 11:52am

That would be a question for a DPO and/or legal department. If you’re concerned about privacy here nothing is stopping you from storing hashed data. There are variables in GTM that will hash things for you.