Google AdSense Publishers Receive Personally Identifiable Information (PII) Breach Notifications

May 21, 2014 • 8:13 am | comments (8) by twitter Google+ | Filed Under Google AdSense

Google AdSense logoA Google AdSense Help thread has well over a hundred posts from AdSense publishers complaining they received a serious notification from Google that they are in "breach" of "passing personally identifiable information (PII) to Google."

This email was sent from the Google Policy Team and reads:

Dear customer:

It has come to our attention that you are passing personally identifiable information (PII) to Google through your use of one or more of Google\'s advertising products -- DFP, AdSense, and/or Doubleclick AdExchange.

Our systems have detected PII, including email addresses and/or passwords, being passed from each of the domain names below. We have also included below an example of an ad request that we received from your account (from which the PII detected has been redacted).

Our contracts and policies prohibit information being passed to us that we could use or recognize as PII. Sending us PII has put you in breach of those terms.

You should review your implementation of Google tags on your pages, including whether PII of any nature may feature in the URLs of such pages.

Please give this matter your immediate attention. You should submit your response in this form.

If you fail to achieve compliance with your contract within 30 days we may disable ad serving on your account(s). If you fail to submit any response within 14 days, access to your account will be suspended.

Domain names at issue:

Again, there are a tremendous number of AdSense publishers complaining they received this violation notice and are clueless as what to do.

Despite there being hundreds of posts in the thread, not a single Google representative has responded about the issue since it was posted on May 19th.

This may just be Google starting to enforce a policy they had in place for a while, but this is the first time they are enforcing it?

Again, Google needs to chime in and help these publishers.

Forum discussion at Google AdSense Help.

Update: Google has responded telling publishers to take action.

Previous story: Google Spam Algorithm Version 2.0 Released Over Weekend


Michael Martinez

05/21/2014 02:44 pm

How does one pass personally identifying information to Google AdSense and WHY would anyone do that? I don't see many details in that discussion and the Top Contributors -- as usual -- are totally unhelpful.


05/21/2014 02:48 pm

What does this mean? Are all the people with the messages cunning spammers that have been caught, or clueless websmasters (like me!) who have no idea what Google is talking about? If information is passing through and Adwords advert from a website to Google, isn't that something Google needs to fix? #confused (again)


05/21/2014 10:20 pm

An update to the thread has been posted: * Check the URLs of pages where you’ve implemented Google ads to ensure they do not contain visitors’ usernames, passwords, email addresses, or other PII. * If you’re using a Google product that allows you to add macros, such as the key-values feature of DFP, check that you’re not placing any information into these macros that Google would consider PII. * If your site includes an HTML form, consider using the method=POST implementation instead of the method=GET implementation, which is more likely to pass PII to the URL.


05/22/2014 12:01 am

I received the email and from the forum it is apparent that there are several variations of the violation. The email sent to me by Google had the ad request code that was in violation. Examining the request and converting some of from hex I was able to determine the page in question. The page in question was not on my site! It was a teacher's website that had what they called teaching tracks for students that had links to websites. Clicking the link displayed the website in an iframe. One of the links was my website. I clicked the link an my website showed up in the frame. The issue Google had with the URL was that it had a "password=" at the tail end of it. This particular track didn't have a password in it but I assume since there was a password= at the end of the URL that a teacher could put a password on a track. So basically a lot of others and I have spent a lot of time trying to figure out if the violation is real (since it came via email rather than in the Policy Violation section of Adsense), what to do about it, and are website's responsible for the actions of other websites. And yes there was a response from Google that wasn't much different than what was in the violation notice and no mention about other sites that display your site in an iframe.

Michael Martinez

05/22/2014 03:39 am

In that case maybe adding some simple frame-busting code to your pages will help resolve the problem for you. Since AdSense is served through Javascript you can use Javascript to bust the frame. Any browser that isn't using Javascript won't fire the AdSense.

Terry Burton

05/22/2014 11:05 am

The problem is that frame-busting is trivial to prevent and occurs frequently in practise leading to an arms race of sorts: [1] If the user does not require their content to render when framed then a better approach is to add an X-Frame-Options: SAMEORIGIN header to the HTTP response - however this may be unpalatable for some publishers.

Michael Martinez

05/22/2014 02:22 pm

Regardless of whether frame-busting leads to an arms race, no one has the right to control your Website content. And if that external control is causing people to receive warnings from Google then they need to take appropriate and prudent steps to protect themselves. And there are other ways to stop Javascript-forced framing, such as blocking page loads by referrer. The answer is not to make excuses for doing nothing or sitting around and complaining. The answer is to take action to protect your Website, or to live with the consequences of doing nothing.


05/23/2014 01:17 am

That worked great, thanks! IE even printed a message saying the content cannot be displayed in a frame. IE also put in a link that opens my site in a new window which is nice for the students using the educational track the teacher created.

blog comments powered by Disqus