Online Ad Policies Related to Email List Uploads

August 30, 2019

With so much concern over data privacy of users, there are a lot of questions related to Google and Facebook policies on CRM uploads (email addresses) that advertisers have. These CRM contacts are used for ad target purposes as well as similar audience creation, and, for most advertisers, are an important part of their strategy. 

Below are the most relevant links and facts related to CRM list targeting. 


Google allows upload of CRM list uploads to its platform. This allows for targeting the following networks

  • Gmail
  • YouTube
  • Search

This means it does not allow for targeting on GDN (consider using adRoll for this instead)

An overview of Google’s  ‘customer match’ can be found here

Policies related to customer match can be found here. Within that, Google notes the following criteria

Customer Match is not available for all advertisers. To use Customer Match, your account must have:

  • A good history of policy compliance.
  • A good payment history.
  • At least 90 days history in Google Ads.
  • More than USD 50,000 total lifetime spend. For advertisers whose accounts are managed in currencies other than USD, your spend amount will be converted to USD using the average monthly conversion rate for that currency. 

If you want to start using Customer Match and you meet the requirements above, you’ll need to contact your assigned account manager to request access to Customer Match. 

Regarding the data source, the official language is the following

When using Customer Match, you may only upload customer information that you collected in the first-party context—i.e., information you collected from your websites, apps, physical stores, or other situations where customers shared their information directly with you.

Penalties for violating this are minor

  • Compliance review: We may review your business for compliance with the Customer Match policy at any time. If we contact you to request information related to compliance, you’re required to respond in a timely manner and swiftly take any corrective action needed to comply with our policies. If you’re a manager account, we may also contact your managed accounts to verify compliance.
  • Notification of non-compliance: If we believe that you’re violating Customer Match policy, we’ll contact you to request corrective action. If you fail to make the requested corrections within the time period given, you may be denied the ability to use Customer Match, or your access to your Google Ads accounts may be suspended. In cases of serious or repeated violations, your account may be suspended immediately and without notification. Learn more about suspended accounts.

Operationally, Google supports hashed file uploads. Google also has partners approved who handle this data found here. Google’s matching can be improved if given extra data such as phone number. Expected match rates vary, but at Four15 Digital we typically see 30% – 70%. 


The complete terms of hashing are found here. Advertisers must agree to these terms before being allowed to serve ads through the platform

Facebook terms are more vague than Google, and simply says things like this relating to custom audience upload

You represent and warrant, without limiting anything in these terms, that you have all necessary rights and permissions and a lawful basis to disclose and use the Hashed Data in compliance with all applicable laws, regulations, and industry guidelines. If you are using a Facebook identifier to create a custom audience, you must have obtained the identifier directly from the data subject in compliance with these terms.

That said, their UI points towards a much more flexible acceptable use policy that doesn’t require the data be 1st party.

Shown in the UI it looks like this

Users will have information about this ad, which looks like this

Both of the above images are taken from this blog post from Facebook.


Facebook is a bit more lenient then Google, however Google’s penalties are rather minor. 

Advertisers can email agencies hashed data, and both Google and FB have hashing practices in place to make data harder to intercept once it’s on the platform. Neither support downloading of original lists. 

A third party data handler, like LiveRamp, can be used to minimize risk as they can hash data at every step of the way, though these vendors are certainly not required.

In short, Google and Facebook take a pretty passive role in prohibiting advertisers from different customer match options. As long as data is handled with care, and used to support advertising that is compliant (does not call out sensitive or PII data) advertisers can proceed. FB’s “why am I seeing this ad” disclosure, however, is perhaps reason for some concern for major brands who may not want users to be aware of their method of targeting.

If you need help with your CRM user’s ad serving strategy, contact Four15 Digital here