At its core, secure signals (also called “encrypted signals from publishers” or “encrypted first-party data”) is a mechanism for publishers to send obfuscated, encrypted first-party data or identifiers from the browser or app to demand buyers via Google Ad Manager — while maintaining privacy and control.
Instead of giving bidders raw user data, secure signals act as a “black box” relay: the publisher decides what to collect, bidders decrypt only what they’re permitted to see, and Google simply passes the information along without accessing it.
Typical examples of secure signals include encrypted identity tokens like Unified ID 2.0, ID5, or other hashed first-party identifiers. These are passed securely to approved bidders, giving them the ability to recognize valuable audiences without exposing user-level data.
In short: secure signals enable publishers to safely activate their first-party data in the programmatic auction while preserving privacy and data ownership.
Secure Signals vs. Other Identity and Data Tools
It’s important to understand how secure signals differ from other tools in the ecosystem:
| Tool | Purpose | Difference |
| --- | --- | --- |
| PPID (Publisher Provided Identifier) | An anonymized user identifier shared with Google demand. | Secure signals, by contrast, allow sharing encrypted identifiers with non-Google bidders while keeping control. |
| Publisher Provided Signals (PPS) | A way to share structured first-party audience or contextual data. | PPS describes audiences; secure signals deliver encrypted identity tokens or data payloads. |
| Third-Party Cookies | Legacy cross-site tracking mechanism. | Being phased out. Secure signals replace them with a privacy-centric, publisher-owned solution. |
Secure signals aren’t a replacement for identity systems — they’re the bridge that lets you activate them securely within Google’s ecosystem.
Why Publishers Should Adopt Secure Signals
1. Maintain Demand Diversity and Control
Secure signals help you share valuable identifiers with multiple demand partners, not just Google’s own. This creates stronger competition for your inventory, improving fill rates and CPMs.
2. Better Monetization of Addressable Inventory
When bidders have access to reliable, privacy-safe identifiers, they can bid more accurately. This typically results in higher CPMs and improved yield on addressable impressions.
3. Enhanced Privacy and Data Governance
You decide what data to collect, who can decrypt it, and under what circumstances. Google cannot read or use the encrypted payload, ensuring your first-party data remains protected.
4. Future-Proofing Against Third-Party Cookie Loss
As browsers phase out cookies and regulations tighten, secure signals provide a compliant, sustainable way to deliver user identifiers and maintain audience recognition.
5. Gradual Implementation and Testing
Secure signals can be rolled out progressively. Start with key bidders, monitor results, and expand once you’ve confirmed performance uplift.
How Secure Signals Work — Step by Step
- Enable Secure Signals in Google Ad Manager
  Within Ad Manager, publishers activate secure signals and select which identity providers and bidders can participate.
- Deploy the Signal Collector Script
  Publishers can deploy scripts automatically through Google tags, integrate directly, or use Prebid modules already handling identity.
- Generate and Encrypt Signals
  The signal collector gathers identifiers or tokens on the page, encrypts them, and stores them temporarily on the client side.
- Send Signals During the Ad Request
  When the ad request is triggered, encrypted signals are passed to Google Ad Manager and then routed to approved demand partners.
- Bidders Decrypt and Use Signals
  Authorized bidders decrypt the signal and use the identifier to inform their bidding logic — improving precision without compromising privacy.
- Reporting and Optimization
  Publishers can track how often secure signals are sent, which partners are using them, and what impact they have on performance.
Implementation Checklist
- Enable the Feature
  Access the Secure Signals settings in Google Ad Manager and enable sharing for approved identity providers and bidders.
- Integrate the Collector Script
  Use Google’s deployment, your own tag, or the Prebid UserID integration depending on your existing setup.
- Test and Validate
  Verify that signals are being encrypted and transmitted correctly. Check reporting metrics to ensure delivery and bidder adoption.
- Monitor and Expand
  Start small, test CPM impact, and expand to more bidders once proven. Review which partners are using the data effectively.
Risks, Caveats, and Best Practices
- Permissions: Only certain account roles can enable or view secure signal settings. Ensure you have admin-level access.
- Bidder Adoption: Not all demand partners currently support decryption; focus on those that do.
- Performance: Keep scripts lightweight to avoid slowing page loads.
- Data Control: Grant decryption permissions only to trusted partners.
- Compliance: Even though signals are encrypted, they still involve user data. Maintain consent management compliance under GDPR and CCPA.
- Testing: Use A/B testing to quantify the revenue impact before full rollout.
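One way to write the collector from the step-by-step section so that it also honours the compliance and performance caveats above, as an added example that is not Google's or this page's own code. It registers with the `googletag.secureSignalProviders` queue of Google Publisher Tag; `PROVIDER_ID`, `makeCollector`, `hasConsent`, `fetchEncryptedToken` and the 500 ms budget are assumptions, and the token is assumed to arrive already encrypted from the identity provider.

```javascript
// Added example: consent-gated, time-boxed secure signal collector.
// Hypothetical names: PROVIDER_ID, makeCollector, hasConsent, fetchEncryptedToken.
const PROVIDER_ID = 'example-id-provider.test'; // placeholder: use the id configured in Ad Manager
const TIME_BUDGET_MS = 500;                      // assumed budget so the ad request is not held up

// Cheap sanity check: a raw email address or phone number must never be sent as a signal.
function looksLikePlaintext(value) {
  return /@/.test(value) || /^\+?\d{7,15}$/.test(value);
}

function makeCollector({ hasConsent, fetchEncryptedToken, budgetMs = TIME_BUDGET_MS }) {
  let cached = null; // held in memory for this page view only
  return function collectorFunction() {
    // No consent: reject before touching any identifier, so no signal is produced.
    if (!hasConsent()) return Promise.reject(new Error('no consent'));
    if (cached) return Promise.resolve(cached);
    let timer;
    const timeout = new Promise((_, reject) => {
      timer = setTimeout(() => reject(new Error('signal timeout')), budgetMs);
    });
    const work = Promise.resolve().then(fetchEncryptedToken).then((token) => {
      if (typeof token !== 'string' || token === '' || looksLikePlaintext(token)) {
        throw new Error('refusing to send unencrypted or empty signal');
      }
      cached = token;
      return token;
    });
    return Promise.race([work, timeout]).finally(() => clearTimeout(timer));
  };
}

// Push the provider onto the GPT queue; `win` is `window` in the browser.
function registerProvider(win, collectorFunction) {
  win.googletag = win.googletag || {};
  win.googletag.secureSignalProviders = win.googletag.secureSignalProviders || [];
  win.googletag.secureSignalProviders.push({ id: PROVIDER_ID, collectorFunction });
  return win.googletag.secureSignalProviders.length;
}

// Constructed demo wiring: a stand-in window object and a fake identity-provider call.
const demoWindow = {};
const demoCollector = makeCollector({
  hasConsent: () => true,
  fetchEncryptedToken: async () => 'AgAAAB-constructed-opaque-token',
});
registerProvider(demoWindow, demoCollector);
```

In production, `hasConsent` would read the consent management platform's state and `fetchEncryptedToken` would call the identity provider's SDK.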
Conclusion
The digital advertising ecosystem is shifting toward privacy-first identity frameworks. Third-party cookies are disappearing, and publishers that fail to adapt risk losing audience addressability and revenue.
Secure signals allow you to leverage your first-party data safely, enhance yield, and maintain control over who accesses your information. They’re a critical tool for publishers who want to remain competitive and compliant in a privacy-centric world.