Privacy regulations like GDPR, CCPA, and ePrivacy mandate the protection of Personally Identifiable Information (PII) in marketing and analytics platforms. But anonymizing user data doesnβt mean losing conversion accuracy.
π What is Considered PII?
| Data Type | Classification | Action Required |
|---|---|---|
| Email Address | PII | Hash or drop |
| Phone Number | PII | Hash or drop |
| IP Address | Pseudonymous | Mask or drop |
| Names | PII | Drop or hash (rare) |
π§° Prerequisites
| Tool / Feature | Description |
|---|---|
| OpenCart (3.x or 4.x) | Your eCommerce platform |
| Google Tag Manager | For data layer & tag handling |
| GA4, Meta, Ads | For conversion attribution |
| SHA-256 Hash Function | For hashing emails/phones |
| Consent Framework (optional) | Compliant data handling |
π¦ Step 1: Hash PII Before Sending to GTM
Edit your success.twig or wherever you inject Data Layer variables.
<script>
function sha256(str) {
const encoder = new TextEncoder();
return crypto.subtle.digest('SHA-256', encoder.encode(str)).then(buf => {
return Array.from(new Uint8Array(buf)).map(b => b.toString(16).padStart(2, '0')).join('');
});
}
const emailRaw = '{{ email | lower }}';
const phoneRaw = '{{ telephone | replace(" ", "") }}';
sha256(emailRaw).then(function(emailHash) {
sha256(phoneRaw).then(function(phoneHash) {
window.dataLayer = window.dataLayer || [];
dataLayer.push({
event: 'purchase',
email_hash: emailHash,
phone_hash: phoneHash,
transaction_id: '{{ order_id }}',
value: {{ order_total }},
currency: '{{ currency }}'
});
});
});
</script>
Note: This uses the browser-native crypto.subtle API for SHA-256.
π Step 2: Pass Hashed Data to Tags in GTM
Example: Meta (Facebook) Advanced Matching
Tag Type: Custom HTML or Meta Pixel Tag
Trigger: purchase
<script>
fbq('track', 'Purchase', {
value: {{DL - value}},
currency: '{{DL - currency}}',
external_id: '{{DL - email_hash}}',
phone: '{{DL - phone_hash}}'
});
</script>
Example: GA4 User Properties (hashed email)
Tag Type: GA4 Event
User Properties:
| Property Name | Value |
|---|---|
| user_email | {{DL - email_hash}} |
You may also set this as a User Property in the GA4 Config tag.
π Step 3: Anonymize IP Addresses in GA4
GA4 automatically anonymizes IPs by default, but for server-side implementations, ensure you’re not forwarding full IPs.
In server-side GTM, exclude IP address from request forwarding or mask using:
requestHeaders['x-forwarded-for'] = null;
π Step 4: Consent-Controlled Exposure
If the user declines consent, donβt collect any PIIβeven hashed.
Add a check before pushing to the Data Layer:
if (window.consent_granted === true) {
dataLayer.push({
event: 'purchase',
email_hash: 'HASHED_EMAIL',
phone_hash: 'HASHED_PHONE'
});
}
Or use GTM Consent Mode v2 and only fire marketing tags with ad_user_data consent.
π§ͺ Step 5: QA & Validation
Check Tags:
| Platform | Tool to Test |
|---|---|
| Meta | Facebook Pixel Helper |
| GA4 | GA4 DebugView, Realtime tab |
| GTM | Preview Mode, Variables tab |
| Network | DevTools β Filter on collect |
Ensure:
- Only hashed data is sent
- No plain text emails/phones in network payloads
- Tags honor consent status
π§ Strategic Tips
- Hash client-side: Avoid sending raw PII to GTM or servers
- Use same hashing method across tools to enable matching
- Document hashing logic for audits
- Rotate hashing logic if breach is suspected (advanced)
Related posts:
Data Governance and Consent Management in Server-Side Tagging
Integrating Meta Pixel and Conversions API with Google Tag Manager
Server-Side Tracking for Enhanced Attribution in a Privacy-First World
Building a GDPR-Compliant Server-Side Data Collection Stack
π OpenCart Server-Side Tagging: Capturing Email & Phone as First-Party Data
Google Ads Enhanced Conversions with Server-Side Tagging
π Facebook Pixel + Conversions API (CAPI) Setup in OpenCart via GTM (Web + Server-Side)
Consent Mode v2 Implementation in OpenCart Using GTM