Forum Moderators: martinibuster

Get Personally Identifiable Information (PII) Notice of Breach

Ahsan Mushtaq

12:01 pm on May 20, 2014 (gmt 0)

10+ Year Member



Today I got an email from Google. The email came from doubleclick-seller-policy @ google.com and I found from the Google product forums [productforums.google.com...] that thousands of people get this same type of email.

The email is:
It has come to our attention that you are passing personally identifiable information (PII) to Google through your use of one or more of Google's advertising products -- DFP, AdSense, and/or Doubleclick AdExchange.

Our systems have detected PII, including email addresses and/or passwords, being passed from each of the domain names below. We have also included below an example of an ad request that we received from your account (from which the PII detected has been redacted).

Our contracts and policies prohibit information being passed to us that we could use or recognize as PII. Sending us PII has put you in breach of those terms.

You should review your implementation of Google tags on your pages, including whether PII of any nature may feature in the URLs of such pages.


But I found nothing on my website.

netmeg

12:52 pm on May 20, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



What are you using as far as Google products on your site? Are you using DFP? Google Tag Manager?

(I've never seen this particular notification before)

alika

1:06 pm on May 20, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Here's a long discussion on the Adsense forum -- looks like it just started yesterday

[productforums.google.com...]

[edited by: alika at 1:08 pm (utc) on May 20, 2014]

Ahsan Mushtaq

1:48 pm on May 20, 2014 (gmt 0)

10+ Year Member



@alika I already read this discussion and also mentioned it in my post, but get no proper answer from this discussion.

@netmeg this is the other part of the email:

You should review your implementation of Google tags on your pages, including whether PII of any nature may feature in the URLs of such pages.

Please give this matter your immediate attention. You should submit your response in this form.

If you fail to achieve compliance with your contract within 30 days we may disable ad serving on your account(s). If you fail to submit any response within 14 days, access to your account will be suspended

[edited by: incrediBILL at 5:42 pm (utc) on Jun 3, 2014]
[edit reason] thread cleanup [/edit]

alika

2:08 pm on May 20, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I don't think you can get any advice here either because no one has encountered this previously, including the long time Adsense users. It seems that this is the first time Google ever sent out these notifications.

The best advice is to wait for any response from Adsense. The top contributors over there already flagged the issue to the Google employees last night, and people over there are just waiting for any response.

I've been looking at the thread to see commonalities. Some say their sites are Wordpress but there are also hard coded sites (so it's not a platform issue). Many are saying they don't have login pages that will pass along the PII.

What some people have done are:

- respond to the Google form included in the email and say that either they need additional information or fixed the problem (no one posted that they responded to the form by saying they were contacted in error)

- some have blocked in their HTACCESS file the URL included in the GET code included in the email. Several have said it came from Stumbleupon, some educational site, some CRM sites, etc.

- many are just adopting a wait and see attitude. After all, the email said you have 14 days to respond

alika

5:01 pm on Jun 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



One of the things that came out of the thread is that the PII can come from an external site framing your site while passing PII. Stumbleupon was cited as one of the culprits.

For me, this raises the concern that someone could jeopardize your Adsense account simply by passing some PII while framing your site.

It is important to make sure your site does not pass PII. This includes making sure that your site cannot be put in an iframe. Another thing, if you have a search box or HTML form that is using method=GET instead of the recommended method=POST implementation, you are more likely to pass PII to the URL.

incrediBILL

5:46 pm on Jun 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



get no proper answer from this discussion


Because the AdSense employees don't seem to answer questions anymore, they used to, that was then, this is now.

BTW, do you have AdSense installed on any login, registration or account update pages? Any page on your website that displays a user's member information, if you allow registration, with AdSense on the same page would technically violate that policy.

Why? Because the media bot spider coming to get data from the page could potentially get user identifiable data in that page depending on how it's implemented.

I would have someone do a security review of your site just for your peace of mind as it sounds like you've done it and missed it and need a new set of eyeballs to take a look that might spot something you've overlooked.

tangor

8:57 pm on Jun 3, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There are some pages on any site you do not want to have advertising, especially any page that accepts registration or login information of any kind. And certainly not on your ecarts!

incrediBILL

8:03 pm on Jun 4, 2014 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In theory your data shouldn't be exposed to a bot because the session file tracking your data should be private to you via your cookie.

However, some software uses session IDs as a URL parameter and if they aren't blocking on IP changes (which used to log AOL users off), those kinds of URLs could easily expose everything.

In other words, an ecommerce novice implementing a cart for the first time, not truly knowing the technology risks, could easily have data breaches.
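
Added example, not part of any post in this thread: a Python audit of web-server access-log lines for the URL problems raised above, namely email addresses or passwords in query strings (GET forms, or a referring page that frames the site with PII in its own URL) and session IDs passed as URL parameters. The log lines, the combined log format and the parameter-name lists are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names are assumptions; extend them for your own application.
SECRET_KEYS = {"password", "passwd", "pwd", "pass"}
SESSION_KEYS = {"phpsessid", "jsessionid", "sid", "sessionid", "session_id"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Combined log format: "METHOD target HTTP/x" status bytes "referer" ...
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3} \S+ "([^"]*)"')

def url_findings(url):
    """Return sorted labels for PII or session data visible in one URL."""
    parts = urlsplit(url)
    found = set()
    # parse_qsl percent-decodes, so jane%40example.com is caught as well.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_KEYS:
            found.add("password")
        if key.lower() in SESSION_KEYS:
            found.add("session-id")
        if EMAIL_RE.search(value):
            found.add("email")
    # Java-style ";jsessionid=..." lives in the path, not the query string.
    if re.search(r";jsessionid=", parts.path, re.I):
        found.add("session-id")
    return sorted(found)

def audit(log_lines):
    """Yield (line_no, field, findings); the URL is not echoed into the report."""
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # The referer of a framed page is the URL of the page framing it.
        for field, url in (("request", m.group(1)), ("referer", m.group(2))):
            hits = url_findings(url)
            if hits:
                yield n, field, hits

# Constructed sample log lines (documentation IPs and example domains).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2014:12:01:00 +0000] "GET /search?q=jane.doe%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [20/May/2014:12:02:00 +0000] "GET /article/42 HTTP/1.1" 200 900 "http://framer.example/go?email=bob@example.org&url=x" "Mozilla/5.0"',
    '203.0.113.9 - - [20/May/2014:12:03:00 +0000] "GET /cart;jsessionid=ABC123?step=2 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [20/May/2014:12:04:00 +0000] "GET /login?user=al&password=hunter2 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [20/May/2014:12:05:00 +0000] "GET /about HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any "request" finding points at a page on the site itself that puts the data in its URL; a "referer" finding points at an external page that linked to or framed the site with the data in its own URL.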