Hi there,
Thanks for reaching out! Happy to give you some initial thoughts and guidance on your Meta CAPI question. It's a good question and one that trips a lot of people up, so you're right to be digging into the details. Getting this stuff right from the start saves a world of pain later on.
The technical setup is definitely one piece of the puzzle, but the real value, the thing that actually moves the needle on performance, is what you *do* with that data once it's flowing correctly. So I'll give you my take on the hashing question first, and then maybe we can broaden out a bit and look at how this all fits into a strategy that actually gets you the results you're after. It's all connected at the end of the day.
You definitely need to hash your data...
Alright, let's get straight to it. Your main question was whether to hash before sending data to the sGateway. The short answer is: yes, absolutely, one hundred percent. You MUST hash all personally identifiable information (PII) on your side, within your server-side GTM container, *before* you send it to Meta. Don't even think about sending it raw.
The confusion you've seen online is understandable, because Meta's documentation can be a bit dense and people often misinterpret it. Here's the simple way to think about it. Your responsibility, as the one collecting the data, is to protect your users' privacy. Under regulations like GDPR in Europe and similar laws elsewhere, you can't just be slinging people's personal details across the internet unencrypted. It's a massive legal and ethical liability. Hashing the data before it leaves your server is how you meet that obligation. It turns "john.doe@email.com" into a meaningless string of characters that can't be reversed.
So why do people say "Meta will hash it"? Because they do, but it's a different step for a different reason. Meta needs the data in a very specific, standardised format (SHA-256) so it can effectively match that hashed string from you against the hashed data it has for its own users. When your hashed data arrives, Meta takes it and re-hashes it using their own system to ensure it's in the perfect format for their matching process. It's a verification and standardisation step on their end.
Think of it like this: you're sending a sensitive document by post. Your job is to put the document inside a secure, sealed envelope (that's your hashing). You then give that sealed envelope to the post office. The post office might then put your envelope into a special, tracked mailbag along with other sealed envelopes (that's Meta's process). You wouldn't just hand the postman the loose pages of your document and hope for the best, would you? It's the same principle. You do your part first, then they do theirs. Relying on Meta to do the initial hashing for you is a disaster waiting to happen and, frankly, it's just not how the system is designed to work. To be on the safe side, you always, always hash first.
I'd say you should hash all PII...
So, your next question was what data actually needs to be hashed. Looking at the list you've got in your screenshot, my advice would be to hash pretty much all of it. When it comes to user privacy, the best approach is to be over-cautious rather than under-cautious.
Let's go through the list:
-> Email (em) & Phone Number (ph): These are the big ones. Non-negotiable. They must be hashed. They are the strongest unique identifiers for Meta's matching process, so getting these right and sending them securely is probably the most important part of the whole setup. This is where you'll get the biggest uplift in your match quality score.
-> First Name (fn) & Last Name (ln): Again, absolutely hash these. This is core PII. You need to lowercase them and remove any punctuation before hashing to give Meta the best chance of a match.
-> City (ct), State/Province (st), Post Code (zp), Country (country): Yep, hash these as well. While a single piece of location data like 'London' isn't unique, a combination of city, postcode, and country can become quite specific. Best practice is to treat all of it as sensitive and hash it. It all helps the algorithm build a more confident picture of the user without you ever exposing their raw data.
-> Client IP Address & Client User Agent: These are also considered PII under most data privacy laws. The IP address in particular is a strong location and user signal. Hash 'em. No question.
The main goal here is to send as many of these signals as you can, because the more hashed data points Meta can use to triangulate a user, the higher your Event Match Quality score will be. A higher score means Meta is more confident that the user who filled out your form is the same user they showed an ad to. This leads to better attribution, which means you can actually trust your reporting, and more importantly, it gives the algorithm much more accurate data to optimise your campaigns with. So the rule is simple: if it can be used to identify a person, even indirectly, you should hash it.
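The normalise-then-hash step described above, as an added example that is not part of the original letter or Meta's own code. It is plain Node.js rather than sandboxed GTM template code, it covers the contact and location keys from the list (em, ph, fn, ln, ct, st, zp, country), and the function names and normalisation rules are assumptions built on the letter's "lowercase and remove punctuation" guidance, so check them against Meta's current parameter documentation.

```javascript
const crypto = require('crypto');

// SHA-256 is deterministic: the same normalised input always gives the same
// digest, which is what lets the receiving side match on it.
const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const HEX64 = /^[0-9a-f]{64}$/i;

// Assumed normalisation rules, one per allow-listed key.
const lettersOnly = (v) => v.toLowerCase().replace(/[^\p{L}]/gu, '');
const NORMALISERS = {
  em: (v) => v.trim().toLowerCase(),
  ph: (v) => v.replace(/\D/g, ''),            // digits only, country code kept
  fn: lettersOnly,
  ln: lettersOnly,
  ct: lettersOnly,
  st: lettersOnly,
  zp: (v) => v.toLowerCase().replace(/[\s-]/g, ''),
  country: (v) => v.trim().toLowerCase(),
};

function hashField(key, raw) {
  const normalise = NORMALISERS[key];
  if (!normalise) throw new Error(`no normaliser defined for "${key}"`);
  if (raw === undefined || raw === null) return null;
  const value = String(raw).trim();
  if (value === '') return null;                           // never hash an empty string
  if (HEX64.test(value)) return value.toLowerCase();       // already a digest: do not hash twice
  const clean = normalise(value);
  return clean === '' ? null : sha256Hex(clean);
}

// Copies only allow-listed keys, so a stray raw field on the form object
// never reaches the outgoing payload.
function buildUserData(lead) {
  const out = {};
  for (const key of Object.keys(NORMALISERS)) {
    const digest = hashField(key, lead[key]);
    if (digest) out[key] = digest;
  }
  return out;
}

// Constructed sample form submission (not real data).
const sampleLead = {
  em: '  John.Doe@Email.com ',
  ph: '+44 20 7946 0958',
  fn: "O'Neil-Smith",
  ct: 'London',
  st: '',
  zp: 'SW1A 1AA',
  country: 'GB',
  notes: 'free-text field that must not be forwarded',
};
console.log(buildUserData(sampleLead));
```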
We'll need to look at why this setup is so important...
Okay, so we've covered the 'how'. Now let's talk about the 'why', because understanding this is what separates people who just run ads from people who build profitable advertising systems. The reason you're going through all this hassle with server-side GTM and CAPI is to solve a huge problem that has been getting worse for years: the unreliability of browser-based tracking.
With things like Apple's iOS14 updates, Intelligent Tracking Prevention (ITP) in Safari and Firefox, and the rise of ad blockers, the standard Meta Pixel that runs in a user's browser is becoming blind. It gets blocked, its cookies get deleted, and a huge chunk of your conversion data simply vanishes. You might get a form fill, but the Pixel never fires, so Meta never knows about it. The result? Your reported CPA (Cost Per Acquisition) goes through the roof, you can't tell which ads are working, and the algorithm is starved of the data it needs to find you more customers. It's trying to fly a plane with a blindfold on.
The Conversions API is the solution. Because it sends data from your server directly to Meta's server, it's immune to all that browser-level interference. It's a clean, reliable, unbreakable data pipeline. When a user fills out your form, your server knows it happened. By sending that event via CAPI, you guarantee Meta knows it too.
This has a massive impact. I remember we were working with a client in the medical recruitment space, a kind of job matching SaaS platform. When they came to us, their CPA was around £100 per user acquisition, which was just crippling them. The first thing we did was a full audit of their tracking. It was a mess, relying solely on a patchy pixel implementation. We rebuilt the entire thing using a server-to-server approach, much like what you're doing now. Once we had that reliable data flowing, we could actually start optimising properly. We were able to reduce their CPA from £100 all the way down to just £7. That's not a typo. A 93% reduction. Of course we worked on ads and targeting too, but none of it would have been possible without fixing the data foundation first. The reliable data from CAPI was the bedrock of that success.
You probably should structure your campaigns to use this data...
So, you're building this brilliant, robust data pipeline. Now what? The biggest mistake I see people make is they set up CAPI and then just carry on running their campaigns the same way they did before. You've just upgraded from a horse and cart to a Formula 1 car; you need to learn how to drive it properly to get the benefit.
The real power of your CAPI data comes to life in your audience strategy. With accurate, server-verified conversion events, your ability to create custom audiences becomes a superpower. This is where you can implement a proper funnel-based campaign structure – what some people call Top-of-Funnel (ToFu), Middle-of-Funnel (MoFu), and Bottom-of-Funnel (BoFu).
Your "form fill on a subdomain" event is a perfect, high-intent signal. Here's how you use it across the funnel:
-> ToFu (Prospecting): This is where you find new customers. The single most powerful audience you can now create is a Lookalike Audience based on the people who have completed your form fill. Because your CAPI data is accurate, you're feeding Meta a clean, high-quality list of your most valuable leads. The algorithm is brilliant at finding patterns, and it will go and find millions of other people who share the same characteristics. A Lookalike of actual leads is infinitely more powerful than a Lookalike of 'all website visitors'. You should test different percentages (1%, 1-3%, 3-5%) to see what works best for you.
-> MoFu (Consideration/Retargeting): This is for people who've shown interest but haven't converted yet. You can now create a custom audience of everyone who visited the landing page with your form on it, but then *exclude* the custom audience of people who successfully submitted the form (your CAPI event). This lets you run specific ads to those people who dropped off, maybe addressing common objections or reminding them of the benefit of filling out the form.
-> BoFu (Conversion/Exclusion): At the bottom of the funnel, you need to be efficient. You should be using your CAPI-powered 'form fill' audience as a master exclusion list across all of your ToFu and MoFu campaigns. There is no point continuing to spend money showing ads to people who have already done the thing you're asking them to do. It's wasted money and it annoys your new leads. Clean exclusions are a sign of a professionally managed account.
To make it clearer, here is a simplified way I'd think about structuring things based on your setup:
| Funnel Stage | Audience Example (based on your form fill) | Campaign's Job |
|---|---|---|
| ToFu (Prospecting) | Lookalike Audience (1%) of all users who completed the form fill event (from CAPI). | Find new people who look exactly like your existing leads. This is your primary growth engine. |
| MoFu (Retargeting) | Custom Audience: All users who visited the form page in the last 30 days. EXCLUDE: All users who completed the form fill event. | Bring back the people who got close but didn't convert. Overcome their hesitation. |
| BoFu (Exclusion) | In your ToFu and MoFu campaigns, always exclude the custom audience of users who completed the form fill event. | Stop wasting ad spend on people who have already converted. Keep your campaigns efficient. |
By structuring your account this way, you're not just 'running ads'. You're building a machine. Each part has a specific job, and your clean CAPI data is the fuel that makes the whole thing run smoothly. You're gonna see much better results when every part of your spend has a clear purpose.
You'll need an offer that actually converts...
Now for some brutal honesty. This might be the most important part of this entire letter. You can have the most perfectly configured server-side tracking in the world, and the most sophisticated campaign structure known to man, but if your *offer* is wrong, none of it matters. The best tracking in the world can't fix a bad offer.
You mentioned your funnel is a "form fill on a subdomain". I have to ask: what is that form for? What are you asking people to do? In my experience, especially in B2B, the default offer is often a "Request a Demo" or "Book a Consultation" button. Let me be blunt: this is one of the worst, most arrogant calls to action you can have. It's high-friction and low-value. You're asking a busy person to commit their valuable time to be sold to, before you've given them anything of real value. It instantly positions you as just another vendor begging for their time.
Your offer's only job is to deliver an "aha!" moment. A moment of undeniable value that makes the prospect sell themselves on your solution. You have to solve a small, real problem for them for free to earn the right to solve the big one for a price.
If you're a SaaS company, this is your unfair advantage. The gold standard is a free trial, no credit card required. Let them get their hands on the product. Let them feel the transformation. When the product itself proves its value, the sale becomes a formality. We've worked with numerous B2B SaaS clients, and the ones that scale fastest are almost always the ones with a seamless free trial or freemium plan. We took one SaaS client from zero to 1535 trials by focusing the entire ad strategy around a frictionless self-serve trial. No demos, no salespeople. Just pure value first.
If you're not a SaaS company, you're not exempt. You must bottle your expertise into a tool or an asset that provides instant value. For an agency, it could be a free, automated website audit. For a data analytics company, a free 'Data Health Check' that finds issues in their database. For us, as a B2B advertising consultancy, it's this kind of advice and the free 20-minute strategy sessions we offer where we audit failing ad campaigns. We solve a small problem for free. You must do the same.
Think about what you can give away that demonstrates your expertise and solves a real pain point for your ideal customer. A checklist? A calculator? A short video course? A template? When you switch from a high-friction "Request a Demo" to a low-friction, high-value offer, your conversion rates will skyrocket. And what happens when your conversion rate goes up? You get more CAPI events, which feeds the algorithm better data, which creates better Lookalikes, which lowers your CPA. It is a virtuous cycle that all starts with having an offer people actually want.
I'd say you need to work out your numbers...
The final piece of the puzzle is understanding the economics of your own business. It's great that you're focused on the technicals of tracking leads, but a lead is only useful if you know what it's worth. The real question isn't "How low can my Cost Per Lead (CPL) go?" but "How high a CPL can I afford to acquire a truly great customer?" The answer to that lies in calculating your Customer Lifetime Value (LTV).
It's simpler than it sounds. You just need three numbers:
1. Average Revenue Per Account (ARPA): What do you make per customer, per month/year? Let's use a simple example and say it's £500 per month.
2. Gross Margin %: What's your profit margin on that revenue? After your cost of goods or cost of service. Let's say it's 80%.
3. Monthly Churn Rate: What percentage of customers do you lose each month? Let's say it's 4% (meaning the average customer stays for 25 months).
Now, the calculation is straightforward:
LTV = (ARPA * Gross Margin %) / Monthly Churn Rate
Using our examples:
LTV = (£500 * 0.80) / 0.04
LTV = £400 / 0.04 = £10,000
In this scenario, every new customer you acquire is worth £10,000 in gross margin to your business over their lifetime. This number changes everything. A healthy business often aims for a 3:1 LTV to Customer Acquisition Cost (CAC) ratio. This means for a £10,000 LTV customer, you can afford to spend up to £3,333 to acquire them and still have a very healthy, profitable business.
Now let's bring it back to your form fill. If your sales process converts, say, 1 in 10 of these qualified leads into a paying customer, you can do the math: £3,333 CAC / 10 leads = £333 per lead. You can afford to pay up to £333 for one of those form fills you're tracking with CAPI.
Suddenly, a lead that costs £50 or £100 doesn't look so expensive, does it? It looks like a bargain. This is the math that unlocks aggressive, intelligent growth. It frees you from the tyranny of chasing cheap, low-quality leads and allows you to confidently pay what's necessary to acquire high-quality leads that turn into valuable customers. Knowing your numbers is what turns advertising from a cost centre into a predictable profit engine.
This is the main advice I have for you:
I know that was a lot to take in, so I've put the main points into a table to summarise my recommendations for you. This is the path I'd suggest to go from having a technical question to building a proper, scalable advertising system.
| Area of Focus | Your Problem | My Recommendation | Why it Matters |
|---|---|---|---|
| 1. CAPI Technicals | Unsure about hashing requirements. | Hash ALL PII (email, name, phone, location) on your server before sending to Meta. | Ensures privacy compliance, improves Event Match Quality, and provides reliable data for Meta's algorithm. |
| 2. Campaign Structure | Not leveraging CAPI data for campaign optimization. | Implement a funnel-based audience strategy (ToFu, MoFu, BoFu) using CAPI data for Lookalikes and exclusions. | Optimizes ad spend, improves targeting accuracy, and drives better campaign performance. |
| 3. Your Offer | High-friction "Request a Demo" type offer. | Develop a low-friction, high-value offer (e.g., free trial, audit, valuable asset) that provides an "aha!" moment. | Increases conversion rates, generates more high-quality CAPI events, and fuels the virtuous cycle of better data and lower CPA. |
| 4. Business Economics | Unclear on what a lead is truly worth. | Calculate your Customer Lifetime Value (LTV) to understand how much you can afford to spend per acquisition. | Enables aggressive, intelligent growth, frees you from chasing cheap leads, and turns advertising into a predictable profit engine. |