Why does this policy exist and where does it apply?
The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA) and the UK. The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.
The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force.
Do I need to follow this policy for all users if I’m an EEA- or a UK-based publisher or advertiser?
Google’s EU User Consent Policy applies only to end users located in the EEA or the UK.
How will Google ensure compliance with this policy?
Our approach to compliance is to conduct reviews of sites and apps that use our advertising services, as we have done since the Policy was introduced in 2015. Our reviewers visit a site or app as a consumer would visit it, and we look at the information provided and the consents obtained.
Our first priority will always be to work with our partners to get compliance right. We recognize that there may be diverse approaches to gaining consent and we are not prescriptive about this, provided our policy requirements are met. If we find that a partner is not following our policy, our first step will be to contact the partner to indicate an issue, and we will then try to work with them to achieve compliance.
As has been the case since 2015, we give sites or apps a reasonable timeframe to make any necessary changes; but if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable time frame, this might result in action on the account(s) in scope, including suspension.
What disclosures to end users do I need to make?
Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google’s uses of data, we recommend linking to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.
Checklist for partners to avoid common mistakes when implementing a consent mechanism
These are examples only and this is not intended to be an exhaustive list. Always take care to ensure your implementation meets all the requirements of Google’s policies.
- Have you explained to users how their personal data will be used when they give their consent to collect them on your site/app e.g. are they aware that their personal data will be used for personalization of ads and that cookies may be used for personalized and non-personalized advertising?
- Have you checked that your consent notice is being displayed when your site/app is accessed by users from all EEA countries?
- Have the users been given the option to take affirmative action to indicate consent e.g. clicking an “OK” button or an “I agree” button?
- Have you disclosed which third parties (including Google) will also have access to the user data you collect on your site/app?
- Have you informed users about how Google will use their personal data when they give consent on your site/app e.g. by including a link to Google’s Privacy & Terms site? What about how other third parties will use their personal data?
- If you monetize only with Non Personalized Ads – have you checked that you obtain users’ consent to the use of cookies or other local storage (like mobile device identifiers), where legally required? Please note that the non-personalized ads that we serve on websites still require cookies to operate.
- If you monetize Ad Manager and AdMob impressions only with limited ads, in addition to disabling the collection, sharing, and use of personal data for personalization of ads, Google does not access cookies, user identifiers, or equivalent local storage on the end user’s device. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users’ browsers and mobile operating systems. This feature does not use cookies or other local storage as referenced in Google’s EU User Consent policy, meaning you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager and AdMob Help Centers for more details on this feature.
- If you use an IAB certified CMP have you included “Google Advertising Products” as a vendor?
What if I don’t want to have end users’ personal data used for personalization of ads?
We have launched new functionality that allows you to disable personalized ads. Please note that the non-personalized ads that we serve on websites or apps still require cookies or mobile identifiers to operate. You are required to obtain consent for the use of cookies or mobile identifiers, where legally required.
For Ad Manager and AdMob impressions, you may also choose to monetize with limited ads. When limited ads are enabled, in addition to disabling the collection, sharing, and use of personal data for personalization of ads, Google does not access cookies, user identifiers, or equivalent local storage on the end user’s devices. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users’ browsers and mobile operating systems. This feature does not use cookies or other local storage as referenced in Google’s EU User Consent policy, meaning you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager and AdMob Help Centers for more details.
What instructions do I give to end users for revocation of consent?
The policy requires that end users are told how to revoke consent to ads personalization. At a minimum, end users need to have information sufficient to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device.
What are the other Google products that incorporate this policy?
In addition to ads and measurement products, this policy is referenced in other Google products such as the Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service, and in Blogger.
What types of ads are considered “personalized” for purposes of this policy?
Personalized advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. Our publisher products, depending how they’re used, can make inferences about a user’s interests based on the sites they visit or the apps they use, allowing advertisers to target their campaigns according to these interests. This provides an improved experience for users and advertisers alike. You can see our advertiser policies for personalized ads to learn more.
Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user’s previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, and targeting audience lists uploaded in Google Marketing Platform.
What types of ads are considered “non-personalized” in this policy?
Non-personalized ads will use only contextual information, including coarse general (city-level) location, and content on the current site or app; targeting is not based on the profile or past behavior of a user.
What types of ads are considered “limited ads” in this policy?
When limited ads are enabled for Ad Manager and AdMob impressions, in addition to disabling the collection, sharing, and use of personal data for personalization of ads, Google does not access cookies, user identifiers, or equivalent local storage on the user’s device. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users’ browsers and mobile operating systems. See the Ad Manager and AdMob Help Centers for more details.
Can I use limited ads if users opt out of, or object to, using their personal data for legitimate interest purposes?
No, limited ads would not be an appropriate solution in these circumstances. Google’s limited ads solution doesn’t rely on cookies or mobile identifiers, but we do require a legal basis to carry out functions like basic ad serving and measurement.
Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?
Cookies or mobile identifiers are used to support personalized and non-personalized ads served by Google, to combat fraud and abuse, for frequency capping, and for aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply and the UK. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.” With Ad Manager and AdMob, publishers may also choose to use our limited ads feature in the absence of consent for cookies or other local storage. (In addition to disabling the collection, sharing, and use of personal data for personalization of ads, this feature does not use cookies or other local storage as referenced Google’s EU User Consent policy, meaning you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction.) See the Ad Manager and AdMob Help Centers for more details.
What if I’m an advertiser using Google’s products on my site?
If you use tags for advertising products like Google Ads or Google Marketing Platform on your pages, you’ll need to obtain consent from your EEA and UK users to comply with Google’s EU User Consent Policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalized ads – for instance if you have remarketing tags on your pages.
What should I say in my consent notice?
The text of your consent notice will depend on the choices you wish to present to your users and your other uses of data (e.g. for your own purposes, or to support other services that you work with).
What if I’m a publisher serving only non-personalized ads to EEA and UK users?
If you do not serve personalized ads to users that visit your site, and visits to your site do not influence the ads served elsewhere, you are still required to obtain consent for the use of cookies or mobile identifiers, where legally required. Consent for cookies or mobile identifiers is still required because non-personalized ads still use cookies or mobile identifiers to combat fraud and abuse, for frequency capping, and for aggregated ad reporting.
For Ad Manager and AdMob impressions, you may also choose to monetize with limited ads. When limited ads are enabled, in addition to disabling the collection, sharing, and use of personal data for personalization of ads, Google does not access cookies, user identifiers, or equivalent local storage on the end user’s device. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users’ browsers and mobile operating systems. This feature does not use cookies or other local storage as referenced in Google’s EU User Consent policy, meaning you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager and AdMob Help Centers for more details.
What choices do I need to present to my users?
Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalized and non-personalized ads; others may wish to present different choices to their users.
What if I’m writing a consent notice for an app?
Mobile apps generally don’t use cookies. Google Ad Manager and AdMob products support in-app advertising using dedicated advertising IDs that are made available by the Android and iOS operating systems. Therefore, you might want your notice to say that you use “an identifier on your device” rather than cookies. This will help you to meet the requirements of Google’s policy where it refers to seeking consent for the use of “other local storage”.
Does Google require a particular form of consent message for apps?
The law says a user’s consent should be freely given, specific, informed and unambiguous to be legally valid, but does not require a particular form of consent message. Our EU User Consent Policy allows flexibility in the design of the consent message and the choices presented to users.
Where can I get a consent solution?
There are features in AMP that can be used to build a consent solution. We have also developed a consent solution for Google Ad Manager and AdMob. However, you may prefer to build your own consent solution or use another vendor’s solution.
If you’re using products like Google AdSense or Google Ad Manager on your site, you’ll need to take steps to integrate your preferred solution with the advertising tags on your pages to make sure your users’ preferences are respected. Each vendor offers instructions or support services for doing this. If you don’t follow these steps for all the tags on your pages, you risk misleading your users: they will think they’re switching off advertising cookies when in fact advertising cookies will still be used. Therefore, test carefully any implementation of these tools on your own site.
How should partners choose which Consent Management Platform (CMP) provider to adopt?
Partners can consider building their own consent solution, using the consent messaging tools in the Privacy & messaging tab in Ad Manager, AdSense and AdMob, or use a third party CMP solution. If using an already available CMP, they should consult their legal department as to the proper consent solution for their circumstances as well as ensure that the solution allows the level of customization to reflect those circumstances.
There are external resources available to help you choose the appropriate CMP provider, including the list of CMPs that have registered with the IAB’s Transparency and Consent Framework. Note, this list is not exhaustive of all CMPs available, nor does adopting any of these CMPs guarantee compliance with Google’s EU User Consent Policy, as this depends on the specific consent message presented to users (for more guidance on this, please refer to the question above “Checklist for partners to avoid common mistakes when implementing a consent mechanism”).
In May 2023, we announced in this blogpost that later this year, we will require partners using our publisher products — Google AdSense, Ad Manager, or AdMob — to use a Google-certified CMP that integrates with IAB Europe’s Transparency and Consent Framework (TCF) when serving ads to users in the European Economic Area or the UK. Further information can be found in our Help Center (Ad Manager, AdMob, AdSense).
What other parties collect end users’ personal data, and how should I identify these third parties?
Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products. Controls in AdSense, Google Ad Manager and AdMob are available to allow you to choose the vendors permitted to collect data on your site or app.
My site is not based in Europe. Does this policy apply to me?
Yes, if you use Google products that incorporate the policy and you intend for users in the EEA or the UK to access your services.
As a publisher, none of my campaigns are targeted to EEA or the UK. Does this consent requirement still apply to me?
Consent would not be required if Google services were removed from the site for users in these countries. However, consent would still be required if Google services are still used but no ads are served. This is because Google Ad Manager uses cookies and our policy still requires consent for cookies that are used for measurement purposes. Google Ad Manager also collects personal data, unless the request is for a non-personalized ad and indicated in the EU User Consent Settings or in the request itself.
How do I build a consent mechanism?
If you’re not sure where to start, consider using a consent management platform. Several providers are available.
In May 2023, we announced in this blogpost that later this year, we will require partners using our publisher products — Google AdSense, Ad Manager, or AdMob — to use a Google-certified CMP that integrates with IAB Europe’s Transparency and Consent Framework (TCF) when serving ads to users in the European Economic Area or the UK. Further information, including a list of certified CMPs, can be found in our Help Center (Ad Manager, AdMob, AdSense).
Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?
Google is committed to complying with the GDPR, including to the extent transposed into UK law, across all of the services we provide in Europe. The changes to our EU User Consent Policy reflect that commitment and guidance from European data protection authorities. We do however want to work with publishers and partners in the broader industry to support them through these changes. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.
Why do we need consent to ads measurement — isn’t that legitimate interests?
Google uses cookies or mobile ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalization and ads measurement where applicable, even if ads measurement can, for GDPR purposes, be supported under a controller’s legitimate interests.
Do I need the consent before the tags fire or can the consent come afterwards?
Our understanding of GDPR requirements is that consent for personalized ads should be obtained before Google’s tags are fired on your pages. The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.” Some regulators have issued guidance specifically requiring user action prior to setting of cookies, while others have permitted consent concurrent with the setting of cookies.
Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalized ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations.
What about using click trackers?
Where advertisers choose to use third-party click-tracking technologies (i.e. where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click- tracking technologies.
What records do I need to keep?
Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.
Why has my consent mechanism been deemed as non compliant, I use an IAB certified Consent Management Platform (CMP)?
You may use whichever CMP you wish, provided that you ensure all the requirements of the EU User Consent Policy are complied with. In the case of an IAB Framework CMP, prior to August 2020, Google had not integrated with the IAB Transparency & Consent framework and it may be that Google did not appear in the list of vendors your CMP shows to users. This means that the consent policy requirement to “identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product” may not have been complied with.
As of August 2020, Google integrated with V2 of the IAB Transparency & Consent framework so “Google Advertising Products” will be available as a vendor to select on the IAB Global Vendor List.
Do I need to follow this policy if I participate in the Privacy Sandbox origin trial?
Yes. Google is experimenting with new ways of supporting the delivery and measurement of digital advertising in ways that better protect people’s privacy online via Chrome’s Privacy Sandbox initiative. When accessing certain Sandbox APIs as part of the Privacy Sandbox origin trial (including Topics, Fledge, and the Attribution Reporting API) you may be using personal data for ads personalization and/or accessing local storage. The EU User Consent Policy requires you to obtain valid user consent for these actions in the same way as you rely on consent today for ads personalization and the use of non-essential local storage in the European Economic Area and the UK.
Does this policy apply in addition to the new Consent Management Platform requirements for serving ads in the EEA and UK?
Yes, in May 2023, we announced in this blog post that later this year, we will require partners using our publisher products — Google AdSense, Ad Manager, or AdMob — to use a Google-certified CMP that integrates with IAB Europe’s Transparency and Consent Framework (TCF) when serving ads to users in the European Economic Area or the UK. This new requirement is additive to the EU User Consent Policy. Further information can be found in our Help Center (Ad Manager, AdMob, AdSense). Our priority is to support publishers with this transition and we will follow up with more details, including updates to the questions and responses above, later this year.
Updates to this policy
Google’s original EU User Consent Policy was updated on 25 May 2018. To reflect the UK’s evolving relationship with the European Union, minor changes were made on 31 October 2019. No further changes to the policy are anticipated at this time but, as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.
About the author