Help with the EU user consent policy
Why does this policy exist and where does it apply?
The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA). The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.
The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force.
Do I need to follow this policy for all users if I’m an EEA-based publisher or advertiser?
Google’s EU User Consent Policy applies only to EEA-based end users.
How will Google ensure compliance with this policy?
Our approach to compliance is to conduct manual reviews of sites and apps that use our advertising services, as we have done since the Policy was introduced in 2015. Our reviewers visit a site or app as a consumer would visit it, and we look at the information provided and the consents obtained. This is not an automated process.
Our first priority will always be to work with our partners to get compliance right. We recognize that there may be diverse approaches to gaining consent and we are not prescriptive about this, provided our policy requirements are met. If we find that a partner is not following our policy, our first step will be to contact the customer to indicate an issue, and we will then try to work with them to achieve compliance.
As has been the case since 2015, we give sites or apps a reasonable time frame to make any necessary changes; but if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable time frame, this might result in action on the account(s) in scope, including suspension.
What disclosures to end users do I need to make?
Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's uses of data, we recommend linking to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.
What if I don’t want to have end users’ personal data used for personalization of ads?
What instructions do I give to end users for revocation of consent?
The policy requires that end users are told how to revoke consent to ads personalization. At a minimum, end users need to have information sufficient to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device.
What are the other Google products that incorporate this policy?
In addition to ads and measurement products, this policy is referenced in the Google Maps APIs Terms of Service, the YouTube API Services Terms of Service, the G+ Buttons policy, the reCAPTCHA Terms of Service, and in Blogger.
What types of ads are considered “personalized” for purposes of this policy?
Personalized advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. In all our publisher products, we make inferences about a user’s interests based on the sites they visit or the apps they use, allowing advertisers to target their campaigns according to these interests and providing an improved experience for users and advertisers alike. You can see our advertiser policies for personalized ads to learn more.
Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user's previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, targeting audience lists uploaded in Google Marketing Platform.
What types of ads are considered “non-personalized” in this policy?
Non-Personalized ads will use only contextual information, including coarse general (city-level) location, and content on the current site or app; targeting is not based on the profile or past behavior of a user.
Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?
As a publisher or app developer, do I still need a consent message if requesting non-personalized ads only?
What if I’m an advertiser using Google’s products on my site?
If you use tags for advertising products like Google Ads or Google Marketing Platform on your pages, you’ll need to obtain consent from your EEA users to comply with Google’s user consent policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads – for instance if you have remarketing tags on your pages.
What should I say in my consent notice?
While the text of your consent notice will depend on the choices you wish to present to your users and your other uses of data (e.g. for your own purposes, or to support other services that you work with), we provide a suggested notice that might be appropriate at CookieChoices.org, a site run by Google.
What if I’m a publisher serving only non-personalised ads to EEA users?
What choices do I need to present to my users?
Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalized and non-personalized ads; others may wish to present different choices to their users.
What if I’m writing a consent notice for an app?
Does Google require a particular form of consent message for apps?
The law says a user’s consent should be freely given, specific, informed and unambiguous to be legally valid, but does not require a particular form of consent message. Our EU User Consent Policy allows flexibility in the design of the consent message and the choices presented to users.
Our CookieChoices.org site offers some examples of publisher and advertiser consent messages that might be appropriate for your app. Implementing these messages can help you meet the requirements of our policy when using mobile device identifiers, including for personalizing ads. We recognize that some app developers may adopt these examples, while others may simply provide a notice when an app is first opened that users should uninstall the app if they do not agree to sharing their device identifiers and/or receiving personalized ads.
Where can I get a consent solution?
There are features in AdMob and AMP that can be used to build a consent solution. We have developed a consent solution for Google Ad Manager and AdMob. However, you may prefer to build your own consent solution or use another vendor’s solution. CookieChoices.org lists some vendors that offer solutions that we believe can be used to build a consent solution that will meet the requirements of Google’s policy.
If you're using products like Google AdSense or Google Ad Manager on your site, you'll need to take steps to integrate your preferred solution with the advertising tags on your pages to make sure your users' preferences are respected. Each vendor offers instructions or support services for doing this. If you don't follow these steps for all the tags on your pages, you risk misleading your users: they will think they’re switching off advertising cookies when in fact advertising cookies will still be used. Therefore, test carefully any implementation of these tools on your own site.
What other parties collect end users’ personal data, and how should I identify these third parties?
Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products. Controls in AdSense, Google Ad Manager and AdMob are available to allow you to choose the vendors permitted to collect data on your site or app.
My site is not based in Europe. Does this policy apply to me?
Yes, if you use Google products that incorporate the policy and have users in the EEA that can access your services.
As a publisher, none of my campaigns are targeted to EEA. Does this consent requirement still apply to me?
How do I build a consent mechanism?
If you’re not sure where to start, take a look at CookieChoices.org. It offers resources for putting in place consent mechanisms on websites and apps.
Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?
Google is committed to complying with the GDPR across all of the services we provide in Europe. The changes to our EU User Consent Policy reflect that commitment and guidance from EU data protection authorities. We do however want to work with publishers and partners in the broader industry to support them through these changes. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.
Why do we need consent to ads measurement — isn’t that legitimate interests?
Do I need the consent before the tags fire or can the consent come afterwards?
Our understanding of GDPR requirements is that consent for personalized ads should be obtained before Google’s tags are fired on your pages. The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.” Some regulators have issued guidance specifically requiring user action prior to setting of cookies, while others have permitted consent concurrent with the setting of cookies.
Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalized ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations.
What about using click trackers?
Where advertisers choose to use third-party click-tracking technologies (i.e. where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click-tracking technologies.
What records do I need to keep?
Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.
Updates to this policy
Google’s original EU User Consent Policy was updated on May 25. We published the proposed text of the new policy on March 21, 2018. That text called for, among other things, consent to the “use of personal data for personalization of ads or other services.” Based on feedback from publishers and advertisers, we removed the words “or other services” on May 21, 2018. No further changes to the policy are anticipated at this time, but as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.