Help with the EU user consent policy
Why does this policy exist and where does it apply?
The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA). The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.
The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force.
Do I need to follow this policy for all users if I’m an EEA-based publisher or advertiser?
Google’s EU User Consent Policy applies only to EEA-based end users.
How will Google ensure compliance with this policy?
Our approach to compliance is to conduct manual reviews of sites and apps that use our advertising services, as we have done since the Policy was introduced in 2015. Our reviewers visit a site or app as a consumer would visit it, and we look at the information provided and the consents obtained. This is not an automated process.
Our first priority will always be to work with our partners to get compliance right. We recognize that there may be diverse approaches to gaining consent and we are not prescriptive about this, provided our policy requirements are met. If we find that a partner is not following our policy, our first step will be to contact the customer to indicate an issue, and we will then try to work with them to achieve compliance.
As has been the case since 2015, we give sites or apps a reasonable timeframe to make any necessary changes; but if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable time frame, this might result in action on the account(s) in scope, including suspension.
What disclosures to end users do I need to make?
Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's uses of data, we recommend linking to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.
What if I don’t want to have end users’ personal data used for personalization of ads?
What instructions do I give to end users for revocation of consent?
The policy requires that end users are told how to revoke consent to ads personalization. At a minimum, end users need to have information sufficient to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device.
What are the other Google products that incorporate this policy?
In addition to ads and measurement products, this policy is referenced in the Google Maps APIs Terms of Service, the YouTube API Services Terms of Service, the G+ Buttons policy, the reCAPTCHA Terms of Service, and in Blogger.
What types of ads are considered “personalized” for purposes of this policy?
Personalized advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. In all our publisher products, we make inferences about a user’s interests based on the sites they visit or the apps they use allowing advertisers to target their campaigns according to these interests, providing an improved experience for users and advertisers alike. You can see our advertiser policies for personalized ads to learn more.
Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user's previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, targeting audience lists uploaded in Google Marketing Platform.
What types of ads are considered “non-personalized” in this policy?
Non-Personalized ads will use only contextual information, including coarse general (city-level) location, and content on the current site or app; targeting is not based on the profile or past behavior of a user.
Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?
As a publisher or app developer, do I still need a consent message if requesting non-personalized ads only?
What if I’m an advertiser using Google’s products on my site?
If you use tags for advertising products like Google Ads or Google Marketing Platform on your pages, you’ll need to obtain consent from your EEA users to comply with Google’s user consent policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads – for instance if you have remarketing tags on your pages.
What should I say in my consent notice?
While the text of your consent notice will depend on the choices you wish to present to your users and your other uses of data (e.g. for your own purposes, or to support other services that you work with), we provide a suggested notice that might be appropriate at CookieChoices.org, a site run by Google.
What if I’m a publisher serving only non-personalised ads to EEA users?
What choices do I need to present to my users?
Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalized and non-personalized ads; others may wish to present different choices to their users.
What if I’m writing a consent notice for an app?
Does Google require a particular form of consent message for apps?
The law says a user’s consent should be freely given, specific, informed and unambiguous to be legally valid, but does not require a particular form of consent message. Our EU User Consent Policy allows flexibility in the design of the consent message and the choices presented to users.
Our CookieChoices.org site offers some examples of publisher and advertiser consent messages that might be appropriate for your app. Implementing these messages can help you meet the requirements of our policy when using mobile device identifiers, including for personalizing ads. We recognize that some app developers may adopt these examples, while others may simply provide a notice when an app is first opened that users should uninstall the app if they do not agree to sharing their device identifiers and/or receiving personalized ads.
Where can I get a consent solution?
There are features in AdMob and AMP that can be used to build a consent solution. We have developed a consent solution for Google Ad Manager and AdMob. However, you may prefer to build your own consent solution or use another vendor’s solution. CookieChoices.org lists some vendors that offer solutions that we believe can be used to build a consent solution that will meet the requirements of Google’s policy.
If you're using products like Google AdSense or Google Ad Manager on your site, you'll need to take steps to integrate your preferred solution with the advertising tags on your pages to make sure your users' preferences are respected. Each vendor offers instructions or support services for doing this. If you don't follow these steps for all the tags on your pages, you risk misleading your users: they will think they’re switching off advertising cookies when in fact advertising cookies will still be used. Therefore, test carefully any implementation of these tools on your own site.
What other parties collect end users’ personal data, and how should I identify these third parties?
Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products. Controls in AdSense, Google Ad Manager and AdMob are available to allow you to choose the vendors permitted to collect data on your site or app.
My site is not based in Europe. Does this policy apply to me?
Yes, if you use Google products that incorporate the policy and have users in the EEA that can access your services.
As a publisher, none of my campaigns are targeted to EEA. Does this consent requirement still apply to me?
How do I build a consent mechanism?
If you’re not sure where to start, take a look at CookieChoices.org. It offers resources for putting in place consent mechanisms on websites and apps.
Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?
Google is committed to complying with the GDPR across all of the services we provide in Europe. The changes to our EU User Consent Policy reflect that commitment and guidance from EU data protection authorities. We do however want to work with publishers and partners in the broader industry to support them through these changes. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.
Why do we need consent to ads measurement — isn’t that legitimate interests?
Do I need the consent before the tags fire or can the consent come afterwards?
Our understanding of GDPR requirements is that consent for personalized ads should be obtained before Google’s tags are fired on your pages. The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.” Some regulators have issued guidance specifically requiring user action prior to setting of cookies, while others have permitted consent concurrent with the setting of cookies.
Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalized ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations.
What about using click trackers?
Where advertisers choose to use third-party click-tracking technologies (i.e. where an ad click directs the user’s browser to a third- party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click- tracking technologies.
What records do I need to keep?
Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.
Why has my consent mechanism been deemed as non compliant, I use an IAB certified Consent Management Platform (CMP)?
You may use whichever CMP you wish, provided that you ensure all the requirements of the EU User Consent Policy are complied with. In the case of an IAB Framework CMP, it may be that Google does not appear in the list of vendors your CMP shows to users, meaning the consent policy requirement to “identify each party that may collect, receive, or use end users’ personal data as a consequence of your use of a Google product” is not complied with. As Google is not yet registered with the IAB framework, it is not included on the IAB Global Vendor List, so will not be listed by default.
How can I make sure that Google is listed as a vendor in my IAB certified CMP?
There are three options that you may consider:
- Check with your current CMP provider if they can accommodate consent collection for non-IAB registered vendors (e.g. Google) in the same CMP UI.
- If your provider doesn’t support non-GVL vendors, consider implementing a different consent mechanism to surface and collect user consent for Google.
- Build your own CMP or own consent request for Google.
As a publisher or app developer, do I still need a consent message if requesting non-personalized ads only?
Checklist for partners to avoid common mistakes when implementing a consent mechanism
- These are examples only and this is not intended to be an exhaustive list. Always take care to ensure your implementation meets all the requirements of Google’s policies."
- Have you explained to users how their personal data will be used when they give their consent to collect them on your site/app e.g. are they aware that their personal data will be used for personalization of ads and that cookies may be used for personalized and non-personalized advertising
- Have you checked that your consent notice is being displayed when your site/app is accessed by users from all EEA countries?
- Have the users been given an option to take affirmative action to indicate consent e.g. clicking an “OK” button or an “I agree” button
- Have you disclosed which third parties (including Google) will also have access to the user data you collect on your site/app?
- Have you informed users about how Google will use their personal data when they give consent on your site/app e.g. by including a link to Google’s Privacy & Terms site? What about how other third parties will use their personal data?
- If you use an IAB certified CMP - have you customized the list of third parties that you disclose to users to include Google on this list (note that Google is not currently an IAB framework vendor, so does not appear on the IAB Global Vendor List)?
Updates to this policy
Google’s original EU User Consent Policy was updated on May 25. We published the proposed text of the new policy on March 21, 2018. That text called for, among other things, consent to the "use of personal data for personalization of ads or other services.” Based on feedback from publishers and advertisers, we removed the words “or other services” on May 21, 2018. No further changes to the policy are anticipated at this time, but as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.