
Help with the EU user consent policy

Why does this policy exist and where does it apply?

The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. This policy applies to end users located in the EEA, the UK and Switzerland. The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.

The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation came into effect. The policy was last updated on 31 July 2024 to apply to users located in Switzerland.

Do I need to follow this policy for all users if I’m an EEA, UK or Swiss-based publisher or advertiser?

Google’s EU User Consent Policy applies only to end users located in the EEA, the UK, or Switzerland.

How will Google ensure compliance with this policy?

Our approach to compliance is to conduct periodic audits of websites and apps that use our advertising services, as we have done since the Policy was introduced in 2015. Our reviewers visit a website or app as a user would visit it, and we look at the information provided and the consents obtained.

Our first priority will always be to work with our partners to get compliance right. If we find that a partner is not following our policy, our first step will be to contact the partner to indicate an issue, and we will then try to work with them to achieve compliance.

As has been the case since 2015, we give websites and apps a reasonable timeframe to make any necessary changes. However, if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable timeframe, this might result in action on the account(s) in scope. For advertisers, this includes suspension of audience functionalities, including ad personalization (e.g. remarketing), and conversion measurement capabilities; for publishers, only Limited Ads/programmatic limited ads will be eligible to serve (if programmatic limited ads are enabled).

In addition to conducting audits of websites and apps, we require publishers to adopt a Certified CMP when serving ads to users in the EEA, the UK, and Switzerland in order to comply with this policy. Google will continue to run audits on our publisher partner sites and apps where a Certified CMP has been adopted.

For advertisers with EEA traffic, if a user from the EEA is using your website or app and you measure user behavior with Google tags or SDKs and/or you leverage audience functionality/ad personalisation functionality, you need to pass through end-user consent choices to Google (e.g. via consent mode or TCF). If you load the Google tag and haven’t implemented the latest version of consent mode, we recommend working with a CMP in the Google CMP Partner Program. This list is not exhaustive of all CMPs available and Google does not require advertisers to use a CMP from the Partner Program.

What disclosures to end users do I need to make?

Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's use of data, publishers and advertisers are required to link to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.

Checklist for partners to avoid common mistakes when implementing a consent mechanism

These are examples only and this is not intended to be an exhaustive list. Always take care to ensure your implementation meets all the requirements of Google’s policies.

  • Have you implemented a consent mechanism/banner? For publisher partners, has the consent mechanism/banner been certified by Google?
  • Have you explained to users how their personal data will be used on your website/app e.g. are they aware that their personal data will be used for personalisation of ads and that cookies/mobile ad identifiers may be used for personalised and non-personalised advertising?
  • Have you checked that your consent mechanism/banner is being displayed when your website/app is accessed by users from all EEA countries as well as from the UK and Switzerland?
  • Have users been given an option to take affirmative action to indicate consent e.g. clicking an “OK” button or an “I agree” button?
  • Have you disclosed which third parties (including Google) will also have access to the user data you collect on your website/app?
  • Have you informed users about how Google will use their personal data when they give consent on your site/app by including a link to Google’s Business Data Responsibility Site? What about how other third parties will use their personal data?
  • For advertisers, for your users in the EEA: are you sending validated consent signals to Google that reflect end user preferences? Have you appropriately implemented the latest version of consent mode or TCF?
  • Have you ensured no cookies are set in the absence of consent to the extent consent is required? Please note that the non-personalised ads that we serve on websites still require cookies to operate.
  • For Publishers, have you adopted a Google certified CMP in accordance with TCF requirements? To the extent you leverage Additional Consent, have you correctly implemented it?

What are Limited Ads?

If you are a publisher, when you monetize impressions only with Limited Ads, in addition to disabling the collection, sharing, and use of personal data for personalisation of ads, Google disables features that require use of a local identifier, like frequency capping. Only when Programmatic Limited Ads are turned on will invalid traffic detection-only cookies and local storage be used to help defend against fraud and abuse. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager, AdMob and AdSense Help Centers for more details on this feature.

What instructions do I give to end users for withdrawal of consent?

The policy requires that end users are told how to revoke consent. It needs to be as easy for a user to revoke consent as it was to initially provide consent. At a minimum, end users need to have sufficient information to easily reach their ad controls for your website or app, in order to amend their consent preferences.

What are the other Google products that incorporate this policy?

In addition to ads and measurement products, this policy is referenced in other Google products such as the Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service, and in Blogger.

What types of ads are considered “personalised” for purposes of this policy?

Personalised advertising provides an improved experience for users (i.e. improves advertising relevance) and advertisers/publishers alike. Google considers ads to be personalised when they are based on personal data which is used to determine or influence ad serving. Further information can be found here.

My consent banner was flagged as non-compliant as part of the audit. What is the best way to resolve this?

If we identify non-compliance with this policy, our priority will be to support our partners in coming back into compliance. Our audit team will provide you with details of the failure and information on the steps that need to be taken to bring your website/app into compliance with the policy.

To support advertisers’ compliance with this policy, we encourage advertisers to work with their CMP partner (where applicable), review appropriate consent settings management documentation, make sure they are appropriately integrated with Consent Mode or the TCF, and to check out this troubleshooter.

We encourage publishers to work with their Google certified CMP, and to check out this troubleshooter in order to resolve non-compliance.

Why does the policy require consent for cookies, even if used for purposes other than personalisation, such as ads measurement?

Cookies or mobile identifiers are used to support personalised and non-personalised ads served by Google, for frequency capping, and for aggregated ad reporting. Our policy requires consent to the use of cookies or mobile identifiers for users in countries in which consent to cookies or mobile identifiers is legally required.

What if I’m an advertiser using Google’s products on my website/app?

If you use tags for advertising products like Google Ads, or Google Marketing Platform on your pages/app, you’ll need to obtain consent from your EEA, UK and Swiss users to comply with Google’s EU User Consent Policy. Our policy requires consent for cookies, mobile identifiers or other local storage where legally required, and consent for the use of personal data for personalised ads – for instance if you have remarketing tags on your pages/app.

What should I say in my consent mechanism/banner?

We encourage you to review the checklist above to avoid common mistakes when implementing a consent mechanism/banner as this checklist will support your compliance with this policy.

Google’s policy does not dictate the choices that should be offered to users as the text of your consent notice will depend on your uses of data (e.g. if you use data for your own purposes or to support other services that you work with).

Does Google require a particular form of consent message for apps?

For publishers, yes. Google’s publishers are required to adopt a Google Certified CMP when serving personalised ads to users in the EEA, the UK and Switzerland.

For Google’s advertiser partners, for EEA traffic, advertisers are required to send signals to Google that reflect end user preferences via consent mode or TCF. The CMP partner program was created to assist advertisers in building and configuring consent banners. Note: This list is not exhaustive of all CMPs available and Google does not require advertisers to use a CMP from the partner Program.

How should partners choose which Consent Management Platform (CMP) provider to adopt?

For advertiser partners, the CMP partner program was created to assist advertisers in configuring consent banners on web/app and can support consent mode or TCF integration. Note: This list is not exhaustive of all CMPs available. Adopting any of these CMPs does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

For publisher partners, publishers are required to adopt a CMP that has been certified by Google and has integrated with the IAB Europe Transparency and Consent Framework (TCF) when serving personalized ads to users in the EEA, the UK and Switzerland.

What other parties collect end users’ personal data, and how should I identify these third parties?

Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products.

My website/app is not based in Europe. Does this policy apply to me?

Yes, if you use Google products that incorporate the policy. The Policy applies only to end users located in the EEA, the UK, and Switzerland.

As a publisher, none of my campaigns are targeted to EEA, the UK or Switzerland. Does this consent requirement still apply to me?

This policy applies to end users in the EEA, the UK, and Switzerland. The policy does not apply if Google services were removed from the website/app for users in these countries.

Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?

Google is committed to complying with the GDPR, including to the extent transposed into UK law, across all of the services that we provide in Europe. Our EU user consent policy reflects that commitment and guidance from European data protection authorities. While partners may have a different interpretation of laws, we require our partners to meet the expectations of this policy. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.

Why do we need consent to ads measurement — isn’t that legitimate interest?

Google uses cookies and various ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalisation and consent for ads measurement where legally required.

Do I need the consent before the Google Advertiser tags fire or can the consent come afterwards?

Consent for personalised ads, and for the use of cookies or other local storage where legally required, should be obtained before Google’s Advertiser tags are fired on your web pages or apps.

What about using click trackers?

Where advertisers choose to use third-party click-tracking technologies (i.e. where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click-tracking technologies.

What records do I need to keep?

Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.

Why has my publisher CMP been deemed non-compliant when I use a Certified CMP which has also been certified by the IAB?

Adopting a Certified CMP does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

Why has my website/app been deemed non-compliant when I use a Google Partner CMP?

For advertiser partners, the CMP partner program was created to assist advertisers in building and configuring consent banners on web/app and can support consent mode integration. Working with any of these CMPs does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

Do I need to follow this policy if I am using products that are using Privacy Sandbox APIs?

Yes. When using Privacy Sandbox APIs (Topics, Protected Audience and Attribution Reporting) you may be using personal data for ads personalisation and/or accessing local storage. The EU User Consent Policy requires you to obtain valid user consent for these actions in the same way as you rely on consent today for ads personalisation and the use of non-essential local storage to the extent legally required. More information on the Privacy Sandbox.

For advertisers, is a valid consent signal (via TCF or consent mode) required for users in the UK and Switzerland?

No, we do not have an expectation for advertisers to send a verified consent signal to Google for UK or Swiss traffic (either via consent mode, or TCF). Note: the requirement to send verified consent signals does apply to advertisers with traffic from end users in the European Economic Area (EEA). We recommend working with a Google CMP Partner for implementation guidance. Note: This list is not exhaustive of all CMPs available and Google does not require advertisers to use a CMP from the partner Program.

Updates to this policy

Google’s original EU User Consent Policy was updated on 25 May 2018. To reflect the UK’s evolving relationship with the European Union, minor changes were made on 31 October 2019.

In July 2024, we updated and expanded the EU User Consent Policy to include Switzerland.

No further changes to the policy are anticipated at this time but, as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.