Help with the EU user consent policy

Why does this policy exist and where does it apply?

The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA) and the UK. The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.

The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force.

Do I need to follow this policy for all users if I’m an EEA- or a UK-based publisher or advertiser?

Google’s EU User Consent Policy applies only to end users located in the EEA or the UK.

How will Google ensure compliance with this policy?

Our approach to compliance is to conduct reviews of sites and apps that use our advertising services, as we have done since the Policy was introduced in 2015. Our reviewers visit a site or app as a consumer would visit it, and we look at the information provided and the consents obtained.

Our first priority will always be to work with our partners to get compliance right. If we find that a partner is not following our policy, our first step will be to contact the partner to indicate an issue, and we will then try to work with them to achieve compliance.

As has been the case since 2015, we give sites or apps a reasonable time frame to make any necessary changes; but if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable time frame, this might result in action on the account(s) in scope, including suspension.

In addition to conducting reviews of sites and apps, in May 2023 we announced that beginning 16 January 2024, publishers will be required to adopt a Certified CMP when serving ads to users in the EEA and the UK in order to comply with this policy. Google will continue to run audits on our publisher partner sites and apps where a Certified CMP has been adopted.

What disclosures to end users do I need to make?

Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's use of data, publishers and advertisers are required to link to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.

Checklist to avoid common mistakes when implementing a consent mechanism

These are examples only and this is not intended to be an exhaustive list. On the publisher side, if you have adopted and correctly implemented a certified CMP, then you should already be in compliance with this checklist. Always take care to ensure your implementation meets all the requirements of Google’s policies.

  • Have you explained to users how their personal data will be used when they consent to its collection on your site/app, e.g. are they aware that their personal data will be used for personalisation of ads and that cookies may be used for personalised and non-personalised advertising?
  • Have you checked that your consent notice is being displayed when your site/app is accessed by users from all EEA countries?
  • Have the users been given an option to take affirmative action to indicate consent e.g. clicking an “OK” button or an “I agree” button?
  • Have you disclosed which third parties (including Google) will also have access to the user data you collect on your site/app?
  • Have you informed users about how Google will use their personal data when they give consent on your site/app e.g. by including a link to Google’s Business Data Responsibility Site? What about how other third parties will use their personal data?
  • If you monetize only with non-personalised ads, have you checked that you obtain users’ consent to the use of cookies or other local storage (like mobile device identifiers), where legally required? Please note that the non-personalised ads that we serve on websites still require cookies to operate.
  • If you monetize impressions only with Limited ads, in addition to disabling the collection, sharing, and use of personal data for personalisation of ads, Google disables features that require use of a local identifier like frequency capping. Only when Programmatic Limited ads are turned on will invalid traffic detection-only cookies and local storage be used to help defend against fraud and abuse. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager, AdMob and AdSense Help Centers for more details on this feature.
  • If you use an IAB certified CMP, have you included “Google Advertising Products” as a vendor?
  • Have you ensured no Google Ads cookies are set in the absence of consent, and that the default state of NPA has not been changed in the absence of consent?

What if I don’t want to have end users’ personal data used for the personalisation of ads?

You can choose whether or not you want to use end users’ personal data for the personalisation of ads. Please note that the non-personalised ads that we serve on websites or apps still require cookies or mobile identifiers to operate. You are required to obtain consent for the use of cookies or mobile identifiers, where legally required.

For Ad Manager, AdSense and AdMob impressions, you may also choose to monetize with limited ads. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction for serving limited ads and non-personalised ads.

What instructions do I give to end users for revocation of consent?

The policy requires that end users are told how to revoke consent to ads personalisation. It needs to be as easy for a user to revoke consent as it was to initially provide consent. At a minimum, end users need to have sufficient information to easily reach their ad controls for your site or app, in order to amend their consent preferences.

What are the other Google products that incorporate this policy?

In addition to ads and measurement products, this policy is referenced in other Google products such as the Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service, and in Blogger.

What types of ads are considered “personalised” for purposes of this policy?

Personalised advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. Our publisher products, depending on how they’re used, can make inferences about a user’s interests based on the sites they visit or the apps they use, allowing advertisers to target their campaigns accordingly. This provides an improved experience for users and advertisers alike. You can see our advertiser policies for personalised ads to learn more.

Google considers ads to be personalised when they are based on previously collected or historical data to determine or influence ad selection, including a user's previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, and targeting audience lists uploaded in Google Marketing Platform.

My consent banner was flagged as non-compliant as part of the audit. What is the best way to resolve this?

If we identify non-compliance with this policy, our priority will be to support our partners in coming back into compliance. Our audit team will provide you with details of the failure and information on the steps that need to be taken to bring your site/app into compliance with the policy.

To ensure a banner is appropriately configured to respect user choices, we encourage advertisers to work with their 3rd party CMP, or review appropriate consent settings management documentation, and make sure they are appropriately integrated with Consent Mode.

Why does the policy require consent for cookies, even if used for purposes other than personalisation, such as ads measurement?

Cookies or mobile identifiers are used to support personalised and non-personalised ads served by Google, to combat fraud and abuse, for frequency capping, and for aggregated ad reporting. Our policy requires consent to the use of cookies or mobile identifiers for users in countries in which consent to cookies or mobile identifiers is legally required.

What if I’m an advertiser using Google’s products on my site?

If you use tags for advertising products like Google Ads or Google Marketing Platform on your pages, you’ll need to obtain consent from your EEA and UK users to comply with Google’s EU User Consent Policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads – for instance if you have remarketing tags on your pages.

What should I say in my consent notice?

Google’s policy does not dictate the choices that should be offered to users as the text of your consent notice will depend on your uses of data (e.g. if you use data for your own purposes or to support other services that you work with).

Does Google require a particular form of consent message for apps?

Yes, in May 2023 we announced that beginning 16 January 2024, publishers will be required to adopt a Certified CMP when serving ads to users in the EEA and the UK. If your CMP is not on this list, we would encourage you to work with your CMP to obtain certification.

For advertiser partners, the CMP partner program was created to assist advertisers in building and configuring consent banners. Note: This list is not exhaustive of all CMPs available.

How should partners choose which Consent Management Platform (CMP) provider to adopt?

For advertiser partners, the CMP partner program was created to assist advertisers in building and configuring consent banners. Note: This list is not exhaustive of all CMPs available. Adopting any of these CMPs does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

What other parties collect end users’ personal data, and how should I identify these third parties?

Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products. Controls in AdSense, Google Ad Manager and AdMob are available to allow you to choose the vendors permitted to collect data on your site or app.

My site is not based in Europe. Does this policy apply to me?

Yes, if you use Google products that incorporate the policy and you intend for users in the EEA or the UK to access your services.

As a publisher, none of my campaigns are targeted to EEA or the UK. Does this consent requirement still apply to me?

Consent would not be required if Google services were removed from the site for users in these countries. However, consent would still be required if Google services are still used but no ads are served. This is because Google AdMob, AdSense and Google Ad Manager use cookies and our policy still requires consent for cookies that are used for measurement purposes. Google Ad Manager also collects personal data, unless the request is for a non-personalised ad and this is indicated in the EU User Consent Settings or in the request itself.

Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?

Google is committed to complying with the GDPR, including to the extent transposed into UK law, across all of the services that we provide in Europe. Our EU user consent policy reflects that commitment and guidance from European data protection authorities. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.

Why do we need consent to ads measurement — isn’t that legitimate interest?

Google uses cookies and various ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalisation and ads measurement. This is inclusive of offline measurement use cases (e.g. Store Sales).

Do I need the consent before the tags fire or can the consent come afterwards?

Consent for personalised ads should be obtained before Google’s tags are fired on your pages.

What about using click trackers?

Where advertisers choose to use third-party click-tracking technologies (i.e. where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click-tracking technologies.

What records do I need to keep?

Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.

Why has my publisher CMP been deemed non-compliant when I use a Certified CMP which has also been certified by the IAB?

Adopting a certified CMP does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

Do I need to follow this policy if I am using products that are using Privacy Sandbox APIs?

Yes. When using Privacy Sandbox APIs (Topics, Protected Audience and Attribution Reporting) you may be using personal data for ads personalisation and/or accessing local storage. The EU User Consent Policy requires you to obtain valid user consent for these actions in the same way as you rely on consent today for ads personalisation and the use of non-essential local storage in the European Economic Area and the UK. More information on the Privacy Sandbox.

Updates to this policy

Google’s original EU User Consent Policy was updated on 25 May 2018. To reflect the UK’s evolving relationship with the European Union, minor changes were made on 31 October 2019. No further changes to the policy are anticipated at this time but, as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.