Help with the EU user consent policy
This page addresses questions you may have about updates we are making to Google’s existing EU User Consent Policy. The new version will go live on May 25, 2018. We will add more content to this page in the weeks leading up to May 25, 2018.
Why does this policy exist and where does it apply?
The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA). The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.
Do I need to follow this policy for all users if I’m an EEA-based publisher or advertiser?
Google’s EU User Consent Policy applies only to EEA-based end users.
What disclosures to end users do I need to make?
Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's uses of data, we recommend linking to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.
What if I don’t want to have end users’ personal data used for personalization of ads?
We will be launching new functionality that allows you to disable personalized ads. Please note that the non-personalized ads that we serve on websites still require cookies to operate.
What instructions do I give to end users for revocation of consent?
The policy requires that end users are told how to revoke consent to ads personalization. At a minimum, end users need to have information sufficient to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device.
What are the other Google products that incorporate this policy?
In addition to ads and measurement products, this policy is referenced in the Google Maps APIs Terms of Service, the YouTube API Services Terms of Service, the G+ Buttons policy, the reCAPTCHA Terms of Service, and in Blogger.
What types of ads are considered “personalized” for purposes of this policy?
Personalized advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. In all our publisher products, we make inferences about a user’s interests based on the sites they visit or the apps they use allowing advertisers to target their campaigns according to these interests, providing an improved experience for users and advertisers alike. You can see our advertiser policies for personalized ads to learn more.
Google considers ads to be personalized when they are based on previously collected or historical data to determine or influence ad selection, including a user's previous search queries, activity, visits to sites or apps, demographic information, or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists, targeting audience lists uploaded in DoubleClick Bid Manager or Campaign Manager.
What types of ads are considered “non-personalized” in this policy?
Non-Personalized ads will use only contextual information, including coarse general (city-level) location, and content on the current site or app; targeting is not based on the profile or past behavior of a user.
Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?
Cookies or mobile identifiers are used to support personalized and non-personalized ads served by Google to combat fraud and abuse, frequency capping, and aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.”
What if I’m an advertiser using Google’s products on my site?
If you use tags for advertising products like AdWords or DoubleClick Campaign Manager on your pages, you’ll need to obtain consent from your EEA users to comply with Google’s user consent policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads -- for instance if you have remarketing tags on your pages.
What should I say in my consent notice?
While the text of your consent notice will depend on the choices you wish to present to your users and your other uses of data (e.g. for your own purposes, or to support other services that you work with), we provide a suggested notice that might be appropriate at CookieChoices.org, a site run by Google.
What choices do I need to present to my users?
Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalized and non-personalized ads; others may wish to present different choices to their users.
What if I’m writing a consent notice for an app?
Mobile apps generally don’t use cookies. Google’s DFP and AdMob products support in-app advertising using dedicated advertising IDs that are made available by the Android and iOS operating systems. Therefore, you might want your notice to say that you use “an identifier on your device” rather than cookies. This will help you to meet the requirements of Google’s policy where it refers to seeking consent for the use of “other local storage”.
Where can I get a consent solution?
There are features in AdMob and AMP that can be used to build a consent solution. We are also developing a consent solution for DFP and AdSense that will become available more widely soon. However, you may prefer to build your own consent solution or use another vendor’s solution. Cookiechoices.org lists some vendors that offer solutions that we believe can be used to build a consent solution that will meet the requirements of Google’s policy.
If you're using products like Google AdSense or DFP on your site, you'll need to take steps to integrate your preferred solution with the advertising tags on your pages to make sure your users' preferences are respected. Each vendor offers instructions or support services for doing this. If you don't follow these steps for all the tags on your pages, you risk misleading your users: they will think they’re switching off advertising cookies when in fact advertising cookies will still be used. Therefore, test carefully any implementation of these tools on your own site.
What other parties collect end users’ personal data, and how should I identify these third parties?
Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products. New controls in AdSense, DFP, AdX and AdMob will be available in advance of May 25, 2018 to allow you to choose the vendors permitted to collect data on your site or app.
My site is not based in Europe. Does this policy apply to me?
Yes, if you use Google products that incorporate the policy and have users in the EEA that can access your services.
How do I build a consent mechanism?
If you’re not sure where to start, take a look at cookiechoices.org. It offers resources for putting in place consent mechanisms on websites and apps.
Our organization has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?
Google is committed to complying with the GDPR across all of the services we provide in Europe. The changes to our EU User Consent Policy reflect that commitment and guidance from EU data protection authorities. We do however want to work with publishers and partners in the broader industry to support them through these changes. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.
Why do we need consent to ads measurement — isn’t that legitimate interests?
Google uses cookies or mobile ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalization and ads measurement where applicable, even if ads measurement can, for GDPR purposes, be supported under a controller’s legitimate interest.
Do I need the consent before the tags fire or can the consent come afterwards?
Our understanding of GDPR requirements is that consent for personalized ads should be obtained before Google’s tags are fired on your pages. The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.” Some regulators have issued guidance specifically requiring user action prior to setting of cookies, while others have permitted consent concurrent with the setting of cookies.
Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalized ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations.
What about using click trackers?
Where advertisers choose to use third-party click-tracking technologies (i.e., where an ad click directs the user’s browser to a third- party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click- tracking technologies.
What records do I need to keep?
Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.
Updates to this policy
Google’s original EU User Consent Policy will be updated on May 25. We published the proposed text of the new policy on March 21, 2018. That text called for, among other things, consent to the use of personal data for personalization of ads or other services.” Based on feedback from publishers and advertisers, we removed the words “or other services” on May 21, 2018. No further changes to the policy are anticipated at this time, but as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.