Which of the following requires companies to get users consent before using cookies to track their information?

Why does this policy exist and where does it apply?

The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. The ePrivacy Directive should not be confused with the proposed ePrivacy Regulation, currently under discussion. These laws apply to end users in the European Economic Area (EEA) and the UK. The EEA comprises the EU Member States and Iceland, Liechtenstein and Norway.

The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation (GDPR) came into force.

Do I need to follow this policy for all users if I’m an EEA- or a UK-based publisher or advertiser?

Google’s EU User Consent Policy applies only to end users located in the EEA or the UK.

How will Google ensure compliance with this policy?

Our approach to compliance is to conduct reviews of sites and apps that use our advertising services, as we have done since the policy was introduced in 2015. Our reviewers visit a site or app as a consumer would visit it, and we look at the information provided and the consents obtained.

Our first priority will always be to work with our partners to get compliance right. We recognise that there may be diverse approaches to gaining consent and we are not prescriptive about this, provided that our policy requirements are met. If we find that a partner is not following our policy, our first step will be to contact the partner to indicate an issue, and we will then try to work with them to achieve compliance.

As has been the case since 2015, we give sites or apps a reasonable time frame to make any necessary changes; but if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable time frame, this might result in action on the account(s) in scope, including suspension.

What disclosures to end users do I need to make?

Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's uses of data, we recommend linking to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.

Checklist for partners to avoid common mistakes when implementing a consent mechanism

These are examples only and this is not intended to be an exhaustive list. Always take care to ensure that your implementation meets all the requirements of Google’s policies.

• Have you explained to users how their personal data will be used when they give their consent to collect it on your site/app; for example, are they aware that their personal data will be used for personalisation of ads and that cookies may be used for personalised and non-personalised advertising?
• Have you checked that your consent notice is being displayed when your site/app is accessed by users from all EEA countries?
• Have the users been given an option to take affirmative action to indicate consent, for example, clicking an 'OK' button or an 'I agree' button?
• Have you disclosed which third parties (including Google) will also have access to the user data that you collect on your site/app?
• Have you informed users about how Google will use their personal data when they give consent on your site/app; for example, by including a link to Google’s Privacy and Terms site? What about how other third parties will use their personal data?
• If you monetise only with non-personalised ads – have you checked that you obtain users’ consent to the use of cookies or other local storage (like mobile device identifiers), where legally required? Please note that the non-personalised ads that we serve on websites still require cookies to operate.
• If you monetise Ad Manager and AdMob impressions only with limited ads, in addition to disabling the collection, sharing and use of personal data for personalisation of ads, Google does not access cookies, user identifiers or equivalent local storage on the end user’s device. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. This feature does not use cookies or other local storage as referenced in Google's EU user consent policy, meaning that you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager and AdMob Help Centres for more details on this feature.
• If you use an IAB-certified CMP have you included 'Google Advertising Products' as a vendor?

What if I don’t want to have end users’ personal data used for personalisation of ads?

We have launched new functionality that allows you to disable personalised ads. Please note that the non-personalised ads that we serve on websites or apps still require cookies or mobile identifiers to operate. You are required to obtain consent for the use of cookies or mobile identifiers, where legally required.

For Ad Manager and AdMob impressions, you may also choose to monetise with limited ads. When limited ads are enabled, in addition to disabling the collection, sharing and use of personal data for personalisation of ads, Google does not access cookies, user identifiers or equivalent local storage on the end user’s devices. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. This feature does not use cookies or other local storage as referenced in Google's EU user consent policy, meaning that you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager and AdMob Help Centres for more details.

What instructions do I give to end users for revocation of consent?

The policy requires that end users are told how to revoke consent to ads personalisation. At a minimum, end users need to have sufficient information to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device.

What are the other Google products that incorporate this policy?

In addition to ads and measurement products, this policy is referenced in other Google products such as the Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service and in Blogger.

What types of ads are considered 'personalised' for the purposes of this policy?

Personalised advertising (formerly known as interest-based advertising) is a powerful tool that improves advertising relevance for users and increases ROI for advertisers. Our publisher products, depending on how they’re used, can make inferences about a user’s interests based on the sites that they visit or the apps that they use, allowing advertisers to target their campaigns according to those interests. This provides an improved experience for users and advertisers alike. You can see our advertiser policies for personalised ads to learn more.

Google considers ads to be personalised when they are based on previously collected or historical data to determine or influence ad selection, including a user's previous search queries, activity, visits to sites or apps, demographic information or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists and targeting audience lists uploaded in Google Marketing Platform.

What types of ads are considered 'non-personalised' in this policy?

Non-personalised ads will use only contextual information, including coarse general (city-level) location, and content on the current site or app; targeting is not based on the profile or past behaviour of a user.

What types of ads are considered 'limited ads' in this policy?

When limited ads are enabled for Ad Manager and AdMob impressions, in addition to disabling the collection, sharing and use of personal data for personalisation of ads, Google does not access cookies, user identifiers or equivalent local storage on the user’s device. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. See the Ad Manager and AdMob Help Centres for more details.

Can I use limited ads if users opt out of, or object to, using their personal data for legitimate interest purposes?

No, limited ads would not be an appropriate solution in these circumstances. Google’s limited ads solution doesn't rely on cookies or mobile identifiers, but we do require a legal basis to carry out functions like basic ad serving and measurement.

Why does the policy require consent for cookies, even if used for purposes other than personalisation, such as ads measurement?

Cookies or mobile identifiers are used to support personalised and non-personalised ads served by Google, to combat fraud and abuse, for frequency capping and for aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply and the UK. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers 'where legally required'. With Ad Manager and AdMob, publishers may also choose to use our limited ads feature in the absence of consent for cookies or other local storage. (In addition to disabling the collection, sharing and use of personal data for personalisation of ads, this feature does not use cookies or other local storage as referenced in Google's EU user consent policy, meaning that you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction.) See the Ad Manager and AdMob Help Centres for more details.

What if I’m an advertiser using Google’s products on my site?

If you use tags for advertising products like Google Ads or Google Marketing Platform on your pages, you’ll need to obtain consent from your EEA and UK users to comply with Google’s EU user consent policy. Our policy requires consent for cookies that are used for measurement purposes and consent for the use of personal data for personalised ads – for instance, if you have remarketing tags on your pages.

What should I say in my consent notice?

While the text of your consent notice will depend on the choices that you wish to present to your users and your other uses of data (e.g. for your own purposes, or to support other services that you work with), we provide a suggested notice that might be appropriate at CookieChoices.org, a site run by Google.

What if I’m a publisher serving only non-personalised ads to EEA and UK users?

If you do not serve personalised ads to users that visit your site, and visits to your site do not influence the ads served elsewhere, you are still required to obtain consent for the use of cookies or mobile identifiers, where legally required. Consent for cookies or mobile identifiers is still required because non-personalised ads still use cookies or mobile identifiers to combat fraud and abuse, for frequency capping and for aggregated ad reporting. CookieChoices.org also provides an example of a notice that might be appropriate in this case.

For Ad Manager and AdMob impressions, you may also choose to monetise with limited ads. When limited ads are enabled, in addition to disabling the collection, sharing and use of personal data for personalisation of ads, Google does not access cookies, user identifiers or equivalent local storage on the end user’s device. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. This feature does not use cookies or other local storage as referenced in Google's EU user consent policy, meaning that you can use this feature under the policy even when end-user consent hasn’t been requested or has been declined. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager and AdMob Help Centres for more details.

What choices do I need to present to my users?

Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalised and non-personalised ads; others may wish to present different choices to their users.

What if I’m writing a consent notice for an app?

Mobile apps generally don’t use cookies. Google Ad Manager and AdMob products support in-app advertising using dedicated advertising IDs that are made available by the Android and iOS operating systems. Therefore, you might want your notice to say that you use 'an identifier on your device' rather than cookies. This will help you to meet the requirements of Google’s policy where it refers to seeking consent for the use of 'other local storage'.

Does Google require a particular form of consent message for apps?

The law says that a user’s consent should be freely given, specific, informed and unambiguous to be legally valid, but does not require a particular form of consent message. Our EU user consent policy allows flexibility in the design of the consent message and the choices presented to users.

Our CookieChoices.org site offers some examples of publisher and advertiser consent messages that might be appropriate for your app. Implementing these messages can help you meet the requirements of our policy when using mobile device identifiers, including for personalising ads. We recognise that some app developers may adopt these examples, while others may simply provide a notice when an app is first opened that users should uninstall the app if they do not agree to sharing their device identifiers and/or receiving personalised ads.

Where can I get a consent solution?

There are features in AMP that can be used to build a consent solution. We have also developed a consent solution for Google Ad Manager and AdMob. However, you may prefer to build your own consent solution or use another vendor’s solution. CookieChoices.org lists some vendors that offer solutions that we believe can be used to build a consent solution that will meet the requirements of Google’s policy.

If you're using products like Google AdSense or Google Ad Manager on your site, you'll need to take steps to integrate your preferred solution with the advertising tags on your pages to make sure that your users' preferences are respected. Each vendor offers instructions or support services for doing this. If you don't follow these steps for all the tags on your pages, then you risk misleading your users: they will think that they’re switching off advertising cookies when in fact advertising cookies will still be used. Therefore, carefully test any implementation of these tools on your own website.

How should partners choose which Consent Management Platform (CMP) provider to adopt?

Partners can consider building their own consent solution, using Funding Choices (please refer here for more information) or a third-party CMP solution. If using an already available CMP, they should consult their legal department as to the proper consent solution for their circumstances as well as ensure that the solution allows the level of customisation to reflect those circumstances.

There are external resources available to help you choose the appropriate CMP provider, including the list of CMPs that have registered with the IAB’s Transparency and Consent Framework. Note: This list is not exhaustive of all CMPs available, nor does adopting any of these CMPs guarantee compliance with Google’s EU user consent policy, as this depends on the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

What other parties collect end users’ personal data, and how should I identify these third parties?

Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive and/or use end users’ personal data as a result of your use of Google products. Controls in AdSense, Google Ad Manager and AdMob are available to allow you to choose the vendors permitted to collect data on your site or app.

My site is not based in Europe. Does this policy apply to me?

Yes, if you use Google products that incorporate the policy and you intend for users in the EEA or the UK to access your services.

As a publisher, none of my campaigns are targeted to EEA or the UK. Does this consent requirement still apply to me?

Consent would not be required if Google services were removed from the site for users in these countries. However, consent would still be required if Google services are still used but no ads are served. This is because Google Ad Manager uses cookies and our policy still requires consent for cookies that are used for measurement purposes. Google Ad Manager also collects personal data, unless the request is for a non-personalised ad and indicated in the EU user consent settings or in the request itself.

How do I build a consent mechanism?

If you’re not sure where to start, take a look at CookieChoices.org. It offers resources for putting in place consent mechanisms on websites and apps.

Our organisation has a different view of the law, and would like to apply a different approach to disclosure and consent. Can we do that?

Google is committed to complying with the GDPR, including to the extent transposed into UK law, across all of the services that we provide in Europe. The changes to our EU user consent policy reflect that commitment and guidance from European data protection authorities. We do however want to work with publishers and partners in the broader industry to support them through these changes. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.

Why do we need consent to ads measurement – isn’t that legitimate interests?

Google uses cookies or mobile ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalisation and ads measurement where applicable, even if ads measurement can, for GDPR purposes, be supported under a controller’s legitimate interests.

Do I need consent before the tags fire or can the consent come afterwards?

Our understanding of GDPR requirements is that consent for personalised ads should be obtained before Google’s tags are fired on your pages. The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers 'where legally required'. Some regulators have issued guidance specifically requiring user action prior to setting of cookies, while others have permitted consent concurrent with the setting of cookies.

Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalised ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations.

What about using click trackers?

Where advertisers choose to use third-party click-tracking technologies, i.e. where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page, they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click-tracking technologies.

What records do I need to keep?

Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.

Why has my consent mechanism been deemed as non-compliant if I use an IAB-certified Consent Management Platform (CMP)?

You may use whichever CMP you wish, provided that you ensure that all the requirements of the EU user consent policy are complied with. In the case of an IAB Framework CMP, prior to August 2020, Google had not integrated with the IAB Transparency and Consent Framework and it may be that Google did not appear in the list of vendors that your CMP shows to users. This means that the consent policy requirement to 'identify each party that may collect, receive or use end users’ personal data as a consequence of your use of a Google product' may not have been complied with.

As of August 2020, Google integrated with V2 of the IAB Transparency and Consent Framework so that 'Google Advertising Products' will be available as a vendor to select on the IAB Global Vendor List.

Do I need to follow this policy if I participate in the Privacy Sandbox origin trial?

Yes. Google is experimenting with new ways of supporting the delivery and measurement of digital advertising in ways that better protect people's privacy online via Chrome's Privacy Sandbox initiative. When accessing certain sandbox APIs as part of the Privacy Sandbox origin trial (including Topics, Fledge and the Attribution Reporting API) you may be using personal data for ads personalisation and/or accessing local storage. The EU user consent policy requires you to obtain valid user consent for these actions in the same way as you rely on consent today for ads personalisation and the use of non-essential local storage in the European Economic Area and the UK.

Updates to this policy

Google’s original EU user consent policy was updated on 25 May. To reflect the UK’s evolving relationship with the European Union, minor changes were made on 31 October 2019. No further changes to the policy are anticipated at this time, but as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.