GDPR FAQs

Why is Google a "controller" under the GDPR as opposed to a "processor" of data?

We examined all of our products and assessed whether we act as a controller or a processor for each of them. We operate as a controller for our publisher products because we regularly make decisions on the data to deliver and improve the product.

For example, if you're an AdSense publisher, we'll serve ads to your visitors. If your site is about, say, gardening, then we might infer that your visitors are gardening enthusiasts. We'll use that data to benefit advertisers: a maker of lawnmowers might want its ads served to gardening enthusiasts, even when they're visiting sites that have nothing to do with gardening. Our uses of that data, to benefit different parties, mean that we are data controllers, not processors. For a publisher using our Ad Manager or Ad Exchange products, the publisher has more controls over the use of data. They can opt in to the same sort of data uses as AdSense and AdMob. Or they can make choices that will limit Google's uses of the data, meaning their pages about, for example, skiing won't inform the ads that serve on another publisher's site. There are some limits to those controls: we use data across Ad Manager and Ad Exchange publishers for purposes of product improvement, including to test ad serving algorithms, to monitor end-user latency, and to ensure the accuracy of our forecasting system. Again, it's for these reasons that we're a controller, not a processor, for Ad Manager and Ad Exchange.

The designation of Google's publisher products as a controller does not give Google any additional rights over data derived from a publisher's use of Ad Manager and Ad Exchange. Google's use of data continue to be controlled by the terms of its contract with its publishers, and any feature-specific settings chosen by a publisher through the user interface of our products.

Which services require consent from end users?

Our EU User Consent Policy provides details on where consent is required. We have also updated our help page for the EU User Consent Policy to address questions we have received from our customers.

Our EU User Consent Policy also requires publishers to give users information about how their data will be used. To explain how Google's products use data, we encourage publishers to link to this user-facing page. Doing so will meet this requirement of our policy.

How does Google plan to enforce consent?

Our first priority will always be to work with our customers to get compliance right. We recognize that there will be diverse approaches to gaining consent and we are not prescriptive about the approach, provided our policy is met. For example, we know that publishers want to present different choices to their visitors. We have offered suggestions for what consent might look like at cookiechoices.org and that reflects an approach we've taken with our Funding Choices consent tool; but publishers may prefer to take a different approach. We don't envision a one-size-fits-all approach. Our policy applies to publishers and advertisers that use our products and have end users in the EEA. However, as with our enforcement of our existing policy, our first step is not a 'decision' as such; rather, we contact the customer to indicate an issue, and we will try to work with them to achieve compliance.

Can a publisher use your products without gaining consent and if so, how would it work?

We developed a non-personalized ads mode to allow publishers to either 1) present EEA users with a choice between personalized ads and non-personalized ads or 2) choose to serve only non-personalized ads to all users in the EEA.

Although non-personalized ads don't use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive's cookie provisions apply.

What is Google's solution for non-personalized ads?

Non-Personalized Ads allow publishers to present EEA users with a choice between personalized ads and non-personalized ads, or to choose to serve only non-personalized ads to all users in the EEA. Non-Personalized Ads only use contextual information, including coarse general (city-level) location.

For non-personalized ads, isn't Google a processor versus a controller?

Under this solution, Google will continue to serve in the role of a controller, as we will continue to make decisions on the data as mentioned above to optimize across publishers and improve the product.

Google relies on legitimate interests as a legal basis when using personal data for activities such as serving contextual ads, ads reporting and to combat fraud and abuse.

Although non-personalized ads don't use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. While we rely on legitimate interests for this processing under the GDPR, consent is still required to use cookies for those purposes from users in countries to which the ePrivacy Directive's cookie provisions apply.

If a publisher uses the IAB framework, what options do they have to use Google's publisher products before full sell-side integration?

We have not yet integrated with the IAB Transparency & Consent Framework (TCF). We have been working with IAB Europe over the last several months to explore how our products and policies can support the TCF, but our full technical integration is not complete. 

Until Google’s IAB integration is complete, Google will return personalized ads for the Ad Technology Providers selected in the publisher ATP controls. Publishers will continue to have the option to include the non-personalized ad signal in their ad request or choose to serve only non-personalized ads to all users in the EEA in the Ad Manager UI. Also note that the IAB TCF technical specifications support web; the specifications for mobile app are not finalized. 

If Google makes future policy changes, how will you communicate these changes to publishers?

We are sensitive to the impact of any changes we make to our EU User Consent Policy. However, if regulatory guidance changes in some significant way (for example, if that guidance were to say that in fact personalized ads can rely on legitimate interests), we would expect to reflect that in our policy. While we don't give advance notice of all changes to our policies, we made an exception for those that we're introducing to our EU User Consent Policy. In the event of further significant changes, we would want to do the same.

We will continue to have active discussions with our publisher partners, as we've been doing for months, to share the latest updates and incorporate partner feedback.

Was this article helpful?
How can we improve it?