Helping publishers comply with U.S. states privacy laws

Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we do not sell personal information. We give users transparency and control over their ad experiences via My Ad Center, My Account and several other features to help you manage your account. Per our Personalized advertising policy, we don't use sensitive information like health, race, religion, or sexual orientation to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative, and ads.txt to support a healthy and sustainable ads ecosystem.

Google welcomes privacy laws that protect consumers. In May 2018, we launched several updates to help publishers comply with the General Data Protection Regulation (GDPR) in the EEA.

We’re building on that feature set by offering restricted data processing, which will operate as set forth below, to help publishers manage their compliance with U.S. states privacy laws. 

Service provider terms

Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms, which will supplement those existing data protection terms, effective January 1, 2023. For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.

Select a data processing setting

By default, data processing in Ad Manager isn't restricted and personalized ads will be shown to users on your site or app. To restrict data processing and only show non-personalized ads to eligible users in applicable U.S. states, you need to change the CPRA settings. These settings don't control data you may be sharing outside of your account, for example through mediation.

To change the data processing settings for your entire account, complete the following steps:

1. Sign in to Google Ad Manager.
2. Click Privacy & Messaging CPRA  Settings.
3. Select the option you want to apply to your Ad Manager network.
   • Don't restrict data processing: Google will show personalized ads to eligible users in the applicable U.S. states.
   • Restrict data processing: Google will only show non-personalized ads from Google demand to eligible users in the applicable U.S. states.
4. Click Save.

Don’t restrict data processing

If you choose “Don’t restrict data processing”, you can select the advertising partners that are eligible to receive bid requests for users Google determines are in the applicable U.S. states.

Complete the following steps to specify eligible advertising partners.

1. Sign in to Google Ad Manager.
2. Click Admin  CPRA settings.
3. In the “Review your ad partners” section, click  select the list you want to use.
   • Use active ad partners: Use the list of all available advertising partners provided within this feature’s setting. All active advertising partners are eligible for bid requests from users Google determines are in the applicable U.S. states. 
   • Custom ad partner: Customize the list of all available advertising partners to create your own custom list. Only selected advertising partners are eligible for bid requests from users Google determines are in the applicable U.S. states. Under this option, users in your Ad Manager network are notified when new advertising partners join the platform. New advertising partners are not automatically added to your custom list and can be manually included.
4. Click Save.

Restrict data processing

When a publisher enables restricted data processing, on the publisher’s instruction Google will further limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms. Google disallows all interest-based audience targeting, including demographic targeting and user list targeting when in restricted data processing mode.

Restricted data processing options:

Publishers must decide for themselves when and how to enable restricted data processing mode, based on their own compliance obligations and legal analysis. Two common scenarios are below.

1. Some publishers may choose not to display a “Do Not Sell My Personal Information” link on their properties. Such publishers may choose to enable restricted data processing for all of their programmatic traffic for users in applicable U.S. states via a network control. If they select this option, Google will use user IP addresses to determine the location of users and enable restricted data processing mode for any users we can detect have an IP address in applicable U.S. states. 
   If there are multiple IPs (such as in the header and the ad request) and any of them are from applicable U.S. states, the network control will restrict data processing for those requests. If you are using third party Server Side Ad Insertion (SSAI) technology, please be aware that enabling the network level CPRA restricted data processing control will restrict serving where the SSAI IP is based in applicable U.S. states. You may consider implementing Restricted Data Processing settings for pages using Google Publisher Ad Tags as an alternative as then you can identify the ad requests to which restricted data processing should be applied (for example, based on user signals).
2. Alternatively, other publishers may choose to display a “Do Not Sell My Personal Information” link. Such publishers may choose to send a restricted data processing signal on a per-request basis once a user has opted out of the sale of their personal information.

Restricted data processing for programmatic

When restricted data processing mode is enabled using the network control or when a restricted data processing signal is passed in the tag, the following happens for programmatic transactions: *

• Ads that serve do not use information based on the user’s past behavior.
• Google does not record information against user identifiers for the purposes of personalized ads measurement or targeting.
• No ads serve using interest-based audience targeting (including demographic targeting and remarketing list targeting).
• Ads served via Google Ads and Display & Video 360 will only use contextual and placement targeting. These ads may use IP address for very coarse level geo-targeting (city-level) and to prevent invalid activity. These ads also use cookies and/or IDFA and AdIDs for frequency capping, aggregated ad reporting, and to combat fraud and abuse.
• Restricted data processing ad requests are sent to third-party RTB bidders if they are selected in the 'Review your ad partners" list. Refer to this article for more detail.

Restricted data processing for non-programmatic

When restricted data processing mode is enabled using the publisher network controls or a restricted data processing signal is passed in the tag, the following happens for non-programmatic line items:

• No ads serve using interest-based audience targeting (including demographic targeting and remarketing list targeting)
• Google does not record information against user identifiers for the purposes of personalized ads measurement or targeting.

Line items that do not meet the criteria above will be eligible for requests with Restricted data processing enabled. Restricted data processing doesn't extend to the sending or disclosure of personal information to third parties that you may have otherwise enabled in our products and services, and you should ensure that you’ve taken any measures with respect to such third parties as required to meet your compliance needs.

Restricted data processing for mediation and yield groups

When restricted data processing mode is enabled using either the network control or a restricted data processing signal is passed via the SDK, the following happens for Open Bidding and mediation for mobile apps:

• Restricted data processing ad requests are made to Open Bidders.
• Mediation is not disabled *

Features impacted by restricted data processing (RDP) mode

• Audience Solutions targeting will not be available for RDP requests
• Ad Manager mobile carrier targeting will not be available for RDP requests
• Ad Manager bandwidth targeting will not be available for RDP requests
• Deals with non-Display & Video 360 buyers will not be able to transact for RDP requests
• Deals with Display & Video 360 buyers may be impacted if they use third-party pixels or audience targeting for RDP requests

Restricted data processing ads changes in reporting

• For restricted data processing ad traffic, certain Ad Manager Data Transfer fields will be blank, including UserId, AudienceSegmentIds, Bandwidth, and MobileCarrier.
• Accuracy of Ad Manager Reach Reporting may be impacted.