EU user consent policy

GDPR FAQs

Why is Google a 'controller' under the GDPR as opposed to a 'processor' of data?

We examined all of our products and assessed whether we act as a controller or a processor for each of them. We operate as a controller for our publisher products because we regularly make decisions on the data to deliver and improve the product.

For example, if you're an AdSense publisher, we'll serve ads to your visitors. If your site is about, say, gardening, then we might infer that your visitors are gardening enthusiasts. We'll use that data to benefit advertisers: a maker of lawnmowers might want its ads served to gardening enthusiasts, even when they're visiting sites that have nothing to do with gardening. Our uses of that data, to benefit different parties, mean that we're data controllers, not processors. For a publisher using our Ad Manager or Ad Exchange products, the publisher has more controls over the use of data. They can opt in to the same sort of data uses as AdSense and AdMob. Or they can make choices that will limit Google's uses of the data, meaning that their pages about, for example, skiing won't inform the ads that serve on another publisher's site. There are some limits to those controls: we use data across Ad Manager and Ad Exchange publishers for purposes of product improvement, including to test ad serving algorithms, to monitor end-user latency and to ensure the accuracy of our forecasting system. Again, it's for these reasons that we're a controller, not a processor, for Ad Manager and Ad Exchange.

The designation of Google's publisher products as a controller does not give Google any additional rights over data derived from a publisher's use of Ad Manager and Ad Exchange. Google’s uses of data continue to be controlled by the terms of its contract with its publishers, and any feature-specific settings chosen by a publisher through the user interface of our products.

Which services require consent from end users?

Our EU User Consent Policy provides details on where consent is required. We've also updated our help page for the EU User Consent Policy to address questions that we've received from our customers.

Our EU User Consent Policy also requires publishers to give users information about how their data will be used. To explain how Google's products use data, we encourage publishers to link to this user-facing ​page​. Doing so will meet this requirement of our policy.

How does Google plan to enforce consent?

Our first priority will always be to work with our customers to get compliance right. We recognise that there will be diverse approaches to gaining consent and we're not prescriptive about the approach, provided that our policy is met. For example, we know that publishers want to present different choices to their visitors. We have offered suggestions for what consent might look like at cookiechoices.org and that reflects an approach that we've taken with our Funding Choices consent tool; but publishers may prefer to take a different approach. We don't envision a one-size-fits-all approach. Our policy applies to publishers and advertisers that use our products and have end users in the EEA. However, as with our enforcement of our existing policy, our first step is not a 'decision' as such; rather, we contact the customer to indicate an issue, and we'll try to work with them to achieve compliance. If you find a site that does not meet Google’s EU User Consent Policy, you can let us know via our Report policy violation form.

Can a publisher use your products without gaining consent and if so, how would it work?

We developed a non-personalised ads mode to allow publishers to either 1) present EEA users with a choice between personalised ads and non-personalised ads or 2) choose to serve only non-personalised ads to all users in the EEA.

Although non-personalised ads don't use cookies for ads personalisation, they do use cookies to allow for frequency capping, aggregated ad reporting and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive's cookie provisions apply.

What is Google's solution for non-personalised ads?

Non-personalised ads allow publishers to present EEA users with a choice between personalised ads and non-personalised ads, or to choose to serve only non-personalised ads to all users in the EEA. Non-personalised ads only use contextual information, including coarse general (city-level) location.

For non-personalised ads, isn't Google a processor versus a controller?

Under this solution, Google will continue to serve in the role of a controller, as we'll continue to make decisions on the data as mentioned above to optimise across publishers and improve the product.

Google relies on legitimate interests as a legal basis when using personal data for activities such as serving contextual ads, ads reporting and to combat fraud and abuse.

Although non-personalised ads don't use cookies for ads personalisation, they do use cookies to allow for frequency capping, aggregated ad reporting and to combat fraud and abuse. While we rely on legitimate interests for this processing under the GDPR, consent is still required to use cookies for those purposes from users in countries to which the ePrivacy Directive's cookie provisions apply.

If a publisher uses the IAB framework, what options do they have to use Google's publisher products before full sell-side integration?

We haven't yet integrated with the IAB Transparency & Consent Framework (TCF). We've been working with IAB Europe over the last several months to explore how our products and policies can support the TCF, but our technical integration isn't complete. 

Until Google’s IAB integration is complete, Google will return personalised ads for the Ad Technology Providers selected in the publisher ATP controls. Publishers will continue to have the option to include the non-personalised ad signal in their ad request or choose to serve only non-personalised ads to all users in the EEA in the Ad Manager UI. Also note that the IAB TCF technical specifications support web; the specifications for mobile app aren't finalised. 

If Google makes future policy changes, how will you communicate these changes to publishers?

We're sensitive to the impact of any changes that we make to our EU User Consent Policy. However, if regulatory guidance changes in some significant way (for example, if that guidance were to say that in fact personalised ads can rely on legitimate interests), we would expect to reflect that in our policy. While we don't give advance notice of all changes to our policies, we made an exception for those that we're introducing to our EU User Consent Policy. In the event of further significant changes, we'd want to do the same.

We'll continue to have active discussions with our publisher partners, as we've been doing for months, to share the latest updates and incorporate partner feedback.

Was this helpful?
How can we improve it?