Data collection and use

We want users to trust that information about them will be respected and handled with appropriate care. As such, our advertising partners should not misuse this information, nor collect it for unclear purposes or without appropriate security measures.

Below are some examples of what to avoid in your ads. Learn about what happens if you violate our policies.

Inadequate data security

The following is not allowed:

Using security measures inappropriate for the type of information being collected

Examples: Collecting numbers for credit or debit cards, bank and investment accounts, wire transfers, national identity, GST ID, pension, healthcare, driving licence or Australian Tax File Number over an unsecured page which is not SSL protected and without a valid certificate

Troubleshooter: Inadequate data security
  1. Fix the ad's destination. Either stop collecting personal information from users or collect that personal information through a secure SSL server to keep it safe.
    • Option 1: Use a secure server.
      Use a secure processing server (called SSL) when collecting personal information. With SSL, your webpage URL will appear with https:// instead of http://. Learn how to set up SSL on your site.
    • Option 2: Don't collect user data.
      Change your website or app so that it doesn't ask for personal information when users access your content.
  2. Edit the ad. This will resubmit the ad and its destination for review.

    Most ads are reviewed within 1 working day, though some can take longer if they need a more complex review.

Unacceptable information sharing

The following is not allowed:

Sharing personally identifiable information (PII) with Google through remarketing tags, conversion tracking tags, or through any product data feeds that might be associated with ads

Example: Sharing users' email addresses through URLs that have remarketing tags

Note: This requirement does not apply to Google services subject to the Google Ads Data Processing Terms.

Troubleshooter: Unacceptable information sharing
  1. Identify the source. Use the breach notice email provided by Google to identify which URLs are violating the policy. Frequently, PII is accidentally included in URLs that are passed to Google from web forms, login pages and custom email marketing campaign parameters.
  2. Remove PII in shared data. Update your systems so that PII is not included in URLs. Below are the most common methods for removing PII from URLs.

    Web forms: HTML forms should be submitted with the POST method. If the GET method is used, the form's parameters will end up as part of the URL in the address bar. Update the page source or the component generating the HTML so that the form tag has the attribute method="post". Learn more about the form method.

    Login pages: Some sites, especially those with user profiles or user login, use URL patterns that include PII as part of the design. Replace the PII in the URL with a unique site-specific identifier or a unique user ID (UUID).

    Custom email marketing campaign parameters: Examine the URLs generated by a test email marketing campaign to identify email addresses or other PII in URL parameters. Assign each user a unique site-specific identifier or a unique user ID (UUID) and track the UUID through URL parameters.

    You can implement a UUID to prevent PII from being passed to Google. For example, could be changed to, where 43231 is a number that uniquely identifies the account with the address
  3. Fill in the response form. Use the form to indicate that you have taken steps to fix the issue. The form helps Google know where you are in the process.
  4. Verify the problem is fixed. After you respond through the form, Google will verify that the changes that you made to your site addressed the issue. Within two weeks, you’ll receive another notice to confirm that the issue is fixed or to let you know if PII is still being shared from URLs associated with your account. If PII is still detected, examine the updated list of URLs that don’t comply with the policy to determine the cause of the issue.

    Note that you can verify that your changes work on a test site before pushing code changes to your live site. Tag your test site with tags from the same Google Ads customer ID that you use for personalised advertising. Once your test site shows up in the list of URLs where PII was detected, you can make test changes. If we stop detecting PII from your test site, it will drop off reports. Then you can push changes to your live site.
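
The checks in steps 1 and 2, as an added example that is not part of the original policy page: it flags email addresses in query parameters and path segments (percent-encoded ones included) and rewrites the URL to carry a site-specific ID instead. The hosts, the `uid` parameter name and the email-to-ID mapping are constructed assumptions.

```javascript
// Added example: audit URLs for email addresses and swap them for opaque IDs.
// Hosts, the "uid" parameter and the ID mapping are constructed for illustration.
const EMAIL = /[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}/i;
const ACCOUNT_IDS = new Map([["jane@example.com", "43231"]]); // constructed

// Look up the site-specific ID for an address; never fall back to the address.
function idFor(email) {
  const id = ACCOUNT_IDS.get(email.toLowerCase());
  if (!id) throw new Error("no ID on file for this address");
  return id;
}

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; } // malformed %xx
}

// Return every place in the URL where an email address appears.
function findEmails(urlString) {
  const url = new URL(urlString);
  const hits = [];
  for (const [key, value] of url.searchParams) { // values arrive decoded
    if (EMAIL.test(value)) hits.push({ where: "query", key });
  }
  for (const seg of url.pathname.split("/")) {
    if (EMAIL.test(safeDecode(seg))) hits.push({ where: "path", key: null });
  }
  return hits;
}

// Rewrite the URL so each email is replaced by its site-specific ID.
function replaceEmails(urlString) {
  const url = new URL(urlString);
  for (const [key, value] of [...url.searchParams]) {
    const m = value.match(EMAIL);
    if (m) {
      url.searchParams.delete(key);             // drop the PII parameter
      url.searchParams.set("uid", idFor(m[0])); // carry the opaque ID instead
    }
  }
  url.pathname = url.pathname.split("/").map((seg) => {
    const m = safeDecode(seg).match(EMAIL);
    return m ? encodeURIComponent(idFor(m[0])) : seg;
  }).join("/");
  return url.toString();
}
```

Running `findEmails` over the URLs listed in the notice, and again over the output of `replaceEmails`, shows whether any address survives the rewrite before the tagged pages go live.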

Remarketing lists and other lists based on remarketing, such as custom combination lists or similar audiences, will be disabled if they don’t comply with this policy. Learn more about what happens if you violate our policies.

Misusing personal information

The following is not allowed:

Using personal information in ways that users have not consented to

Examples: Re-selling users' contact information, using images of users in ads without their consent

Promotions that directly address the user using personal information

Examples: Ads addressing a user by name, title or job position

Specific example: "Hello John Smith – buy flowers here!"

Promotions that use, or imply knowledge of, a user's personal information

Examples: Promotions that claim to know your financial status or political affiliations

Specific example: "You're buried in debt. Get help today."

European Union user consent

The following is not allowed:

Promotions that violate our policy on consent for cookies from EU users

Example: Using Google Ads features such as remarketing or conversion tracking without obtaining appropriate consent from EU users for using cookies

Unauthorised cookies on Google domains

The following is not allowed:

Setting a cookie on a Google domain

Example: Allowing a third-party to set a cookie on or

Need help?

If you have questions about our policies, let us know: Contact Google Ads Support