Data collection and use

Google provides translated versions of our Help Centre, though they are not meant to change the content of our policies. The English version is the official language we use to enforce our policies. To view this article in a different language, use the language dropdown at the bottom of the page.

For subtitles in your language, turn on YouTube captions. Select the settings icon Image of YouTube settings icon at the bottom of the video player, then select 'Subtitles/CC' and choose your language.


We want users to trust that information about them will be respected and handled with appropriate care. As such, our advertising partners should not misuse this information, nor collect it for unclear purposes or without appropriate disclosures or security measures.

Note that additional policies apply when using personalised advertising, which includes remarketing and custom audiences. If you use personalised advertising targeting features, make sure that you review the personalised ads data collection and use policies.

Below are some examples of what to avoid in your ads. Learn about what happens if you violate our policies.

Violations of the policies below will not lead to immediate account suspension without prior warning. A warning will be issued, at least seven days, prior to any suspension of your account. Learn more about suspended accounts.

Inadequate data security

The following is not allowed:

Failing to use appropriate security measures for the type of information being collected based on relevant industry standards

Examples (non-exhaustive): Collecting numbers for credit or debit cards, bank and investment accounts, wire transfers, national identity, tax ID, pension, healthcare, driving licence or tax file number over an unsecured page that is not SSL (Secure Sockets Layer) protected and without a valid SSL certificate

Troubleshooter: Inadequate data security
  1. Fix the ad's destination. Either stop collecting personal information from users or collect that personal information through a secure SSL server to keep it safe.
    • Option 1: Use a secure server.
      Use a secure processing server (called SSL) when collecting personal information. With SSL, your web page URL will appear with https:// instead of http://. Learn how to set up SSL on your site.
    • Option 2: Don't collect user data.
      Change your website or app so that it doesn't ask for personal information when users access your content.
  2. Edit the ad. This will resubmit the ad and its destination for review.

    Most ads are reviewed within 1 working day, though some can take longer if they need a more complex review.

Unacceptable information sharing

The following is not allowed:

Sharing personally identifiable information (PII) with Google through remarketing tags, conversion tracking tags or through any product data feeds that might be associated with ads

Example (non-exhaustive): Sharing user’s email addresses through URLs that have remarketing tags

Note: This requirement does not apply to Google Ads services subject to the Google Ads Data Processing Terms. (Enhanced Conversions, Google Ads Customer Match, Google Ads Store sales, Google Ads Store sales (direct upload))

Troubleshooter: Unacceptable information sharing
  1. Identify the source. Use the breach notice email provided by Google to identify which URLs are violating the policy. Frequently, PII is accidentally included in URLs that are passed to Google from web forms, login pages and custom email marketing campaign parameters.
  2. Remove PII in shared data. Update your systems so that PII is not included in URLs. Below are the most common methods for removing PII from URLs.

    Web forms: HTML forms should be submitted with the POST protocol. If the GET protocol is used, the parameters of the form will end up as part of the URL in the address bar. Update the page source or the component generating the HTML so the form tag has method=”post” in the attribute. Learn more about the form method.

    Login pages: Some sites, especially those with user profiles or user login, use URL patterns that include PII as part of the design. Replace the PII in the URL with a unique site-specific identifier or a unique user ID (UUID).

    Custom email marketing campaign parameters: Examine the URLs generated by a test email marketing campaign to identify email addresses or other PII in URL parameters. Assign each user a unique site-specific identifier or a unique user ID (UUID) and track the UUID through URL parameters.

    You can implement a UUID to prevent PII from passing to Google. For example, site.com/my_settings/sample@email.com could be changed to site.com/my_settings/43231, where 43231 is a number that uniquely identifies the account with address sample@email.com.
  3. Fill out the response form. Use the form to indicate that you have taken steps to fix the issue. The form helps Google know where you are in the process.
  4. Verify the problem is fixed. After you respond through the form, Google will verify that the changes that you made to your site addressed the issue. Within two weeks, you’ll receive another notice to confirm that the issue is fixed or to let you know if PII is still being shared from URLs associated with your account. If PII is still detected, examine the updated list of URLs that don’t comply with the policy to determine the cause of the issue.

    Note that you can verify that your changes work on a test site before pushing code changes to your live site. Tag your test site with tags from the same Google Ads customer ID that you use for personalised advertising. Once your test site shows up in the list of URLs where PII was detected, you can make test changes. If we stop detecting PII from your test site, it will drop off reports. Then you can push changes to your live site.

Remarketing lists and other lists based on remarketing, such as custom combination lists or similar audiences, will be disabled if they don’t comply with this policy. Learn more about what happens if you violate our policies.

Misusing personal information

The following is not allowed:

Using personal information in ways that users have not consented to

Examples (non-exhaustive): Re-selling users' contact information, using images of users in ads without their consent

Ads that directly address the user using their personal information

Example (non-exhaustive): Ads addressing a user by name, title or job position

Specific example: 'Hello John Smith – buy flowers here!'

Ads that imply knowledge of a user's personal information

Example (non-exhaustive): Ads that claim to know your financial status or political affiliations

Specific example: 'You're buried in debt. Get help today.'

Learn how to fix a disapproved ad or asset.

European user consent

The following is not allowed:

red cross (x) Promotions that violate our policy on consent from European users

Example (non-exhaustive): Using Google Ads features, such as remarketing or conversion tracking, without obtaining appropriate consent from European Economic Area or UK users for using cookies or (in the case of remarketing) the use of personal data for personalised ads.

Learn how to fix a disapproved ad or asset.

Unauthorised cookies on Google domains

The following is not allowed:

Setting a cookie on a Google domain

Examples (non-exhaustive): Any entity other than Google setting a cookie on doubleclick.net or googlesyndication.com, or enabling any other entity to set such a cookie

Learn how to fix a disapproved ad or asset.

Need help?

If you have questions about our policies, contact Google Ads Support

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu