Data collection and use

We want users to trust that information about them will be respected and handled with appropriate care. As such, our advertising partners shouldn't misuse this information, nor collect it for unclear purposes or without appropriate disclosures or security measures.

Note that additional policies apply when using personalised advertising, which includes remarketing and custom audiences. If you use personalised advertising targeting features, make sure that you review the personalised ads data collection and use policies.

Below are some examples of what to avoid in your ads. Learn about what happens if you violate our policies.

Violations of the policies below will not lead to immediate account suspension without prior warning. A warning will be issued at least seven days prior to any suspension of your account. Learn more about suspended accounts.

Inadequate data security

The following isn't allowed:

Failing to use appropriate security measures for the type of information being collected based on relevant industry standards

Examples (non-exhaustive): Collecting numbers for credit or debit cards, bank and investment accounts, bank transfers, national identity, tax ID, pension, healthcare, driving licence or national insurance numbers over an unsecured page that isn't SSL (Secure Sockets Layer) protected and without a valid SSL certificate

Troubleshooter: Inadequate data security
  1. Fix the ad's destination. Either stop collecting personal information from users or collect that personal information through a secure SSL server to keep it safe.
    • Option 1: Use a secure server.
      Use a secure processing server (called SSL) when collecting personal information. With SSL, your web page URL will appear with https:// instead of http://. Learn how to set up SSL on your site.
    • Option 2: Don't collect user data.
      Change your website or app so that it doesn't ask for personal information when users access your content.
  2. Edit the ad. This will resubmit the ad and its destination for review.

    Most ads are reviewed within one working day, though some can take longer if they need a more complex review.

Unacceptable information sharing

The following isn't allowed:

Sharing personally identifiable information (PII) with Google through remarketing tags, conversion tracking tags or through any product data feeds that might be associated with ads

Example (non-exhaustive): Sharing user’s email addresses through URLs that have remarketing tags

Note: This requirement does not apply to Google services subject to the Google Ads Data Processing Terms.

Troubleshooter: Unacceptable information sharing
  1. Identify the source. Use the breach notice email provided by Google to identify which URLs are violating the policy. Frequently, PII is accidentally included in URLs that are passed to Google from web forms, login pages and custom email marketing campaign parameters.
  2. Remove PII in shared data. Update your systems so that PII is not included in URLs. Below are the most common methods for removing PII from URLs.

    Web forms: HTML forms should be submitted with the POST protocol. If the GET protocol is used, the parameters of the form will end up as part of the URL in the address bar. Update the page source or the component generating the HTML so the form tag has method=”post” in the attribute. Learn more about the form method.

    Login pages: Some sites, especially those with user profiles or user login, use URL patterns that include PII as part of the design. Replace the PII in the URL with a unique site-specific identifier or a unique user ID (UUID).

    Custom email marketing campaign parameters: Examine the URLs generated by a test email marketing campaign to identify email addresses or other PII in URL parameters. Assign each user a unique site-specific identifier or a unique user ID (UUID) and track the UUID through URL parameters.

    You can implement a UUID to prevent PII from passing to Google. For example, site.com/my_settings/sample@email.com could be changed to site.com/my_settings/43231, where 43231 is a number that uniquely identifies the account with address sample@email.com.
  3. Fill in the response form. Use the form to indicate that you have taken steps to fix the issue. The form helps Google know where you are in the process.
  4. Verify the problem is fixed. After you respond through the form, Google will validate that the changes you made to your site addressed the issue. Within two weeks, you’ll receive another notice to confirm that the issue is fixed or let you know if PII is still being shared from URLs associated with your account. If PII is still detected, examine the updated list of URLs that don’t comply with the policy to determine the cause of the issue.

    Note that you can verify that your changes work on a test site before pushing code changes to your live site. Tag your test site with tags from the same Google Ads customer ID that you use for personalised advertising. Once your test site shows up in the list of URLs where PII was detected, you can make test changes. If we stop detecting PII from your test site, it will drop off reports. Then you can push changes to your live site.

Remarketing lists and other lists based on remarketing, such as custom combination lists or similar audiences, will be disabled if they don’t comply with this policy. Learn more about what happens if you violate our policies.

Misusing personal information

The following isn't allowed:

Using personal information in ways that users haven't consented to

Examples (non-exhaustive): Re-selling users' contact information, using images of users in ads without their consent

Ads that directly address the user using their personal information

Example (non-exhaustive): Ads addressing a user by name, title or job position

Specific example: 'Hello John Smith – buy flowers here!'

Ads that imply knowledge of a user's personal information

Example (non-exhaustive): Ads that claim to know your financial status or political affiliations

Specific example: 'You're buried in debt. Get help today'.

European Union user consent

The following isn't allowed:

Promotions that violate our policy on consent for cookies from EU users

Example (non-exhaustive): Using Google Ads features, such as remarketing or conversion tracking, without obtaining appropriate consent from EU users for using cookies

Unauthorised cookies on Google domains

The following isn't allowed:

Setting a cookie on a Google domain

Examples (non-exhaustive): Any entity other than Google setting a cookie on doubleclick.net or googlesyndication.com, or enabling any other entity to set such a cookie

Need help?

If you have questions about our policies, let us know: Contact Google Ads Support
Was this helpful?
How can we improve it?