Helping advertisers comply with the GDPR

Google has a long history of taking a user-first approach in everything that we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features. Per our Personalised advertising policy, we never use sensitive information to personalise ads. We also invest in initiatives such as the Coalition for Better Ads, the Digital News Initiative, the Google News Initiative and ads.txt in order to support a healthy, sustainable ads ecosystem.

In August 2017, we announced our commitment to comply with the European Union's new General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA). This article provides additional details about how we are supporting advertisers and marketers with the changes that the GDPR brings.

Contract updates

We have been rolling out updates to our contracts for many products since August 2017, reflecting Google's status as either a processor or a controller under the new law.

Find out more about how we use data in DoubleClick Digital Marketing and AdWords:

Consent support

The GDPR introduces significant new obligations for the ecosystem, and the changes that we announced to our EU User Consent Policy reflect this. Under this policy, advertisers that implement remarketing tags are required to obtain consent from users for the collection of data for personalised ads and advertisers that implement conversion tags for measurement purposes are required to obtain consent for the use of cookies.

To address questions that we have received from our customers, we have updated cookiechoices.org with examples of consent language and available third-party consent solutions.

If you use Google ads products that receive data from your site or app, we encourage you to link to How Google uses information from sites or apps that use our services, which explains how Google manages data in our ads products. Doing so will meet the requirement of our updated EU User Consent Policy to give users information about Google's uses of their personal data.

Third-party ad serving and measurement changes

On DoubleClick for Publishers, DoubleClick Ad Exchange, AdSense and AdMob

To help publishers choose the ad technology providers that can serve and measure ads on their sites and apps for users in the EEA, we have launched Ad Technology Provider Controls for publishers (DFP/AdX, AdMob, AdSense). If a publisher doesn't engage with these controls to choose their own list, we will apply a list of commonly used Ad Technology Providers.

In practice, this means that your AdWords and DoubleClick Bid Manager campaigns will only serve on an ad impression in the EEA where a given publisher has selected (and has received user consent for) the Ad Technology Providers that you use. All providers listed have shared with Google a link explaining their data usage and provided certain information that is required by the GDPR, and have agreed to comply with our data usage policy. Any providers that you work with can contact Google to seek certification to be included in the Ad Technology Providers list.

As previously announced, we're also launching a Non-Personalised Ads solution (DFP/AdX, AdMob, AdSense) to enable publishers to present EEA users with a choice between personalised ads and non-personalised ads (or to choose to serve only non-personalised ads to users in the EEA). Campaigns that reach users based on demographics and categories of apps they've installed, for instance, are not eligible to serve on non-personalised inventory. The choices that users make on publisher sites that offer non-personalised ads will determine the availability of personalised and non-personalised inventory for these sites. We encourage AdWords and DoubleClick Bid Manager advertisers to closely monitor campaign delivery after 25 May and consider alternative campaign criteria as needed.

On YouTube

In January 2017, we announced that YouTube will stop accepting most third-party measurement pixels globally starting 21 May 2018. We also announced that we are working with a small group of vendors (including comScore, DoubleVerify, IAS, MOAT, Nielsen, Kantar and Research Now) to evaluate the re-certification of their pixels. Additionally, advertisers can enable YouTube reporting via the partners we have integrated with Ads Data Hub (ADH).

Data collection, deletion and retention controls

Audience lists in AdWords / DoubleClick Digital Marketing

  • AdWords Customer Match Audiences: We won't retain data files that advertisers upload for any longer than necessary to create Customer Match audiences and ensure compliance with our policies (see How Google uses Customer Match data). Once those processes are complete, we'll promptly delete the data files uploaded in AdWords or the AdWords API. For information on how to update or replace an existing Customer Match audience, see Update your customer list.
  • Remarketing with AdWords or DoubleClick Floodlight tags: Advertisers control which users are added to remarketing lists and which are not, as well as the duration that users stay on a list. Today, if you use the AdWords or DoubleClick Floodlight tag for remarketing, you need to ensure that the tag is not active for users who have indicated they do not want to receive personalised ads. There are many ways to achieve this. We recommend that you consult your webmaster on possible solutions, including Google Tag Manager. If you use the Google Analytics tag for AdWords remarketing, please see the 'Google Analytics data' section below.
  • DoubleClick Campaign Manager provided lists: Advertisers control how long cookies remain on a given audience list. To remove a user from a list, you can add a '1' next to the identifier associated with the cookie that you would like to remove from the list. To learn more, see File formatting > File headers > Delete in the Provided lists Help Centre article.

Google Analytics data

Google Analytics has long provided features and policies to help you safeguard your data. The following features, in particular, may prove useful as you evaluate the impact of the GDPR for your company's unique situation and Analytics implementation.

  • Data retention: Use the Data Retention controls to manage how long your user and event data is held on our servers.
  • Users: The User Deletion API lets you manage the deletion of all data associated with individual users (e.g. site visitors) from your Google Analytics and/or Analytics 360 properties.
  • Properties and accounts: Google Analytics customers can also delete data for their properties and/or accounts.
  • Remarketing: Advertisers control which users are added to remarketing lists and which are not. If you use Google Analytics, you can ensure that advertising features are disabled for users who have indicated they do not want to receive personalised ads. To disable advertising features for those users, including remarketing and advertising reporting features, see 'Disable advertising features' in the Display Features guide.

Working with the IAB Transparency & Consent Framework

Buying inventory from DoubleClick for Publishers, DoubleClick Ad Exchange and AdSense:

  • Once Google is registered on the IAB's Global Vendor List, Bid Manager will serve programmatic non-personalised ads to publishers on DoubleClick Ad Exchange provided that a user has given consent to Google for Purpose 1 ('Information storage and access') and Purpose 3 ('Ad selection, delivery, reporting') of the IAB Europe's Transparency & Consent Framework.

  • DoubleClick Ad Exchange will add support for personalised ad serving for publishers using the IAB Europe's Transparency & Consent Framework by early June. This will be an interim solution that translates the consent information collected by the IAB's Framework to DFP Ad Technology Provider settings. When consent has been given to all of the publishers selected for Purpose 1, Purpose 2 and Purpose 3 of the Transparency & Consent Framework, personalised ads may be served.

  • We expect to fully integrate DoubleClick Ad Exchange with the IAB Europe's Transparency & Consent Framework by August. This will enable publishers to serve personalised ads based on consent passed by a user, per vendor, or serve non-personalised ads.

Buying inventory from third-party exchanges:

Once Google has been registered on the IAB's Global Vendor List, Bid Manager users will be able to purchase inventory from our third-party exchange partners, who are also subject to Google's EU User Consent Policy, provided the third-party exchange sends us requests that contain explicit purpose and vendor consent in the bid request (utilising the IAB's framework). When valid consent is provided, Bid Manager can serve personalised ads through these exchanges.

Was this article helpful?
How can we improve it?