Search
Clear search
Close search
Google apps
Main menu

Data collection and use

We want users to trust that information about them will be respected and handled with appropriate care. As such, our advertising partners should not misuse this information, nor collect it for unclear purposes or without appropriate security measures.

Below are some examples of what to avoid in your ads. Learn about what happens if you violate our policies.

If you think your ad was incorrectly disapproved, you can request a review through the Disapproved ads and policy questions form.

Note that there are separate policies for remarketing lists and personalized ads (formerly known as interest-based ads). If you use personalized ads, be sure to review the additional data collection policies that also apply to how you use personal information in advertising.

Inadequate data security

The following is not allowed:

Using security measures inappropriate for the type of information being collected

Examples: Collecting numbers for credit or debit cards, bank and investment accounts, wire transfers, national identity, tax ID, pension, healthcare, driver's licence, or social security numbers over an unsecured page which is not SSL protected and without a valid certificate

Troubleshooter: Inadequate data security
  1. Change your website or app. To run your ad, you'll need to change your website or app so that you either stop collecting personal information from users or collect that personal information through a secure SSL server to keep it safe.
    • Option 1: Use a secure server.
      If you need to collect personal information from customers, make sure that you use a secure processing server (called SSL) when collecting this information. With SSL, your webpage URL will appear with https:// instead of http://.

      Here's some help to set up SSL on your site.
    • Option 2: Don't collect user data.
      You can also change your website or app so that it doesn't ask for personal information, allowing users to access content without you collecting their data.
  2. Request a review once your site or app is fixed. After you make changes, use this link to let us know:


    We'll review your site, usually within 3 business days, though some can take longer if they need a more complex review. If we find that your site meets all of our policy requirements, we can approve it so your ads can start running.
If you aren't able to fix these violations or choose not to, please remove your ad to help prevent your account from becoming suspended in the future for having too many disapproved ads.

Unacceptable information sharing

The following is not allowed:

Sharing personally identifiable information (PII) with Google through tags or any product data feeds that might be associated with ads

Example: Sharing PII through remarketing tags or conversion tags

Troubleshooter: Unacceptable information sharing
  1. Identify the source. Use the breach notice email provided by Google to identify which URLs are violating the policy. Frequently, PII is accidentally included in URLs that are passed to Google from web forms, login pages, and custom email marketing campaign parameters.
  2. Remove PII in shared data. Update your systems so that PII is not included in the data you share with Google. Below are the most common methods for removing PII from URLs.

    Web forms: HTML forms should be submitted with the POST protocol. If the GET protocol is used, the parameters of the form will end up as part of the URL in the address bar. Update the page source or the component generating the HTML so the form tag has method=”post” in the attribute. Learn more about the form method.

    Login pages: Some sites, especially those with user profiles or user login, use URL patterns that include PII as part of the design. Replace the PII in the URL with a unique site-specific identifier or a unique user ID (UUID).

    Custom email marketing campaign parameters: Examine the URLs generated by a test email marketing campaign to identify email addresses or other PII in URL parameters. Assign each user a unique site-specific identifier or a unique user ID (UUID) and track the UUID through URL parameters.

    You can implement a UUID for a string using libraries available in Java, Python, and other languages. For example, site.com/my_settings/sample@email.com could be changed to site.com/my_settings/43231, where 43231 is a number that uniquely identifies the account with address sample@email.com.
  3. Fill out the response form. Use the form to indicate that you have taken steps to fix the issue. The form helps Google know where you are in the process.
  4. Verify the problem is fixed. After you respond through the form, Google will validate that the changes you made to your site addressed the issue. Within two weeks, you’ll receive another notice to confirm that the issue is fixed or let you know if PII is still being shared from URLs associated with your account. If PII is still detected, examine the updated list of URLs that don’t comply with the policy to determine the cause of the issue.

    Note that you can verify that your changes work on a test site before pushing code changes to your live site. Tag your test site with tags from the same AdWords customer ID that you use for personalized advertising. Once your test site shows up in the list of URLs where PII was detected, you can make test changes. If we stop detecting PII from your test site, it will drop off reports. Then you can push changes to your live site.

Remarketing lists that don’t comply with this policy will be disabled. Learn more about what happens if you violate our policies.

Misusing personal information

The following is not allowed:

Using personal information in ways that users have not consented to

Examples: Re-selling users' contact information, using images of users in ads without their consent

Promotions that directly address the user using personal information

Example: Ads addressing a user by name, title, or job position

Specific example: "Hello John Smith - buy flowers here!"

Promotions that use, or imply knowledge of, a user's personal information

Example: Promotions that claim to know your financial status or political affiliations

Specific example: "You're buried in debt. Get help today."

Learn how to fix a disapproved ad or extension. If your ad was disapproved because of the ad's destination, learn how to fix a suspended site or app.

European Union user consent

The following is not allowed:

Promotions that violate our policy on consent for cookies from EU users

Example: Using AdWords features such as remarketing or conversion tracking without obtaining appropriate consent from EU users for using cookies

Learn how to fix a disapproved ad or extension. If your ad was disapproved because of the ad's destination, learn how to fix a suspended site or app.

Unauthorized cookies on Google domains

The following is not allowed:

Setting a cookie on a Google domain

Example: Allowing a third-party to set a cookie on doubleclick.net or googlesyndication.com

Learn how to fix a disapproved ad or extension. If your ad was disapproved because of the ad's destination, learn how to fix a suspended site or app.

Need help?

If you have questions about this policy, let us know:
Contact AdWords Support
Was this article helpful?
How can we improve it?