Helping advertisers comply with the GDPR & AADC

Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features. Per our Personalized advertising policy, we never use sensitive information to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Digital News Innovation Fund, the Google News Initiative and ads.txt in order to support a healthy, sustainable ads ecosystem.

In August 2017, we announced our commitment to comply with the European Union's new General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA) and the UK.

This article provides additional details about how we are supporting impacted advertisers and marketers.

References to Search Ads 360 include both the old and new versions of the product.

Contract updates

We rolled out updates to our contracts for many products starting in August 2017, reflecting Google's status as either a processor or a controller under the new law.

Find out more about how we use data in Google Marketing Platform advertising products and Google Ads:

Consent support

The GDPR introduced significant new obligations for the ecosystem, and the changes we announced to our EU User Consent Policy reflect this. Under this policy, advertisers that implement remarketing tags are required to obtain consent from users for the collection of data for personalized ads and advertisers that implement conversion tags for measurement purposes are required to obtain consent for the use of cookies.

To address questions we received from our customers, we updated with examples of consent language and available third-party consent solutions.

Google advertising services is experimenting with new ways of supporting the delivery and measurement of digital advertising in ways that better protect people’s privacy online via the Privacy Sandbox initiative on Chrome and Android. Users with the relevant Privacy Sandbox settings enabled in Chrome or Android may see relevant ads from Google advertising services based on Topics or Protected Audience data stored on their browser or mobile device. Google advertising services may also measure ad performance using Attribution Reporting data stored on their browser or mobile device. You can find more information on the Privacy Sandbox. The EU User Consent Policy requires you to obtain valid user consent for these actions in the same way as you rely on consent today for ads personalisation and the use of non-essential local storage in the European Economic Area and the UK.

If you use Google advertising products that receive data from your site or app, we encourage you to link to How Google uses information from sites or apps that use our services, which explains how Google manages data in our ads products. Doing so will meet the requirement of our updated EU User Consent Policy to give users information about Google's uses of their personal data.

Third-party ad serving and measurement changes

On Google Ad Manager, Ad Exchange, AdSense, and AdMob

To help publishers choose the ad technology providers that can serve and measure ads on their sites and apps for users in the EEA and the UK, we have launched Ad Technology Provider Controls for publishers (Ad Manager/AdX, AdMob, AdSense). If a publisher doesn't engage with these controls to choose their own list, we will apply a list of commonly used Ad Technology Providers.

In practice, this means your Google Ads and Display & Video 360 campaigns will only serve on an ad impression in the EEA or the UK where a given publisher has selected (and has received user consent for) the Ad Technology Providers you use. All providers listed have shared with Google a link explaining their data usage and provided certain information that is required by the GDPR, and have agreed to comply with our data usage policy. Any providers you work with can contact Google to seek certification to be included in the Ad Technology Providers list.

As previously announced, we're also launching a Non-Personalized Ads solution (Ad Manager/AdX, AdMob, AdSense) to enable publishers to present EEA and UK users with a choice between personalized ads and non-personalized ads (or to choose to serve only non-personalized ads to users in the EEA and the UK). Campaigns that reach users based on demographics and categories of apps they've installed, for instance, are not eligible to serve on non-personalized inventory. The choices users make on publisher sites that offer non-personalized ads will determine the availability of personalized and non-personalized inventory for these sites. We encourage Google Ads and Display & Video 360 advertisers to closely monitor campaign delivery and consider alternative campaign criteria as needed.

On YouTube

In January 2017, we announced that YouTube will stop accepting most third-party measurement pixels globally starting May 21, 2018. We also announced that we are working with a small group of vendors (including comScore, DoubleVerify, IAS, MOAT, Nielsen, Kantar, and Dynata) to evaluate the re-certification of their pixels. Additionally, advertisers can enable YouTube reporting via the partners we have integrated with Ads Data Hub (ADH).

Data collection, deletion and retention controls

Audience lists in Google Ads / Google Marketing Platform advertising products

  • Google Ads Customer Match Audiences: We won't retain data files advertisers upload for any longer than necessary to create Customer Match audiences and ensure compliance with our policies (see How Google uses Customer Match data). Once those processes are complete, we'll promptly delete the data files uploaded in Google Ads or the Google Ads API. For information on how to update or replace an existing Customer Match audience, see Update your customer list.
  • Remarketing with Google Ads or Floodlight tags: Advertisers control which users are added to remarketing lists and which are not, as well as the duration users stay on a list. Today, if you use the Google Ads or Floodlight tag for remarketing, you need to ensure that the tag is not active for users who have indicated they do not want to receive personalized ads. There are many ways to achieve this. We recommend that you consult your web developer on possible solutions, including Google Tag Manager. If you use the Google Analytics tag for Google Ads remarketing, please see the "Google Analytics data" section below.
  • Campaign Manager 360 provided lists: Advertisers control how long cookies remain on a given audience list. To remove a user from a list, you can add a "1" next to the identifier associated with the cookie that you would like to remove from the list. To learn more, see File formating > File headers > Delete in the Provided lists Help Center article.

Google Analytics data

Google Analytics has long provided features and policies to help you safeguard your data. The following features, in particular, may prove useful as you evaluate the impact of the GDPR for your company's unique situation and Analytics implementation.

  • Data retention: Use the Data Retention controls to manage how long your user and event data is held on our servers.
  • Users: The User Deletion API lets you to manage the deletion of all data associated with individual users (for example site visitors) from your Google Analytics and/or Analytics 360 properties.
  • Properties and accounts: Google Analytics customers can also delete data for their properties and/or accounts.
  • Remarketing: Advertisers control which users are added to remarketing lists and which are not. If you use Google Analytics, you can ensure that advertising features are disabled for users who have indicated they do not want to receive personalized ads. To disable advertising features for those users, including remarketing and advertising reporting features, see "Disable advertising features" in the Display Features guide.

European child privacy regulations

In August 2020, we announced our commitment to comply with the Age Appropriate Design Code (AADC) which applies to users in the United Kingdom, and additional child privacy regulations applicable to users in the European Economic Area (EEA) and Switzerland.

Under the Age Appropriate Design Code and related child privacy regulations, advertisers may not target or personalize ads to users under 18 years of age in the European Economic Area, United Kingdom, or Switzerland. Additionally, Google will implement safeguards to prevent age-sensitive ad categories from being shown to children and teens. As an advertiser, you can also request to have your ads excluded from showing to signed-in users under 17 years of age through this form. This exclusion will apply to your Search, Display, YouTube and Shopping campaign ads in Google Ads when Google systems indicate that a user is under 17 years of age in the regions mentioned above, or the applicable age in their country.

Working with the IAB Transparency & Consent Framework

Google now supports the IAB Transparency & Consent Framework (TCF) v2.0. Learn more about how Google Marketing Platform advertising products and Google Ads integrate with the IAB TCF v2.0:

Was this helpful?

How can we improve it?
Clear search
Close search
Google apps
Main menu