Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features. Per our Personalized advertising policy, we never use sensitive information to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Digital News Innovation Fund, the Google News Initiative and ads.txt in order to support a healthy, sustainable ads ecosystem.
In August 2017, we announced our commitment to comply with the European Union's new General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA) and the UK.
This article provides additional details about how we are supporting impacted advertisers and marketers.
Contract updates
We rolled out updates to our contracts for many products starting in August 2017, reflecting Google's status as either a processor or a controller under the new law.
Find out more about how we use data in Google Marketing Platform advertising products and Google Ads:
- How Google uses Google Marketing Platform advertising product data (Display & Video 360, Campaign Manager 360, Search Ads 360)
- How Google uses Customer Match data
- How Google uses remarketing data
- How Google uses conversion event data
Consent support
The GDPR introduced significant new obligations for the ecosystem, and the changes we announced to our EU User Consent Policy reflect this. Under this policy, advertisers that implement remarketing tags are required to obtain consent from users for the collection of data for personalised ads and advertisers that implement conversion tags for measurement purposes are required to obtain consent for the use of cookies.
To address questions that we received from our customers, we updated cookiechoices.org with examples of consent language and available third-party consent solutions.
Google advertising services is experimenting with new ways of supporting the delivery and measurement of digital advertising in ways that better protect people’s privacy online via the Privacy Sandbox initiative on Chrome and Android. Users with the relevant Privacy Sandbox settings enabled in Chrome or Android may see relevant ads from Google advertising services based on Topics or Protected Audience data stored on their browser or mobile device. Google advertising services may also measure ad performance using Attribution reporting data stored on their browser or mobile device. You can find more information on the Privacy Sandbox. The EU User Consent Policy requires you to obtain valid user consent for these actions in the same way you rely on consent today for ads personalisation and the use of non-essential local storage in the European Economic Area and the UK.
If you use Google advertising products that receive data from your site or app, we encourage you to link to How Google uses information from sites or apps that use our services, which explains how Google manages data in our ads products. Doing so will meet the requirement of our updated EU user consent policy to give users information about Google's uses of their personal data.
Third-party ad serving and measurement changes
On Google Ad Manager, Ad Exchange, AdSense and AdMob
To help publishers choose the ad technology providers that can serve and measure ads on their sites and apps for users in the EEA and the UK, we have launched Ad Technology Provider Controls for publishers (Ad Manager/AdX, AdMob, AdSense). If a publisher doesn't engage with these controls to choose their own list, we will apply a list of commonly used ad technology providers.
In practice, this means your Google Ads and Display & Video 360 campaigns will only serve on an ad impression in the EEA or the UK where a given publisher has selected (and has received user consent for) the Ad Technology Providers you use. All providers listed have shared with Google a link explaining their data usage and provided certain information that is required by the GDPR, and have agreed to comply with our data usage policy. Any providers you work with can contact Google to seek certification to be included in the ad technology providers list.
As previously announced, we're also launching a Non-Personalised Ads solution (Ad Manager/AdX, AdMob, AdSense) to enable publishers to present EEA and UK users with a choice between personalised ads and non-personalised ads (or to choose to serve only non-personalised ads to users in the EEA and the UK). Campaigns that reach users based on demographics and categories of apps they've installed, for instance, are not eligible to serve on non-personalised inventory. The choices that users make on publisher sites that offer non-personalised ads will determine the availability of personalised and non-personalised inventory for these sites. We encourage Google Ads and Display & Video 360 advertisers to closely monitor campaign delivery and consider alternative campaign criteria as needed.
On YouTube
In January 2017, we announced that YouTube will stop accepting most third-party measurement pixels globally starting 21 May 2018. We also announced that we are working with a small group of suppliers (including comScore, DoubleVerify, IAS, MOAT, Nielsen, Kantar and Dynata) to evaluate the re-certification of their pixels. Additionally, advertisers can enable YouTube reporting via the partners we have integrated with Ads Data Hub (ADH).
Data collection, deletion and retention controls
Audience lists in Google Ads/Google Marketing Platform advertising products
- Google Ads Customer Match Audiences: We won't retain data files advertisers upload for any longer than necessary to create Customer Match audiences and ensure compliance with our policies (see How Google uses Customer Match data). Once those processes are complete, we'll promptly delete the data files uploaded in Google Ads or the Google Ads API. For information on how to update or replace an existing Customer Match audience, see Update your customer list.
- Remarketing with Google Ads or Floodlight tags: Advertisers control which users are added to remarketing lists and which are not, as well as the duration users stay on a list. Today, if you use the Google Ads or Floodlight tag for remarketing, you need to ensure that the tag is not active for users who have indicated they do not want to receive personalised ads. There are many ways to achieve this. We recommend that you consult your web developer on possible solutions, including Google Tag Manager. If you use the Google Analytics tag for Google Ads remarketing, please see the 'Google Analytics data' section below.
- Campaign Manager 360 provided lists: Advertisers control how long cookies remain on a given audience list. To remove a user from a list, you can add a '1' next to the identifier associated with the cookie that you would like to remove from the list. To learn more, see File formatting > File headers > Delete in the Provided lists Help Centre article.
Google Analytics data
Google Analytics has long provided features and policies to help you safeguard your data. The following features, in particular, may prove useful as you evaluate the impact of the GDPR for your company's unique situation and Analytics implementation.
- Data retention: Use the Data Retention controls to manage how long your user and event data is held on our servers.
- Users: The User Deletion API lets you manage the deletion of all data associated with individual users (for example site visitors) from your Google Analytics and/or Analytics 360 properties.
- Properties and accounts: Google Analytics customers can also delete data for their properties and/or accounts.
- Remarketing: Advertisers control which users are added to remarketing lists and which are not. If you use Google Analytics, you can ensure that advertising features are disabled for users who have indicated they do not want to receive personalised ads. To disable advertising features for those users, including remarketing and advertising reporting features, see 'Disable advertising features' in the Display Features guide.
European child privacy regulations
In August 2020, we announced our commitment to comply with the Age Appropriate Design Code (AADC) which applies to users in the United Kingdom, and additional child privacy regulations applicable to users in the European Economic Area (EEA) and Switzerland.
Under the Age Appropriate Design Code and related child privacy regulations, advertisers may not target or personalise ads to users under 18 years of age in the European Economic Area, United Kingdom, or Switzerland. Additionally, Google will implement safeguards to prevent age-sensitive ad categories from being shown to children and teens. As an advertiser, you can also request to have your ads excluded from showing to signed-in users under 17 years of age through this form. This exclusion will apply to your Search, Display, YouTube and Shopping campaign ads in Google Ads when Google systems indicate that a user is under 17 years of age in the regions mentioned above, or the applicable age in their country.
Working with the IAB Transparency & Consent Framework
Google now supports the IAB Transparency & Consent Framework (TCF) v2.0. Learn more about how Google Marketing Platform advertising products and Google Ads integrate with the IAB TCF v2.0: