Helping advertisers comply with the U.S. states' privacy laws in Google Ads

Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information. We give users transparency and control over their ad experiences via My Ad Center, My Account and several other features to help you manage your account. Per our Personalized advertising policy, we never use sensitive information like health, race, religion, or sexual orientation to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative, and ads.txt to support a healthy and sustainable ads ecosystem.

Google welcomes privacy laws that protect consumers. In May 2018, we launched several updates to help advertisers and publishers comply with the General Data Protection Regulation (GDPR) in the EEA and the UK.

In 2019, Google began offering restricted data processing (RDP) to help advertisers, publishers, and partners manage their compliance with the California Consumer Privacy Act (CCPA). In January 2023, we expanded the operation of restricted data processing to help customers and partners manage their compliance with the new U.S. state privacy laws.

Updates to restricted data processing and CCPA service provider status (July 2023)

Starting July 1, 2023 Google will no longer act as your service provider (in California) under the California Privacy Rights and Enforcement Act of 2020 for cross-context behavioral advertising. This means restricted data processing will no longer be offered for Customer Match.

These changes will be reflected in the existing U.S. State Privacy Laws Addendum to the  Google Ads Data Processing Terms and the Google Ads Controller-Controller Data Protection Terms.

About restricted data processing

With restricted data processing, Google restricts the way it uses certain unique identifiers and other data processed in the provision of services to you to undertake certain activities.

With respect to data to which restricted data processing applies, these activities include the following feature:

  • Ad delivery
  • Debugging
  • Improving and developing
  • Reporting and measurement
  • Security and fraud detection

Subject to the terms of our relevant U.S. State Privacy Laws Addenda, we'll act as your service provider with respect to data processed while restricted data processing is enabled.

Restricted data processing operates differently across our products. Advertisers, publishers, and partners should ensure that use of Google products and services, including restricted data processing, meets their compliance requirements. For products where action is required to enable restricted data processing, partners must decide for themselves when and how to enable it. Some may decide to enable restricted data processing on a per-user basis (for example, following a user opt-out by clicking on a “Do Not Sell My Personal Information” link). Alternatively, for products that support it, some partners may decide to enable restricted data processing for all users in applicable U.S. states.

Colorado has determined that the specific universal opt-out mechanism to be utilized is Global Privacy Controls (GPC). Google will turn off personalized ads targeting and activate restrictive data processing (RDP) if we receive a GPC from a user or advertiser/publisher in Colorado. In all other US states with regulations impacting ad targeting, partners who have implemented the Global Privacy Control may choose to turn on restricted data processing when they receive a GPC opt-out signal.

Colorado Universal Opt-Out Mechanism provisions require that Global Privacy Control (GPC) signals opt the user out of Ad Targeting, Sale, or Share of data. For users in Colorado, Google will receive GPC signals directly and trigger RDP mode for those ad requests.
 

Restricted data processing does not extend to the sending or disclosure of data to third parties that you may have enabled in our products and services, and you should ensure that you’ve taken all measures with respect to such third parties as required to meet your compliance needs. If you've shared data from one Google product with another via product integrations or through other means, data will be subject to the terms of the recipient product once shared. For example, if you build an audience with enhanced conversions or offline conversion imports, and you export it to another product for personalized advertising, restricted data processing may not be available.

Products and features that already operate using restricted data processing

These Google Ads products and features already operate using restricted data processing:

Users of the above-mentioned products and features require no action to enable restricted data processing.

If you have shared data from one Google product with another via product integrations or through other means, data will be subject to the terms of the recipient product once shared.

*Starting July 1, 2023, restricted data processing will not be available in California where the advertiser engages in cross-context behavioral advertising, including Customer Match. For more information, please see this article.

Products and features that require action to enable restricted data processing

When you enable restricted data processing, Google will limit how it uses data. Certain features will be unavailable, including adding users to remarketing lists, adding users to similar audience remarketing seed lists, and related functionality. For App campaigns, enabling restricted data processing may mean that the users who install your app will continue to see ads for that app following installation.

Even when you've enabled restricted data processing, ads with third-party ad tracking or third-party ad serving, where eligible to serve (for example, on the Google Display Network), will serve unless disabled by a publisher. Google’s contractual commitments regarding restricted data processing do not apply to such third-party tracking and serving vendors. You should ensure that you’ve taken appropriate measures with respect to such third parties as required to meet your compliance needs. For ads serving via cross-exchange for display, Google won't bid on bid requests where a publisher has sent an opt-out signal.

Note: Even when restricted data processing is enabled, features, such as conversion tracking and campaign measurement, will continue to function as normal.
Enable restricted data processing
Product Enable restricted data processing
Google Ads

Google Ads offers you 2 options to enable restricted data processing:

  1. A new “restricted_data_processing” parameter which can be set in your global site tag, to enable restricted data processing for particular users on your site.
  2. A checkbox in the Google Ads interface where you configure your Google Ads remarketing tag to enable restricted data processing for all users located in applicable U.S. states.
Google Analytics, Google Analytics for Firebase

If you are a Google Analytics or Google Analytics for Firebase customer, subject to the “U.S. State Privacy Laws Service Provider and Processor Addendum”, Google Analytics will act as a service provider unless you’ve enabled sharing with Google products and services.

If you export data from Google Analytics or from Google Analytics for Firebase to other products (like Google Ads) as a result of product integrations, that data is subject to the terms of services of those products.

Google Analytics offers a collection of tools that enable you to control how data is collected, and whether it is used for advertising personalization. To learn more, read the Audience list sharing section below or visit the “Advertising Personalization” section in the Google Analytics help center.
App campaigns

If you measure app conversions using Google Analytics for Firebase SDK, you've 2 options:

  1. You can disable personalized advertising features at the user level, which enables restricted data processing for particular users of your app.
  2. You can disable personalized advertising features for a particular geographical region to enable restricted data processing for all users of your app located in those regions.
Google Tag Manager A new “Enable Restricted Data Processing” field is available in the Google Ads tags (Conversion and Remarketing) in Google Tag Manager. Follow these instructions to set it up.

*Note: Customers currently using the allow_ad_personalization_signals parameter to enable restricted data processing can continue to do so. However, Google may require use of the restricted_data_processing parameter in the future.

Audience list sharing

If restricted data processing is enabled in Google Ads, it only applies to audience lists created with the Google Ads tag. If you've audience lists shared with Google Ads from either Google Analytics, Display & Video 360, or Search Ads 360, you’ll need to go to those products to enable restricted data processing for the data that is exported to Google Ads. See the table below for additional details:

Enable restricted data processing for the data that is exported to Google Ads

Product How to enable restricted data processing for the data that is exported to Google Ads
Google Analytics

You can control whether your Google Analytics data is used for ads personalization with the following options in the Analytics interface:

  1. Turn off per (end user) region or for your entire property via these property settings.
  2. Exclude specific events or user properties via these settings (App and Web only).
Dynamically disable ads personalization per session or event by making these tag configuration changes.
Display & Video 360

If you want to disable audience list sharing to Google Ads from Display & Video 360 you've 3 options in Display & Video 360:

  1. You can disable ads personalization via the global site tag parameter.
  2. You can exclude Floodlight activities from personalized ads.
  3. You can disable audience list sharing.
Search Ads 360 Search Ads 360 doesn't currently enable exporting audiences to Google Ads for Search. In addition, users located in California won't be added to search-to-display and social-to-display remarketing lists. You can learn more by reading this article.

About IAB privacy strings

Google is a certified partner under IAB Privacy’s Multi-State Privacy Agreement (MSPA) Certified Partner Program (CPP) and has integrated with the IAB CCPA Framework v1.0 Technical Specifications. Additionally, Google Ads is planning to expand support for IABs US National String in late 2024.

Currently Google’s Display and Video 360 supports IAB’s CA, CO, CT, and VA State Strings via GPP.

Google doesn’t require partners to sign the IAB Multi-State Privacy Agreement (MSPA) in order to work with Google. MSPA Certified Partners are permitted to process MSPA covered transactions without signing the MSPA. We have integrated with IAB’s Global Privacy Platform (GPP).

Note: Use of GPP isn’t required by Google, and is just one of multiple methods that partners can use to support their compliance with US state privacy laws.

Advertisers who choose to use the IAB signal should follow the technical specification provided by the IAB Tech Lab to implement the us_privacy string on their pages. Our Google Ads tags will interact with the advertisers page to retrieve the us_privacy string and apply restricted data processing when the string indicates a user has opted out.

  • When the IAB string indicates a user has not opted out, there will be no changes to behavior.
  • When the IAB string indicates a user has opted out, Google will enable restricted data processing.
Note: Google also offers data deletion and retention controls. Subject to the terms of our U.S. State Privacy Laws Addenda, our data deletion and retention commitments apply when we act as your service provider with respect to data processed while restricted data processing is enabled, on a backwards-looking basis. Learn more about data deletion and retention controls

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu