Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features to help you manage your account. Per our Personalised advertising policy, we never use sensitive information to personalise ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative and ads.txt in order to support a healthy, sustainable ads ecosystem.
Today, we’re building on that feature set by offering restricted data processing, which will operate as set forth below, to help advertisers, publishers and partners manage their compliance with the California Consumer Privacy Act (CCPA).
About the California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) is a new data privacy law that establishes various rights for California state residents. The law applies to companies that do business in California and meet one of several criteria related to revenue, data processing, and other factors. CCPA requires giving residents the right to opt out of the “sale” of their “personal information” (as the law defines those terms), with the opt-out offered via a prominent “Do Not Sell My Personal Information” link on the “selling” party’s homepage. CCPA does recognise certain exceptions to the definition of “sale”, such that not all transfers of personal information are “sales”. For example, transferring personal information to a “service provider” under the law is not a sale.
About restricted data processing
Restricted data processing is intended to help advertisers, publishers and partners meet their CCPA compliance needs. With restricted data processing, Google restricts how it uses certain unique identifiers, and other data processed in the provision of services to you, to only undertake certain business purposes. With respect to data to which restricted data processing applies, these business purposes include ad delivery, reporting and measurement, security and fraud detection, debugging, and improving and developing features for the products that we offer you. Subject to the terms of our CCPA service provider addendum, we will act as your service provider with respect to data processed while restricted data processing is enabled.
Restricted data processing operates differently across our products. Advertisers, publishers and partners should ensure that use of Google products and services, including restricted data processing, meets their CCPA compliance requirements. For products where action is required to enable restricted data processing, partners must decide for themselves when and how to enable it. Some may decide to enable restricted data processing on a per-user basis (for example, following a user opt-out by clicking on a “Do Not Sell My Personal Information” link). Alternatively, for products that support it, some partners may decide to enable restricted data processing for all users in California.
Restricted data processing does not extend to the sending or disclosure of data to third parties that you may have enabled in our products and services, and you should ensure that you’ve taken all measures with respect to such third parties as required to meet your CCPA compliance needs. If you have shared data from one Google product with another via product integrations or through other means, data will be subject to the terms of the recipient product once shared.
Products and features that already operate using restricted data processing
These Google Ads products and features already operate using restricted data processing:
No actions are required by users of these products and features.
If you have shared data from one Google product with another via product integrations or through other means, data will be subject to the terms of the recipient product once shared.
Products and features that require action to enable restricted data processing
When you enable restricted data processing, Google will limit how it uses data. Certain features will be unavailable, including adding users to remarketing lists, adding users to similar audience remarketing seed lists and related functionality. For App campaigns, enabling restricted data processing may mean that the users who install your app will continue to see ads for that app following installation.
Even when you have enabled restricted data processing, ads with third-party ad tracking or third-party ad serving, where eligible to serve (e.g. on the Google Display Network), will serve unless disabled by a publisher. Google’s contractual commitments regarding restricted data processing do not apply to such third-party tracking and serving vendors. You should ensure that you’ve taken appropriate measures with respect to such third parties as required to meet your CCPA compliance needs. For ads serving via cross-exchange for display, Google will not bid on bid requests where a publisher has sent an opt-out signal.
How to enable restricted data processing
|Product||Enable restricted data processing|
|Google Ads||You can set the allow_ad_personalization_signals parameter once and apply it across all products configured through the global site tag. The default value of the parameter will be set to true. When you set the parameter’s value to false, it will enable restricted data processing. To ensure that the parameter's value is available in a given Google Ads account, you should add it using the gtag('set') command. For further details, including examples, please see this article.|
|Google Analytics, Google Analytics for Firebase||If you are a Google Analytics or Google Analytics for Firebase customer, subject to the CCPA service provider addendum, Google Analytics will act as a service provider where you have disabled sharing with Google products and services. Google Analytics offers a collection of tools that enable you to control how data is collected, and whether it is used for advertising personalisation. To learn more, please visit the Google Analytics help centre.|