Customer support handbook

Helping advertisers comply with the GDPR

Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we never sell personal information and we give users transparency and control over their ad experiences via My Account and several other features. Per our Personalized advertising policy, we never use sensitive information to personalize ads. We also invest in initiatives such as the Coalition for Better Ads, the Digital News Initiative, the Google News Initiative and ads.txt in order to support a healthy, sustainable ads ecosystem.

In August 2017, we announced our commitment to comply with the European Union's new General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA). This article provides additional details about how we are supporting advertisers and marketers with the changes the GDPR brings.

Contract updates

We have been rolling out updates to our contracts for many products since August 2017, reflecting Google's status as either a processor or a controller under the new law.

Find out more about how we use data in DoubleClick Digital Marketing and AdWords:

Consent support

The GDPR introduces significant new obligations for the ecosystem, and the changes we announced to our EU User Consent Policy reflect this. Under this policy, advertisers that implement remarketing tags are required to obtain consent from users for the collection of data for personalized ads and advertisers that implement conversion tags for measurement purposes are required to obtain consent for the use of cookies.

To address questions we have received from our customers, we have updated cookiechoices.org with examples of consent language and available third-party consent solutions.

If you use Google ads products that receive data from your site or app, we encourage you to link to How Google uses information from sites or apps that use our services, which explains how Google manages data in our ads products. Doing so will meet the requirement of our updated EU User Consent Policy to give users information about Google's uses of their personal data.

Third-party ad serving and measurement changes

On DoubleClick for Publishers, DoubleClick Ad Exchange, AdSense, and AdMob

To help publishers choose the ad technology providers that can serve and measure ads on their sites and apps for users in the EEA, we have launched Ad Technology Provider Controls for publishers (DFP/AdX, AdMob, AdSense). If a publisher doesn't engage with these controls to choose their own list, we will apply a list of commonly used Ad Technology Providers.

In practice, this means your AdWords and DoubleClick Bid Manager campaigns will only serve on an ad impression in the EEA where a given publisher has selected (and has received user consent for) the Ad Technology Providers you use. All providers listed have shared with Google a link explaining their data usage and provided certain information that is required by the GDPR, and have agreed to comply with our data usage policy. Any providers you work with can contact Google to seek certification to be included in the Ad Technology Providers list.

As previously announced, we're also launching a Non-Personalized Ads solution (DFP/AdX, AdMob, AdSense) to enable publishers to present EEA users with a choice between personalized ads and non-personalized ads (or to choose to serve only non-personalized ads to users in the EEA). Campaigns that reach users based on demographics and categories of apps they've installed, for instance, are not eligible to serve on non-personalized inventory. The choices users make on publisher sites that offer non-personalized ads will determine the availability of personalized and non-personalized inventory for these sites. We encourage AdWords and DoubleClick Bid Manager advertisers to closely monitor campaign delivery after May 25 and consider alternative campaign criteria as needed.

On YouTube

In January 2017, we announced that YouTube will stop accepting most third-party measurement pixels globally starting May 21, 2018. We also announced that we are working with a small group of vendors (including comScore, DoubleVerify, IAS, MOAT, Nielsen, Kantar, and Research Now) to evaluate the re-certification of their pixels. Additionally, advertisers can enable YouTube reporting via the partners we have integrated with Ads Data Hub (ADH).

Data collection, deletion and retention controls

Audience lists in AdWords / DoubleClick Digital Marketing

  • AdWords Customer Match Audiences: We won't retain data files advertisers upload for any longer than necessary to create Customer Match audiences and ensure compliance with our policies (see How Google uses Customer Match data). Once those processes are complete, we'll promptly delete the data files uploaded in AdWords or the AdWords API. For information on how to update or replace an existing Customer Match audience, see Update your customer list.
  • Remarketing with AdWords or DoubleClick Floodlight tags: Advertisers control which users are added to remarketing lists and which are not, as well as the duration users stay on a list. Today, if you use the AdWords or DoubleClick Floodlight tag for remarketing, you need to ensure that the tag is not active for users who have indicated they do not want to receive personalized ads. There are many ways to achieve this. We recommend that you consult your webmaster on possible solutions, including Google Tag Manager. If you use the Google Analytics tag for AdWords remarketing, please see the "Google Analytics data" section below.
  • DoubleClick Campaign Manager provided lists: Advertisers control how long cookies remain on a given audience list. To remove a user from a list, you can add a "1" next to the identifier associated with the cookie that you would like to remove from the list. To learn more, see File formating > File headers > Delete in the Provided lists Help Center article.

Google Analytics data

Google Analytics has long provided features and policies to help you safeguard your data. The following features, in particular, may prove useful as you evaluate the impact of the GDPR for your company's unique situation and Analytics implementation.

  • Data retention: Use the Data Retention controls to manage how long your user and event data is held on our servers.
  • Users: The User Deletion API lets you to manage the deletion of all data associated with individual users (e.g., site visitors) from your Google Analytics and/or Analytics 360 properties.
  • Properties and accounts: Google Analytics customers can also delete data for their properties and/or accounts.
  • Remarketing: Advertisers control which users are added to remarketing lists and which are not. If you use Google Analytics, you can ensure that advertising features are disabled for users who have indicated they do not want to receive personalized ads. To disable advertising features for those users, including remarketing and advertising reporting features, see "Disable advertising features" in the Display Features guide.

Working with the IAB Transparency & Consent Framework

We have not yet integrated with the IAB Transparency & Consent Framework (TCF). We've been working with IAB Europe over the last several months to explore how our products and policies can support the TCF, but our technical integration is not complete.

This integration will allow either personalized ad serving or non-personalized ad serving aligned to the consent signals passed for impressions from both Google’s DoubleClick Ad Exchange and third-party exchanges when IAB’s TCF is used. Additional details will be available as we finalize our technical support.

Until Google’s IAB integration is complete, on third-party exchanges, Google will bid with personalized ads that do not include third-party pixels unless our third-party exchange partner contacts us to put in place a predefined list of third parties for whom they will ensure consent is collected. Google will match the list of providers that third party exchanges send with the list of certified third parties in our Ad Technology Provider (ATP) list (certifications process guide) and serve personalized ads where there is a match based on the exchange confirming appropriate consent. On Google’s DoubleClick Ad Exchange, AdMob and AdSense, we will bid based on the vendors for which the publisher has affirmed consent (i.e., the ad technology partners included in the publishers’ settings).

Once Google is listed in the IAB’s Global Vendor List, publishers and other technology providers may also solicit consent for use of DoubleClick Campaign Manager tags via the IAB's TCF.

Was this article helpful?
How can we improve it?