What is a personalized ad

Help - EU User Consent Policy

What is this policy for and where does it apply?

The directive on EU user consent reflects certain requirements of two European data protection regulations: the EU General Data Protection Regulation (GDPR) and the data protection directive for electronic communications (the so-called e-privacy directive). All relevant UK law is also taken into account. The e-privacy directive should not be confused with the so-called e-privacy regulation, which is currently being discussed as a legislative proposal. These rules apply to end users in the European Economic Area (EEA) and the United Kingdom. The EEA includes the EU member states as well as Iceland, Liechtenstein and Norway.

The original version of this directive was published in 2015 and updated on May 25, 2018 with the entry into force of the EU General Data Protection Regulation (GDPR).

Do I have to follow this policy for all users if I am a publisher or advertiser based in the EEA or the UK?

Google's EU User Consent Policy only applies to end users located within the EEA or the UK.

How does Google ensure that this policy is followed?

We manually check websites and apps for which our advertising services are used. We have been following this approach since the directive was introduced in 2015. Our auditors visit or use a website or app just as a user would. In doing so, they pay attention to what information is available to them and what consents are obtained.

Our top priority will always be to work closely with our partners to comply with all guidelines. We are aware that there are different approaches to obtaining consent and we do not provide any requirements in this regard, provided that the requirements set out in our policy are met. If we discover that a partner is not complying with our policy, the first thing we will contact them and notify them. Then we will try to fix the problem together.

We have been giving website owners and app developers sufficient time to make the necessary changes since 2015. However, if the partner does not work with us or does not endeavor in good faith to implement the requirements within a reasonable period of time, this can lead to measures against the accounts in question, up to and including blocking.

What information do I have to disclose to my end users?

Our guideline provides for the naming of every natural and legal person who receives personal data from end users due to the use of a Google service. In addition, our policy requires the provision of clearly visible and easily accessible information about the use made of end-users' personal data. We have published information about the use of data by Google. We recommend adding a link to this page in order to comply with the disclosure obligations with regard to the use of data by Google. We also ask other providers of ad technology that are integrated into Google services to provide information about their own use of personal data.

Checklist for partners to implement a consent mechanism

These are only examples and there is no claim to be complete. Always make sure that your implementation meets all of the requirements of the Google guidelines.

  • Have you explained to users how their personal data will be used if they consent to this data being collected via your website / app? For example, are users aware that their personal data is used to personalize advertisements and that cookies can be used for both personalized and non-personalized advertising?
  • Have you checked that your declaration of consent is shown to users from all EEA countries when they access your website / app?
  • Do users have the opportunity to actively give their consent - e.g. B. by clicking a button like “OK” or “I agree”?
  • Have you disclosed which third parties, including Google, also have access to the user data that you collect through your website / app?
  • Do you have the users - e. B. by means of a link to the Google website Privacy Policy & Terms of Use - informed about how Google uses your personal data if you consent to it via your website / app? What about the way other third parties use this personal data?
  • If you only generate income with non-personalized ads: Do you obtain consent from users to use cookies or other forms of local data storage (e.g. mobile device IDs) if this is required by law? Please note that non-personalized advertisements that we deliver on websites continue to require cookies in order to function.
  • If the collection, transfer and use of personal data for the personalization of ads has been deactivated and you also monetize Ad Manager and AdMob impressions with limited ad targeting, Google will not access cookies, user IDs or other locally stored identifiers on the device of the End user too. Ad serving technologies such as our JavaScript tags and / or our SDK code will continue to be cached or installed as part of normal use of browsers and mobile operating systems. With the restricted ad targeting, neither cookies nor other forms of local data storage within the meaning of the Google EU User Consent Directive are used, so that you can use them in accordance with the directive even if you have not asked the end user for his or her consent Has declined the request. Find out exactly which legal obligations apply in your case law, including required information requirements and consents. For more information on this feature, see Ad Manager Help and AdMob Help.
  • If you are using an IAB-certified consent management platform (CMP): Have you specified Google Advertising Products as the provider?

What options do I have if I do not want to collect personal data from end users for the personalization of advertisements?

We have introduced a new feature that allows you to turn off personalized ads. Please note, however, that non-personalized ads that we serve on websites and in apps still require cookies or mobile identifiers in order to work. You must obtain consent for the use of cookies or mobile identifiers if this is required by law.

Ad Manager and AdMob impressions can also be monetized with limited ad targeting. If the collection, transfer and use of personal data for the personalization of advertisements has been deactivated and restricted advertisement targeting has also been activated, Google will not access cookies, user IDs or other locally stored identifiers on the end user's devices. Ad serving technologies such as our JavaScript tags and / or our SDK code will continue to be cached or installed as part of normal use of browsers and mobile operating systems. With the restricted ad targeting, neither cookies nor other forms of local data storage within the meaning of the Google EU user consent directive are used, so that you can use them in accordance with the directive even if you have not asked the end user for their consent or if the end user has requested it Has declined the request. Find out exactly which legal obligations apply in your case law, including required information requirements and consents. See Ad Manager Help and AdMob Help for more details.

What information should I provide end users with to withdraw their consent?

The guideline stipulates that end users must be explained how to withdraw their consent to personalization of advertisements. At a minimum, they need information on how to easily access the advertising settings for your website or app, or the general settings of Google or the device they are using.

What other Google products are covered by this policy?

What type of advertising is "personalized" for the purposes of this policy?

Personalized ads (formerly known as “interest-based advertising”) are an effective way for advertisers to increase the relevance of ads to users and increase their ROI. In all of our publisher products, depending on how they are used, we draw conclusions about the interests of users based on the websites they visit or the apps they use. Advertisers can thus tailor their campaigns precisely to the interests of the users, which is advantageous for users and advertisers alike. For more information, see our personalized ads policy.

For Google, advertisements are personalized if collected or historical data determine or influence the selection of advertisements. This includes previous searches, activities, website visits, the use of apps, and demographic and location information. In particular, this includes remarketing, demographic orientation and the orientation towards interest categories, customer comparison lists and target group lists that have been uploaded via the Google Marketing Platform.

What type of advertising does this policy define as "non-personalized"?

For non-personalized ads, only context-related data is collected, such as the approximate general location (at city level) and the content of the current website or app. Targeting is not based on a user's profile or previous activity.

What does “Limited Ad Targeting” fall under this Policy?

If the collection, transfer and use of personal data for personalized advertising has been deactivated and the restricted ad targeting for Ad Manager and AdMob impressions is also activated, Google will not access cookies, user IDs or other locally stored identifiers on the user's device to. Ad serving technologies such as our JavaScript tags and / or our SDK code will continue to be cached or installed as part of normal use by browsers and mobile operating systems. See Ad Manager Help and AdMob Help for more details.

Can I use restricted ad targeting if users object to the use of their personal data for legitimate interests or deactivate the use for this purpose?

No, restricted ad targeting would not be an appropriate solution in these cases. Although no cookies or mobile IDs are required for this, a legal basis is required that covers functions such as the basic provision and success measurement of advertisements.

Why do you have to consent to the use of cookies, even if they are not used for personalization, but for other purposes, e.g. B. for measuring the success of advertisements?

Cookies or mobile identifiers are used for personalized and non-personalized ads served by Google and help fight fraud and abuse. They are also used for frequency capping and generating aggregated ad reports. Our policy also requires consent to the use of cookies or mobile identifiers for users residing in countries that apply the cookie provisions of the EU Electronic Communications Directive and for users in the UK. We know that the e-privacy laws are not implemented or applied uniformly within the EU. Therefore, our policy limits the scope for consent to cookies and mobile identifiers to "when required by law". With Ad Manager and AdMob, publishers can also use our limited ad targeting feature. This function does not use cookies or other forms of local data storage within the meaning of the Google EU user consent directive, so that you can use them in accordance with the directive even if you have not asked the end user for their consent or if they have not asked for their consent has refused, provided that you have deactivated the collection, disclosure and use of personal data for the personalization of advertisements. Find out exactly which legal obligations apply in your case law, including required information requirements and consents. See Ad Manager Help and AdMob Help for more details.

What if i'm an advertiser using Google products on my website?

If you use tags for advertising products such as Google Ads or the Google Marketing Platform on your pages, you must obtain consent from your users in the EEA and the UK in order to comply with the Google EU User Consent Policy. In accordance with the requirements of our policy, you must obtain consent to the use of cookies to measure the success of advertisements and consent to the use of personal data for personalized advertising - for example, if you use remarketing tags on your pages.

What should my declaration of consent contain?

The content of your declaration of consent depends on the options you give your users and how you want to use the data (e.g. for your own purposes or to support other services with which you work). You can find an example of such a declaration of consent on the Google-operated website CookieChoices.org.

What if I, as a publisher, only serve non-personalized ads to users in the EEA and the UK?

If you do not deliver personalized advertisements to users who visit your website and visits to your website do not affect the advertisements displayed elsewhere, you must still obtain consent for the use of cookies or mobile identifiers if this is required by law. Such consent is required because, even with non-personalized ads, cookies will continue to be used to combat fraud and abuse, as well as for frequency capping and the creation of aggregated ad reports. At CookieChoices.org you can find an example of a declaration of consent that might be suitable in this case.

Ad Manager and AdMob impressions can also be monetized with limited ad targeting. If the collection, transfer and use of personal data for the personalization of advertisements has been deactivated and restricted advertisement targeting has also been activated, Google will not access cookies, user IDs or other locally stored identifiers on the end user's device. Ad serving technologies such as our JavaScript tags and / or our SDK code will continue to be cached or installed as part of normal use of browsers and mobile operating systems. With the restricted ad targeting, neither cookies nor other forms of local data storage within the meaning of the Google EU user consent directive are used, so that you can use them in accordance with the directive even if you have not asked the end user for their consent or if the end user has requested it Has declined the request. Find out exactly which legal obligations apply in your case law, including required information requirements and consents. See Ad Manager Help and AdMob Help for more details.

Which options do I have to make available to my users?

The Google Policy does not contain any guidelines on possible choices that you should offer users. Publishers can let their users choose between personalized and non-personalized advertising, while others may want to give their users different choices.

What if I want to create a declaration of consent for an app?

Cookies are generally not used in mobile apps. Google Ad Manager and AdMob provide support for in-app advertising and use special advertising IDs provided by the Android and iOS operating systems. For this reason, your message should contain the information that identifiers are used on the device instead of cookies. In this way, you comply with the requirements of the Google guideline, which relate to the consent to the use of "other forms of local data storage".

Does Google require a special form of user consent for apps?

In order for it to be legally valid, the consent of a user must be given voluntarily for a specific purpose and in an informed and unambiguous manner in accordance with the law. However, no particular form is specified. Our guideline on EU user consent allows us to flexibly design the notification of EU user consent and the options offered to users.

On our website CookieChoices.org you can find some examples of communications from publishers and advertisers that you can use for your app. Such a notification will help you to comply with our guidelines if you use mobile device identifiers, for example to personalize advertisements. App developers can either use one of these examples or, for example, simply display a notification when opening an app for the first time, in which users are advised that they should uninstall the app if they do not agree to their device ID being passed on and / or not a personalized one Want to receive advertising.

Where can I get a consent solution?

There are some features in AMP that you can use to create a consent solution yourself. We have also developed a consent solution for Google Ad Manager and AdMob. However, you may also want to create your own consent solution or use one from another provider. At CookieChoices.org you will find a list of providers who offer solutions for creating a declaration of consent that meets the requirements of the Google Directive.

If you use products such as Google AdSense or Google Ad Manager on your website, you must combine your consent solution with the advertising tags on your pages. In this way you ensure that the wishes of your users are implemented. The individual providers offer instructions and support for this purpose. If you do not make the appropriate configurations for all tags on your pages, you run the risk of misleading users: They think they have deactivated cookies for ad preferences, even though they are still in use. Because of this, all implementations of these tools on your website must be thoroughly tested.

How should partners choose a Consent Management Platform (CMP) provider?

Partners can use Funding Choices to create their own consent solution (more information here) or use a third-party CMP solution. However, if you decide to use a third-party CMP, you should seek legal advice so that the consent solution both meets individual requirements and can be further customized.

There are a number of external resources that can help you find the right CMP provider, such as a list of CMPs that are registered with the IAB Transparency and Consent Framework. Please note, however, that this is not an exhaustive list and that choosing a CMP from this list does not automatically guarantee compliance with Google's EU User Consent Policy. Ultimately, this always depends on the specific notification of EU user consent that is displayed to users. Further information can be found on this page in the “Checklist for partners to implement a consent mechanism”.

Which third party providers use personal data of end users and how should I identify them?

Many advertisers and publishers who use Google advertising formats use third-party providers to serve ads and analyze the effectiveness of their advertising campaigns on websites or in apps. The guideline stipulates that, in addition to Google, you must clearly name every provider who may collect, receive and / or use personal data from end users in the context of your use of Google products. In AdSense, Google Ad Manager and AdMob you can select providers who are authorized to collect data on your website or in your app.

My website is not hosted in Europe. Am I bound by this policy?

If you use Google products covered by this policy and you target users in the EEA or the UK, you are bound by this policy.

I'm a publisher, but none of my campaigns target the EEA or the UK. Does this duty of consent still apply to me?

Consent would only be unnecessary if you removed all Google services for users in these countries from the website. However, it would still be mandatory if Google services were used but no ads were displayed. This is because Google Ad Manager uses cookies and our policy also requires consent for the use of cookies that are used to measure success. Google Ad Manager also collects personal data, unless it is a request for a non-personalized ad and this is specified in the settings for EU user consent or in the request itself.

How do I create a consent mechanism?

You can get a first impression on the CookieChoices.org website. There you will also find resources for implementing consent mechanisms on websites and in apps.

Our company interprets the law differently and would like to take a different approach to consent and disclosure. Is that possible?

Google is committed to following the requirements of the GDPR for all services we offer in Europe, including to the extent that these requirements have been incorporated into UK law. This obligation is also reflected in the fact that we have adapted our guideline on EU user consent in accordance with the requirements of the European data protection supervisory authorities. But we would also like to work with publishers and partners in the industry and support them in implementing these changes. We will continuously monitor the law and industry best practices and adjust our recommendations and requirements accordingly.

Why do we need to get consent to measure the success of ads - aren't they legitimate interests?

Google uses cookies and mobile ad identifiers to enable the success of ads to be measured. Consent is required for this use in countries where the electronic communications privacy policy applies. Accordingly, our guideline requires consent for the personalization of advertising and, if necessary, for measuring the success of advertisements, if required by law. This also applies if the measurement of the success of advertisements within the meaning of the GDPR may fall under the legitimate interests of the data controller.

Do I need consent before the tags are triggered, or is it enough to obtain consent afterwards?

Our understanding of the GDPR requirements is that consent for personalized advertising should be obtained before the tags are triggered by Google on your pages. The privacy policy for electronic communications requires consent for the storage of or access to cookies. However, since the data protection requirements are not implemented or applied uniformly within the EU, our guideline limits the scope of the consent to cookies and mobile IDs to "if this is required by law". Some supervisory authorities have issued guidelines in which it is expressly stated that the storage of cookies must be preceded by a user action, while with others it is permissible if the consent is given at the same time as the setting of cookies.

Statements from supervisory authorities suggest that the GDPR also has an impact on cookie consent under the privacy policy for electronic communications, but there are still no clear statements about the relationship between these two pieces of legislation. We look forward to the publication of further information and documents from supervisory authorities on this topic and will then update our help pages accordingly. For customers who have decided not to obtain consent for the use of personalized advertising at the moment, we will continue to apply the respective national legal standards for consent to cookies and will not request any changes to their current implementation of cookie consent solutions.

What about the use of click trackers?

If advertisers use third-party click tracking technologies (e.g. if the user's browser is not forwarded directly to the provider's landing page by clicking on an advertisement, but first to the provider of a measurement service), they must comply with the applicable laws adhere to. The setting options for third-party providers that Google Publishers make available are not intended to cover click tracking technologies.

What records do I need to keep?

Our policy requires customers to keep records of consents. These should at least include the text and choices that were displayed to users in the consent solution, as well as the date and time at which the user gave their consent.

Why was my consent mechanism found to be non-compliant even though I am using an IAB-certified consent management platform?

You can use any CMP as long as it meets all the requirements of the EU User Consent Directive. Until August 2020, Google was not part of the IAB Transparency and Consent Framework. In the case of a CMP registered with the framework, it could therefore be that Google did not appear on the list of providers that was displayed to users by the CMP. This means that the requirement of the Consent Policy to disclose every natural or legal person who may collect, receive or use personal data from end users as a result of your use of the respective Google service may not have been met.

Since August 2020, Google has been integrated in version 2 of the IAB Transparency and Consent Framework, so that Google advertising products (“Google Advertising Products”) can be selected as providers from IAB's Global Vendor List.

Updates to this Policy

Google's original EU user consent policy was updated on May 25, 2018. Other minor adjustments were made on October 31, 2019 to reflect changes in the relationship between the UK and the EU. At this point in time we do not expect any further changes to the policy, but as mentioned above, we will continue to monitor legal developments and best practices in the industry and adjust our recommendations and requirements accordingly.