General Information and GDPR Compliance Guidelines

At Google, user privacy is a top priority. We are committed to transparency and providing users with the control they need to manage their advertising experiences through tools like My Account, Why this ad?, and Keep this ad hidden. We also invest in initiatives such as the Coalition for Better Ads, Digital News Initiative, Google News Initiative, and ads.txt to support a sustainable advertising ecosystem that benefits our publishers.

In August 2017, we announced our commitment to comply with the European Union’s General Data Protection Regulation (GDPR), which applies to users in the European Economic Area (EEA) and the United Kingdom.

This article provides information on how we assist publishers affected by the GDPR, along with answers to frequently asked questions.

Data Controller Responsibilities

Within our suite of publisher products (Google Ad Manager, Ad Exchange, AdMob, and AdSense), both you and Google serve as independent data controllers. Google acts as a data controller because we regularly make decisions on data usage to improve our products—for example, by testing ad-serving algorithms, monitoring user latency, and ensuring accurate forecasting. Additionally, we use data to deliver relevant, high-performing ads when features like optimized pricing in the open auction are utilized.

The designation of Google’s publisher products as data controllers does not grant us any additional rights over data derived from your use of these products. Our data usage remains subject to the contractual terms we have with our publishers and any function-specific settings they choose via our product interfaces.

While you are not required to obtain user consent for activities on our websites (since Google secures this consent upon site visits), we do ask that you obtain the necessary consent for your use of our advertising products on your platforms. Currently, you are already required to obtain certain consents from users in the EEA and the UK, and we will update these requirements in accordance with the GDPR. We encourage you to include a link to this page, which explains how Google handles data in its advertising products. This will help you meet the requirement to inform your users about how Google uses their personal data, as mandated by our European Union User Consent Policy.

Data Processor Responsibilities

Google also acts as a data processor for certain functions within Ad Manager, Ad Exchange, and AdMob. As such, Google processes data on behalf of relevant publishers when requested.

Assistance with Obtaining Consent

The GDPR introduces significant obligations within the ecosystem, which we have incorporated into the European Union User Consent Policy. Refer to the following guidance on GDPR legal and regulatory directives. We’ve updated the help page for this policy to address the concerns raised by our clients.

Additionally, we offer a set of optional resources to help you obtain user consent on your websites and apps, including:

  • “Privacy & Messaging” from Funding Choices: A consent tool available for both web and mobile in the following products:
    • Privacy & Messaging for AdMob
    • Privacy & Messaging for Ad Manager
    • Privacy & Messaging for AdSense
  • The updated consent message recommended at cookiechoices.org, where we offer alternative consent solutions.
  • A consent component for inclusion in Accelerated Mobile Pages (AMP).

We will continue working with IAB Europe on their Transparency and Consent Framework and ensuring that industry solutions function seamlessly with our ad-serving products for publishers (Ad Manager and AdSense).

Control Over Ad Personalization

We also provide publishers with tools to manage ad personalization:

  • Ad Technology Provider Management (Help Centers for Ad Manager, AdMob, and AdSense): This allows you to select which partners can measure and display ads to users in the EEA and the UK on your websites and apps when inventory is sold through programmatic channels (including guaranteed programmatic). You can choose your preferred partners from a list of companies that have provided compliance information not only with GDPR but also with our data usage policy, which is necessary to protect your users’ data. The list of included providers can be found in the Help Centers for Ad Manager, AdSense, and AdMob. Ad technology and measurement partners that have not yet provided this data should contact us by completing this form.
  • A non-personalized ads solution (Help Centers for Ad Manager and AdSense): This allows you to offer EEA and UK users the option to choose between personalized and non-personalized ads (or exclusively serve non-personalized ads to all EEA and UK users). For non-personalized ads, only contextual information, including approximate general location at the city level, is used.

While these ads are not personalized via cookies, cookies are still used to enable frequency capping, generate aggregated ad reporting, and combat fraud and misuse. Therefore, user consent is required to use cookies for these purposes in countries where the ePrivacy Directive’s cookie provisions are in effect.

European Child Privacy Regulations

In August 2020, we announced our commitment to comply with the UK’s Age Appropriate Design Code (AADC), applicable to users in the UK, and other child privacy regulations relevant to users in the EEA and Switzerland.

Under the AADC and related child privacy regulations, publishers cannot show personalized ads to users under the age of 18 in the EEA or Switzerland. Publishers can use the “underage consent” tag to mark ad requests as restricted and indicate that they pertain to users under 18. Additionally, Google will implement protections to prevent sensitive ad categories from being shown to underage users, and creatives will be filtered according to our policies.

References to GDPR Legal and Regulatory Guidelines

For more information on the GDPR and its application in the context of publishers and digital advertising, refer to the following documents:

  • Article 29 Working Party Recommendations on GDPR Compliance (2018)
  • Article 29 Working Party Recommendations on Transparency under the GDPR (2018)
  • Opinion 06/2014 on the Concept of Legitimate Interest of the Data Controller under Article 7 of the GDPR
  • IAB Europe Recommendations: Five Practical Steps to Comply with the EU Privacy and Electronic Communications Directive (2015)

For information on regulatory guidelines related to consent for using cookies in advertising, refer to the following documents:

  • Working Document 02/2013 providing guidelines on obtaining consent for using cookies (PDF, 2013)
  • Opinion 04/2012 on the Exemption from Consent for Cookies Requirement (PDF, 2012)
  • Opinion 2/2010 on Online Behavioral Advertising (PDF, 2010)