The policy reflects certain requirements of two European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. This policy applies to end users located in the EEA, the UK and Switzerland. The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway.

The original version of this policy was introduced in 2015 and was updated on 25 May 2018 when the General Data Protection Regulation came into effect. The policy was last updated on 31 July 2024 to apply to users located in Switzerland.

Google’s EU User Consent Policy applies only to end users located in the EEA, the UK, or Switzerland.

Our approach to compliance is to conduct periodic audits of websites and apps that use our advertising services, as we have done since the Policy was introduced in 2015. Our reviewers visit a website or app as a user would visit it, and we look at the information provided and the consents obtained.

Our first priority will always be to work with our partners to get compliance right. If we find that a partner is not following our policy, our first step will be to contact the partner to indicate an issue, and we will then try to work with them to achieve compliance.

As has been the case since 2015, we give websites and apps a reasonable timeframe to make any necessary changes; but if the partner fails to engage with us or fails to demonstrate a good faith effort to achieve compliance within a reasonable time frame, this might result in action on the account(s) in scope, including suspension of audience functionalities including ad personalisation (e.g. remarketing) and conversion measurement capabilities for advertisers; for publishers only Limited Ad/ programmatic limited ads will be eligible to serve (if programmatic limited ads are enabled).

In addition to conducting audits of websites and apps, we require publishers to adopt a Certified CMP when serving ads to users in the EEA, the UK, and Switzerland in order to comply with this policy. Google will continue to run audits on our publisher partner sites and apps where a Certified CMP has been adopted.

For advertisers with EEA traffic, if a user from the EEA is using your website or app and you measure user behavior with Google tags or SDKs and/ or you leverage audience functionality/ad personalisation functionality , you need to pass through end-user consent choices to Google (e.g. via consent mode or TCF). If you load the Google tag and haven’t implemented the latest version of consent mode we recommend working with a CMP in the Google CMP Partner Program. This list is not exhaustive of all CMPs available and Google does not require advertisers to use a CMP from the partner Program.

Our policy requires identification of each party that receives end users’ personal data as a consequence of using a Google product. It also requires prominent and easily accessible information about the use of end users’ personal data. We have published information about Google’s uses of information. To comply with the disclosure obligations with respect to Google's use of data, publishers and advertisers are required to link to that page. We are also asking other ad technology providers with which Google’s products integrate to make available information about their own uses of personal data.

App developers should encourage users to download the most recent version of their app for the most up-to date user disclosures.

These are examples only and this is not intended to be an exhaustive list. Always take care to ensure your implementation meets all the requirements of Google’s policies.

1. Consent Mechanism/Banner Implemented: Have you implemented a consent mechanism/banner? For publisher partners, has the consent mechanism/ banner been certified by Google? Have you checked that your consent mechanism/banner is being displayed when your website/app is accessed by users from all EEA countries as well as from the UK and Switzerland?
   
2. Personal Data Use Disclosure: Have you explained to users how their personal data will be used on your website/app? For example, are they aware that their personal data will be used for personalisation of ads - with specific reference to ‘ads personalisation’ on the first layer of your consent mechanism/banner - and that cookies/mobile ad identifiers may be used for personalised and non-personalised advertising?
   
3. User Affirmative Action: Have users been given an option to take affirmative action to indicate consent e.g. clicking an “OK” button or an “I agree” button?
   
4. Data Sharing Disclosure: Have you disclosed which third parties (including Google) will also have access to the user data you collect on your website/app?
   
5. Link to Google’s Business Data Responsibility Site: Have you informed users about how Google will use their personal data when they give consent on your site/app by including a link to Google’s Business Data Responsibility Site? You should link to the Business Data Responsibility Site either directly on your consent notice, or via a link to your privacy policy page (provided that the link is visible on the first layer of that page), or under “More Info” or a similar link in the consent notice. Have you informed users about how other third parties will use their personal data?
   
6. Consent Signal Set Up Correctly: For advertisers, for your users in the EEA: are you sending validated consent signals to Google that reflect end user preferences? Have you appropriately implemented the latest version of consent mode or TCF?
   
7. Consent for Setting Cookies: Consent for Setting Cookies: Have you ensured no cookies are set in the absence of consent to the extent consent is required? Please note that the non-personalised ads that we serve on websites still require cookies to operate.
   
8. Consent Management Platform Set Up Correctly: For Publishers, have you adopted a Google certified CMP in accordance with TCF requirements? To the extent you leverage Additional Consent, have you correctly implemented it?

You can find more information on how to fix issues with your EU User Consent Policy audit for advertisers here and for publishers here.  

If you are a publisher, when you monetize impressions only with Limited Ads, in addition to disabling the collection, sharing, and use of personal data for personalisation of ads, Google disables features that require use of a local identifier like frequency capping. Only when Programmatic Limited Ads are turned on, invalid traffic detection-only cookies & local storage will be used to help defend against fraud and abuse. Note that ad-serving technologies (our JavaScript tags and/or our SDK code) will still be cached or installed as part of the normal operation of users' browsers and mobile operating systems. You should assess for yourself your compliance obligations, including required notice and consent, based on local law in your jurisdiction. See the Ad Manager, AdMob and Adsense Help Centers for more details on this feature.

The policy requires that end users are told how to revoke consent. It needs to be as easy for a user to revoke consent as it was to initially provide consent. At a minimum, end users need to have sufficient information to easily reach their ad controls for your website or app, in order to amend their consent preferences.

In addition to ads and measurement products, this policy is referenced in other Google products such as the Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service, and in Blogger.

Personalised advertising provides an improved experience for users (i.e. improves advertising relevance) and advertisers/ publishers alike. Google considers ads to be personalised when they are based on previously collected or historical data to determine or influence ad selection, including a user's previous search queries, activity, visits to sites or apps, demographic information or location. Specifically, this would include, for example: demographic targeting, interest category targeting, remarketing, targeting Customer Match lists and targeting audience lists uploaded in Google Marketing Platform. Further information can be found here.

If we identify non-compliance with this policy, our priority will be to support our partners in coming back into compliance. Our audit team will provide you with details of the failure and information on the steps that need to be taken to bring your website/app into compliance with the policy.

To support advertisers’ compliance with this policy, we encourage advertisers to work with their CMP partner (where applicable), review appropriate consent settings management documentation, make sure they are appropriately integrated with Consent Mode or the TCF, and to check out this troubleshooter.

We encourage publishers to work with their Google certified CMP, and to check out this troubleshooter in order to resolve non-compliance.

Cookies or mobile identifiers are used to support personalised and non-personalised ads served by Google, for frequency capping, and for aggregated ad reporting. Our policy requires consent to the use of cookies or mobile identifiers for users in countries in which consent to cookies or mobile identifiers is legally required.

If you use tags for advertising products like Google Ads, or Google Marketing Platform on your pages/app, you’ll need to obtain consent from your EEA, UK and Swiss users to comply with Google’s EU User Consent Policy. Our policy requires consent for cookies, mobile identifiers or other local storage where legally required, and consent for the use of personal data for personalised ads – for instance if you have remarketing tags on your pages/app.

We encourage you to review the checklist above to avoid common mistakes when implementing a consent mechanism/banner as this checklist will support your compliance with this policy.

Google’s policy does not dictate the choices that should be offered to users as the text of your consent notice will depend on your uses of data (e.g. if you use data for your own purposes or to support other services that you work with).

For publishers, yes. Google’s publishers are required to adopt a Google Certified CMP when serving personalised ads to users in the EEA, the UK and Switzerland.

For Google’s advertiser partners, for EEA traffic, advertisers are required to send signals to Google that reflect end user preferences via consent mode or TCF. The CMP partner program was created to assist advertisers in building and configuring consent banners. Note: This list is not exhaustive of all CMPs available and Google does not require advertisers to use a CMP from the partner Program.

For advertiser partners, the CMP partner program was created to assist advertisers in configuring consent banners on web/app and can support consent mode or TCF integration. Note: This list is not exhaustive of all CMPs available. Adopting any of these CMPs does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

For publisher partners, publishers are required to adopt a CMP that has been certified by Google and has integrated with the IAB Europe Transparency and Consent Framework (TCF) when serving personalised ads to users in the EEA, the UK and Switzerland.

Many advertisers and publishers using Google’s advertising systems use third parties to serve ads and measure the efficacy of their ad campaigns on websites and in apps. The policy requires you to clearly identify each party, in addition to Google, that may collect, receive, and/or use end users’ personal data as a result of your use of Google products.

Yes, if you use Google products that incorporate the policy. The Policy applies only to end users located in the EEA, the UK, and Switzerland.

This policy applies to end users in the EEA, the UK, and Switzerland. The policy does not apply if Google services were removed from the website/app for users in these countries.

Google is committed to complying with the GDPR, including to the extent transposed into UK law, across all of the services that we provide in Europe. Our EU user consent policy reflects that commitment and guidance from European data protection authorities. While partners may have a different interpretation of laws we require our partners to meet the expectations of this policy. We will continue to evaluate the law and industry practice, and update our recommendations and requirements accordingly.

Google uses cookies and various ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalisation and consent for ads measurement where legally required.

Consent for personalised ads, and the use of cookies or other local storage where legally required should be obtained before Google’s Advertiser tags are fired on your web pages or apps.

Where advertisers choose to use third-party click-tracking technologies (i.e. where an ad click directs the user’s browser to a third-party measurement vendor en route to the advertiser’s landing page), they must do so in compliance with applicable law. Google’s vendor controls for publishers are not designed to cover click- tracking technologies.

Our policy requires that customers retain records of consent. At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.

Why has my publisher CMP been deemed as non compliant, I use a Certified CMP which has also been certified by the IAB?

Adopting a Certified CMP does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

Why has my website/app been deemed as non compliant, I use a Google Partner CMP?

For advertiser partners, the CMP partner program was created to assist advertisers in building and configuring consent banners on web/app and can support with consent mode integration. Working with any of these CMPs does not guarantee compliance with Google’s EU user consent policy, as this depends on the implementation of the CMP and the specific consent message presented to users (for more guidance on this, please refer to the question above 'Checklist for partners to avoid common mistakes when implementing a consent mechanism').

Do I need to follow this policy if I am using products that are using Privacy Sandbox APIs?

Yes. When using Privacy Sandbox APIs (including Topics, Protected Audience and Attribution Reporting) you will be accessing local storage. Since ePrivacy laws do not differentiate between personal and non-personal data, you will need to obtain consent regardless of your assessment on the nature of the data. The EU User Consent Policy requires you to obtain valid user consent for these actions in the same way as you rely on consent today for ads personalisation and the use of non-essential local storage to the extent legally required. More information on the Privacy Sandbox.

No, we do not have an expectation for advertisers to send a verified consent signal to Google for UK or Swiss traffic (either via consent mode, or TCF). Note: the requirement to send verified consent signals does apply to advertisers with traffic from end users in the European Economic Area (EEA). We recommend working with a Google CMP Partner for implementation guidance. Note: This list is not exhaustive of all CMPs available and Google does not require advertisers to use a CMP from the partner Program.

Google’s EU User Consent Policy has long required customers using our advertising products to obtain legally valid consent for the use of cookies or other local storage where legally required. Note this obligation is not limited to cookies and mobile IDs. Based on our understanding of applicable law in the EEA and the UK, this obligation will apply, for example, to fingerprinting used for ads personalisation or ads measurement.

We recommend working with your legal team to understand your obligations under applicable data protection and ePrivacy regulatory guidance and the EU User Consent Policy as it applies to your use of local storage. To the extent that you rely on the Transparency and Consent Framework (TCF) to send consent signals to Google, you may also find these resources helpful in understanding how the TCF can support you with compliance.

Google’s original EU User Consent Policy was updated on 25 May 2018. To reflect the UK’s evolving relationship with the European Union, minor changes were made on 31 October 2019.

In July 2024, we updated and expanded the EU User Consent Policy to include Switzerland.

No further changes to the policy are anticipated at this time but, as noted above, we will continue to evaluate the law and industry practice and update our recommendations and requirements accordingly.