The Google EU user consent policy is a component of online data privacy compliance requirements for businesses that use Google’s services in the European Union and European Economic Area. The policy aligns with the requirements set forth by two significant European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Additionally, the policy takes the Data Protection Act into account, which is the UK’s equivalent regulatory implementation to the GDPR.
Google introduced the EU user consent policy in 2015, with a significant update on May 25, 2018 when the GDPR came into force.
This policy is especially significant in digital advertising. For marketers and pay-per-click specialists, it sets the foundation for responsible data handling, ethical marketing practices, respect for user privacy, and building trust in digital markets.
We explore who the EU user consent policy applies to, what its requirements are, and how to take corrective steps if you’ve received a notice of noncompliance from Google.
Who does the EU user consent policy apply to?
The Google EU user consent policy applies specifically to data collected from end users located in the European Union (EU), European Economic Area (EEA), and/or the United Kingdom (UK), if the business collecting the data:
- has an agreement with Google that includes the policy
- uses Google products that incorporate the policy
A common misconception is that businesses outside the EU, EEA and/or UK don’t need to comply with the policy. The EU user consent policy applies to end users located in these regions, regardless of where the business aiming to collect their data is based.
Google’s advertising and measurement products and services, including AdSense, AdManager, AdMob and Google Analytics Advertising Features, require businesses to meet the specifications of this policy.
Other Google products that come under the scope of this policy are Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service, and in Blogger.
The EU user consent policy impacts websites and apps that meet two specific criteria:
- they use cookies or other local storage where legally required
- they collect, share, and use personal data for ad personalization
Google defines ads as personalized when they rely on previously collected or historical data to influence ad selection. This encompasses factors like a user’s past search queries, online activity, site or app visits, demographic details, and location.
If a website or app serves non-personalized ads using only contextual information, but uses cookies or mobile identifiers where legally required, this policy still applies.
Requirements for Google business users under the EU user consent policy
Google has separate requirements under the policy based on who is collecting the data, which it defines as “properties under your control” and “properties under a third party’s control”.
If you use a Google product and this results in the sharing of a third party’s end-user personal data with Google, you must employ “commercially reasonable efforts” to ensure that the third party adheres to this policy.
For properties that are under your control, or under the control of an affiliate or client, Google has laid out several requirements.
1. Obtaining legally valid consent
Legally valid consent under the GDPR (Art. 7) means users must actively agree to the collection and use of their personal data. Under both the GDPR and the Data Protection Act, consent should be freely given, specific, informed and unambiguous (Recital 32). Explicit consent is valid consent under the applicable data privacy laws.
2. Retaining consent records
Businesses must keep detailed records of how and when consent was obtained from users. Google has specified that, at a minimum, this includes documenting the text and consent choices presented to users, and the date and time when users gave their consent.
3. Providing clear instructions for revocation of consent
Users must be informed about how they can withdraw their consent to receive personalized ads. Minimum expectations include having easy access to ad controls on the website or app, or through general settings provided by Google or on their device.
4. Identifying each party involved in data handling
The user consent policy mandates the identification of every party that has access to the user’s personal data as a result of using a Google product, including in the collection, reception, or use of personal data.
There must also be transparent and accessible information regarding how each party uses personal data.
What happens if you don’t comply with the EU user consent policy?
Noncompliance with Google’s EU user consent policy carries significant consequences that affect both the operation of websites and apps and their broader legal standing.
Suspension of Google services or termination of agreement
Google reviewers regularly visit websites and apps that use its advertising services to assess whether they are providing clear information and obtaining proper consent as per the policy guidelines. If a website or app is found to be noncompliant, it will receive a notification from Google with a deadline to rectify these issues.
Failing to address the concerns within this period can lead to more severe measures. Google may suspend the noncompliant entity from using its advertising services, which can significantly affect its ability to generate revenue through these channels.
Websites or apps that have received a noncompliance notice must take corrective measures to comply with the policy. Among these measures is using a consent management platform (CMP), which can help you:
- obtain legally valid consent as per the policy’s consent requirements
- securely store and maintain records of consent that the policy requires
- identify and communicate information about all parties with access to user data
- provide clear and accessible mechanisms for users to withdraw consent
Legal and financial ramifications of noncompliance
Noncompliance with the EU user consent policy also poses a significant risk under the GDPR and/or Data Protection Act, including incurring substantial penalties for not obtaining compliant consent.
For first-time or less severe infractions, penalties can be as high as € 10 million or 2% of the company’s global annual revenue for the preceding financial year. For repeat violations or more severe breaches, penalties may escalate to € 20 million or 4% of global annual revenue, whichever is higher.
How Usercentrics can help enable compliance with the EU user consent policy
In a move that specifically impacts digital advertising, Google announced on May 16, 2023 that publishers and advertisers using Google AdSense, Ad Manager, or AdMob must use a certified consent management platform that integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) v2.2 as of January 16, 2024 to serve ads to end users in the EU/EEA and UK.
A Google-certified CMP enables websites and apps to comply with the EU user consent policy’s requirements, including obtaining legally valid user consent, enabling revocation of consent, and disclosure about collection and use of personal data.
Usercentrics’ consent management platform (CMP) was among the first certified CMPs when Google launched its CMP Partner Program for Google Consent Mode in September 2022. All our CMP products—Usercentrics Web and App CMPs and Cookiebot CMP—are certified by Google for this purpose.
Here’s how Usercentrics CMP makes Google consent compliance simpler and more effective.
1. Simplifying consent collection
Usercentrics CMP streamlines securing legally valid end-user consent. It enables obtaining GDPR-compliant consent with explicit opt-in and granular consent mechanisms, and full consent banner customization.
2. Easy consent withdrawal options
Usercentrics CMP enables your website or app users to update or revoke their consent just as easily as they gave it. This aligns with the user consent policy’s specific requirement of consent withdrawal options for users.
3. Transparent data usage information
With Usercentrics CMP, you can identify, for each of your websites and apps, all parties that may collect, receive, or use personal data, and lay out how and why data is being used as per the policy’s requirements for sharing clear information about the use of personal data.
4. WordPress plugin and content management system (CMS) integrations
Usercentrics CMP offers seamless integrations, including a dedicated WordPress Plugin, which simplifies implementation and consent management for WordPress-powered websites.
Other CMS and ecommerce platform integrations include Adobe Experience Manager, Shopify, Typo3, among others.
Besides CMS systems, Usercentrics integrates with a variety of ecommerce marketing tools, like Stripe, Zapier or HubSpot. This simplifies managing consent across different websites and online services.
5. Google platform integrations
For businesses using Google products and services, such as AdSense, AdManager, AdMob, Google Analytics 4 (GA4), Google Consent Mode, and Google Tag Manager, Usercentrics CMP seamlessly integrates with these platforms. This makes it easy to set up and use without disrupting advertising campaigns and analytics.
6. Access to a partner network
For additional support, Usercentrics offers a global partner network that serves as a valuable resource for prospects and customers.
Connect with marketing agencies and legal service providers that implement, maintain, optimize and support the Usercentrics Web and App CMPs. This network provides an extra layer of support for navigating the complexities of data privacy compliance.
7. Free trial option
Curious about how Usercentrics CMP can help you continue using the Google products you love and depend on, while maintaining compliance with privacy regulations and Google’s own consent policy? What better way to explore our platform capabilities than through a free trial?
This 30-day trial period will grant you full access to all advanced features in the Starter Plan, as well as full access to ticket support, guides, and documentation. The trial expires automatically after 30 days so there’s zero risk and no commitment required from your side upfront.
8. Demos and consultations
If you’re looking for more in-depth information or personalized guidance, you can choose to book a demo or an expert consultation and have all your consent management questions answered. We want you to have a better understanding of how Usercentrics CMP can be tailored to your specific data privacy compliance and business requirements.
A practical guide for complying with the Google EU user consent policy
The easiest way to comply with the Google EU user consent policy, GDPR, and other privacy regulations is through a consent management platform. Use Usercentrics consent management platform (CMP) with your website or app to enable:
- compliance with the GDPR, DMA, CCPA, and other privacy laws
- application of privacy requirements based on user geolocation
- obtaining consent before your or third-party scripts load
- platform flexibility for desktop and mobile devices, as well as for mobile apps, games and connected TV apps.
- consent banner customization to match your brand style
You can also create a privacy policy for your website or app easily through our dynamic privacy policy generator. With this integration with Termageddon, you’re able to set up your Privacy Policy, Terms of Service, and other policies in less than 30 minutes.
For more on how to generate comprehensive and easy to understand policies, check these additional resources:
For more support resources and implementation documentation, check our support page.
Get compliant consent under the EU user consent policy
FAQs
You can find more detailed information on Google’s dedicated pages below:
Google’s EU user consent policy is a crucial element of achieving GDPR compliance. It requires that Google’s service users reveal their cookie usage and secure permission from users accessing a website or app within the European Union (EU), European Economic Area (EEA), and/or the United Kingdom (UK).
The policy calls for consent to utilize cookies, personalize advertisements, or otherwise gather user data. Certain consent management platforms (CMPs), like Usercentrics, provide handy tools like consent banners and privacy policy generators to seamlessly integrate Google and other third-parties’ EU user consent policies into your privacy policy.
Google’s consent policy helps businesses operate transparently and ethically while navigating European digital markets.
You need to ensure the site or app mentioned in the email complies with the Google EU user consent policy. The key aspects to consider in implementing valid consent are:
- How you inform users about how and why their data is collected.
- Make sure you identify all the ways you may be collecting, receiving or using end users’ data through Google products.
- How and when you inform users that you use Data Processing Services like cookies and other tracking technologies on your website or app
- Check that your consent notice is being displayed when your site or app is accessed by users from all EU/EEA countries, ensuring it’s clearly visible and easily readable.
- Ensure users can choose to accept or reject consent at a granular level, and that for rejections, all collection, sharing, and usage of users’ data stops automatically.
- Include a link to Google’s and other third-party privacy & Terms of Use sites.
- If you use an IAB TCF-compliant CMP, include “Google Advertising Products” as a vendor.
No, Google is not in a position to validate whether your consent notices are following the GDPR, as it lacks knowledge about the unique circumstances of every company. Instead, you might want to consider leveraging Usercentrics’ consent management platform. This tool can help ensure your consent notices are fully GDPR-compliant. It’s a handy solution that can simplify this complex compliance aspect for you.
Interactive Advertising Bureau (IAB) Europe, the digital marketing and advertising industry’s association, has developed a brilliant answer to the GDPR compliance conundrum — the Transparency and Consent Framework (TCF). Now in version 2.2, the TCF serves as a standardized process to gather user consent, ensuring businesses operate within the GDPR’s requirements.
It’s crucial to pick a consent management platform (CMP) that’s registered with the IAB to help ensure smooth sailing. One such registered CMP is Usercentrics CMP, which not only integrates seamlessly with the TCF 2.2, but also keeps pace with the ever-changing EU regulations.
Plus, Usercentrics easily integrates with the most popular CMS platforms, including WordPress, Adobe Experience Manager, Shopify, Typo3, and others.
Yes, if your app or website incorporates Google Ads, you must secure consent from your European users for the usage of cookies and other tracking technologies by third-party entities, including Google. This concept of ‘cookie consent’ is particularly pertinent for users within countries that fall under the jurisdiction of the EU ePrivacy Directive’s cookie stipulations.
Google Ads gathers the page URL you are visiting and your IP address. Apps that utilize Google’s advertising services also share information with Google, like the app’s name and a unique identifier for advertising. Learn more about Google Ads and other Google services, as well as how to implement Google Consent Mode.
As Google Consent Mode-certified consent management platform (CMP) partner, Usercentrics CMP supports Google Consent Mode V2 signaling as launched in November 2023, to ensure our customers using Google products experience seamless integration with our standard CMP implementation.