Google has a long history of taking a user-first approach in everything we do. As a part of our commitment to users, we do not sell personal information. We give users transparency and control over their ad experiences via My Ad CentreMy Account and several other features to help you manage your account.

Per our Personalised advertising policy, we don’t use sensitive information like health, race, religion or sexual orientation to personalise ads. We also invest in initiatives such as the Coalition for Better Ads, the Google News Initiative, and ads.txt to support a healthy and sustainable ads ecosystem.

Google welcomes privacy laws that protect consumers. In May 2018, we launched several updates to help publishers comply with the General Data Protection Regulation (GDPR) in the EEA.

We’re building on that feature set by offering restricted data processing, which will operate as set forth below, to help publishers manage their compliance with US states privacy laws.

Service provider terms

Google already offers data protection terms pursuant to the General Data Protection Regulation (GDPR) in Europe. We are now also offering service provider terms, which will supplement those existing data protection terms, effective 1 January 2023.

For customers on our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms. For such customers, there is no action required on your part to add the service provider terms into your contract.

Select a data processing setting

By default, data processing in AdSense isn’t restricted and personalised ads will be shown to users on your site or app. To restrict data processing and only show non-personalised ads to eligible users in applicable US states, you need to change the CPRA settings.

These settings don’t control data you may be sharing outside of your account, for example through mediation.

Note: Though the AdSense UI indicates CPRA settings, the setting will apply to all US states covered by privacy legislation.

To change the CPRA data processing settings for your entire account, complete the following steps:

  1. Sign in to your AdSense account.
  2. Click Blocking Controls and then Content and then All sites.
  3. Click Manage CPRA settings.
  4. Select the option you want to apply to your AdSense account.
  5. Click Save changes.
Tip: If you choose not to restrict data processing across your account, you can restrict processing at an ad request level.

Don’t restrict data processing

If you choose ‘Don’t restrict data processing’, you can select the advertising partners that are eligible to receive bid requests for users that Google determines are in California.

Complete the following steps to specify eligible advertising partners.

  1. Sign in to your AdSense account.
  2. Click Blocking Controls and then Content and then All sites.
  3. Click Manage CPRA settings.
  4. In the ‘Review your ad partners’ section, select the list you want to use.
    • Use active ad partners: Use the list of all available advertising partners provided within this feature’s setting. Google and all active advertising partners are eligible for bid requests from users Google determines are in the applicable US states.
    • Custom ad partner: Customise the list of all available advertising partners to create your own custom list. Only selected advertising partners are eligible for bid requests from users Google determines are in the applicable US states. Under this option, users in your AdSense account are notified when new advertising partners join the platform. New advertising partners are not automatically added to your custom list and can be manually included.
  5. Click Save changes.

Restrict data processing

When a publisher enables restricted data processing, on the publisher’s instruction Google will further limit how it uses data and begin serving non-personalised ads only.

Non-personalised ads are not based on a user’s past behaviour. They’re targeted using contextual information, including coarse (such as city-level, but not ZIP/postcode) geo-targeting based on current location, and content on the current site or app or current query terms. Google disallows all interest-based audience targeting, including demographic targeting and user list targeting when in restricted data processing mode.

Restricted data processing options:

Publishers must decide for themselves when and how to enable restricted data processing mode, based on their own compliance obligations and legal analysis. Two common scenarios are below.

  1. Some publishers may choose not to display a ‘Do Not Sell My Personal Information’ link on their properties. Such publishers may choose to enable restricted data processing for all of their programmatic traffic for users in the applicable US states via a network control. If they select this option, Google will use user IP addresses to determine the location of users and enable restricted data processing mode for any users we can detect have an IP address in applicable US states.
  2. Alternatively, other publishers may choose to display a ‘Do Not Sell My Personal Information’ link. Such publishers may choose to send a restricted data processing signal on a per-request basis once a user has opted out of the sale of their personal information.

Finally, partners who have implemented the Global Privacy Control may choose to enable restricted data processing when they receive a GPC opt-out signal.

 

This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics.

As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers

 

Websites in the EU which use lines of browser-readable text known as cookies can only do so with users’ consent, and they must provide information about the use to site users.

The EU’s E-Privacy Directive of 2002 required that website visitors be given certain information about cookies.

From 26 May 2011 the law changed meaning that in addition to the provision of certain information visitors must give their consent to the placing of cookies. In the UK this change was implemented by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR).

From 25 May 2018 the General Data Protection Regulation (GDPR) came into force. It says that consent for data processing has to be given by users through a “clear affirmative action” and it must be freely given, specific, informed and unambiguous.

Because each EU country has some discretion in how it implements a Directive, the cookie laws in other European countries may differ from those of the UK which are set out in PECR.

PECR

The relevant rules are found in amended regulation 6, which reads as follows:

6. – (1) Subject to paragraph (4), a person shall not store or gain information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment –

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) has given his or her consent.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information –

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

What does this mean?

PECR means that a website operator must not store information or gain access to information stored in the computer or other web-enabled device of a user unless the user “is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information” and “has given his or her consent”. The consent requirement in the UK Regulations replaces the previous position which provided that visitors should be given the option to refuse cookies.

The only cookies that do not need users’ consent are those that are necessary to fulfil the user’s request. That will cover, for example, the use of cookies to remember the contents of a user’s shopping basket as they move between pages on a website. Other cookies, including those used to count visitors to a site and those used to serve advertising, will require consent. So will third party cookies that are used on the website.

The consent requirement has been the subject of much discussion but it is difficult to see how anything other than prior consent will comply with the wording of the UK Regulations.

ICO guidance says: “If you do need consent, then – to be valid – consent must be knowingly and freely given, clear and specific…it must involve some form of very clear positive action – for example, ticking a box, clicking an icon, or sending an email – and the person must fully understand that they are giving you consent.”

The GDPR says that consent is “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The phrase “by a statement or by a clear affirmative action” was newly introduced by the GDPR and increases the burden on organisations to ensure that a user has taken a specific, measurable action to give consent, such as ticking a box or clicking to accept a message.

Its cookies guidance says: “You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do.”

Although the ICO’s guidance suggests a number of methods to obtain consent it stops short of providing definitive guidance on how to achieve compliance, leaving it to businesses and organisations to review their use of cookies and consider how they might be able to obtain the necessary consent.

Both the ICO and the UK government have not ruled out the use of browser settings to achieve compliance in the future, but the ICO advises businesses to obtain consent some other way.

The guidance states: “At present, most browser settings are not sophisticated enough to allow you to assume that the user has given consent to allow your website to set a cookie. Also, not everyone who visits your site will do so using a browser. They may, for example, have used an application on their mobile device. So, for now we are advising organisations which use cookies or other means of storing information on a user’s equipment that they have to gain consent some other way”.

As a result, a number of companies have developed cookie tools and privacy management software which allow an individual to set their cookies preferences by enabling them, for example, to reject the use of analytical, marketing or advertising cookies. Such tools are also a mechanism through which the website owner can seek to obtain and record the individuals’ consent so that they can evidence such consent at a later date. These tools also allow an individual to change their preferences. This is important as an individual has the right to withdraw their consent as easily as they have given it. As such tools and software are relatively new to the market they have not as yet been given any regulatory or supervisory authority approval.