The EU user consent policy reflects certain requirements of 2 European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive, as well as any equivalent UK laws. This policy applies to end users located in the EEA, the UK, and Switzerland. The EEA comprises the EU Member States and Iceland, Liechtenstein, and Norway. Learn more about the EUUCP.
On this page
- What is Google’s EU User Consent Policy?
- Why does Google conduct an EU User Consent Policy audit?
- Get detailed help troubleshooting each individual issue mentioned in your audit email
- Missing consent mechanism/banner
- Missing or incomplete personal data use disclosure
- User affirmative action not set up correctly
- Missing or incomplete data sharing disclosure
- Missing link to Google’s Business Data Responsibility Site
- Consent signal not set up correctly
- Cookies set before consent
- Consent Management Platform not set up correctly
What is Google’s EU User Consent Policy?
For details on Google’s EU User Consent Policy, review the policy page, as well as additional guidance on the Help with the EU user consent policy page.
Why does Google conduct an EU User Consent Policy audit?
Since introducing our policy in 2015, Google has conducted periodic audits of websites and apps that use our advertising services. A team of reviewers visit a website or app as a user would visit it, and look at the information provided and the consents obtained.
Our first priority will always be to work with our partners to get compliance right. If we find that a partner is not following our policy, our first step will be to contact the partner to indicate an issue, and to try to work with them to achieve compliance.
We give websites and apps a reasonable timeframe to make any necessary changes, but if the partner fails to engage with us or demonstrate a good-faith effort to achieve compliance, this might result in action on the account(s) in scope. These could include suspension of audience functionalities, for example, ad personalization & remarketing, and/or conversion measurement capabilities for advertisers; for publishers, only Limited Ad / programmatic limited ads will be eligible to serve (if programmatic limited ads are enabled).
Get detailed help troubleshooting each individual issue mentioned in your audit email
Make sure you have implemented a consent mechanism/banner. For publisher partners, ensure the consent mechanism/ banner has been certified by Google. Make sure your consent mechanism/banner is being displayed when your website/app is accessed by users from all EEA countries as well as from the UK and Switzerland.
- We expect users to see a clear consent notice on your site/app so that they can take affirmative action to indicate their decision, for example, clicking an “OK” button or an “I agree” button.
- We expect users to be told how the site/app will use data. You must make clear that their personal data/Cookies may be used for personalization of ads with specific reference to "ads personalization" on the first layer of your consent mechanism/banner.
- We expect users to be informed about how Google will use their personal data when they give consent on your site/app. You must link to Google's Business Data Responsibility Sitethrough your consent notice. You should link to the Business Data Responsibility Site either directly on your consent notice, or via a link to your privacy policy page (provided that the link is visible on the first layer of that page), or under “More Info” or similar link in the consent notice.
Advertiser partners can (but are not required to) use a Consent Management Platform (CMP) that has been certified by Google in the CMP partner program. A CMP can help manage consent banners and direct the consent management process, which begins when a user lands on your site/app and makes a consent choice on a CMP banner. CMPs in the CMP partner program provide seamless integration with Google consent mode, so you can capture valuable insights while protecting user privacy and send signals to Google that reflect end user preferences. For EEA traffic, advertisers are required to send signals to Google that reflect end user preferences via consent mode or TCF.
This is not an exhaustive list so we recommend that you please refer to the external checklist to avoid common mistakes when implementing a consent mechanism. You can also update the consent notice and let us know so that we can request the Google Policy team to re-audit.
We expect users to be told how the site/app will use data. You must make clear that cookies and personal data are used for personalized advertising in your consent notice/banner with specific reference to “ads personalization” on the first layer of your consent mechanism/banner.
Update the consent notice and let us know this has been done so that we can request the Google Policy team to re-audit.
Per bullet point 3 on our Help with EU User Consent Policy page, you need to give users an option to take affirmative action to indicate consent, for example, clicking an “OK” button or an “I agree” button.
After you’ve made the appropriate changes, let us know this has been done so that we can request the Google Policy team to re-audit.
Make sure you disclose which third parties, including Google, will also have access to the user data you collect on your website/app.
We expect that you include language either in the consent mechanism/banner or in the cookie/privacy policy page that makes it explicitly clear to the site/app user that their data will be shared with Google. This should also include a link to Google’s Business Data Responsibility Site.
After you’ve made the appropriate changes, let us know this has been done so that we can request the Google Policy team to re-audit.
We expect users to be informed about how Google will use their personal data when they give consent on your site/app. You should link to Google's Business Data Responsibility Site through your consent notice. It’s fine for this link to be part of a larger document, like your Privacy Policy, as long as you link to it directly from the Consent Banner.
If you already previously included a Google policy link, make sure it directs to https://business.safety.google/privacy/.
After you’ve made the appropriate changes, let us know this has been done so that we can request the Google Policy team to re-audit.
For advertisers, for your users in the EEA: Make sure you are sending validated consent signals to Google that reflect end user preferences. Make sure you appropriately implemented the latest version of consent mode or TCF.
Review our guide for troubleshooting your consent mode implementation. For more information on configuring consent mode and Google tags in accordance with our EU User Consent Policy, review Set up consent mode. If you need additional assistance, please contact your consent management platform (CMP) or reach out to our support team via our help center.
After you’ve made the appropriate changes, let us know this has been done so that we can request the Google Policy team to re-audit.
Make sure no cookies are set in the absence of consent to the extent consent is required? Note that the non-personalised ads that we serve on websites still require cookies to operate.
For Advertisers:
In order to ensure Google Advertising cookies are not being placed before receiving user consent, we suggest you work with your consent management platform (“CMP”) provider, where applicable.
In addition, you may refer to Google developer guides, including the following developer documentation for relevant Google products. Review below for suggestions on where to begin.
Google Products:
| Product(s) | Google Ads, Analytics, and Floodlight |
| Google Developer Documentation | Set up consent mode on websites | Tag Platform | Google for Developers |
| Method |
Depending on the products and features configured, Google ads and measurement products use mechanisms such as reading and writing cookies or sending HTTP requests to support analytics, conversion measurement, and personalized advertising. It is possible to restrict the use of these mechanisms to reflect user consent choices. For example, you can configure your Google tags to not read or write cookies until consent is provided from the user by utilizing the tag command gtag('consent', 'default', ...). Review the provided developer documentation for full details. |
For Publishers:
In order to ensure Google Advertising cookies are not placed before user consent is obtained, we suggest you work with your consent management platform (“CMP”) provider.
In addition, you may refer to Google developer guides, including the following developer documentation for relevant Google products. Review below for suggestions on where to begin.
Google Products:
| Product(s) | Ad Manager |
| Google Developer Documentation | GPT Reference | Google Publisher Tag |
| Method | Review documentation to ensure that Google Publisher Tags (GPT) are correctly implemented on your page. Additionally, review documentation from your CMP to ensure that it is correctly implemented on your page. When both are correctly implemented, Google Publisher Tags will not access cookies or local storage for non-essential purposes unless the user has consented. |
| Product(s) | AdSense |
| Google Developer Documentation | |
| Method | Review documentation to ensure that AdSense code is correctly implemented on your page. Additionally, review documentation from your CMP to ensure that it is correctly implemented on your page. When both are correctly implemented, AdSense will not access cookies or local storage for non-essential purposes unless the user has consented. |
| Product(s) | AdSense for Search |
| Google Developer Documentation | |
| Method | If you don’t have consent for Google for Purpose 1 (Store and/or access information on a device), you should not call the Adsense for Search ad tag. |
After you’ve made the appropriate changes, let us know this has been done so that we can request the Google Policy team to re-audit.
For Publishers, make sure you have adopted a Google certified CMP in accordance with TCF requirements. To the extent you leverage Additional Consent, ensure you correctly implemented it.
Make sure that your website generates TC and/or AC strings which reflect a user’s consent choices and/or there are no issues with how consent choices were presented to the user.
Ensure that in your consent banner implementation end-users can give granular and specific consent choices with respect to IAB purposes (see IAB TCF Policies, Appendix A), and that these choices are reflected in the TC string. If a user has not consented to Purposes 1, 3, or 4 either no TC string should be generated, or Purposes 1, 3, or 4 should show as deconsented in the TC string.
The following is applicable only if you have integrated with Google Additional Consent technical specification. Please ensure that in your consent banner implementation:
- The UI must make it possible for users to distinguish between IAB Vendors registered with the IAB Framework, and companies that are not yet registered with the IAB Europe Global Vendor List but are on Google's Ad Tech Providers (ATP) list;
- If a user has not consented to TCF Purposes 1, 3 or 4 then either no Additional Consent (AC) string should be generated or the AC string should not show any consented vendors;
- Users can make granular and specific consent choices with respect to each Vendor;
- If a user has deconsented a vendor it should not show as consented in the AC string.
We encourage you to reach out to your CMP if you need assistance correcting your implementation.
After you’ve made the appropriate changes, let us know this has been done so that we can request the Google Policy team to re-audit.