Google's EU user consent policy

The EU user consent policy has been around since 2015. The policy is significant for the digital advertising ecosystem, as it sets out requirements for advertisers using Google products like Ads and Analytics. Here, we explore who the policy applies to, what its requirements are, and how to comply with it.

What is the EU user consent policy?

From the world’s most popular search engine to nifty weather apps gracing our phones, it’s hard to imagine a digital world without Google.

With its diverse array of applications and services, one omnipresent entity tying them all together is Google’s technology. Consequently, it’s non-negotiable for users to understand the norms governing this critical player.

Enter the EU user consent policy.

A part of Google’s broader privacy framework, the EU user consent policy, adapts the general rules of EU data protection laws to its global digital environment. Essentially, it stipulates how companies using Google’s technology should obtain and record consent from users in the European Economic Area (EEA) and United Kingdom (UK). Beginning July 31, 2024, the policy will also apply to Switzerland.

The core of the policy

At its heart, this policy emphasizes transparency, choice, and control. Any user dealing with a service using Google technology should be clear about the data collected about them, the purposes for which it’s being used, and the means available to control usage.

Fundamentally, the policy mirrors the requirements set out in the following privacy laws:
  1. The General Data Protection Regulation (GDPR)
  2. The ePrivacy Directive
  3. Any equivalent UK law

Why was the EU user consent policy introduced?

Google introduced the EU User Consent Policy in response to two critical EU data protection laws — the General Data Protection Regulation (GDPR) and the ePrivacy Directive. These laws, particularly the GDPR, marked a turning point in data privacy laws, placing heavy emphasis on user consent.

This policy is Google’s way of ensuring its numerous technologies align with these laws.

Google first introduced their policy in 2015, updated it when the GDPR came into force on May 25, 2018, and made further changes on October 31, 2019.

Who does the EU user consent policy apply to?

Quite simply, it applies to anyone, be it individuals, organizations, or developers who incorporate any Google technology in services targeted towards users in the EEA, UK, or Switzerland.

Examples of Google technologies that incorporate the EU user consent policy include:

  • Google Tag Manager
  • Google Ads
  • Google Analytics
  • Ad Manager
  • AdSense
  • AdMob

If you use Google technologies on a website, app, or any other property under your control, the policy applies to you. But, suppose your use of Google products results in the personal data of end users from a third-party property being shared with Google: in that case, you must also ensure that the third party complies with the policy.

How does the EU user consent policy affect advertisers?

While the EU User Consent Policy provides much-needed data protection for users, it also causes significant changes that advertisers must keep up with.

Advertisers can no longer conduct business as usual, and processing user data just got tougher. The policy enforces a standard that values transparency, choice, and control for users within the affected regions.

Changes in data collection and usage

The most important part lies in how data is collected and used. Advertisers need to obtain explicit consent from users before collecting their personal data. But it’s not just about getting consent; advertisers are required to provide clear information about:

  • what data is collected
  • how it is used
  • the purpose of its collection

Impact on ad targeting and personalization

One prominent side effect of the EU user consent policy is its influence on ad targeting and personalization. Previously, advertisers could blindly personalize ads based on user data collected without explicit consent. In contrast, now advertisers can only personalize ads with the user’s consent.

Every click, view, and touchpoint can no longer be used in personalization unless consent is given, meaning a potential challenge for many advertisers.

What happens if I don’t comply?

Google will ensure compliance by scanning websites that use their products. If your website or app fails to comply with the EU user consent policy, Google will notify you and work with you to help you ensure compliance. But, if you fail to ensure compliance within a reasonable timeframe, Google might take further action

These actions range from limiting your use of Google’s products, suspending your account(s), and, in extreme cases, terminating your agreement with Google.

How do you comply with the EU user consent policy?

Compliance with Google EU User Consent Policy involves a clear understanding of the terms and undertaking the necessary steps diligently. It starts with making sure any data is collected in a manner consistent with user consent.

Understand the policy

Getting acquainted with the details of Google’s EU user consent policy provides the backbone of a compliant strategy. The policy primarily revolves around the user’s right to privacy, detailing what Google considers as legal consent. Google’s official resources cover comprehensive details about the policy and explain the process of capturing user consent.

Obtain user consent

Next, finding an appropriate way to capture user consent is vital. Visibly accessible consent requests, clear language, and granular consent options are exemplary of best practices in obtaining user consent.

1. You need to get explicit consent from users to:

  • use cookies or other local storage if it’s legally required.
  • collect, share, and use their data to personalize ads.

2. When asking for their consent, you must:

  • keep records of the consent users give.
  • give users clear options for withdrawing their consent later.

3. You must tell users about every party that might collect, receive, or use their data due to your use of Google products.

4. You must make it easy for users to find information on how these parties use their data.

Google also underlines that you must include a link to Google’s Business Data Responsibility page on your cookie banner. This is to make it easy for website visitors and app users to access information on how Google might use their personal data — if they consent.

Tools for compliance

You can easily inform your users and obtain consents via a Consent Management Platform (CMP). Implementing a CMP on your website or app is a big part of complying with the EU user consent policy; as of January 16, 2024, Google requires websites using Google Ads to implement a CMP from one of their Certified CMP Partners.

Cookie Information is one of those Partners, and it’s free to try for 30 days.

However, it’s important that you ensure your CMP is set up correctly to meet all of Google’s requirements.

You can find a helpful list of common mistakes to avoid when implementing a CMP on Google’s EU user consent policy help page.