Google has informed the largest web agencies in Europe that Google will scan Ads-users to check whether they are compliant with Google’s EU User Consent Policy – an agreement that adheres to the GDPR, the ePrivacy directive and equivalent legislation in the UK.
The audit will begin on May 1 and affects Google Ads-users in EU/EES.
If the Ads-users are not compliant, they risk having their conversion tracking deactivated, their remarketing lists deactivated, and ultimately, their entire ad account suspended.
How do you know if you are cookie-compliant in adherence to Google’s EU User Consent Policy? Let’s begin by clarifying the policy.
What is Google’s EU User Consent Policy?
Google’s EU User Consent Policy is an agreement between Google and anyone using their products in the European Economic Area (EEA)* and the United Kingdom (UK) markets.
Google’s EU User Consent Policy mirrors:
*EEA is all EU-member states plus Iceland, Liechtenstein, and Norway.
Is Google’s EU User Consent Policy a brand new agreement?
No, it was first introduced in 2015 and was updated on May 25, 2018, when the General Data Protection Regulation (GDPR) was enforced. Minor changes were made on October 31, 2019.
How will Google ensure compliance with the EU User Consent Policy?
As of this latest update, sent out to the biggest agencies in Denmark, Google will ensure compliance by scanning websites that use their Google Ads product. If a site is found to have a non-compliant cookie-banner, they will be notified.
Google has informed that they will begin auditing websites that use Google Ads within the EEA and the UK as of May 1, 2024.
What do I need to do in order to adhere to Google’s EU User Consent Policy?
In short, you need to collect freely given consent in a transparent manner from your visitors or users, in accordance with the requirements in the ePrivacy directive, and in line with how the GDPR defines consent.
The policy applies to both websites and mobile applications.
To make this process easier, Google recommends that you use a Google-certified Consent Management Platform (a CMP), such as Cookie Information.
What does the need to collect consent mean in Google’s EU User Consent Policy?
1.This may go without saying, but first, your cookie banner has to be displayed when a visitor or user from the EEA accesses it.
2. Then, you have to make sure that the cookie banner informs your visitors or users how their personal data will be used if they give their consent.
So your visitors can understand what they are asked to say yes or no to, they need to be informed how you wish to use their personal data for personalized ads and that cookies may be used for both personalized and non-personalized advertising.
3. In addition to this, you also have to ensure that visitors/users can see which third parties (including Google) will have access to the user data you collect on your site/app.
4.Google also underlines that you must include a link to Google’sBusiness Data Responsibility Site on the cookie banner so your website visitors and app users can access the full disclosure of how Google will use their personal data if they answer yes on the cookie banner. The same goes for other third parties you may use, for which you thus need to collect consent.
5.No cookies are allowed to be set beforethe user/visitor has consented. Google underlines that even their non-personalized ads still require cookies to operate. So, you can never fire Google tags for personalized ads before consent is obtained.
6. Google also stresses that you have to allow the end website or app user/visitor to revoke their consent. This means that end users have to be informed how they can withdraw their consent and that it has to be just as easy to withdraw it as it was to give consent.
Do I need to keep a record of the consents?
Yes, according to Google you need to make sure that you collect and store your users/visitors consent:
“At a minimum, these should include the text and choices presented to users as part of a consent mechanism and a record of the date and time of the user’s affirmative consent.”
I use a cookie banner on my website today. Is it "EU User Consent Policy-compliant"?
As stated before, Google recommends using a certified cookie-banner provider, aka CMP-prodivider, since that will make it easier to follow Google’s requirements. It also ensures the cookie-banner is correctly integrated with Google Consent Mode v2. The latter is of utmost importance if you, as a marketer, intend to get the most out of Google Ads and Analytics while staying compliant in accordance with the EU User Consent Policy.
If you want to ensure your cookie-banner is set up correctly, you can test it here for free.
Does Google’s EU User Consent Policy apply even if I do not use personal data for personalized ads?
Yes.
Also, the non-personalized ads that Google serves on websites or apps require cookies or mobile identifiers. Hence, consent is required.
Will Google’s EU User Consent Policy still be applicable when the third-party cookie is gone?
Yes.
The new so-called Privacy Sandbox APIs in Chrome, which will replace the third-party cookie, will still require consent in accordance with the legal frameworks which Google’s EU User Consent Policy is explicitly based on.
Make sure your website is compliant today, by implementing a CMP. It’s free for 30 days, and Google Consent Mode v2 is included.