Google Ads EU User Consent Policy Update

Comply Using Termly

To comply with international law, Google Ads updated its European Union (EU) consent policy in May 2022. They had to update because Google Ads uses cookies and other methods to track users in the European Union, European Economic Area (EEA), and the UK and must gain proper and valid consent to do so.

As a result, businesses using Google Ads with actual or potential customers in the EU, EEA, or the UK must disclose and obtain affirmative consent for the purposeful use of cookies and the collection, tracking, and sharing of personal data for ads personalization.

Table of Contents
  1. Google’s New EU Consent Policy Requirements
  2. Why Is Consent Necessary?
  3. Methods of Gaining Consent
  4. Comply or Risk Losing Your Account
  5. Checklist to Ensure Compliance
  6. Summary

Google has had EU consent policies in place since 2015. These policies were updated in May 2018 when the GDPR came into effect.

However, in May of 2022, Google updated its EU user consent policy again to comply with international law.

The updated Google user consent policy aims to ensure that all EU, EEA, and UK users receive disclosures related to the specific data collected and, perhaps most importantly, with whom the data is shared and how that data is used.

Providing such detailed information as Google Ads does requires cookies and other tracking methods to collect every bit of personal data about users, whether provided automatically or voluntarily.

However, for Google and its service users to comply with the law, the updated Google Ads EU user consent policy requires that you must obtain the following:

  • EU/EEA/UK website visitors must consent to personal data collection
  • EU/EEA/UK website visitors must consent to the use of cookies to track them
  • EU/EEA/UK website visitors must consent to the sharing of personal information with Google or other third parties
  • EU/EEA/UK website visitors must consent to cross-tracking over websites

Ultimately, this places a cookie notice requirement on businesses, websites, and applications that fall under the Directive and updated policy.

Rules for Properties Under Your Control

When evaluating whether you are required to follow the Google Ads EU user consent policy, understand that it is triggered when Google services get used on websites or applications that are:

  • Under your control
  • Under the control of an affiliate
  • Under the control of any of your clients

Whenever Google Ad products get used on properties under your control, you must obtain legally valid consent from end-users in the UK and the EU/EEA. That consent covers the use of cookies, local storage where required, and the collection, sharing, and use of personal data for the personalization of ads.

Additional requirements include:

  • Retaining records of consent given by EU/EEA and UK end-users
  • Providing end-users with clear instructions for revocation of consent

As a result of your use of a Google product, the consent notification requirements attach to all properties under your control, and you must clearly identify each third party that may collect, receive, or use that same personal data. This notification also requires that you provide information about how those third parties use the personal data.

Rules for Properties Not Under Your Control

To provide some management over the use of personal data by a third party not under your control, you must use commercially reasonable efforts to ensure that the third party operator complies with consent and disclosure requirements.

If the operator is already using a Google product incorporates the updated Google Ads EU user consent policy, that burden is alleviated.

Google is so embedded in users’ online activities that it is difficult to ascertain when, where, and how it collects data and tracks user movement. This is why some countries have instituted strict disclosure and consent laws.

The overriding purpose is to empower users and give them more control over their personal information (PI).

To extend that control to users, Google Analytics offers customization to website owners on what types of data are collected. In addition, an opt-out browser extension is offered to users who don’t want to be tracked by Google.

Consent Banners

Banners are a convenient method of disclosing information to users and providing a method to gain consent. Cookies will not be placed on user’s browsers unless aspecific affirmative action is taken. This option can include setting preferences or opting out of consent completely. Users may then continue onto the site with their preferences in place.

Continued Browsing or Scrolling Is Not Consent

Under Google Ad’s EU user consent policy the consent mechanism for cookies must satisfy each member state’s requirements. Consent requires detailed disclosures and an active indication of a user’s wishes by affirmative behavior.

Note that each member state may have a consent mechanism that may exclude certain actions. For example, Germany, France, and the UK have provisions that provide that continuing navigation or scrolling is too ambiguous and not an acceptable mechanism for gaining valid consent.

As every member state can be distinct in its laws, the best method to approach consent is to have a cookie consent manager that has the option to easily disable or enable the feature that allows consent through continued browsing or scrolling.

Cookie Walls Not Allowed for Consent

In all cases, valid consent requires that users make their choices freely.

If a user is not allowed to enter your general website unless they consent to all of your cookies, your actions can make the consent invalid. Forcing a user to consent before they can have basic access to your site is considered coercive. This is because the user really has no actual choice.

Your websites should not make general access conditional on a user accepting all cookies. However, if the user does not consent to cookies, you may be able to limit certain content.  There are also exceptions for sites whose ability to provide services is directly related to consent.

Comply or Risk Losing Your Account

A violation of the updated Google’s consent policy will lead to the suspension or termination of your Google account.

However, the suspension will not be immediate. At least seven days prior, a warning will be issued and you will have the opportunity to work with Google to help you achieve compliance and demonstrate a good faith effort to do so.

It’s unclear how Google will locate violators of its updated EU Google user consent policy.

Google states that it will conduct reviews of sites and apps that employ any of its advertising services. The process involves acting as a consumer and reviewing how consent is obtained and disclosure is made.

To help to address questions and issues related to the EU user consent policy, Google has added a detailed help page.  As an added compliance measure, if your users find a site that does not meet Google’s EU user consent policy, they can let Google know by submitting a report policy violation form.

Checklist to Ensure Compliance

  • Explain how personal data will be used in an privacy policy
  • Focus on potential tracking and sharing with third parties
  • Disclose that cookies may be used for both personalized and non-personalized ads in a cookie policy
  • Disclose that access to the data may be available to Google or other third parties
  • Make sure your consent notice is clearly displayed at the first visit from users in the EU/EEA/UK
  • Provide an affirmative action to opt out, consent, or set cookie preferences


Google Ads may track your users’ personal information, including a massive quantity of critical information like how many ads your users click, how much time they spend on a given site, their entire search history, demographics, and sometimes even where they’re located.

You must make such disclosures to your users in the EU and UK and obtain their consent for the gathering of information used to produce personal ads.

By following the updated Google Ads EU user consent policy, you increase your users’ awareness of how and why their personal data is collected and what is being done with it. The updated policy creates a safer and more empowered browsing experience for your users in the UK and the EU.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources