Google’s New EU Consent Policy Requirements
Google has had EU consent policies in place since 2015. These policies were updated in May 2018 when the GDPR came into effect.
However, in May of 2022, Google updated its EU user consent policy again to comply with international law.
The updated Google user consent policy aims to ensure that all EU, EEA, and UK users receive disclosures related to the specific data collected and, perhaps most importantly, with whom the data is shared and how that data is used.
Providing such detailed information as Google Ads does requires cookies and other tracking methods to collect every bit of personal data about users, whether provided automatically or voluntarily.
However, for Google and its service users to comply with the law, the updated Google Ads EU user consent policy requires that you must obtain the following:
- EU/EEA/UK website visitors must consent to personal data collection
- EU/EEA/UK website visitors must consent to the sharing of personal information with Google or other third parties
- EU/EEA/UK website visitors must consent to cross-tracking over websites
Ultimately, this places a cookie notice requirement on businesses, websites, and applications that fall under the Directive and updated policy.
Rules for Properties Under Your Control
When evaluating whether you are required to follow the Google Ads EU user consent policy, understand that it is triggered when Google services get used on websites or applications that are:
- Under your control
- Under the control of an affiliate
- Under the control of any of your clients
Additional requirements include:
- Retaining records of consent given by EU/EEA and UK end-users
- Providing end-users with clear instructions for revocation of consent
As a result of your use of a Google product, the consent notification requirements attach to all properties under your control, and you must clearly identify each third party that may collect, receive, or use that same personal data. This notification also requires that you provide information about how those third parties use the personal data.
Rules for Properties Not Under Your Control
To provide some management over the use of personal data by a third party not under your control, you must use commercially reasonable efforts to ensure that the third party operator complies with consent and disclosure requirements.
If the operator is already using a Google product incorporates the updated Google Ads EU user consent policy, that burden is alleviated.
Why Is Consent Necessary?
Google is so embedded in users’ online activities that it is difficult to ascertain when, where, and how it collects data and tracks user movement. This is why some countries have instituted strict disclosure and consent laws.
The overriding purpose is to empower users and give them more control over their personal information (PI).
To extend that control to users, Google Analytics offers customization to website owners on what types of data are collected. In addition, an opt-out browser extension is offered to users who don’t want to be tracked by Google.
Methods of Gaining Consent
Banners are a convenient method of disclosing information to users and providing a method to gain consent. Cookies will not be placed on user’s browsers unless aspecific affirmative action is taken. This option can include setting preferences or opting out of consent completely. Users may then continue onto the site with their preferences in place.
Continued Browsing or Scrolling Is Not Consent
Under Google Ad’s EU user consent policy the consent mechanism for cookies must satisfy each member state’s requirements. Consent requires detailed disclosures and an active indication of a user’s wishes by affirmative behavior.
Note that each member state may have a consent mechanism that may exclude certain actions. For example, Germany, France, and the UK have provisions that provide that continuing navigation or scrolling is too ambiguous and not an acceptable mechanism for gaining valid consent.
As every member state can be distinct in its laws, the best method to approach consent is to have a cookie consent manager that has the option to easily disable or enable the feature that allows consent through continued browsing or scrolling.
Cookie Walls Not Allowed for Consent
In all cases, valid consent requires that users make their choices freely.
If a user is not allowed to enter your general website unless they consent to all of your cookies, your actions can make the consent invalid. Forcing a user to consent before they can have basic access to your site is considered coercive. This is because the user really has no actual choice.
Your websites should not make general access conditional on a user accepting all cookies. However, if the user does not consent to cookies, you may be able to limit certain content. There are also exceptions for sites whose ability to provide services is directly related to consent.
Comply or Risk Losing Your Account
A violation of the updated Google’s consent policy will lead to the suspension or termination of your Google account.
However, the suspension will not be immediate. At least seven days prior, a warning will be issued and you will have the opportunity to work with Google to help you achieve compliance and demonstrate a good faith effort to do so.
It’s unclear how Google will locate violators of its updated EU Google user consent policy.
Google states that it will conduct reviews of sites and apps that employ any of its advertising services. The process involves acting as a consumer and reviewing how consent is obtained and disclosure is made.
To help to address questions and issues related to the EU user consent policy, Google has added a detailed help page. As an added compliance measure, if your users find a site that does not meet Google’s EU user consent policy, they can let Google know by submitting a report policy violation form.
Checklist to Ensure Compliance
- Focus on potential tracking and sharing with third parties
- Disclose that access to the data may be available to Google or other third parties
- Make sure your consent notice is clearly displayed at the first visit from users in the EU/EEA/UK
- Provide an affirmative action to opt out, consent, or set cookie preferences
Google Ads may track your users’ personal information, including a massive quantity of critical information like how many ads your users click, how much time they spend on a given site, their entire search history, demographics, and sometimes even where they’re located.
You must make such disclosures to your users in the EU and UK and obtain their consent for the gathering of information used to produce personal ads.
By following the updated Google Ads EU user consent policy, you increase your users’ awareness of how and why their personal data is collected and what is being done with it. The updated policy creates a safer and more empowered browsing experience for your users in the UK and the EU.