The Google EU user consent policy is a component of online data privacy compliance requirements for businesses that use Google’s services in the European Union and European Economic Area. The policy aligns with the requirements set forth by two significant European privacy laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Additionally, the policy takes the Data Protection Act into account, which is the UK’s equivalent regulatory implementation to the GDPR.
Google introduced the EU user consent policy in 2015, with a significant update on May 25, 2018 when the GDPR came into force.
This policy is especially significant in digital advertising. For marketers and pay-per-click specialists, it sets the foundation for responsible data handling, ethical marketing practices, respect for user privacy, and building trust in digital markets.
We explore who the EU user consent policy applies to, what its requirements are, and how to take corrective steps if you’ve received a notice of noncompliance from Google.
Who does the EU user consent policy apply to?
The Google EU user consent policy applies specifically to data collected from end users located in the European Union (EU), European Economic Area (EEA), and/or the United Kingdom (UK), if the business collecting the data:
- has an agreement with Google that includes the policy
- uses Google products that incorporate the policy
A common misconception is that businesses outside the EU, EEA and/or UK don’t need to comply with the policy. The EU user consent policy applies to end users located in these regions, regardless of where the business aiming to collect their data is based.
Google’s advertising and measurement products and services, including AdSense, AdManager, AdMob and Google Analytics Advertising Features, require businesses to meet the specifications of this policy.
Other Google products that come under the scope of this policy are Google Maps Platform Terms of Service, the YouTube API Services Terms of Service, the reCAPTCHA Terms of Service, and in Blogger.
The EU user consent policy impacts websites and apps that meet two specific criteria:
- they use cookies or other local storage where legally required
- they collect, share, and use personal data for ad personalization
Google defines ads as personalized when they rely on previously collected or historical data to influence ad selection. This encompasses factors like a user’s past search queries, online activity, site or app visits, demographic details, and location.
If a website or app serves non-personalized ads using only contextual information, but uses cookies or mobile identifiers where legally required, this policy still applies.
Learn why a Google-certified CMP like Usercentrics is essential for serving ads in the EU and EEA
Requirements for Google business users under the EU user consent policy
Google has separate requirements under the policy based on who is collecting the data, which it defines as “properties under your control” and “properties under a third party’s control”.
If you use a Google product and this results in the sharing of a third party’s end-user personal data with Google, you must employ “commercially reasonable efforts” to ensure that the third party adheres to this policy.
For properties that are under your control, or under the control of an affiliate or client, Google has laid out several requirements.
1. Obtaining legally valid consent
Legally valid consent under the GDPR (Art. 7) means users must actively agree to the collection and use of their personal data. Under both the GDPR and the Data Protection Act, consent should be freely given, specific, informed and unambiguous (Recital 32). Explicit consent is valid consent under the applicable data privacy laws.
Learn how to obtain GDPR-compliant consent from users on our blog: 7 Criteria for a GDPR-compliant Consent
2. Retaining consent records
Businesses must keep detailed records of how and when consent was obtained from users. Google has specified that, at a minimum, this includes documenting the text and consent choices presented to users, and the date and time when users gave their consent.
3. Providing clear instructions for revocation of consent
Users must be informed about how they can withdraw their consent to receive personalized ads. Minimum expectations include having easy access to ad controls on the website or app, or through general settings provided by Google or on their device.
4. Identifying each party involved in data handling
The user consent policy mandates the identification of every party that has access to the user’s personal data as a result of using a Google product, including in the collection, reception, or use of personal data.
There must also be transparent and accessible information regarding how each party uses personal data.
What happens if you don’t comply with the EU user consent policy?
Noncompliance with Google’s EU user consent policy carries significant consequences that affect both the operation of websites and apps and their broader legal standing.
Suspension of Google services or termination of agreement
Google reviewers regularly visit websites and apps that use its advertising services to assess whether they are providing clear information and obtaining proper consent as per the policy guidelines. If a website or app is found to be noncompliant, it will receive a notification from Google with a deadline to rectify these issues.
Failing to address the concerns within this period can lead to more severe measures. Google may suspend the noncompliant entity from using its advertising services, which can significantly affect its ability to generate revenue through these channels.
Websites or apps that have received a noncompliance notice must take corrective measures to comply with the policy. Among these measures is using a consent management platform (CMP), which can help you:
- obtain legally valid consent as per the policy’s consent requirements
- securely store and maintain records of consent that the policy requires
- identify and communicate information about all parties with access to user data
- provide clear and accessible mechanisms for users to withdraw consent
Legal and financial ramifications of noncompliance
Noncompliance with the EU user consent policy also poses a significant risk under the GDPR and/or Data Protection Act, including incurring substantial penalties for not obtaining compliant consent.
For first-time or less severe infractions, penalties can be as high as €10 million or 2% of the company’s global annual revenue for the preceding financial year. For repeat violations or more severe breaches, penalties may escalate to €20 million or 4% of global annual revenue, whichever is higher.
Find out how to meet Google’s EU privacy requirements with Usercentrics CMP.
How Usercentrics can help enable compliance with the EU user consent policy
In a move that specifically impacts digital advertising, Google announced on May 16, 2023 that publishers and advertisers using Google AdSense, Ad Manager, or AdMob must use a certified consent management platform that integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF) v2.2 as of January 16, 2024 to serve ads to end users in the EU/EEA and UK.
A Google-certified CMP enables websites and apps to comply with the EU user consent policy’s requirements, including obtaining legally valid user consent, enabling revocation of consent, and disclosure about collection and use of personal data.
Usercentrics’ consent management platform (CMP) was among the first certified CMPs when Google launched its CMP Partner Program for Google Consent Mode in September 2022. All our CMP products—Usercentrics Web and App CMPs and Cookiebot CMP—are certified by Google for this purpose.
Here’s how Usercentrics CMP makes Google consent compliance simpler and more effective.
1. Simplifying consent collection
Usercentrics CMP streamlines securing legally valid end-user consent. It enables obtaining GDPR-compliant consent with explicit opt-in and granular consent mechanisms, and full consent banner customization.
2. Easy consent withdrawal options
Usercentrics CMP enables your website or app users to update or revoke their consent just as easily as they gave it. This aligns with the user consent policy’s specific requirement of consent withdrawal options for users.
3. Transparent data usage information
With Usercentrics CMP, you can identify, for each of your websites and apps, all parties that may collect, receive, or use personal data, and lay out how and why data is being used as per the policy’s requirements for sharing clear information about the use of personal data.
4. WordPress plugin and content management system (CMS) integrations
Usercentrics CMP offers seamless integrations, including a dedicated WordPress Plugin, which simplifies implementation and consent management for WordPress-powered websites.
Other CMS and ecommerce platform integrations include Adobe Experience Manager, Shopify, Typo3, among others.
Besides CMS systems, Usercentrics integrates with a variety of ecommerce marketing tools, like Stripe, Zapier or HubSpot. This simplifies managing consent across different websites and online services.
5. Google platform integrations
For businesses using Google products and services, such as AdSense, AdManager, AdMob, Google Analytics 4 (GA4), Google Consent Mode, and Google Tag Manager, Usercentrics CMP seamlessly integrates with these platforms. This makes it easy to set up and use without disrupting advertising campaigns and analytics.
6. Access to a partner network
For additional support, Usercentrics offers a global partner network that serves as a valuable resource for prospects and customers.
Connect with marketing agencies and legal service providers that implement, maintain, optimize and support the Usercentrics Web and App CMPs. This network provides an extra layer of support for navigating the complexities of data privacy compliance.
7. Free trial option
Curious about how Usercentrics CMP can help you continue using the Google products you love and depend on, while maintaining compliance with privacy regulations and Google’s own consent policy? What better way to explore our platform capabilities than through a free trial?
This 30-day trial period will grant you full access to all advanced features in the Starter Plan, as well as full access to ticket support, guides, and documentation. The trial expires automatically after 30 days so there’s zero risk and no commitment required from your side upfront.
8. Demos and consultations
If you’re looking for more in-depth information or personalized guidance, you can choose to book a demo or an expert consultation and have all your consent management questions answered. We want you to have a better understanding of how Usercentrics CMP can be tailored to your specific data privacy compliance and business requirements.
A practical guide for complying with the Google EU user consent policy
The easiest way to comply with the Google EU user consent policy, GDPR, and other privacy regulations is through a consent management platform. Use Usercentrics consent management platform (CMP) with your website or app to enable:
- compliance with the GDPR, DMA, CCPA, and other privacy laws
- application of privacy requirements based on user geolocation
- obtaining consent before your or third-party scripts load
- platform flexibility for desktop and mobile devices, as well as for mobile apps, games and connected TV apps.
- consent banner customization to match your brand style
You can also create a privacy policy for your website or app easily through our dynamic privacy policy generator. With this integration with Termageddon, you’re able to set up your Privacy Policy, Terms of Service, and other policies in less than 30 minutes.
For more on how to generate comprehensive and easy to understand policies, check these additional resources:
For more support resources and implementation documentation, check our support page.