Usercentrics CMPs were among the first consent management platforms certified by Google when it launched its CMP Partner Program in September 2022. Usercentrics CMP and Cookiebot CMP have now been awarded Google’s Gold Tier certification in the company’s CMP Partner Program.
This certification guides Google customers toward a consent management platform that offers outstanding customer support, meets certain technical requirements, and is easy to set up with Consent Mode.
As user privacy expectations continue to evolve, Google has recently updated its data privacy and consent requirements in Europe, the UK, and Switzerland. Consent mode receives your users’ consent choices from your cookie banner or widget and dynamically adapts the behaviour of Analytics, Ads and third-party tags that create or read cookies.
In addition to the Gold Tier certification, Usercentrics CMP and Cookiebot CMP are two of a small number of direct integrations currently available within the Google tag user interface inside of Google Ads, Google Analytics, and Google Tag Manager to provide this straightforward and user-friendly functionality.
“Privacy is a core part of marketing now. The Gold Tier certification means customers can choose a CMP with confidence to meet consent management needs in conjunction with their use of Google Services. The Usercentrics CMPs, accessible through all Google interfaces, make it more seamless than ever for SMBs to meet Google’s EU user consent policy requirements and grow digital marketing operations,” said Eike Paulat, Director of Product at Usercentrics.
As of July 31, 2024, Google has announced a significant expansion of its EU User Consent Policy to include websites and apps with traffic/users in Switzerland. This update has important implications for publishers and advertisers operating within the European Economic Area (EEA), the UK, and now Switzerland.
In this article, we delve into the details of this policy expansion, its impact on businesses, and what’s needed for compliance.
Google EU User Consent Policy: Next stop, Switzerland
The expansion of Google’s EU User Consent Policy signifies a broader application of consent requirements to safeguard user data privacy. It mandates certain disclosures and consents from end users in the EEA, the UK, and Switzerland. This applies to websites and apps using Google products and services, such as AdSense or Google Analytics, outlining the responsibilities of publishers and advertisers regarding user consent for:
- Use of cookies, online trackers and local storage: Where required by law, user consent must be obtained before placing cookies and/or other tracking technologies or using other local storage mechanisms, on user devices.
- Data collection and ad personalization: User consent is necessary to collect, share, and use personal data to personalize digital ads.
Failure to comply with this policy may result in limitations or suspension of the use of Google products, or even termination of the agreement.
Google’s EU user consent policy – what’s changed and what does it mean for advertisers?
Google policy requirements for publishers and advertisers
Publishers and advertisers marketing to audiences in the EEA, UK and now Switzerland using Google products are now subject to specific obligations to ensure compliance:
Obtaining valid user consent
Publishers and advertisers are mandated to obtain legally valid user consent for the use of cookies or local storage where required by law, as well as for the collection, sharing, and use of personal data for ad personalization.
Transparency and user control
Clear instructions on how users can revoke their consent should be provided alongside the request for consent. Furthermore, a record of any granted consent must be maintained to demonstrate compliance with the policy.
Identifying data sharing partners
Publishers and advertisers must transparently disclose any third parties that may collect, receive, or use user data as a consequence of their use of Google products. This includes providing users with easily accessible information about how these third parties use the data.
New scenarios
The policy also addresses scenarios where user data from a third-party property (website or app not controlled by the publisher or advertiser) is shared with Google due to the use of Google products. In such cases, publishers and advertisers are required to make commercially reasonable efforts to ensure the third-party property operator complies with the user consent obligations outlined in the policy.
Google requirements for publishers marketing to Switzerland
Since last year, Google has implemented a requirement for publisher partners to utilize a Google-certified Consent Management Platform (CMP) such as Usercentrics CMP, integrated with IAB Europe’s Transparency and Consent Framework (TCF) for serving ads to users in the EU/EEA and the UK. After the July 31 deadline, Swiss publishers using Google monetization products targeting Swiss traffic must also adhere to the following:
- Implement a Google-certified CMP
- Comply with Google’s EU user consent policy
- Integrate with the TCF for Swiss traffic
Google’s directive for Swiss publishers to adopt a CMP from their partner program represents a notable shift in Swiss digital practices. This decision, primarily focused on ensuring TCF usage for Swiss traffic, reflects Google’s proactive approach to aligning with legislative dynamics, namely with the Swiss Federal Data Protection Act (FDPA), which came into effect in 2023.
While the GDPR doesn’t directly apply in Switzerland, Google’s enforcement of TCF in the Swiss context indicates an acknowledgment of the FDPA’s alignment with GDPR standards.
Google requirements for advertisers targeting Swiss audiences
Companies using Google adtech products will need to obtain consent from Swiss users where legally required. For now, advertisers won’t be expected to send a verified consent signal for Swiss traffic through Google Consent Mode V2 (the requirement in force for EU/EEA audiences), but this might change in the future.
Even if Consent Mode is not required for now, if you’re advertising using Google products, the most efficient way to collect and manage user consent in a legally compliant way is to implement a consent management platform (CMP) like Usercentrics consent solutions for websites and mobile apps.
Usercentrics CMPs are both Google-certified, fully supporting Transparency and Consent Framework (TCF) and Google Consent Mode v2.
Although Consent Mode activation is not required for now, it’s enabled by default in the tools, so you’ll be one step ahead should the requirements in Switzerland align with the rest of Europe. Plus, by implementing Consent Mode v2 you can benefit from analytics and conversion modeling, and avoid losing marketing data due to rejected consent banners.
Google policy update: impact on marketing strategies
The updated Google policy prompts marketers to prioritize obtaining valid user consent for data collection and ad personalization to align with building trust and respect for user privacy. This involves the implementation of transparent and user-friendly consent mechanisms to ensure compliance with the policy’s requirements.
Here’s what’s essential for marketers to consider under the updated policy:
Prioritize user consent
Making the acquisition of valid user consent for data collection and ad personalization a central element of your marketing strategy in these regions is imperative.
As per Google’s recommendation, their certified CMP Partners, such as Usercentrics Web & App CMP and Cookiebot CMP, have been thoroughly assessed and meet certain technical requirements to ensure the best possible experience for advertisers.
Transparency is crucial
Clearly conveying to users how their data is collected, used, and shared is vital. Equally important is providing easily accessible information and options for users to manage their consent preferences.
Partner compliance
If your operations involve third-party platforms that integrate with Google products, ensuring their compliance with user consent requirements is essential.
By aligning with the EU User Consent Policy, marketers can demonstrate a commitment to respecting user privacy and cultivating trust with audiences in the EEA, UK, and Switzerland. Ultimately, this can lead to a stronger connection between their brand and audiences, heightened user engagement and more successful marketing campaigns.
Before you go: the importance of compliance
The expansion of Google’s EU User Consent Policy to include users in Switzerland underscores the growing emphasis on data privacy and consent management. Publishers and advertisers must proactively adapt to these changes, ensuring compliance with the updated policy to maintain a positive relationship with Google and uphold user privacy.
In summary:
- Implement a Google-certified CMP like Usercentrics CMP to collect user consent
- Activate the Transparency and Consent Framework (if you’re a publisher, i.e., if you monetize your platform)
- Consider implementing Google Consent Mode V2 for additional marketing benefits.
Navigating the GDPR and ad tech regulation is an ongoing challenge for app publishers, especially when delivering targeted ads to consumers.
The Internet Advertising Bureau Europe (IAB) launched the updated Transparency and Consent Framework version 2 (TCF v2.2) in May 2023, bringing with it a slew of new obligations and guidelines. The update is a response to criticism of the TCF v2.0 and has significant implications for how online advertising works for both publishers and advertisers.
In this guide, we’ll share what the TCF v2.2 is, how it impacts your app, and provide best practices for a smooth transition to the updated framework.
What is IAB TCF v2.2?
IAB TCF v2.2 is the latest set of Transparency and Consent Framework (TCF) changes and guidelines. The Framework was launched in 2016 to enhance transparency and customer control over personal data processing by publishers and advertisers in the digital advertising ecosystem.
This updated version gives consumers more control over their personal data, particularly in the context of advertising and content personalization.
Here are key policy changes brought by TCF v2.2:
- Legal basis for data processing: User consent is now the exclusive legal basis for advertising and content personalization, eliminating the option for legitimate interest.
- User-friendly descriptions: All in-app explanations and disclaimers about data use must be clearly written and easy to understand.
- User control: Individuals have more control over how app publishers may use data processing features like geolocation data.
- Vendor disclosure: App publishers must disclose all vendors that will access personal data, along with details on the type of data they collect, how long they keep it, and their reasons for data use.
- Transparency: App publishers using the framework must reveal the data they collect and use in their ad campaigns.
- Consent management platform (CMP) design: Publishers must ensure that the number of vendors is displayed on the first layer of their CMP UI and that users can easily opt out of data processing.
With these changes, app publishers should be cautious, not only about how they collect and share users’ consented data but also how their vendors and technology partners process that data.
TCF v2.2 deadline
The deadline to comply with the updated TCF v2.2 was originally September 30, 2023. This was delayed two months to November 20 to give companies more time to meet the requirements.
If you missed the deadline, now what?
If you still haven’t updated your app to comply with the new framework, you need to act now.
Noncompliance will not stop your CMP from working correctly. However, not being able to signal valid consent per recent requirements could result in restrictions or losing access to important platforms, like Google’s advertising services. In today’s data-conscious digital markets, you can’t simply sweep rogue mobile advertising placements or poor data privacy practices under the rug.
Vendors and other third parties that rely on valid consent for their services to operate will take notice. Noncompliance may damage your business or customer relationships and reduce potential ad revenue.
If you missed the deadline, update your consent practices to align with TCF v2.2 requirements as soon as possible. The quickest way to do this is to implement a reputable CMP, like Usercentrics Apps CMP, that’s tailored to these requirements right out of the box, and is also registered with the IAB.
By demonstrating your adherence to current data protection and privacy standards, you’ll help restore your vendor functionality and build user trust.
How does the TCF v2.2 affect app publishers?
The TCF v2.2 gives power back to users who can share, refuse, or revoke consent at any time. To avoid the risk of noncompliance, app publishers must adhere to standards when collaborating with third-party vendors.
App publishers need to pay close attention to the following areas.
User consent management
Under the TCF v2.2, app publishers are required to explicitly mention what technologies they use to collect personal data, and how they process it.
App developers must disclose the user data they collect, for what purposes, and what third parties it may be shared with, among other requirements.
Publishers also need to provide users with the ability to refuse consent or to change or withdraw previously granted consent at any time. This needs to be as easy to do as to give consent.
Publisher restrictions
Thanks to the TCF v2.2, app publishing companies can now exercise more control over how their vendors and tech partners access and handle user data.
For example, publishers can set custom requirements specifying how every vendor can process the user data collected on their website. App companies can also limit the purpose of data processing to a single activity, such as ad personalization or visitor analytics.
Vendors can register as capable of operating under multiple legal bases, and publishers can specify their preferred legal bases for partnering with vendors. This enables vendors and publishers to navigate markets with varying legal requirements for processing personal data.
Enhanced transparency
The TCF v2.2 requires publishers to provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies. Additionally, for consent requests to be valid, users must be provided with the following information for each vendor:
- purposes (for data processing) and any special purposes
- associated legal bases for the purposes
- retention period for personal data re. fulfilling each stated purpose
- features and special features
- categories of data collected and processed
If a publisher is using legitimate interest as their legal basis, they must provide a full list of all vendors (third-party partners) involved in data collection and processing operations, with links to their privacy policies, as well as the following information for each vendor:
- purposes (for data processing) and special purposes
- associated legal bases for the purposes and a link to each vendor’s explanation of its legitimate interest(s) at stake
- retention period for personal data re. fulfilling each stated purpose
- features and special features
- categories of data collected and processed
By providing this information in advance of data processing, individuals are empowered to make informed decisions about their data.
Vendor compliance
While not an absolute legal requirement, app publishers are advised to work with vendors that comply with the TCF v2.2 and are on the IAB’s vendors list. By doing so, all parties involved agree to adhere to the same standards, which reduces the overall risk of noncompliance.
Refer to the TCF v2.2-compliant CMP list to verify whether your CMP provider meets the TCF v2.2’s requirements.
Usercentrics is a leading Google-certified CMP that complies with TCF v2.2 standards and is on the IAB’s list. Thousands of apps in 180+ countries rely on our platform to support them in achieving compliance with the GDPR, CCPA, LGPD, POPIA, and other laws and frameworks.
Impact on revenue
The TCF v2.2 can impact app companies’ revenue. If informed users decide to opt out of personalized ads, app publishers could lose programmatic ad revenue.
Publishers that get most of their traffic in the EU could experience this revenue drop the most due to the region’s regulations and requirements being levied by large digital platform providers. Even so, it’s best to adopt the TCF v2.2 no matter where you operate, since most programmatic ad platforms will eventually stop advertising on websites and applications that haven’t implemented it.
Not meeting the latest standards and requirements could result in an even greater revenue hit from critical third parties. For example, Google now requires European advertisers to use a certified CMP that integrates with the TCF v2.2, or else they will not be able to do personalized advertising.
Let’s explore the benefits and challenges that app publishers face with TCF v2.2.
Opportunities and challenges for app publishers
App publishers face both opportunities and challenges as the ad tech ecosystem adopts these TCF policies. The benefits of implementing the TCF v2.2 framework include:
- improved collaboration as data protection authorities and vendors move toward industry standards for collecting, managing, and exchanging user data
- greater control, flexibility, and security, since the TCF v2.2 enables publishers to choose what data they share with vendors on a per-vendor basis
- removal of legitimate interest provisions means publishers are more likely to need a Consent Management Platform (CMP) to meet consent requirements for advertising and personalization
- better consumer privacy protection, as the TCF v2.2 puts control back in users’ hands to grant or deny consent for use of the personal data that publishers collect and process
App publishers must also keep some challenges in mind while migrating to TCF v2.2:
- In-house CMP solutions aren’t enough: Considering managing compliance with an in-house solution? You’ll face technical and legal challenges. Publishers will likely need full-time resources to achieve and maintain compliance with the GDPR. Privacy compliance requirements are publishers’ responsibility if they collect personal data, but a CMP can help meet technical and legal needs and cut down on resource requirements on the publishers’ side, e.g. via automated functionality.
- Lower consent rates: Users can see and avoid apps that don’t meet TCF v2.2 UI requirements, or don’t abide by UX best practices. This may be more likely for those using home-grown CMPs or some third-party ones. A Usercentrics study that reviewed hundreds of apps available in the EU showed that 90 percent of them were not compliant with the GDPR or ePrivacy Directive. That’s why it’s best to switch to a TCF v2.2-compliant CMP that offers ad result optimization features.
- Keeping up with regulations: The influx of new privacy laws and the evolution of existing ones is another challenge for publishers, who may need to comply with multiple regulations, including the CCPA and GDPR. Handling numerous frameworks and laws compliantly and in a user-friendly way is a challenge. Using a single CMP platform to meet different compliance requirements makes this much easier.
Tackling these challenges becomes easier when publishers team up with a TCF v2.2-compliant CMP partner to handle user consent collection, storage, and management.
A CMP makes it easier for publishers to obtain the consent they need once they’ve determined which of their processing activities require it. It can then find preferred vendors, or publishers can select them manually, and display data processing purposes in multiple languages.
A CMP also securely stores user consent choices, enabling users to change them or withdraw previously granted consent. It also equips companies to provide the required information in the event of an audit by data protection authorities or a data subject access request.
Transparency and Consent Framework v2.2 best practices
Achieving privacy compliance with the TCF v2.2 may seem challenging, but it is achievable. All you need is the right tools to set up an ecosystem that enables you to seamlessly connect with and manage vendors and users. Follow these best practices to stay compliant in the TCF v2.2 era and beyond.
- Help users make informed decisions by providing them with the required complete list of data processing partners and legal bases used by your organization.
- Explicitly mention data storage and use policies that publishers and their third-party partners follow.
- Obtain user consent for the use of technologies like cookies that track users, and/or before collecting users’ personal data, like IP addresses and device identifiers, in line with relevant regulatory requirements.
- Enable users to access the list of third parties (aka vendors) that may process users’ data.
- Inform users about the consequences of declining consent, such as certain functions that may not work correctly or at all, or the inability to provide personalized experiences.
- Give users the ability to update, withdraw, or revoke their consent choices as easily as they gave them.
- Notify users if legitimate interest is being used as the legal basis for data processing, but remember that under the TCF v2.2, user consent is now the exclusive allowed legal basis for advertising and content personalization.
- All call-to-action buttons must be equally visible. For example, if the available options are “Agree” and “Learn More,” they should be clearly presented as buttons or links that are equally visible and accessible.
These best practices will help you provide transparency to users while delivering personalized experiences based on the data you collect.
Use a consent management platform to achieve compliance
The TCF v2.2 is a broad framework that introduces strong standards and focuses on many areas of data privacy, including users’ right to object to data processing, UI requirements for CMPs, and other transparency measures.
Implementing a CMP that integrates with the TCF v2.2 helps simplify the complexities and enables companies to meet current and future regulatory and industry requirements.
Usercentrics Apps CMP meets that need. This customizable, all-in-one CMP for apps and games publishers makes it easy for you to obtain, manage and optimize consent while meeting data privacy requirements from regulators and industry partners.
Data privacy has become critical to doing business, touching regulatory compliance, digital marketing strategy and customer relations. For millions of companies, Google — and its products like Google Ads and Google Analytics 4 — is becoming central to privacy compliance and revenue generation.
Why do companies need user consent?
Today there are three primary influences on the requirement for companies to obtain users’ consent for access to and processing of personal data:
- governments and data protection authorities
- large tech partners
- consumers
Some companies continue to ignore consent requirements, but they are increasingly risking not only fines and other penalties, but also loss of brand reputation, user trust, and potentially revenue if they are denied access to third-party platforms, like Google’s advertising services.
Ignoring the revenue potential of consent-based marketing initiatives will quickly leave change-resistant companies behind in highly competitive and rapidly changing markets.
Consent requirements by governments and data protection authorities
- Global data privacy laws: Privacy laws, like the GDPR, aim to protect data; 75% global coverage expected by 2024
- Diverse regional impact: Laws vary, from the EU’s GDPR, to country-specific ones like Brazil’s LGPD and state-level ones like California’s CCPA in the United States
- Enforcement and compliance: Authorities enforce data privacy with fines, requiring compliance of data-reliant organizations
Governments have been passing data privacy regulations around the world to protect citizens for many years. Modern comprehensive privacy laws started showing up over a decade ago, and have ramped up with the influence of the European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018.
Prior to that, however, there have been other privacy laws passed, a number of which have been updated, like Switzerland’s FADP, or are in the process of being updated, like Canada’s PIPEDA and the Privacy Act in Australia.
Some privacy laws, like the GDPR, cover entire regions. Others cover just the country that passed them, like Brazil’s General Data Protection Law (LGPD). Still more only cover a far smaller area, like each of the United States’ state-level data privacy laws passed to date, e.g. California’s Consumer Privacy Act (CCPA) and Consumer Privacy Rights Act (CPRA).
Gartner has predicted that 75% of the world’s population will have its personal data protected by at least one data privacy law by the end of 2024. With China (PIPL) and India (DPDP Act) — the world’s two most populous countries — now on board with data privacy laws, this seems like a reasonable expectation. As does the likely passing of more national privacy laws, and more targeted laws, like those taking artificial intelligence (AI) or children’s online privacy into account. Or addressing the evolution of the ever-growing mobile industry, with mobile gaming alone (also very popular with children) being worth over US $140 billion in 2022.
In addition to passing laws, authorities are also ramping up enforcement efforts. Big tech companies receiving billion-dollar fines may garner headlines, but it’s not just Facebook, Google and Amazon in regulators’ crosshairs anymore. Organizations of all sizes that rely on user data, and that want to maintain users’ goodwill, need to comply with data privacy requirements.
Consent requirements by large tech partners
- Third-party compliance: Big tech companies mandate privacy adherence for business partners and customers, amplifying their influence
- EU’s Digital Markets Act impact: Google requires third parties to use Google-certified consent tools and the latest version of Consent Mode.
- Industry-wide shift: Privacy moves by dominant players like Meta and Amazon drive widespread data consent practices.
In order for big tech companies to achieve regulatory privacy compliance, they need to ensure third parties they do business with are also compliant. This includes advertisers, merchants, data analytics services, and more. When platforms and services have audiences of billions of people, and are relied upon for revenue, data, and access to those audiences by millions of companies, big tech companies’ privacy compliance requirements for third parties come with significant clout.
Laws like the Digital Markets Act (DMA) are coming into effect in the EU, and gatekeepers, including Google, are implementing new requirements for third parties. As of January 16, 2024, in the EU/EEA and UK, Google is requiring publishers and developers to implement a Google-certified CMP, like Usercentrics CMP, which has Google Consent Mode and the TCF 2.2 integrated, as Google requires.
Usercentrics Web & Apps CMP are Google-certified, fully supporting Transparency and Consent Framework (TCF) and Google Consent Mode v2.
This is to ensure companies obtain and can signal valid user consent if they want to continue to monetize websites and/or apps with advertising using Google AdSense, Ad Manager, or AdMob.
Additionally, if companies are serving ads to audiences in the EU and/or EEA using Google Ads, Google Marketing Platform or Google Analytics (GA4), they need to activate Google Consent Mode v2. The best way to meet this requirement is by also implementing a Google-certified consent management platform (CMP), like Usercentrics CMP, that supports Google Ads Consent Mode, and sending verifiable consent signals to Google to maintain ad revenue from personalized campaigns in the EU and EEA.
Given that companies like Meta (parent of Facebook, Instagram and WhatsApp, among others), Microsoft, ByteDance (parent of TikTok) and Amazon have comparably large platforms and audiences, compliance-related requirements they launch are also likely to cause significant shifts and adoption of data privacy initiatives and uptake of consent management solutions.
Consent requirements by consumers
As the source of personal data, consumers are becoming increasingly concerned about and savvy regarding who gets access to what data, and how they are allowed to use it. They are also starting to expect to get more for their consent in order to hand over their data, rather than just accepting that it will be hoovered up everywhere they go when accessing websites, apps and other connected platforms.
New regulations like the Digital Markets Act are also enabling consumers to exercise greater flexibility and choice regarding the products and services they use. Data portability requirements make it easier to switch platforms for better features or more competitive pricing. This should serve to spur innovation on companies’ part and make them work harder to retain their customer base.
There have also been enough high-profile data breaches, and enough consumers have been personally affected, that people no longer have much patience for companies that don’t protect or respect the data that consumers have entrusted to them. The mobile space is particularly notable, where users are more than willing to delete apps if they don’t feel like they have adequate security and respect for their personal information.
Why is a consent management platform (CMP) required?
- The role of the CMP: CMPs help to ensure legally valid user consent and manage notifications about data collection purposes.
- Diverse consent laws: Privacy laws differ; the GDPR mandates “opt in” consent, while US laws require “opt out” options.
- Multi-jurisdiction compliance: CMPs handle various global laws, integrating consent across platforms for marketing operations.
At the core of all these privacy requirements is user consent. But like any legal requirement, you have to obtain consent the right way, and be able to prove it. This is what a consent management platform (CMP) enables. Most privacy laws also require notifying users about relevant laws, users’ rights, what data is being collected and for what purposes, and more. This is also done via a CMP’s consent banner.
Every privacy law has its own specific requirements for consent. Many require prior consent, or “opt in”, where valid user consent has to be obtained before any data is collected. Some laws, like the ones passed to date in the US, are “opt out”, and require consent for specific uses, like sale of data or using it for profiling, but don’t require it to collect and process data. Different laws also have specific requirements for what constitutes valid consent. Art. 7 GDPR, for example, has become probably the most influential guideline for that.
Adding complexity, companies that do business in more than one jurisdiction may well need to comply with multiple different laws with varying requirements. A CMP streamlines this otherwise very tricky and complex operation. A high performance CMP will also enable geolocation rules so that not only is information displayed about the right regulations, but also in the user’s preferred language for better user experience and transparency.
Marketing operations today also require an ecosystem of platforms and tools, which means that consent requirements have to be applied and communicated across various systems. A good CMP solution also enables this, integrating with many platforms, and enabling signaling of consent information to third parties, like via Google Consent Mode v2, which is integrated into Usercentrics CMP. This way, organizations can obtain valid, granular user consent for relevant regulations, and communicate it to all relevant third-party partners, enabling seamless operations for digital advertising and more.
Do you need cookie consent to use Google Ads or GA4?
Increasingly, yes. In jurisdictions where you need to obtain prior consent from users before collecting user data, you need consent for any non-essential cookie use, including for advertising or analytics purposes. In Europe, companies will have to prove consent to be able to use Google Ads for functions like personalization, retargeting and conversion tracking. Consent is required to collect users’ data from their online browsing, shopping, etc. to power GA4.
Cookies and other trackers also need to be blocked by the CMP until user consent is obtained under many regulations. All of this precedes serving ads or other advertising functions, or collecting user analytics data. Over the past year or two there has been increasing scrutiny on Google Analytics use in Europe, and its compliance with the GDPR.
Google Ads Consent Mode
Google Consent Mode is an API that enables consent management for Google Ads and other platforms to pass consent data to Google Tag Manager in a recognizable format. This enables businesses to modify how Google tags function based on user consent decisions related to cookies for ads and analytics. Google updated Consent Mode to v2 in late 2023.
Originally, Consent Mode mainly enabled anonymized tracking of data when user consent was not obtained. However, the tool and its role have evolved, and now its primary function is as a tool for signaling, as outlined above regarding the use of a CMP. Consent Mode also helps website owners with conversion data from advertising, enabling greater accuracy in their insights for optimization.
In the latest version of Consent Mode, the key settings are ad_user_data and ad_personalization, which are based on the same trigger as ad_storage.
Consent Mode is not exclusively used with Google Ads, but their use is becoming increasingly intertwined and required in light of requirements of regulations like those under the DMA. In relevant jurisdictions like the EU and UK, Google is requiring third parties to use a CMP that they have certified, which supports Consent Mode, to obtain and signal user consent if they want to continue to serve personalized ads as of January 2024.
Be aware that Consent Mode does not itself enable compliance with data privacy laws. For that, valid consent needs to be obtained via a consent management platform for the use of cookies and other tracking technologies on websites and apps.
Google Analytics 4 (GA4) Consent Mode
As with ads, Consent Mode enables modification of how Google tags function based on the consent decisions users make. Importantly in this case, that includes preventing data collection or processing until consent for analytics cookies is obtained.
Consent Mode enables management of cookies for analytics use in GA4 based on users’ consent choices via the analytics_storage setting. If a user consents to analytics cookie use, GA4 can collect the full complement of data for analytics and/or statistical purposes. If a user does not consent to analytics cookie use, then the data GA4 has access to is limited. For example, the user cannot be personally identified, though non-identifying data is still collected, like operating system or browser in use, referrer, etc.
A correctly implemented consent management platform detects (and blocks) all cookies and tracking technologies in use. It should also provide information about all of them to users, available in the consent banner. Usercentrics CMP’s scanning functionality and database of thousands of data processing services streamline this process and save considerable time and resources.
Users can then make consent choices to consent broadly to data processing, or at a granular level. E.g. a user could consent to analytics cookie use, but not advertising cookie use. Consent Mode then enables signaling this information to GA4, which proceeds with collecting and analyzing the consented data.
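The granular case described above (analytics consented, advertising refused), as an added example that is not Usercentrics’ or Google’s own code. The category names `marketing` and `statistics`, the helpers `createSignaler` and `auditQueue`, and the local queue standing in for `window.dataLayer` are assumptions made for illustration; the `gtag('consent', 'default' | 'update', ...)` calls and the four setting names are the Consent Mode v2 ones.

```javascript
// Added example: mapping CMP category choices to Consent Mode v2 signals.
const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Translate a CMP consent record into Consent Mode state.
// Assumption: the CMP reports boolean categories `marketing` and `statistics`.
// Anything other than the boolean `true` (missing key, string "true", null
// record) is treated as a refusal, so a malformed record fails closed.
function toConsentModeState(choices) {
  const record = choices || {};
  const asSignal = (v) => (v === true ? 'granted' : 'denied');
  const ads = asSignal(record.marketing);
  return {
    ad_storage: ads,
    ad_user_data: ads,          // same trigger as ad_storage
    ad_personalization: ads,    // same trigger as ad_storage
    analytics_storage: asSignal(record.statistics),
  };
}

// Build a signaler around a queue. In a browser the queue would be
// window.dataLayer; a plain array is used here so the block runs offline.
function createSignaler(queue = []) {
  // Standard gtag stub: pushes its arguments object onto the data layer.
  function gtag() {
    queue.push(arguments);
  }
  return {
    queue,
    // Opt-in baseline: everything denied until the user decides.
    setDefault() {
      const state = Object.fromEntries(CONSENT_KEYS.map((k) => [k, 'denied']));
      gtag('consent', 'default', state);
      return state;
    },
    // Called when the user saves a choice in the banner, or changes it later.
    update(choices) {
      const state = toConsentModeState(choices);
      gtag('consent', 'update', state);
      return state;
    },
  };
}

// Review a queue the way an auditor would: defaults must be set before any
// update, only known settings with valid values may appear, and every setting
// must end up with an explicit value.
function auditQueue(queue) {
  const problems = [];
  const current = {};
  let sawDefault = false;
  for (const entry of queue) {
    const [command, action, state] = Array.from(entry);
    if (command !== 'consent') continue;
    if (action === 'default') sawDefault = true;
    if (action === 'update' && !sawDefault) problems.push('update before default');
    for (const [key, value] of Object.entries(state || {})) {
      if (!CONSENT_KEYS.includes(key)) {
        problems.push(`unknown setting ${key}`);
      } else if (value !== 'granted' && value !== 'denied') {
        problems.push(`invalid value for ${key}`);
      } else {
        current[key] = value;
      }
    }
  }
  for (const key of CONSENT_KEYS) {
    if (!(key in current)) problems.push(`missing ${key}`);
  }
  return { problems, current };
}

// Constructed sample: the user accepts analytics but refuses advertising.
const demo = createSignaler();
demo.setDefault();
demo.update({ statistics: true, marketing: false });
console.log(auditQueue(demo.queue));
```

Running `auditQueue` over the data layer of a staging page is a quick way to confirm that no tag receives a `granted` signal the consent record does not support.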
Who needs Google Consent Mode?
Google is requiring third parties using its platforms and services in the EU to use the latest version of Consent Mode to signal valid user consent, i.e. that obtained through the use of a consent management platform into which it’s integrated. Consent Mode’s original value was also in providing additional information and insights through modeling when users did not provide consent, which continues to be the case.
Organizations intending to collect and use consumers’ data for marketing, analysis, and other purposes very likely need a CMP and Consent Mode if their visitors, users or customers reside where they are protected by a data privacy law with opt-in requirements. This includes the EU, Brazil, South Africa and many other places. Today and into the future, data privacy best practices will involve obtaining valid prior user consent for advertising, analytics, and other functions. Consent will be particularly important as it contributes to enabling revenue generation.
What Google services does Consent Mode support?
Consent Mode supports the following Google services:
- Google Analytics
- Google Analytics 4
- Google Ads (Google Ads Conversion Tracking and Remarketing)
- Floodlight
- Conversion Linker
Consent Mode is also a valuable tool for organizations that want to enhance their consent-driven marketing and move away from outdated and questionably privacy-compliant strategies.
In addition to the legal requirements, Consent Mode brings benefits for data and revenue. Great user experience through a user-friendly UI and transparent consent information helps optimize opt-in rates. This means more data, which is used to develop conversion insights to better understand user interactions, including those who do not provide consent.
For website operators using Google Analytics, Google Tag Manager or Google Ads, Consent Mode means on average getting over 70 percent of ad-click-to-conversion journeys back for advertisers.
Usercentrics CMP is Google-certified and supports Consent Mode
Usercentrics CMP meets all of Google’s latest requirements and has been certified for use by Google customers operating in the EU, EEA and UK. Usercentrics CMP was one of the first certified by Google in May 2023 to meet their new requirements, and it was upgraded to support Consent Mode v2 in November 2023 when Google rolled out the change. Usercentrics CMP is also integrated with the TCF 2.2, another requirement by Google and for regulatory compliance for advertisers in Europe.
Usercentrics helps companies to achieve and maintain data privacy compliance with global regulations. However, it’s not just important to avoid fines, loss of brand reputation or damage to user trust today. The tech and legal landscapes are always changing, and Usercentrics is committed to ensuring companies are futureproofed as tools, requirements and user expectations evolve.
Companies need to stay focused on their core business, and Usercentrics CMP provides the user-friendly, flexible and scalable solution to provide privacy compliance peace of mind as your company grows.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
On October 30, 2023, Meta announced their decision to offer ad-free versions of Facebook and Instagram on a subscription basis to users in the European Union (EU), European Economic Area (EEA) and Switzerland.
From November 2023, users in these regions could either pay a monthly subscription fee for an ad-free experience or continue to use the platforms for free and receive personalized ads. Users who choose the free version implicitly agree to have their personal data used for tailored advertising.
We examine Meta’s ad-free subscription model, its compliance with European data privacy regulations, and what it means for users and advertisers.
Understanding Meta’s subscription model for EU users
Meta’s new subscription offering for Facebook and Instagram access in the EU and Switzerland has specific variations on pricing and access. The cost of this ad-free experience depends on the platform used for purchase:
- €9.99/month on desktop/web
- €12.99/month on iOS and Android
Additionally, until March 1, 2024, a single subscription covers all linked Facebook and Instagram accounts within a user’s Accounts Center. After this date, a charge of €6 per month for each additional account will apply for web users, while iOS and Android users will face an €8 monthly charge per additional account.
Meta, previously fined for multiple instances of unlawful advertising practices, has changed its approach. The company moved from using legitimate interest as the legal basis for data processing to using consent (Art. 6 GDPR). The aim is to align their advertising practices with European regulations, including the General Data Protection Regulation (GDPR) and the European Digital Markets Act (DMA).
Meta cites a July 2023 ruling from the Court of Justice of the European Union (CJEU) as the basis for its decision to charge a fee for ad-free access, claiming that it provides users with a genuine choice while complying with European regulations. The ruling stated that users must be free to decline consent for data collection without having to completely stop using the offered service. As a result, users should be given an equivalent alternative, “if necessary for an appropriate fee”, where their data is not processed.
Is Meta’s subscription model compliant with the GDPR?
Meta’s introduction of a subscription option, often referred to as the “PUR Model” or “pay or okay”, mirrors strategies used by many publishers in the EU. This model typically involves giving users access to content either through a subscription or by consenting to their data being processed.
Meta’s ad-free subscription model has raised concerns among privacy activists and is facing legal challenges.
The model’s compliance with the GDPR is a topic of ongoing discussion and scrutiny. Several European data protection authorities (DPAs) have weighed in on such subscription models as a way to continue advertising, as well as on related concepts like cookie walls and paywalls.
Denmark
The Danish DPA Datatilsynet in February 2023 shared guidelines suggesting that companies could use a cookie wall if they also offered a reasonable alternative, which could be payment-based for users who did not wish to consent to data processing. The guidelines stated that companies can set a fee for subscription at their discretion but stressed that they must not set “an unreasonably high price for the payment alternative”.
The DPA guidelines also require companies to prove that processing data for statistical or personalization purposes is essential for offering access without payment as an alternative to the paid subscription.
Germany
Although there have been earlier cases in Germany where a “pay or okay” model was deemed illegal, the German Data Protection Conference (DSK) evaluated subscription models and concluded in March 2023 that they could comply with GDPR and ePrivacy regulations, assuming all requirements for informed, specific, and voluntary consent were met.
Subscribers and non-subscribers must also have access to equivalent content, and providing granular consent must be possible if personal data is processed for multiple purposes. If granular consent is not possible, then consent cannot be considered fully informed and freely given and is thus invalid.
France
The Commission Nationale Informatique & Libertés (CNIL) also considered this issue in May 2022, stating that paywalls — where users must pay to access content if they refuse cookies — were not inherently prohibited since they offered an alternative to consenting to tracking technologies. Like the Danish DPA, they cautioned that the cost must not deter users from making a true choice, emphasizing the need for a “reasonable price”.
Challenges against Meta’s subscription model for EU users
The Austrian DPA has been approached to assess whether the subscription cost is excessively high, potentially making it a questionable practice under European privacy laws.
A separate legal challenge has been filed before the Consumer Protection Cooperation Network by the BEUC, The European Consumer Organisation and 19 member states to assess whether the subscription model constitutes an “aggressive practice” and contravenes EU consumer laws.
The verdict on Meta’s planned model
The verdict is still out on whether Meta’s model aligns with European regulations like the GDPR and will largely depend on two factors:
- Whether users are offered the option to consent, and, if so, whether this consent is deemed granular.
- Whether the subscription fee is deemed reasonable so that it provides users with a real choice.
It’s a dynamic issue that’s still unfolding as European regulators assess the subscription model’s compliance with legal standards. The Usercentrics team will keep a watch on these developments and provide updates as the situation progresses.
What changes for Meta users in the EU, EEA and Switzerland?
With the announcement of the subscription model, Facebook and Instagram users have three options:
- pay for a subscription to enjoy an ad-free experience
- continue to use the platform(s) without paying, have their personal data processed, and be served personalized ads
- leave the platforms altogether if they don’t want to pay or have their data processed
Users who choose to subscribe will have a distraction-free experience, enabling them to focus on connecting with others and consuming brand content that interests them.
However, we must consider the potential trade-offs of this subscription model. Users may enjoy an ad-free experience, but they now need to pay for platforms that were previously available for free and widely used — Meta reported 255 million monthly active users on Facebook and 250 million on Instagram in Europe at the end of 2022. The move to a subscription model might exclude European users who cannot afford the subscription fee.
Users who can’t or don’t want to pay a monthly subscription must decide if they want to part with their data for access to the social media platforms or stop using them, when they may have built up content and communities over a decade or more of use.
Advertising on Facebook and Instagram: What marketers can expect
With Meta’s new subscription model, advertisers will have to adapt to significant changes in the digital advertising ecosystem.
Potential reduction in audience
Subscribed users pay a monthly fee for a subscription service with no ads on Facebook and Instagram, so they’ll not be targetable by advertisers. There could be a further reduction in audience size if users who are unwilling to subscribe or consent to data use leave the platforms. Experience with PUR models in other platforms tells us there’s normally not a significant decrease in user base. But if it does become considerable over time, it may impact advertisers’ reach, potentially impacting their marketing campaigns and return on ad investment.
Increased competition for Meta ad space
With a portion of the audience now unreachable, the competition for the remaining ad space may intensify. This might lead to higher costs for advertisers as they vie for the attention of a smaller user base. At the same time, non-subscribed users may be less engaged (or more resistant) than paid ones, so less receptive to advertising generally.
Retention of targeted advertising opportunities
Despite these challenges, advertisers retain the opportunity for targeted advertising with non-subscribed users who remain active on the platforms. This segment still allows for data-driven, targeted campaigns, enabling advertisers to maintain precision in their marketing efforts, even if to a narrower audience.
Reevaluation of marketing strategies
These changes in the advertising landscape urge advertisers to reevaluate their marketing strategies. A holistic approach to digital marketing that includes a variety of platforms and channels can help mitigate risks and strengthen overall advertising efforts. Embracing consent-based marketing strategies will also help future-proof organizations’ digital marketing efforts.
These impacts largely depend on how many users choose to subscribe, consent to access to their data, or leave the platforms. Nonetheless, advertisers will need to adapt their strategies to these changes.
Ad transparency under the Digital Markets Act (DMA)
The implementation of the European Digital Markets Act brings a significant shift to businesses advertising on Facebook and Instagram. The DMA mandates that Meta — which is one of the designated gatekeepers under the European regulation — must provide advertisers with more comprehensive ad performance metrics.
This requirement for greater transparency can offer advertisers a clearer view of how their ads perform among the non-subscribed audience segment on Meta’s platforms.
Increased transparency can also translate to deeper insights for advertisers. They can now access more detailed information about the reach, engagement, and overall effectiveness of their ads. This clarity is valuable in understanding how their content resonates with the audience that continues to see ads, and if perhaps shifts in strategy are needed to align with any changes in audience.
Despite a potentially slightly reduced data pool because of the subscription model, the enhanced metrics available under the DMA put advertisers in a position to develop more informed and targeted advertising approaches.
Because DMA advertising rules still enable access to more detailed performance data, there’s the opportunity to shift towards a deeper analysis of ad performance and user engagement patterns. Advertisers can examine the nuances of how different audience segments interact with their ads, leading to more precise and effective campaign strategies.
This approach is not just about reaching the audience but engaging with them more meaningfully, tailoring messages that resonate and drive desired actions.
Preparing for the future of digital advertising
As the communication around DMA compliance continues to emerge and the scrutiny of Meta’s subscription model unfolds in front of data protection authorities, marketers need to monitor developments for potential changes in Meta’s policy and EU regulatory enforcement.
Staying informed and responsive to changes will be key to maintaining effective and compliant advertising practices within this evolving regulatory framework.
Google may do more to enforce the adoption of data privacy compliance than government regulators with its new requirements coming into effect in 2024. This has been reinforced by their latest article by Shirin Eghtesadi, Director Product Management.
Evolving privacy regulations have levied strict requirements on Google and the other designated “gatekeepers”. One of the major requirements is the necessity of signaling verifiable user consent to Google in order to preserve Google ad personalization features.
Read on to learn what Google’s new requirements are for advertisers in the EU and EEA, how to protect your ad revenue, the benefits of consent-based marketing, and other ways that user data collection is evolving that you need to be aware of.
What does Google’s deadline for advertisers mean?
Google’s new requirements are meant to facilitate compliance with data privacy regulations such as the General Data Protection Regulation (GDPR), ePrivacy Directive and other relevant regulations in the EU/EEA and UK. They also enhance enforcement of Google’s EU user consent policy (EU UCP), specifically regarding audience and measurement solutions.
If you’re using Google Ads, Google Analytics and Google Marketing Platform for serving personalized ads in these regions, you need to review the way you obtain and signal consent from end users (mainly consumers online). Organizations that do not meet these requirements by Google’s March 2024 deadline will not be able to run personalized advertising in the EU/EEA and UK using Google’s platforms in the same way, i.e., you’ll lose access to ad personalization features.
Companies can comply with Google’s requirements by implementing a Google CMP Partner to obtain and manage valid user consent. The CMP also needs to be integrated with the latest version of Google Consent Mode to signal user consent information to Google’s platforms.
Usercentrics Web & Apps CMP are Google-certified, fully supporting Transparency and Consent Framework (TCF) and Google Consent Mode v2.
Who is an advertiser?
Advertisers refer to businesses or individuals that engage in promoting products, services, or brands through various media outlets, including online advertising platforms like Google Ads. These entities use digital marketing and advertising tools to target potential customers and track conversion data, for example using Google Analytics.
In short: if you’re running ad campaigns on Google ad tech platforms or using Google Analytics to measure your ad revenue impact in Europe, you need to comply with Google’s requirements to ensure uninterrupted ad revenue after March 2024.
What are the requirements for verifiable consent under Google’s EU user consent policy?
The policy’s main stipulations for third parties using Google services:
- legally valid consent must be obtained from end users for:
  - use of cookies or other local storage where legally required, and
  - collection, sharing and use of personal data for ad personalization
- when requesting end user consent, parties must:
  - retain records of users’ consent
  - enable end users to revoke consent at any time and provide clear instructions to do so
What is Google Consent Mode?
Google Consent Mode was launched in 2020, and one of its biggest benefits at the time was how it enabled data tracking and insights, even when users did not provide consent. Consent Mode and its value have since evolved, and today it functions as a signaling tool that enables control of other tools and services based on consent information obtained.
For example, when using Google Analytics, Google Tag Manager or Google Ads, Google Consent Mode helps you both optimize opt-in rates and gain conversion insights for those users who do not provide consent.
Google Consent Mode v2, released last November, included two new settings: ad_user_data and ad_personalization, which control personal data usage and ad personalization based on user consent.
How does using Consent Mode meet Google’s requirements for advertisers?
Advertisers that implement a consent management platform can collect legally valid consent information from users. Consent Mode enables them to automatically signal that information to Google, transmitting consent information for use of cookies and other tracking technologies from users. Tags in use automatically adjust behavior of Google Ads, Analytics, and more to respect users’ consent choices and comply with data privacy regulations.
Currently, Consent Mode supports the following Google services:
- Google Analytics
- Google Ads (Google Ads Conversion Tracking and Remarketing)
- Google Tag Manager
- gtag
- Floodlight
- Conversion Linker
Usercentrics CMP is your Google CMP Partner
Usercentrics CMP was also one of the first CMPs certified when Google launched its CMP Partner Program in 2022. When Google announced changes to Consent Mode in late 2023, Usercentrics CMP was quickly updated to support the Consent Mode v2 integration.
When Usercentrics CMP is implemented, Consent Mode is active by default, i.e. upgrades to the latest Consent Mode API are automated.
Usercentrics CMP enables you as an advertiser to obtain legally valid consent and signal it to Google to meet requirements to continue serving personalized advertising in the EU/EEA and UK.
Set up Google Consent Mode in 3 easy steps with Usercentrics CMP
1. Configure Usercentrics Web or App CMP
Scan all Data Processing Services and SDKs in use on your website or app. Quickly set up and fully customize Usercentrics CMP to meet the requirements of the legal framework you want to comply with via our intuitive user interface.
2. Implement the CMP on your website or app
Add the CMP script tag to your website or Google Tag Manager. Adjust the Data Processing Services scripts found by the scan. For apps, there’s easy implementation with the Usercentrics SDK. Google Consent Mode v2 is active by default so you’re ready to collect and signal valid user consent.
3. Enjoy the benefits of Consent Mode v2
Respect users’ consent choices while automatically adjusting Google tags and SDK behavior by passing the consent signal to Google. Collect additional user insights with conversion modelling and Advanced Consent Mode, even when users don’t give consent.
If you need implementation support, check our Google Consent Mode documentation for web and mobile apps/games, or consider looking for a qualified partner to help you implement and maintain your Usercentrics consent solution.
How do Google’s requirements affect advertising?
Organizations need user data for many digital marketing purposes, including advertising. It is possible to serve ad campaigns based on limited and non-personalized data and analysis, but most marketers want to be able to analyze, segment, and target various audiences to maximize ad spend and conversions. To enable this, you need data from and about these audience members. Increasingly, though, organizations have to get consumers’ consent before they can collect and use this data.
1. As of March 2024, you’ll need to prove you have users’ consent before you can serve them ads via Google services.
2. Companies that implement a CMP and Google Consent Mode will be able to signal consent information to Google, and serve personalized ads to users that have consented to it. If a user has not consented, companies can still serve ads, but not personalized ones. However, per Google’s second requirement, users must be able to change their consent choices at any time (many data privacy laws also require this), so a user may decide to allow more personalized ads at a later date.
3. Companies that do not implement a CMP and Google Consent Mode by March 2024 will be able to continue serving ads on Google platforms, but only non-personalized ones based on more aggregated data and not specific user analysis.
4. If you’re using Google APIs/SDKs to share audience data from your websites and/or apps with Google, you also need to upgrade to their latest API versions to ensure consent information is signaled to Google.
How Google’s consent-based changes are evolving data use online
Generalized third-party data has become outdated in digital marketing for its lack of precision and data privacy issues, and companies are increasingly moving away from relying on it. This includes Google, which is gradually working toward ending the use of third-party cookies, a move they initially announced several years ago. In early January 2024 Google’s Chrome browser started disabling third-party cookies for about one percent of its global users, though the company has delayed the planned full rollout of this change.
Server-Side Tagging is another way that you can move beyond third-party data and address challenges from data privacy regulations and ever-evolving web technologies. Usercentrics offers a Server-Side Tagging solution that integrates with Google services and Google Consent Mode, helping you to future-proof your digital marketing strategy.
Conclusions and next steps for advertisers
Google’s March 2024 deadline for advertisers in the EU/EEA and UK is almost here. Fortunately, implementing Usercentrics CMP with Google Consent Mode integrated for websites and apps is fast and easy, and it will equip you with the right foundation to protect your digital performance in 2024 and beyond.
Artificial intelligence (AI) is at the forefront of the world’s technology evolution and influencing the transformation of the data protection and user privacy landscape. But the application of AI in various industries has also raised important questions about consent and what it means in the context of organizations’ ever-growing need for data, and in increasing applications of AI.
In this article, we delve into the nuances of President Biden’s Executive Order on safer AI and the European Data Protection Supervisor’s (EDPS) General Privacy Agreement (GPA) resolution on generative AI, comparing these two landmark initiatives and their impact on data privacy.
Understanding artificial intelligence
Artificial Intelligence, commonly referred to as AI, is a branch of computer science that simulates human intelligence in machines. These machines are programmed to think like humans and mimic their digital actions and thus be capable of learning, reasoning, problem-solving, perception, and understanding natural language.
AI has immense potential across various industries, from healthcare and education to transportation and entertainment. It can enhance operational efficiency, boost productivity, and drive innovation. AI is steadily becoming an integral part of our everyday life, transforming the way we work, live, and interact.
The intersection of AI and data privacy
While AI promises numerous benefits, it also poses significant challenges, particularly in the realm of data privacy. AI systems typically rely on vast amounts of training data to learn and make decisions. To date, much of this data has been found to have been accessed and used without the consent of those who created or published it, raising critical questions about user privacy and data protection.
The need for consent management in AI
Consent management is crucial in AI as it enables obtaining and managing user consent for data processing, like in training data sets. Given the scale and complexity of data processed by AI systems, consent management plays a pivotal role in ensuring that user data is handled responsibly and ethically.
Consent management solutions, including privacy policies, also help ensure that users who become data subjects are adequately informed about what data of theirs is to be used if they consent, for what purposes, who will have access to it, and other details required by many global data privacy laws.
President Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence
In October 2023, President Biden issued an Executive Order aimed at fostering the safe, secure, and reliable development and use of AI in the United States. This initiative emphasizes the crucial role of federal agencies in setting standards, issuing guidance, and monitoring AI use to safeguard business and societal interests.
Although the Executive Order doesn’t directly regulate the private sector, it influences business processes by setting expectations through federal contracts and standards set by agencies like the National Institute of Standards and Technology (NIST). Therefore, the impact of the Executive Order is likely to be significant and far-reaching.
The European Union and United States have adopted a new Data Privacy Framework (DPF) to govern data privacy and international data transfers.
The European Data Protection Supervisor’s (EDPS) General Privacy Agreement (GPA) Resolution on Generative AI
The GPA resolution on generative AI issued by the EDPS aims to uphold data protection principles in the context of AI. It provides comprehensive guidelines for managing risks associated with AI, ensuring that AI technologies are developed and used in a manner that respects user privacy and data protection and does not violate human rights law in any way that is unfair, unethical or discriminatory.
The GPA resolution is instrumental in shaping AI governance by promoting responsible innovation and ensuring the rights of individuals. It calls for a unified, safe, and reliable approach to AI, emphasizing the importance of transparency, accountability, and fairness. It also requires that AI be designed, developed and deployed in ways that are responsible and trustworthy, based on the principles of transparency, data protection, privacy, human control and democratic values.
Legal principles guiding AI development and systems
The resolution also mentions that legal principles are the core elements of consideration for the development, operation and deployment of AI systems. These principles are:
- Data processing must have a legal basis that is lawful in accordance with applicable regulation(s), even if the data is publicly available.
- Data processing in an AI system shall have a specific, explicit and legitimate purpose.
- Data minimization requires limiting the collection, sharing, aggregation, retention and further processing of personal data.
- Data processed must be accurate, reliable and representative.
- Adequate transparency measures must be implemented to ensure the openness of the generative AI tools.
- Reasonable and effective security measures must be implemented and maintained.
- Privacy by design and default requires developers, providers and deployers of AI systems to carefully assess the envisaged processing activities, risks they may pose for the data subjects, possible measures available to ensure compliance with data protection principles and the protection of individual rights.
- Data subjects must be informed of their rights and how to exercise them.
- Those building, running, or using output from AI systems shall be responsible for and must be able to demonstrate compliance with applicable national regulations and international agreements.
Comparing President Biden’s Executive Order and the EDPS’s GPA Resolution
Both President Biden’s Executive Order and the EDPS’s GPA resolution underscore the need for safe and responsible AI. They emphasize the importance of data protection, user privacy, and consent management, highlighting the role of regulatory authorities in ensuring ethical AI practices.
While both initiatives aim to promote responsible AI, they differ in their approach. President Biden’s Executive Order is more focused on setting guidelines and standards for AI development, while the GPA resolution emphasizes the implementation of data protection principles in AI.
Implications of new regulatory initiatives on AI data privacy
Advancements in data privacy
The initiatives by President Biden and the EDPS represent significant advancements in data privacy with regard to AI. They set clear guidelines and standards for AI development and deployment, promoting responsible innovation and safeguarding user privacy.
The role of consent management platforms (CMPs) in AI initiatives
In the context of AI, consent management platforms play a critical role in helping to ensure data privacy. These platforms help manage user consent for data processing, enabling compliance with data protection regulations and fostering trust with users.
Looking ahead: The future of AI and data privacy
As AI continues to evolve, so does the landscape of data privacy. Future advancements in AI will necessitate further enhancements in data protection and user privacy measures, underscoring the importance of consent management.
Regulatory authorities will play an increasingly crucial role in shaping the future of AI and data privacy. Their guidance and regulations will be instrumental in ensuring that AI technologies are developed and used responsibly and ethically.
President Biden’s Executive Order and the EDPS GPA resolution mark significant milestones in the evolution of AI and data privacy. Both initiatives not only underscore the importance of data protection and user privacy in AI but also highlight the critical role of consent management in ensuring ethical AI practices. As we move forward, these initiatives will continue to shape the landscape of AI and data privacy, promoting responsible innovation and safeguarding user interests.
A number of new privacy regulations were passed in 2023, and some passed earlier came into effect. Even more will do so in 2024, or enforcement will begin. Possibly even more influential, regulatory requirements for large tech companies will have substantial data privacy trickle-down effects on third parties that rely on their platforms and services for audience, data and revenue.
AI will surely become more regulated, and the focus on it has also further heightened consumers’ awareness of access to and use of their data. Some changes that will be coming as a result of the aforementioned regulations and business requirements will also bring welcome improvements to the consumer landscape, with more transparency, competition, innovation and consumer choice.
Let’s look at some of what we can expect in data privacy in 2024.
2024 in data privacy regulations and business
A number of the laws passed in the US in 2023 will come into effect in 2024, substantially increasing the number of US states with data privacy regulations in place, with their associated requirements for businesses that process personal data.
There are several major data privacy regulations around the world that are expected to be finalized in 2024, bringing new protections to even more people, and adding additional protections in places like the European Union (EU).
Technologies that enable and enhance privacy (privacy-enhancing technologies or PETs) will also likely take center stage, and website data privacy policies will start to be seen as pillars for building user trust, promoting transparency, and aligning with corporate social responsibilities.
Once regulatory enforcement begins for new laws like the Digital Markets Act, we will likely see rapid and significant changes in the operations of big tech companies, and in smaller companies that rely on those platforms. Data privacy protections are poised to cover more of the world’s population than ever before. Will it be 75% of people by the end of the year, as Gartner has predicted?
Data privacy in the United States
Eight US states passed data privacy legislation in 2023, and laws in five of those states will come into effect in 2024:
- Montana Consumer Data Privacy Act (MTCDPA)
- Florida Digital Bill of Rights (FDBR)
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Delaware Personal Data Privacy Act (DPDPA)
14 of the 50 US states now have data privacy regulations in place, though in 2023 40 states tabled privacy legislation, many not for the first time. Expect to see even more data privacy laws make it to governors’ desks in 2024.
Progress remains slow to stalled on federal data privacy legislation in the US. However, developments like generative AI and its uses are getting a lot of attention and scrutiny, including on the data privacy front, so it’s possible peripheral topics like that may provide stronger motivation for a broader federal data privacy law in the US.
Data privacy in Canada
Bill C-27 sets out the Digital Charter Implementation Act, 2022, which would bring a new framework for governing personal information access and use in the private sector. The bill is currently before committee and could be passed in 2024. It would bring the Consumer Privacy Protection Act (CPPA) into effect and replace the PIPEDA regulation, which is over 20 years old.
The Digital Charter Implementation Act would also include the Personal Information and Data Protection Tribunal Act, which would set up an administrative tribunal to review some decisions from Canada’s Privacy Commissioner, and impose penalties for CPPA violations.
The Act would also help to address the expansion of AI influence and applications with the Artificial Intelligence and Data Act (AIDA), which would help to regulate trade and commerce in AI systems using a risk-based approach. Any new AI regulations or frameworks would need to have a focus on data privacy, especially for consumers.
Data privacy in Australia
Federally, Australia has had the Privacy Act since 1988 (with additional state and territory laws). An overhaul has been expected for some time, though it was most recently amended in 2022. The Privacy Act Review Report with 116 recommendations was released in February 2023, and some high profile data breaches in recent years will likely add more pressure to enhance data privacy and protections for the country’s citizens. Look for greater change in 2024.
ePrivacy Regulation in the EU
In the European Union, the ePrivacy Directive (ePD) has been in place since 2018, as long as the General Data Protection Regulation (GDPR). But the ePrivacy Regulation (ePR), which would repeal the ePD, has lagged. The EU has since passed other laws with data privacy elements in recent years, including the Digital Markets Act, and the AI Act is likely to be passed in early 2024.
The ePR would establish, among other things, clearer rules on cookie usage, and regulate newer electronic communications services not covered by the ePD, like WhatsApp or Facebook Messenger. However, with a 24-month transition period, if finalized in 2024, it wouldn’t be fully in effect until 2026.
Regulation of artificial intelligence (AI)
The European Union’s AI Act, the first of its kind, is expected to be finalized in early 2024. In addition to providing new rules, guidelines, and prohibitions about the development and application of AI in the EU, it’s likely to have significant influence on similar laws in other countries, just as the GDPR did when it came into effect.
US President Biden also signed an executive order on safer AI in October 2023, which will also influence further developments in the space.
Digital Services Act Package
We covered the Digital Services Act Package and its two laws, the Digital Services Act (DSA) and Digital Markets Act (DMA) in our 2023 recap. Some requirements with the laws were in place in 2023, but enforcement will begin in early 2024.
These laws require compliance from designated big tech companies, and will mean they also need to put compliance pressure on third-party customers and partners, which could have a much greater effect on privacy compliance, especially for smaller organizations (particularly in the EU), than regulations like the GDPR have to date. One example is Google’s requirement to use a certified consent management platform supporting the TCF 2.2 and Consent Mode.
Watch for substantial changes beginning in 2024 that will affect consumers’ options and affect business operations and competitiveness in digital markets, including the adoption of consent management platforms (CMP) to enable privacy compliance and consent signaling.
The future of “pay or ok”?
With ongoing data privacy challenges in the EU, and in response to the Digital Markets Act (DMA) under which it’s been designated as a “gatekeeper”, Facebook and Instagram parent company Meta announced plans for a new subscription model for users to access Facebook and Instagram, nicknamed “pay or ok”.
In the EU, EEA and Switzerland, Facebook and Instagram users would be able to sign up for a paid monthly subscription to these platforms where they won’t receive advertising. Users who choose not to pay will be shown ads, and their personal data will be collected and used, e.g. for ad personalization.
However, in late 2023 multiple groups, including the European Consumer Organisation (BEUC), filed a complaint against Meta over the proposed subscription offering, arguing it was unfair and another attempt to circumvent EU laws. Look for this case to evolve in 2024 and to be watched closely by other big tech companies.
Conclusions and how to embrace data privacy
Probably the best keyword for what to expect in data privacy in 2024 is: acceleration. So much was begun in 2023 that will continue to roll out or will influence new legislation, business requirements, technology and consumer expectations.
Data privacy is becoming critical to doing business and protecting both brand reputation and revenue. Companies are waking up not only to the risks of noncompliance but also to the opportunities of protecting data and respecting user privacy. Expect data privacy in the mobile space, for example, to continue to heat up in 2024.
In some regions, businesses are finding it necessary to comply with multiple regulations, which is challenging, especially for SMEs that have limited resources. But this is the new normal, and isn’t as scary as it may seem. Usercentrics is here to help, and our solutions are designed to be user-friendly, reliable, and especially to scale as your company grows, your tech stack changes, and as regulations evolve.
Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.
Data privacy definitely ramped up globally in 2023. More regulations were passed, and consumers continued to become more savvy and concerned about access to and use of their personal data. The app industry started to take notice and realize that privacy compliance wasn’t an onerous legal requirement, but a potentially massive revenue opportunity.
Perhaps most of note, however, is that impetus to achieve privacy compliance has started to shift and a greater push is coming not from governments, but from businesses. Laws like the Digital Markets Act (DMA) will affect big tech companies like Alphabet, Facebook and Amazon.
Millions of businesses use those companies’ platforms and services to sell products, collect user data, advertise, and more. If the big tech companies are required to comply with DMA obligations, they will require third parties that rely on them for reach and revenue to comply as well. This hits a lot closer to home than, for example, headlines about “The Biggest GDPR Fine Ever!”
AI has also been an ever-present topic in 2023, with reactions running the full gamut from giddy excitement to alarmist. It’s been good to see that people seem to be aware of and talking about the data privacy issues of AI training, particularly, and laws to regulate AI development and use are already in the works. The EU should have their AI Act finalized in early 2024.
Let’s have a look at what was new and in the news in data privacy in 2023.
2023 in data privacy regulations and business
This year several long-awaited data privacy regulations came into effect, and many were passed that will come into force in the coming years. 2024 looks to become an even bigger year for regulation and enforcement, accompanied by increasing B2B expectations of businesses for their partners and customers.
Laws targeting big tech also got a lot of attention, and it will be very interesting to see how that plays out in the market and their effects on competition and innovation. Regulation of AI, which also brings significant data privacy concerns, will also continue to grow.
Let’s look at where new privacy laws were passed in 2023.
Data privacy in the United States
The United States passed more data privacy laws than any other country in 2023, but that’s because they are still passed state by state. To date the country still doesn’t have a federal-level data privacy law. 14 states of 50 (there’s also the District of Columbia, Puerto Rico, etc.) have now passed data privacy legislation.
California is the only state with two active laws, the California Consumer Privacy Act (CCPA) having come into effect in 2020 and the California Privacy Rights Act (CPRA) having come into effect in 2023.
40 US states introduced privacy legislation in 2023. In many cases these were repeat attempts. Eight states actually passed new data privacy laws, which their respective governors signed into law:
- Iowa Consumer Data Protection Act (ICDPA)
- Indiana Consumer Protection Act (Indiana CDPA)
- Tennessee Information Protection Act (TIPA)
- Montana Consumer Data Privacy Act (MTCDPA)
- Florida Digital Bill of Rights (FDBR)*
- Texas Data Privacy and Security Act (TDPSA)
- Oregon Consumer Privacy Act (OCPA)
- Delaware Personal Data Privacy Act (DPDPA)
The laws in Montana, Florida, Texas, Oregon and Delaware come into effect in 2024. Iowa and Tennessee’s laws come into effect in 2025, and Indiana’s doesn’t come into effect until 2026.
*Florida is not always listed among states that passed “comprehensive data privacy laws”, as there are fairly significant restrictions to organizations it affects. It’s also called a “Digital Bill of Rights” and not a “Privacy Act”. For example, only companies with a billion dollars or more in revenue have to comply, and it targets companies operating app stores or digital platforms.
All of the US states that have enacted privacy laws to date have used an opt out consent model, which means that in most cases, users’ data can be collected without having to obtain their consent. This differs from the opt in or “prior consent” model used in many of the world’s data privacy laws.
Data privacy in Canada
Canada has not updated their federal data privacy law recently, as Bill C-11, which would have become the Consumer Privacy Protection Act, did not pass in 2021. PIPEDA, which is over 20 years old, remains in effect. In the province of Québec, however, the majority of the provisions of Law 25, which was passed in 2021, came into effect in September 2023. The law brings a variety of data privacy and protection requirements for organizations. A number of its provisions resemble privacy laws in Europe more than those in the US.
Data privacy in Switzerland
Switzerland already had a data privacy law, but it was 30 years old, so the Swiss Federal Data Protection Act (FADP), which came into effect in September, is a much needed update. The FADP has some differences from the General Data Protection Regulation (GDPR). For example, consent or a legal basis is required in fewer instances. But the two laws largely align, as a major goal of the FADP is enabling the flow of business between Switzerland and the European Union, as Switzerland is not a member of the EU.
Data privacy in Saudi Arabia
The Saudi Arabia Personal Data Protection Law (PDPL) came into force after an amendment in September 2023. Compliance enforcement will begin in September 2024. The PDPL follows a prior consent model, and organizations that have achieved GDPR compliance will have done most of the work necessary to comply with the Saudi law.
Data privacy in India
India enacted the Digital Personal Data Protection Act (DPDP Act) in August 2023, replacing relevant provisions from existing laws from 2000, 2008 and 2011. The DPDP Act generally follows laws like the EU’s GDPR, and requires prior user consent for data collection in many cases, though “legitimate use” exceptions can be invoked.
EU-U.S. Data Privacy Framework
After being without an adequacy agreement since 2020, the EU and US came to agreement on the EU-U.S. Data Privacy Framework in July. This framework helps to ensure data protection with international data transfers between the two regions. It brings seven core principles:
- Notice: informing data subjects
- Choice: choices for data subjects about processing their data (or declining)
- Accountability for onward transfers: required compliance with certain terms if data is transferred to a third party
- Security: reasonable protection measures
- Data integrity and purpose limitation: personal data must be kept accurate and can only be used for stated purposes and with consent
- Access: data subjects must have access to their data and be able to have it corrected and deleted (with some exceptions)
- Recourse, enforcement and liability: participating companies must implement robust recourse mechanisms for requests and complaints
Digital Services Act Package
The European Commission enacted the Digital Services Act (DSA) and Digital Markets Act (DMA), with some designations and provisions coming into effect in 2023, and more to come in 2024.
Digital Services Act (DSA)
The Digital Services Act (DSA) targets a wide array of digital intermediary services, particularly designated very large online platforms (VLOPs) and very large online search engines (VLOSEs) with 45 million or more monthly active users in the EU. The law imposes a number of strict requirements to address societal risks associated with the operation of these platforms. The Act aims to create safer digital spaces and protect users’ rights. It also assigns new responsibilities to VLOPs and VLOSEs for content published and protection and respect for user data.
Digital Markets Act (DMA)
The Digital Markets Act (DMA) primarily focuses on fostering a fair and competitive digital market in the EU, “leveling the playing field” so to speak. It includes provisions to enable smaller companies to better compete against dominant tech players, which it designates as “gatekeepers”: Alphabet, Amazon, Apple, Bytedance, Meta and Microsoft.
The law requires more openness and transparency from the gatekeepers, giving smaller players access to more data about audiences and algorithms. Data portability requirements will also benefit consumers and be one of the changes that may help spur competition and innovation.
The DMA also introduces additional data privacy requirements. Some gatekeepers have already begun passing down privacy compliance requirements to third parties that use their platforms and services, e.g. Google requiring implementation of a certified consent management platform supporting the TCF 2.2 and Consent Mode.
Google’s certified CMP requirements
In 2023 Google initiated changes and made several announcements that will have significant effects on its customers’ operations. Beginning in January 2024, publishers and developers using Google AdSense, Ad Manager or AdMob must use a Consent Management Platform (CMP) partner that’s Google-certified and integrates with the Interactive Advertising Bureau’s (IAB) Transparency and Consent Framework (TCF).
This is required if they want to continue serving ads to users in the European Union (EU), European Economic Area (EEA) and/or the United Kingdom (UK). Usercentrics CMP is Google-certified and integrates the TCF 2.2 as well as Consent Mode v2.
Conclusions and what’s to come in 2024
A number of the laws passed in 2023 will come into effect in 2024, or enforcement will begin. This will no doubt cause a privacy compliance scramble for some organizations. Other companies will continue to evolve their data privacy strategies and solutions to maintain compliance as their tech stacks change and their businesses grow.
Several countries have been working toward updating or passing data privacy legislation, and it is likely that will conclude in 2024, in Australia, for example. It’s increasingly likely the ePrivacy Regulation will come into force next year as well in the EU. The United States gained momentum with state-level privacy laws this year, which we expect to continue, especially as more states table updated legislation.
The EU’s AI Act should be finalized by January 2024, and will be the first of its kind, likely to have significant influence on future similar regulations, much as the GDPR has had since coming into effect in 2018.
Business-centered laws like the Digital Services Act and especially the Digital Markets Act are expected to catalyze significant changes in European digital markets, which may well have strong global ripple effects on data privacy, but also in transparency, competition and innovation.
With the arrival of data protection regulations like the European General Data Protection Regulation (GDPR), and more recently the Digital Markets Act (DMA), there continues to be a heightened focus on user privacy and consent. We’ve even heard that “data privacy is the hottest industry of the next decade”.
In this context, Google’s Additional Consent has emerged as a key tool for managing consent for Google’s ad tech providers. In this guide, we’ll dive deep into what Google’s Additional Consent is, why it’s important, and how solutions like Usercentrics CMP and Cookiebot CMP can help you navigate ever-changing requirements effectively.
What is Google’s Additional Consent?
Google’s Additional Consent is a technical specification designed to enable publishers to collect and signal additional consent for ad tech providers that are not part of the IAB Europe’s Transparency & Consent Framework (TCF) v2.2, but are listed on Google’s Ad Tech Providers (ATPs) list. This specification is crucial for publishers that want to work with ad tech providers not using the TCF.
It’s important to note that Google’s Additional Consent doesn’t replace the standard IAB TCF v2.2 consent collection process, but supplements it, enabling an extra layer of consent collection for Google ATPs.
Why is Google’s Additional Consent important?
Google’s Additional Consent has significant implications for publishers. Firstly, it presents an opportunity to collect consent from a broader range of ad tech providers, potentially leading to increased ad revenue. Secondly, it helps enable compliance with Google’s EU User Consent Policy, a necessary condition for publishers using Google’s ad products.
When consent for ad personalization is not obtained, Google defaults to serving non-personalized ads or no ads at all to EU users. This can seriously impact your ad revenue. By implementing Google’s Additional Consent, you can continue serving personalized ads to your users and preserve your ad revenue stream.
Understanding the key components of Google’s Additional Consent
Google’s Additional Consent introduces the concept of the “Additional Consent” (AC) string. This string consists of several parts, including a specification version number, a list of consented Google ATP IDs, and a list of disclosed Google ATP IDs.
The AC string is significant because it stores the consent information for Google ATPs. It’s created by an IAB Europe TCF-registered Consent Management Platform (CMP) like Usercentrics’ and is intended to supplement the standard TCF Transparency & Consent String (TC string).
The AC string plays a crucial role in informing Google and its ATPs about the user’s consent preferences, enabling the delivery of personalized ads in compliance with the user’s choices and regulatory requirements.
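The structure described above can be checked in code before a consent decision is acted on. The following parser is an added example, not code from Google, Usercentrics or Cookiebot. It assumes the delimiter layout from Google's published Additional Consent specification, which this page does not spell out (`version~id.id.id` for version 1, with a trailing `~dv.id.id.id` disclosed list in version 2); the function names and sample strings are constructed for illustration.

```javascript
// Added example: strict parser for the Additional Consent (AC) string.
// Assumed layout (from Google's published spec, not from this page):
//   version 1: "<version>~<consented ids, dot-separated>"
//   version 2: "<version>~<consented ids>~dv.<disclosed ids>"

// Parse one dot-separated list of Google ATP IDs into unique positive integers.
function parseIdList(segment, label) {
  if (segment === "") return []; // an empty list is valid
  const ids = [];
  const seen = new Set();
  for (const token of segment.split(".")) {
    // Reject signs, spaces, leading zeros, empty tokens and non-digits.
    if (!/^[1-9][0-9]*$/.test(token)) {
      throw new Error(`${label}: invalid ATP ID "${token}"`);
    }
    const id = Number(token);
    if (!Number.isSafeInteger(id)) {
      throw new Error(`${label}: ATP ID out of range "${token}"`);
    }
    if (!seen.has(id)) {
      seen.add(id);
      ids.push(id);
    }
  }
  return ids;
}

// Parse an AC string into { version, consented, disclosed }.
// Throws on anything that does not match the assumed layout.
function parseAcString(acString) {
  if (typeof acString !== "string" || acString.length === 0) {
    throw new Error("AC string is missing or empty");
  }
  const parts = acString.split("~");
  if (!/^[0-9]+$/.test(parts[0])) {
    throw new Error("AC string has no numeric version prefix");
  }
  const version = Number(parts[0]);

  if (version === 1) {
    if (parts.length !== 2) throw new Error("version 1 expects exactly one '~'");
    return { version, consented: parseIdList(parts[1], "consented"), disclosed: [] };
  }
  if (version === 2) {
    if (parts.length !== 3) throw new Error("version 2 expects exactly two '~'");
    if (!parts[2].startsWith("dv.")) {
      throw new Error("version 2 disclosed list must start with 'dv.'");
    }
    return {
      version,
      consented: parseIdList(parts[1], "consented"),
      disclosed: parseIdList(parts[2].slice(3), "disclosed"),
    };
  }
  throw new Error(`unsupported AC string version ${version}`);
}

// Consent check that fails closed: a malformed or unsupported string
// is treated as "no consent" rather than being partially trusted.
function isAtpConsented(acString, atpId) {
  try {
    return parseAcString(acString).consented.includes(atpId);
  } catch {
    return false;
  }
}

// Constructed sample values, for illustration only.
const sampleV2 = "2~1.35.41.101~dv.9.21.81";
const parsedSample = parseAcString(sampleV2);
console.log(parsedSample.consented, parsedSample.disclosed);
console.log(isAtpConsented(sampleV2, 35), isAtpConsented(sampleV2, 9));
```

Treating a disclosed-only ID or an unparseable string as unconsented keeps a truncated or tampered value from being read as permission to process data.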
Changes in Additional Consent
Google announced that starting from December 6, 2023, it supports the Additional Consent specification. This update includes changes to the AC string to support vendors disclosed in the CMP and modifications to the CMP API for interoperability.
The transition to Additional Consent underscores Google’s ongoing commitment to transparency and user privacy. It also signals the evolving complexity of consent management, further emphasizing the need for robust consent management platforms.
Role of consent management platforms (CMPs)
A consent management platform (CMP) plays a critical role in managing user consent across your digital properties. It enables you to collect, manage and document user consent in compliance with global privacy regulations.
In the context of Google’s Additional Consent, a CMP plays a significant role in creating the AC string. This task can only be done by an IAB Europe TCF-registered CMP, ensuring that the process aligns with industry standards and best practices.
Usercentrics CMP and Cookiebot CMP: Your allies in consent management
Usercentrics CMP and Cookiebot CMP are TCF-registered. Both are on Google’s list of certified CMPs that successfully integrate with the standard IAB Europe TCF v2.2 and support Google Additional Consent.
This makes them particularly valuable for publishers looking to navigate the complexities of consent management, particularly in the EU.
Usercentrics CMP and Cookiebot CMP help you manage user consent on your websites and apps. They enable compliance with global privacy regulations, facilitate high consent rates, and help build trust with your customers.
Usercentrics CMP and Cookiebot CMP’s support for Google’s Additional Consent means they can assist you in collecting and signaling additional consent for Google ATPs. This empowers you to display ads from a wider range of ad tech providers, potentially boosting your ad revenue.
Embracing Google’s Additional Consent with Usercentrics CMP and Cookiebot CMP
In conclusion, Google’s Additional Consent is an essential tool for publishers in the era of stringent data privacy regulations. It enables you to collect additional consent for Google’s ATPs, helping ensure compliance with Google’s EU User Consent Policy and potentially increasing your ad revenue.
Leveraging certified consent management platforms like Usercentrics CMP and Cookiebot CMP can greatly simplify your journey in implementing Google’s Additional Consent. Our comprehensive consent management capabilities, coupled with the support for Google’s Additional Consent, make our CMPs invaluable assets for any publisher looking to master consent management in today’s digital landscape.
Remember, opting for a comprehensive consent solution isn’t just about privacy compliance or ad revenue, it’s about respecting user privacy and building trust with your audience. In the long run, these are the factors that truly contribute to a sustainable and successful digital publishing business.