Google offers numerous services to help developers and businesses enhance their online presence. For example, AdSense and Analytics make getting exposure much easier by helping you see how users interact with your website and where most of your traffic comes from.
However, using these services can raise issues when it comes to staying compliant with international law.
To help developers and businesses stay compliant while using Google services, Google enacted its EU User Consent Policy. This short, streamlined policy is based on the EU Cookies Directive ("Directive").
This article will break down how Google's EU User Consent Policy came to be, how to comply with it, and how to handle non-compliance notices you might receive from Google.
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookies management to comply with GDPR & CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tables and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
-
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
-
At Step 2, add in information about your business.
-
At Step 3, select a plan for the Cookie Consent.
-
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copy-paste the installation code in the
<head>
</head>
section of your website. Instructions how to add in the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
The EU Cookies Directive
The Directive came into effect in May 2011. It was adopted by all EU member states as part of an amendment to the e-Privacy Directive.
The Directive applies to:
- All businesses headquartered in an EU member state, and
- Foreign businesses that are aimed towards EU users
In general, the Directive requires that websites inform visitors:
- If cookies are in use,
- How cookies are used, and
- How visitors can consent to their usage
This places a cookies notice requirement on the websites that fall under the Directive. Banner notices are the most popular means of giving notice while also securing user consent to use cookies.
Here's an example of a standard type of website cookie notice:
Sometimes a notice will not allow users to continue using the website unless they give consent to allow the use of cookies.
Lenovo Netherlands used to have such a method of consent. It offered links to additional information and required consent before users could explore the website:
Note: Notice and consent are not required if the cookie is needed for transmitting communications or making the website operate. These include authentication cookies, cookies needed for multimedia content, and user input cookies that helps users fill forms or add items to a shopping cart.
Once the Directive passed, Google's EU User Consent Policy soon followed. While it demands slightly more from Google services users in some ways, it is closely linked to the Directive.
This means that if you already satisfy the requirements of the EU Cookies Directive, you'll likely satisfy the requirements by Google.
Requirements of Google's EU User Consent Policy
Google's EU User Consent Policy exists to help users of Google services comply with the Directive. Its content is as follows:
Generally, it has two requirements.
First, websites and apps that are accessible to end users in the EU, EEA, the UK and Switzerland must disclose any data collection, sharing and usage that results from the use of Google products, and obtain consent for that activity to continue.
This includes personalization of ads, tracking website usage, and even counting the number of visits on a website.
Second, if the website uses Google products and cookies, the developer must disclose that fact. It must also obtain consent to use cookies and offer end users the ability to remove cookies if they desire.
Both of these provisions are related to the Directive. While the disclosure regarding Google products is not directly required, it is still a good precaution for those developers with end users in the relevant regions. The second provision that mentions cookies is directly connected to the Directive.
All Google products directed to citizens of the EU, EEA, Switzerland and the UK fall under the Policy. However, Adsense, Analytics Advertising, and Analytics for Firebase are most likely to invoke it and the Directive.
Adsense places targeted ads on its users' websites. To be sure that it places the most effective ad for each end user, it uses cookies.
Analytics Advertising is the same way. This program records page visits to help users find trends. Its Policy requirements includes a link to the EU User Consent Policy:
Analytics for Firebase, which performs the same function as Analytics for Advertising, takes the same approach:
If you use any of these three services, you must comply with the Policy. Fortunately, there are many resources to help you accomplish that.
Complying with Google's EU User Consent Policy
As mentioned above, if you have end users located in the EU, EEA, Switzerland or the UK, or you run a company headquartered in any of these areas, you need to pay extra attention to how you disclose your use of cookies.
Google places additional requirements on you if you use its products. You must also provide the same notice and obtain consent for Adsense or Analytics services.
Google breaks down its requirements into two types of properties:
First, the properties under your control requirements involve any site or app that is under your control or that of your affiliate partner.
If you use Google products such as Analytics on a property that's under your control, you need to do the following:
- Clearly identify every and any party that may collect, receive or use the end users' personal data through the Google product
- Let users know how each party will use the personal data
- Obtain consent to use cookies
- Obtain consent for collecting, sharing and using personal data for personalized ads
- Keep records of consent you obtain
- Instruct users how they may revoke consent
Second, the properties under a third party's control requirements apply when your use of a Google product results in end-user personal data collected by a third party being shared with Google.
In these cases, Google requires that you use "commercially reasonable efforts" to make sure the third party is complying with this policy.
Notice and Consent
A good way to provide notice and obtain consent is to add a cookie consent function to your website or app.
This can be a banner announcement or a pop-up window that notifies users before they go to a section of your website affected by Google services.
Here's an example:
Note the Individual Settings button that lets users adjust their cookie settings directly from the notice. Users are also provided with a link to the Privacy Policy where they can get more details, and consent is obtained with a clearly labeled "Accept all cookies and tools" button. Users can also choose to only accept necessary cookies.
Banner announcements are an effective, common and acceptable method of complying with the EU Cookie Directive. However, you may need to take additional steps to comply with the Policy.
In November 2023, Google released Consent Mode V2, a new way for businesses to communicate EEA and UK users' consent choices regarding the use of their personal data for advertising purposes to Google.
To comply with the new requirement, you'll need to implement Consent Mode V2 by March 2024. We've updated our Free Cookie Consent to work with Google Consent Mode V2.
Here's how you can integrate our Free Cookie Consent with the new Consent Mode V2:
-
Create the gtag function with the default consent states as denied:
-
Load the Google Analytics/Tag Manager script:
-
Communicate user consent status using Cookie Consent callbacks:
These instructions can be found on our Cookie Consent & Google Consent Mode V2 page. We also have a video walkthrough on how to integrate a cookie notice banner with Consent Mode V2.
Most banner announcements and consent messages contain a link to "See details," "Learn More," or some other sort of additional information. Here's where you can provide more information on cookies including what they are, how they function, and how a user can remove them later.
For example, you can link your Cookie Policy or Privacy Policy with a cookies clause in it to this "See details" link.
Providing this information depends on your product and company practices. The more you use Google services and cookies, the more information you may wish to offer consumers.
Google provides products to help its clients track data and use cookies. It also uses many of them itself.
Because of this, Google offers a "See details" link in its own banner notification:
If you click "See details" it takes you to a page with more information and a video:
With the combination of the banner, requested consent, and this additional information linking to a Cookie Policy/Privacy Policy, there is no reason to assume a user will explore Google uninformed about cookies being used.
The video offers a thorough explanation and there are links to help users access ad settings, see a list of cookies used by Google, and review the Privacy Policy to see how Google uses data.
You will need to include information in your Privacy Policy or Cookie Policy that gives users more specific information about your use of cookies, including which ones you or any third parties are using and for what purpose.
Remind users that they can opt out and provide instructions for how they can do so.
Here's how HarperCollins UK details this information in a clause within its Cookie Policy. First, it has a clause addressing analytics cookies informing users of the specific cookie names, and links to how users can opt out of them being used:
It also has a section that addresses advertising cookies, with all the same types of information available:
Remember that you'll also need to keep records of the consent you obtain.
Flagged for Non Compliance with Google EU User Consent Policy
If you don't comply with the above requirements, you may receive an email like this one here, alerting you that your website/s has been flagged for non compliance with the EU User Consent Policy:
It reads:
Hello TermsFeed,
Thank you for reaching us out.
Your websites below are flagged for non compliance with EU User Consent Policy.
As per our EU User Consent Policy requirements you need to disclose all the third parties you work with including the Ad Tech Providers (ATPs).
We have done a manual check on domain (domain) and found that you have only disclosed 1 number of ATP in your consent notice while initially you agreed on working with 196 number of ATPs same findings apply to other 5 domains
As per Comply with EU user consent policy help article If you don’t make any changes, the commonly used set of ad technology providers (ATPs) will continue to be used. This help article also has steps to choose ATPs.
Please find the list of all detected and missing ATPs on your domains attached. If there is a reason why you have not declared any specific ATP kindly add a comment against each missing ATP and send us back the updated spreadsheet.
Also please note if you are using an IAB certified CMP then you wont be required to declare all the ATPs because any CMP vendor selections in your IAB TCF v2.0 registered CMP will override Ad Technology Provider selections in the EU User Consent Controls. Kindly refer to this help article for more details.
Once you have declared all the ATPs you work with in your consent notice, you can get back to us and we will initiate a re audit of these domains.
These types of emails can be received if you are in non compliance for:
- Not disclosing all of the Ad Tech Providers (ATPs) you work with, and/or
- Not obtaining consent before you use cookies
How to Remedy Your Non Compliance with Google's EU User Consent Policy
There are 3 things you can do in the event that you receive such an email:
- Update your Cookie Consent Notice and Cookie Policy to list all the ATPs you use. (Depending on what type of Cookie Consent Notice you use, you can either list all ATPs in your notice, or list them in your Cookies Policy and link your Policy to your Cookie Consent Notice.)
- Use an IAB-approved Consent Management Platform (CMP).
- Disable personalized ads in Google Analytics and other Google products your website uses. (Ads will still be displayed, just not personalized ads that rely on third party cookies.)
Summary
To comply with Google's EU User Consent Policy:
- Give notice that you use cookies to collect information from users,
- Obtain consent for this before you use cookies, and
- Link to more information about how/why you use cookies
This will keep you compliant with Google policies and the EU Cookies Directive, and will also keep your users informed.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.