
If you use Google tools such as advertising services on your website or app, you need to follow Google's EU User Consent Policy. It covers the information you must give to European users and the consent you must collect from them before using some types of cookies or personal data.
Here's what you need to know about Google's EU User Consent Policy and what you need to do to comply with it.
- 1. What is the EU User Consent Policy?
- 2. Why Does Google Have an EU User Consent Policy?
- 2.1. The General Data Protection Regulation (GDPR)
- 2.2. The ePrivacy Directive
- 3. What Does the EU User Consent Policy Require?
- 4. How Does the EU Consent Policy Work With Third Parties?
- 5. How Does Google Enforce the EU User Consent Policy?
- 6. What Steps Should I Take to Comply With the EU User Consent Policy?
- 7. Summary
What is the EU User Consent Policy?
Google's EU User Consent Policy is a set of rules laid down by Google for people who use its products and services on their site or app and serve users in Europe. Common examples include sites that use Google:
- To provide advertising through services such as AdSense
- To track site activity through tools such as Site Kit or Google Analytics
- To create a custom search tool for users to find information on their site
The rules cover using cookies and collecting personal data. We'll break them down in full later in this guide.
"European" in this context means any user in:
- The 27 European Union member countries
- The non-EU countries in the European Economic Area (Iceland, Liechtenstein & Norway)
- The United Kingdom
- Switzerland
Why Does Google Have an EU User Consent Policy?
Google has an EU User Consent Policy to make sure that sites using its services comply with the relevant European Union laws and regulations. The idea is to reduce any risk that Google is held responsible for people using its tools and services in an unlawful manner.
The following are some of the relevant laws and regulations.
The General Data Protection Regulation (GDPR)
The GDPR is a wide-ranging data privacy law. One of its key requirements is to only process personal data when a specific "lawful basis" applies. One of the most common is having user consent. The GDPR covers data collected through cookies when it can be combined with other data to identify an individual.
The ePrivacy Directive
This is formally titled the 2002 Directive on Privacy and Electronic Communications. Broadly, it says that you must have consent to issue cookies (and thus collect data) that are not classed as strictly necessary (e.g. to make the site work). The consent has to be active, so you can only issue the cookies on an opt-in basis.
Note that the law covers any cookies that are not essential to your site's operation and core services. For example, a cookie that stored data about items in a virtual shopping cart could count as essential. A cookie that tracked how many users you had in a particular town to help you decide where to run local marketing campaigns would not count as essential.
A tougher law known as the ePrivacy Regulation has been agreed in principle but there's no confirmed timetable for its introduction. It would require even more explicit consent and information provided to users about cookies. Google's EU User Consent Policy already covers some of the proposed measures.
What Does the EU User Consent Policy Require?
Google's EU User Consent Policy says you must make certain disclosures and get consent for particular cases of cookie and data use.
Although the policy is broadly based on compliance with European laws, it's not as simple as saying you must follow the law. Instead, you must specifically follow the measures of the policy.
For example, some cookie use may be lawful under the GDPR's "legitimate interest" grounds, but still fall under the requirements of the policy.
The policy requires action when three criteria all apply:
- You are using a Google product on a website, app or other online property,
- The site, app or property is controlled by you, your affiliate or your client, and
- An end user is based in the European Economic Area (EU members plus Iceland, Liechtenstein & Norway), the United Kingdom or Switzerland
The consent policy applies to end users in Switzerland even though Switzerland is not covered by the European laws.
The location of the website and its operator does not matter. Neither does it matter who any advertising is targeted at. All that matters is the end user's location.
If the three criteria all apply, you must get valid consent from end users in either of two situations:
- You want to collect, share or use their personal data to provide personalized ads.
- You want to use cookies, and a European law says you need consent.
If either of these two situations applies, then you must also:
- Keep a record of consent given by end users. This should include the date and time the user gave consent and the specific wording of the options you gave them for giving or withholding consent.
- Clearly tell end users how they can revoke (withdraw) the consent later on. This must be as easy as giving consent in the first place.
- Give users clear details of everyone who may collect, get or use personal data you’ve collected about them as a result of using a Google product.
Here's an excerpt of the Policy requirements:
How Does the EU Consent Policy Work With Third Parties?
Google's EU consent policy has a special rule for third-party properties, meaning a site or app that is not controlled by either you or your affiliate or client.
The rule comes into force if two criteria both apply:
- Your use of personal data about an end user of the third-party property means the data is shared with Google, and
- The third-party property doesn’t already use a Google product covered by the EU consent policy
When these criteria apply, you must use "commercially reasonable efforts" to make sure that the third-party property's operator complies with the EU consent policy.
This scenario is much more likely to occur if you provide online marketing or advertising services rather than simply publishing your own website or app.
How Does Google Enforce the EU User Consent Policy?
Google says it makes regular checks of websites and apps that use its advertising tools. It visits the site or app "as a user would visit it." If Google finds any breaches of the policy, it will contact the site operator, tell them about the breach, and give them a "reasonable time frame" to make necessary changes.
If the site operator refuses to do so, Google may restrict the use of its advertising services. For example, it might only let the site carry generic advertising that isn't personalized to the user. This could significantly reduce the likelihood of users clicking on the ads and thus reduce the site's revenue.
What Steps Should I Take to Comply With the EU User Consent Policy?
You should do the following to be sure you comply fully:
- Identify the location of end users and check whether they come under the consent policy.
- Use a cookie banner or similar measure to make sure you do not issue non-essential cookies or collect personal data for advertising unless and until the end user has given clear consent.
- Keep a record of the consent.
To comply with the policy, make sure your cookie banner includes:
- A clear explanation of the different types of cookies you issue.
- A clear explanation that users have the right to give or withhold consent (or to withdraw it later) for non-essential cookies.
- Details of, or a link to, a Privacy Policy that includes your use of personal data for advertising and any third parties who may get the data.
As you'd expect, Google's own cookie banner (which appears the first time a user in Europe visits its search page) incorporates all these elements:
The Swiss National Bank uses a two-screen approach. Visitors to the site see a cookie banner which outlines the use of cookies and has a clear, unambiguous way to signal consent:
Clicking on "Manage Settings" gives more detail and options for giving or withholding consent, plus a link to the full Privacy Policy:
FC Bayern uses a concise but detailed cookie banner that offers a range of consent options while making it explicit to the user that the "Accept All Cookies" button consents to the use of cookies:
Summary
Google has an EU User Consent Policy that applies when your end user is in any of 32 European countries. If you issue non-essential cookies to such users, or use their personal data for advertising, you must:
- Get consent to issue the cookies if a European law requires it.
- Get consent to use the personal data for advertising (whether or not a European law requires this).
- Keep a record of the consent.
- Tell users how to revoke the consent.
- Tell users about any third parties who will receive the data.
A cookie banner will help you comply with the rules, as will details of, or a link to, a Privacy Policy.