Google Ads offers a series of tools to target your ads to people who've seen and engaged with your website or app before, or who share characteristics with those people. If you use these tools, Google's rules require additional information in your Privacy Policy to let users know what you are doing. These rules also work alongside a variety of national and international laws that cover Privacy Policies.

We'll show you what your Privacy Policy needs so that your use of Google Ads Remarketing is compliant.

Google's rules refer to the "remarketing, re-engagement or similar Audiences feature", though this term covers several approaches. Each is based on the idea that ads may be more effective when targeted at people who've previously shown an interest in you.

These approaches also let you reword your ads to directly address this interest, as well as reduce the likelihood of a user seeing the same ad repeated.

Remarketing ads are those shown to people who've already interacted with your website or app. This could be generic ads to cover all such people or dynamic ads that directly refer to the detail of the interaction. For example, you could show an ad for a product that the user has previously viewed on your site.

Re-engagement isn't a separate feature. Instead it's a term that usually refers to a form of remarketing ad that's shown to people who interacted with your site in a specific way.

Similar Audiences is an automated feature where you provide a marketing list to Google Ads covering people who've interacted with your site in a specific way such as signing up to a newsletter or buying a particular product. Google then identifies common features and behavior among people on that list. It will then show your ad to other online users who share those features or behavior.

What Does This Mean For Your Privacy Policy?

Remember that Google makes it mandatory to have a Privacy Policy if you use any Google ad service. The AdSense Program Policies state:

"You must disclose clearly any data collection, sharing and usage that takes place on any site, app or other property as a consequence of your use of any Google advertising service."

Google AdSense Program Policies: Privacy clause

If you use any of the Remarketing, re-engagement or Similar Audiences tools, you'll need to add four specific pieces of information to your Privacy Policy according to Google. These include:

  • A description of how you use remarketing to advertise online
  • A message about how third-party vendors (including Google) show your ads across the internet
  • A message about how third-party vendors (including Google) use cookies to serve ads based on past visits to your website
  • Information about how users can opt out of this

Here it is from Google's Help Center:

Google Ads Help Center - Manage Ads: Remarketing Privacy Policy requirements list

Let's look at each one.

(Note that if you develop Chrome Apps or Extensions, you'll also need to have a Privacy Policy. Learn more about that in our article "Privacy Policies for Chrome Apps and Extensions.")

How You Use Remarketing to Advertise

You must include an "appropriate" description to cover how you use the relevant tool (Remarketing or Similar Audiences):

"An appropriate description of how you're using remarketing or similar audiences to advertise online."

This can be concise, but must address two key points:

  • What is happening, namely that they are seeing specifically chosen ads, and
  • Why the user will see these specific ads. (For example, because they've interacted with the site or because they share similar characteristics with such people.)

This example from MHG Design covers these points:

MHG Design Privacy Policy: Behavioural Remarketing clause

How Google and Third-Party Vendors Show Your Ads Online

You must include an explanation of the way that Google and other third-party vendors show your ads on "sites across the Internet." In other words, on sites that neither you nor Google control.

"A message about how third-party vendors, including Google, show your ads on sites across the Internet."

Again, be concise, but make sure you cover the key point: although it's you that's targeting the ads to people who used your site or app, those ads could appear on other websites that you don't operate.

Note that Google's rules mean that if you use Google advertising, your Privacy Policy must also cover third-party vendors that deliver ads to the user, even though those ads aren't related to Google.

This example from Farmdrop includes this point as part of a wider note on targeted ads:

Farmdrop Privacy Policy: Interest-Based Advertising clause

How Google and Third-Party Vendors Use Cookies to Show Your Ads Online

You must explain that Google and other third-party vendors use cookies to deliver the ads that you've created using Remarketing and Similar Audiences tools.

"A message about how third-party vendors, including Google, use cookies and/or device identifiers to serve ads based on someone's past visits to your website or use of your app."

The key point is that even though the ads result from the user's activity on your site or app, the cookies come from Google or another vendor rather than you. This is important as it reduces the risk that the user incorrectly assumes they can limit such ads just by blocking cookies relating to your website.

This example from Drenge covers this point in detail:

Drenge Cookies Policy: Google Dynamic Remarketing clause

How Users Can Opt-Out of Google's Cookies

You must detail the key ways in which users can opt out of receiving these cookies.

"Information about how your visitors can opt out of Google's use of cookies or device identifiers by visiting Google's Ads Settings. Alternatively, you can point your visitors to opt out of a third-party vendor's use of cookies by visiting the Network Advertising Initiative opt-out page or control the use of device identifiers by using their device's settings."

These opt-out methods include:

  • Visiting Google's Ads Settings pages
  • Visiting Google's Marketing Platform opt-out page. (This applies if you are using the "Remarketing pixels" tool on Google Marketing Platform.)
  • Visiting the Network Advertising Initiative opt-out page. (This applies if you are using a third-party vendor for ads.)
  • Using their device settings to block ads locally

This excerpt from Conde Nast shows how to create a clause that covers a range of cookie opt-out methods:

Conde Nast Cookie Notice: Excerpt of Opting Out of Cookies clause

What Happens If I Don't Comply?

Most Google Ad rules cover the content of specific ads. Google does say that "When we find content that violates these requirements, we may block it from appearing." That means it is possible that any ad you create using Remarketing or Similar Audiences tools could be blocked if you haven't updated your Privacy Policy as required.

Google also says that in cases of "repeated or egregious violations" it will stop accepting any ads from you. Your account will be suspended, meaning that you can access it and check reports, but can't run any new ads. You won't be allowed to create a new account while your existing one is suspended.

Legal Requirements for Your Google Ads Remarketing Privacy Policy

Google requires that advertisers comply with all applicable laws and regulations. This has implications for your Privacy Policy.

Using the Remarketing and Similar Audiences features inherently involves handling personal data, which means that you come under several laws that cover Privacy Policies. These add requirements not specifically addressed by Google's own policies.

California Online Privacy Protection Act (CalOPPA)

CalOPPA covers any online service, regardless of location, that collects data about Californians. The rules say you must say whether (and how) you respond to a web browser's "Do Not Track" signal. This is highly likely to be relevant if you are using Google's Remarketing tools that rely on cookies.

Ecosia does this in a clear and simple manner:

Ecosia Privacy Policy: DNT clause

California Consumer Privacy Act (CCPA)

The CCPA covers large companies ($25 million annual revenue or higher), those who make most of their money from selling personal data, and those who handle personal data about a lot of people (at least 50,000 people, households or devices). If you meet any of these criteria, the CCPA applies if you handle data about people in California, regardless of your location.

Under the CCPA you need a Privacy Policy that covers the consumer's six rights under the law and details what categories of information you've handled in the past 12 months, with separate lists for data you've collected, data you've sold and data you've disclosed. You also need a dedicated web page telling people how to opt out of you selling their data.

Children's Online Privacy Protection Rule (COPPA)

COPPA applies if you have users in the US and you either know people under 13 are using your site or service, or you aim it at under-13s. If the rule applies, you need to detail all the personal data you collect about under-13s.

Uwingu does this with a dedicated page:

Uwingu COPPA page

European Union Cookies Rules

Google specifically requires you to follow EU cookie consent rules. This applies to your own cookies and those created by third parties as a result of you using Google Ads. The rules cover users in the European Economic Area (European Union countries plus Iceland, Liechtenstein and Norway).

The rules say you must:

  • Tell users how you use their data for cookies
  • Get valid consent to use this data and use cookies
  • Tell users how to revoke this consent

Curiscope has an overview of cookies, though it could add more detail about revoking consent to have a more thorough clause here:

Curiscope Privacy and Cookie Policy: Tracking and Cookies Data clause

General Data Protection Regulation (GDPR)

The GDPR applies if you or the user are in a European Union country, or if the data is processed in a European Union country. The most relevant rule for Remarketing and Similar Audiences ads is that you must tell users which of six "lawful bases" you are using to justify collecting personal data.

In the context of advertising, it's highly likely that the most relevant basis is consent. This means you'll need active, meaningful consent to use somebody's personal data for Google Remarketing ads. Simply making them aware you collect and use the data isn't enough.

Nivea explains its use of marketing cookies and how the company complies with GDPR in this example. It notes its legal bases at the end by referring to the specific Article of the GDPR:

Nivea Privacy Policy: Consent based Cookies clause

Conclusion

Let's recap what you need to know about Privacy Policies with Remarketing and Similar Audiences ads.

  • Google Ads users must have a Privacy Policy
  • Remarketing and Similar Audiences are two tools available to Google Ads customers
  • If you use these tools you must add four points to your Privacy Policy:
    • Describe what you are doing with the tool and why
    • Explain that your ads may appear on sites you don't control
    • Highlight that Google and other third-party vendors use cookies to deliver the ads
    • Explain the various ways users can opt out of these cookies
  • If you don't comply, your ads could be blocked and your account suspended
  • Several national and international laws have Privacy Policy requirements that will apply if you use Remarketing or Similar Audiences. It's part of Google's Terms and Conditions that you comply with these laws.