Google AdSense is a program that allows website publishers to earn money via targeted ads provided by Google and its partners.

Signing up to Google AdSense can be a great way to raise revenue, but it requires you to agree to the Google AdSense Terms of Service.

One of the requirements of these Terms is that your website has a legally compliant Privacy Policy which provides particular information to your visitors.


Google AdSense Publishers Need a Privacy Policy

Google AdSense provides clear terms on which it will allow a publisher to participate in its program. When you sign up as a publisher, you agree to Google's AdSense Online Terms of Service. Here's part of what you're agreeing to:

Google AdSense Terms of Service: Privacy clause updated for 2018

A Privacy Policy is Required By Law

To make the most out of Google AdSense, you'll want as many people as possible to visit your website and click on your ads. Even if you're operating in a country or state that doesn't have strict privacy laws (and there are increasingly few), you're still going to have to abide by the rules of the places from which your users are visiting your website.

European Union

The EU's General Data Protection Regulation (GDPR) requires anyone who processes the personal data of EU citizens to publish information about their data processing activities in a "concise, transparent, intelligible and easily accessible form, using clear and plain language." This means you need a Privacy Policy. If you're a Google AdSense publisher whose website gets EU traffic - this means you.

United States

The California Online Privacy Protection Act (CalOPPA) means that any "web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California" must "conspicuously post its privacy policy on its web site."

If you're processing personal data on your website, and you want it to be accessed in California, you have to abide by CalOPPA - no matter where the website is hosted.

Other Places

  • The Australian Privacy Act 1988 requires you to have a Privacy Policy if you're processing the personal data of Australian residents.
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies who are processing the personal data of Canadians to have a Privacy Policy available on request.
  • Singapore's Personal Data Protection Act (PDPA) requires you to inform Singapore residents of your purposes for collecting their personal data. This amounts to the requirement for a Privacy Policy.

Cookies and Privacy Law

Google AdSense uses cookies to help it display ads that are relevant to your website's visitors. Because of the information that these particular cookies provide about your visitors, they constitute personal data.

Google requires its users to be transparent about how their websites use cookies. This requirement includes displaying a Privacy Policy:

Google AdSense Support: The requirement to notify users about cookies in a Privacy Policy

Privacy law also specifically requires you to provide information about the cookies your website uses.

The EU has been regulating cookie usage since Section 25 of the ePrivacy Directive 2002 stated that use of cookies "should be allowed on condition that users are provided with clear and precise information" about their use. The Directive also states that "users should have the opportunity to refuse" cookies.

The GDPR only mentions cookies once, in Recital 30. However, this small mention is enough to establish that cookies that identify a user's device are a type of personal data, and so should be treated as such.

The GDPR's rules on transparency and security apply to cookies as much as they apply to a person's name or phone number.

Section 22577(a)(7) of CalOPPA gives a definition of "personally identifiable information" which includes "information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form." Certain cookies fit this definition.

Google AdSense Requirements

You're required to have a Privacy Policy, and it must include some specific information:

Google AdSense Required content: My Privacy Policy requirements

There are a number of ways you might write a Privacy Policy or adapt your existing Privacy Policy to comply with this. But it may seem a little daunting. Let's break it all down so you can understand how to implement it.

Creating a Google AdSense Compliant Privacy Policy

However you present the information required by Google AdSense, you must make sure it includes:

  • What cookies are and why you use them
  • Information about consent for cookies

This sounds basic, but it actually represents quite a lot of information.

Many websites offer a Cookie Policy separately from their main Privacy Policy. This is fine, so long as you also make sure to provide information about your website's use of cookies - and provide a link to your Cookie Policy - in your Privacy Policy.

Here's how Ziff Davis, which owns Mashable, one of the top Google AdSense websites, links its Cookie Policy to its Privacy Policy:

Ziff Davis Privacy Policy section on cookies and tracking technologies with link to Cookie Policy

Article 12(1) of the GDPR requires that you write your Privacy Policy "in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]".

You can't assume that your users will understand what cookies are and why they might represent a privacy concern.

Here's how dating website and AdSense publisher Plenty of Fish explains what cookies are to its users:

Plenty of Fish Privacy Policy What are cookies clause

Types of Cookies You Use

One of Google's requirements for AdSense users is that they indicate the following in their Privacy Policy:

"Third party vendors, including Google, use cookies to serve ads based on a user's previous visits to your website or other websites."

Article 13 of the GDPR requires your Privacy Policy to include information about "the recipients or categories of recipients of the personal data" you collect from your visitors.

Because Google AdSense manages the cookies running on your website, cookies will be placed on your users' devices from an outside domain. In effect, your users are visiting your website but their personal data is being processed by someone other than you.

Here's how mobile network operator O2 explains its use of third-party cookies to its website's users:

O2 Third-party cookies clause excerpt from Cookies Policy

This fulfills the requirements under Article 13(1)(c) of the GDPR to inform your users of "the purposes of the processing for which [their] personal data are intended," i.e. the reasons why you're collecting your users' personal data via cookies.

University of Oxford explains the different types of cookies that are used on its site:

University of Oxford's Cookie statement - Types of cookies we use clause excerpt

The Levi's Privacy Policy makes specific reference to Google:

Levi Privacy Policy - Cookie DoubleClick clause mentioning Google AdSense

Note that previously the Google AdSense Online Terms of Service required publishers to make reference to DoubleClick cookies in their Privacy Policy. This is no longer required.

Other Third Party Ad Vendors

Google publishers have the option to opt out of third-party ad serving. If you decide not to do this, Google AdSense requires that you do the following:

Google AdSense Required content: Third-party opt-out - Privacy Policy requirements

Here's how news website The Independent links users to the third party ad networks and vendors that use cookies on their website:

Independent.co.uk Cookie Notice - Managing performance cookies clause with third-party cookies links

Note that Google AdSense does provide an alternative option to listing each third-party ad network:

"Alternatively, you can direct users to opt out of some third-party vendors' uses of cookies for personalized advertising by visiting www.aboutads.info."

Google AdSense publisher Aetherweb follows this alternative option. It doesn't list all the third-party ad networks used by Google, but it does link to www.aboutads.info, a website where users can manage their consent for cookies.

Here's the relevant section of its Privacy Policy:

Aetherweb Privacy Policy clause excerpt about third-party vendors, Google and Aboutads

If your website serves users in the EU, there are some additional requirements under the GDPR that you'll need to meet before you can use cookies (and therefore Google AdSense) on your website.

Under Article 6 of the GDPR, you're prohibited from processing the personal data of EU citizens unless you have a lawful basis for doing so. Because with Google AdSense you'll be using targeted cookies for advertising and because you don't have a direct relationship with many of your visitors, the only safe and lawful way for you to do this is by obtaining their consent.

Article 7 of the GDPR brings some new conditions for consent.

  • Consent must be freely given - "a clear affirmative act." Messages like "You allow us to use cookies by using this site" without any further information are no longer acceptable.
  • If your users choose to give their consent, they must also be able to withdraw it.

When users visit your site, you should present them with the option of consenting to cookies as early as possible. It's worth considering the following principle given at Recital 42 of the GDPR:

"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

In other words, your visitors can't be said to have consented to cookies if they were "forced into" agreeing to them (e.g. a message like "Consent to advertising cookies to continue"), or if your site wouldn't function without them.

A great way to do this is via a small but obvious banner at the top or the bottom of the page.

Here's an example from news website The Independent:

Independent.co.uk website cookies consent banner

When the visitor clicks on "Show purposes" they're taken to a control center where they can opt in and out of various types of cookies:

Independent.co.uk website cookies consent banner - Purposes settings screen

Clicking on "See full vendor list" in the bottom left-hand corner allows users to opt out of individual third-party advertisers' cookies:

Independent.co.uk website cookies consent banner - Full vendor list settings screen

This is a great example of how you can give your visitors true control over the way that you process their personal data.

How to Create a Privacy Policy

FreePrivacyPolicy: Privacy Policy Generator - Steps How to Create Privacy Policy

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

    FreePrivacyPolicy: Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1

  3. Answer a few questions about your business:

    FreePrivacyPolicy: Privacy Policy Generator - Answer a few questions about your business - Step 2

  4. Enter the country and click on the "Next Step" button:

    FreePrivacyPolicy: Privacy Policy Generator - Enter the country - Step 2

  5. Continue building your Privacy Policy by answering the questions from our wizard:

    FreePrivacyPolicy: Privacy Policy Generator - Answer questions from our wizard - Step 3

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

    FreePrivacyPolicy: Privacy Policy Generator - Enter your email address - Step 4

    That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.

As mentioned, consent is only valid under GDPR if it can be easily withdrawn. In addition to giving your users the mechanisms to withdraw consent for advertising cookies, you should also explain how they can withdraw consent in your Privacy Policy.

Here's how skincare company Nivea handles this:

Nivea Privacy Policy opting out and deleting cookies clauses

Nivea gives several options here - allowing users to manage their cookie settings via an external website, via its own website, or via their browsers.

Your Legally Compliant Google AdSense Privacy Policy

It's possible to have your account disabled by Google if you don't comply with their Terms. Not to mention the dire consequences that can result from breaching your users' national privacy laws.

To comply with the Google AdSense Terms of Service, your Privacy Policy needs to provide information about:

  • What cookies are, and why their use has privacy implications.
  • The types of cookies used on your site. This means third party targeted advertising cookies (the third party being Google).
  • Why your website uses cookies.

If you haven't opted out of Google AdSense's third-party advertising program, you'll also need to:

  • Explain that Google will be allowing third-party vendors to use cookies on your website, and either:
    • Provide a list of the third party vendors that will be using cookies on your site - together with links to those vendors' websites, where your users can manage their cookie settings with each individual vendor

    Or:

    • Provide a link to www.aboutads.info and explain that your users can manage their cookie preferences there.

Of course, the information that Google AdSense requires you to provide is just a small part of what your Privacy Policy must contain to comply with the law. Don't forget that legal compliance is also one of Google AdSense's requirements.

In order to comply with both CalOPPA and the GDPR, your Privacy Policy also needs to provide information about:

  • Your contact details
  • What types of personal data you'll be processing
  • Your lawful basis for processing your users' personal data
  • The purposes for which you'll be processing your users' personal data
  • How you'll be processing your users' personal data
  • The types of third parties you might share your users' personal data with
  • How your website responds to browser Do Not Track signals
  • How your users can exercise their rights in relation to their personal data
  • Whether you'll be transferring EU users' personal data outside of the EU