Signing up to Google AdSense can be a great way to raise revenue, but it requires you to agree to the Google AdSense Terms of Service.
One of the requirements of these Terms is that your website has a legally compliant Privacy Policy which provides particular information to your visitors.
This article will break down this requirement and show you how you can comply with it.
- 1. Google AdSense Publishers Need a Privacy Policy
  - 1.1. A Privacy Policy is Required By Law
    - 1.1.1. European Union
    - 1.1.2. United States
    - 1.1.3. Other Places
    - 1.1.4. Cookies and Privacy Law
  - 1.2. Google AdSense Requirements
- 2. Creating a Google AdSense Compliant Privacy Policy
  - 2.1. Separate Cookie Policy
  - 2.2. Types of Cookies You Use
  - 2.3. Other Third Party Ad Vendors
- 3. Obtaining Your Users' Consent For Cookies
  - 3.1. Cookie Consent Banner
- 4. Your Legally Compliant Google AdSense Privacy Policy
Google AdSense Publishers Need a Privacy Policy
Google AdSense provides clear terms on which it will allow a publisher to participate in its program. When you sign up as a publisher, you agree to Google's AdSense Online Terms of Service. Here's part of what you're agreeing to:
A Privacy Policy is Required By Law
To make the most out of Google AdSense, you'll want as many people as possible to visit your website and click on your ads. Even if you're operating in a country or state that doesn't have strict privacy laws (and there are increasingly few), you're still going to have to abide by the rules of the places from which your users are visiting your website.
European Union
The EU's General Data Protection Regulation (GDPR) requires anyone who processes the personal data of EU citizens to publish information about their data processing activities in a "concise, transparent, intelligible and easily accessible form, using clear and plain language." This means you need a Privacy Policy. If you're a Google AdSense publisher whose website gets EU traffic - this means you.
United States
The California Online Privacy Protection Act (CalOPPA) means that any "web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California" must "conspicuously post its privacy policy on its web site."
If you're processing personal data on your website, and you want it to be accessed in California, you have to abide by CalOPPA - no matter where the website is hosted.
Other Places
- The Australian Privacy Act 1988 requires you to have a Privacy Policy if you're processing the personal data of Australian residents.
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies who are processing the personal data of Canadians to have a Privacy Policy available on request.
- Singapore's Personal Data Protection Act (PDPA) requires you to inform Singapore residents of your purposes for collecting their personal data. This amounts to the requirement for a Privacy Policy.
Cookies and Privacy Law
Google AdSense uses cookies to help it display ads that are relevant to your website's visitors. Because of the information that these particular cookies provide about your visitors, they constitute personal data.
Google requires its users to be transparent about how their websites use cookies. This requirement includes displaying a Privacy Policy:
Privacy law also specifically requires you to provide information about the cookies your website uses.
The EU has been regulating cookie usage since Section 25 of the ePrivacy Directive 2002 stated that use of cookies "should be allowed on condition that users are provided with clear and precise information" about their use. The Directive also states that "users should have the opportunity to refuse" cookies.
The GDPR only mentions cookies once, in Recital 30. However, this small mention is enough to establish that cookies that identify a user's device are a type of personal data, and so should be treated as such.
The GDPR's rules on transparency and security apply to cookies as much as they apply to a person's name or phone number.
Section 22577(a)(7) of CalOPPA gives a definition of "personally identifiable information" which includes "information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form." Certain cookies fit this definition.
Google AdSense Requirements
You're required to have a Privacy Policy, and it must include some specific information:
There are a number of ways you might write a Privacy Policy or adapt your existing Privacy Policy to comply with this. But it may seem a little daunting. Let's break it all down so you can understand how to implement it.
Creating a Google AdSense Compliant Privacy Policy
However you present the information required by Google AdSense, you must make sure it includes:
- What cookies are and why you use them
- Information about consent for cookies
This sounds basic, but it actually represents quite a lot of information.
Separate Cookie Policy
Many websites offer a Cookie Policy separately from their main Privacy Policy. This is fine, so long as you also make sure to provide information about your website's use of cookies - and provide a link to your Cookie Policy - in your Privacy Policy.
Here's how Ziff Davis, which owns Mashable, one of the top Google AdSense websites, links its Cookie Policy to its Privacy Policy:
Article 12(1) of the GDPR requires that you write your Privacy Policy "in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]".
You can't assume that your users will understand what cookies are and why they might represent a privacy concern.
Here's how dating website and AdSense publisher Plenty of Fish explains what cookies are to its users:
Types of Cookies You Use
One of Google's requirements for AdSense users is that they indicate the following in their Privacy Policy:
"Third party vendors, including Google, use cookies to serve ads based on a user's previous visits to your website or other websites."
Article 13 of the GDPR requires your Privacy Policy to include information about "the recipients or categories of recipients of the personal data" you collect from your visitors.
Because Google AdSense manages the cookies running on your website, cookies will be placed on your users' devices from an outside domain. In effect, your users are visiting your website but their personal data is being processed by someone other than you.
Here's how mobile network operator O2 explains its use of third-party cookies to its website's users:
This fulfills the requirements under Article 13(1)(c) of the GDPR to inform your users of "the purposes of the processing for which [their] personal data are intended," i.e. the reasons why you're collecting your users' personal data via cookies.
University of Oxford explains the different types of cookies that are used on its site:
The Levi's Privacy Policy makes specific reference to Google:
Note that previously the Google AdSense Online Terms of Service required publishers to make reference to DoubleClick cookies in their Privacy Policy. This is no longer required.
Other Third Party Ad Vendors
Google publishers have the option to opt out of third-party ad serving. If you decide not to do this, Google AdSense requires that you do the following:
Here's how news website The Independent links users to the third party ad networks and vendors that use cookies on their website:
Note that Google AdSense does provide an alternative option to listing each third-party ad network:
"Alternatively, you can direct users to opt out of some third-party vendors' uses of cookies for personalized advertising by visiting www.aboutads.info."
Google AdSense publisher Aetherweb follows this alternative option. It doesn't list all the third-party ad networks used by Google, but it does link to www.aboutads.info, a website where users can manage their consent for cookies.
Here's the relevant section of its Privacy Policy:
Obtaining Your Users' Consent For Cookies
If your website serves users in the EU, there are some additional requirements under the GDPR that you'll need to meet before you can use cookies (and therefore Google AdSense) on your website.
Under Article 6 of the GDPR, you're prohibited from processing the personal data of EU citizens unless you have a lawful basis for doing so. Because with Google AdSense you'll be using targeted cookies for advertising and because you don't have a direct relationship with many of your visitors, the only safe and lawful way for you to do this is by obtaining their consent.
Article 7 of the GDPR brings some new conditions for consent.
- Consent must be freely given - "a clear affirmative act." Messages like "You allow us to use cookies by using this site" without any further information are no longer acceptable.
- If your users choose to give their consent, they must also be able to withdraw it.
Cookie Consent Banner
When users visit your site, you should present them with the option of consenting to cookies as early as possible. It's worth considering the following principle given at Recital 42 of the GDPR:
"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
In other words, your visitors can't be said to have consented to cookies if they were "forced into" agreeing to them (e.g. a message like "Consent to advertising cookies to continue"), or if your site wouldn't function without them.
A great way to do this is via a small but obvious banner at the top or the bottom of the page.
Here's an example from news website The Independent:
When the visitor clicks on "Show purposes" they're taken to a control center where they can opt in and out of various types of cookies:
Clicking on "See full vendor list" in the bottom left-hand corner allows users to opt out of individual third-party advertisers' cookies:
This is a great example of how you can give your visitors true control over the way that you process their personal data.
As mentioned, consent is only valid under GDPR if it can be easily withdrawn. In addition to giving your users the mechanisms to withdraw consent for advertising cookies, you should also explain how they can withdraw consent in your Privacy Policy.
Here's how skincare company Nivea handles this:
Nivea gives several options here - allowing users to manage their cookie settings via an external website, via its own website, or via their browsers.
Your Legally Compliant Google AdSense Privacy Policy
It's possible to have your account disabled by Google if you don't comply with their Terms. Not to mention the dire consequences that can result from breaching your users' national privacy laws.
To comply with the Google AdSense Terms of Service, your Privacy Policy needs to provide information about:
- What cookies are, and why their use has privacy implications.
- The types of cookies used on your site. This means third party targeted advertising cookies (the third party being Google).
- Why your website uses cookies.
If you haven't opted out of Google AdSense's third-party advertising program, you'll also need to:
- Explain that Google will be allowing third-party vendors to use cookies on your website, and either:
  - Provide a list of the third party vendors that will be using cookies on your site - together with links to those vendors' websites, where your users can manage their cookie settings with each individual vendor

  Or:
  - Provide a link to www.aboutads.info and explain that your users can manage their cookie preferences there.
Of course, the information that Google AdSense requires you to provide is just a small part of what your Privacy Policy must contain to comply with the law. Don't forget that legal compliance is also one of Google AdSense's requirements.
In order to comply with both CalOPPA and the GDPR, your Privacy Policy also needs to provide information about:
- Your contact details
- What types of personal data you'll be processing
- Your lawful basis for processing your users' personal data
- The purposes for which you'll be processing your users' personal data
- How you'll be processing your users' personal data
- The types of third parties you might share your users' personal data with
- How your website responds to browser Do Not Track signals
- How your users can exercise their rights in relation to their personal data
- Whether you'll be transferring EU users' personal data outside of the EU