Google AdSense is a program that allows website publishers to earn money via targeted ads provided by Google and its partners.
Signing up to Google AdSense can be a great way to raise revenue, but it requires you to agree to the Google AdSense Terms of Service.
- 1.1.1. European Union
- 1.1.2. United States
- 1.1.3. Other Places
- 1.1.4. Cookies and Privacy Law
- 1.2. Google AdSense Requirements
- 2.2. Types of Cookies You Use
- 2.3. Other Third Party Ad Vendors
- 3. Obtaining Your Users' Consent For Cookies
- 3.1. Cookie Consent Banner
Google AdSense provides clear terms on which it will allow a publisher to participate in its program. When you sign up as a publisher, you agree to Google's AdSense Online Terms of Service. Here's part of what you're agreeing to:
To make the most out of Google AdSense, you'll want as many people as possible to visit your website and click on your ads. Even if you're operating in a country or state that doesn't have strict privacy laws (and there are increasingly few), you're still going to have to abide by the rules of the places from which your users are visiting your website.
If you're processing personal data on your website, and you want it to be accessed in California, you have to abide by CalOPPA - no matter where the website is hosted.
Cookies and Privacy Law
Privacy law also specifically requires you to provide information about the cookies your website uses.
The GDPR only mentions cookies once, in Recital 30. However, this small mention is enough to establish that cookies that identify a user's device are a type of personal data, and so should be treated as such.
The GDPR's rules on transparency and security apply to cookies as much as it applies to a person's name or phone number.
Section 22577(a)(7) of CalOPPA gives a definition of "personally identifiable information" which includes "information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form." Certain cookies fit this definition.
Google AdSense Requirements
However you present the information required by Google AdSense, you must make sure it includes:
- What cookies are and why you use them
- Information about consent for cookies
This sounds basic, but it actually represents quite a lot of information.
You can't assume that your users will understand what cookies are and why they might represent a privacy concern.
Here's how dating website and AdSense publisher Plenty of Fish explains what cookies are to its users:
Types of Cookies You Use
Because Google AdSense manages the cookies running on your website, cookies will be placed on your users' devices from an outside domain. In effect, your users are visiting your website but their personal data is being processed by someone other than you.
Here's how mobile network operator O2 explains its use of third-party cookies to its websites users:
This fulfills the requirements under Article 13(1)(c) of the GDPR to inform your users of "the purposes of the processing for which [their] personal data are intended," i.e. the reasons why you're collecting your users' personal data via cookies.
University of Oxford explains the different types of cookies that are used on its site:
Other Third Party Ad Vendors
Google publishers have the option to opt out of third-party ad serving. If you decide not to do this, Google AdSense requires that you do the following:
Note that Google AdSense does provide an alternative option to listing each third-party ad network:
"Alternatively, you can direct users to opt out of some third-party vendors' uses of cookies for personalized advertising by visiting www.aboutads.info."
Google AdSense publisher Aetherweb follows this alternative option. It doesn't list all the third-party ad networks used by Google, but it does link to www.aboutads.info, a website where users can manage their consent for cookies.
Obtaining Your Users' Consent For Cookies
Under Article 6 of the GDPR, you're prohibited from processing the personal data of EU citizens unless you have a lawful basis for doing so. Because with Google AdSense you'll be using targeted cookies for advertising and because you don't have a direct relationship with many of your visitors, the only safe and lawful way for you to do this is by obtaining their consent.
Article 7 of the GDPR brings some new conditions for consent.
- If you users choose to give their consent, they must also be able to withdraw it.
Cookie Consent Banner
When users visit your site, you should present them with the option of consenting to cookies as early as possible. It's worth considering the following principle given at Recital 42 of the GDPR:
"Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."
In other words, your visitors can't be said to have consented to cookies if they were "forced into" agreeing to them (e.g. a message like "Consent to advertising cookies to continue"), or if your site wouldn't function without them.
A great way to do this is via a small but obvious banner at the top or the bottom of the page.
Here's an example from news website The Independent:
When the visitor clicks on "Show purposes" they're taken to a control center where they can opt in and out of various types of cookies:
Clicking on "See full vendor list" in the bottom left-hand corner allows users to opt out of individual third-party advertisers' cookies:
This is a great example of how you can give your visitors true control over the way that you process their personal data.
- Answer a few questions about your business:
- Enter the country and click on the "Next Step" button:
Here's how skincare company Nivea handles this:
Nivea gives several options here - allowing users to manage their cookie setting via an external website, via its own website, or via their browsers.
It's possible to have your account disabled by Google if you don't comply with their Terms. Not to mention the dire consequences that can result from breaching your users' national privacy laws.
- What cookies are, and why their use has privacy implications.
- The types of cookies used on your site. This means third party targeted advertising cookies (the third party being Google).
If you haven't opted out of Google AdSense's third-party advertising program, you'll also need to:
- Provide a list of the third party vendors that will be using cookies on your site - together with links to those vendors' websites, where your users can manage their cookie settings with each individual vendor
- Provide a link to www.aboutads.info and explain that your users can manage their cookie preferences there.
- Your contact details
- What types of personal data you'll be processing
- Your lawful basis for processing your users' personal data
- The purposes for which you'll be processing your users' personal data
- How you'll be processing your users' personal data
- The types of third parties you might share your users' personal data with
- How your website responds to browser Do Not Track signals
- How your users can exercise their rights in relation to their personal data
- Whether you'll be transferring EU users' personal data outside of the EU