Former civil litigation attorney. Content legal strategist at TermsFeed.
Google offers numerous services to help developers and businesses enhance their online presence. For example, AdSense and Analytics make getting exposure much easier by helping you see how users interact with your website and where most of your traffic comes from.
However, using these services can raise issues when it comes to staying compliant with international law.
To help developers and businesses stay compliant while using Google services, Google enacted its EU User Consent Policy. This short, streamlined policy is based on the EU Cookies Directive ("Directive").
This article will break down how Google's EU User Consent Policy came to be, how to comply with it, and how to handle non-compliance notices you might receive from Google.
The EU Cookies Directive
The Directive came into effect in May 2011. It was adopted by all EU member states as part of an amendment to the e-Privacy Directive.
The Directive applies to:
- All businesses headquartered in an EU member state, and
- Foreign businesses that are aimed towards EU users
In general, the Directive requires that websites inform visitors:
- If cookies are in use,
- How cookies are used, and
- How visitors can consent to their usage
Here's an example of a standard type of website cookie notice:
Lenovo Netherlands used to have such a method of consent. It offered links to additional information and required consent before users could explore the website:
Note: Notice and consent are not required if the cookie is needed for transmitting communications or making the website operate. These include authentication cookies, cookies needed for multimedia content, and user input cookies that help users fill in forms or add items to a shopping cart.
Once the Directive passed, Google's EU User Consent Policy soon followed. While it demands slightly more from Google services users in some ways, it is closely linked to the Directive.
This means that if you already satisfy the requirements of the EU Cookies Directive, you'll likely satisfy Google's requirements as well.
Requirements of Google's EU User Consent Policy
Google's EU User Consent Policy exists to help users of Google services comply with the Directive. Its content is as follows:
Generally, it has two requirements.
First, websites and apps that are accessible to end users in the EU, EEA and the UK must disclose any data collection, sharing and usage that results from the use of Google products, and obtain consent for that activity to continue.
This includes personalization of ads, tracking website usage, and even counting the number of visits on a website.
Both of these provisions are related to the Directive. While the disclosure regarding Google products is not directly required, it is still a good precaution for those developers with end users in the EU, EEA and UK. The second provision that mentions cookies is directly connected to the Directive.
All Google products directed to citizens of the EU, EEA and UK fall under the Policy. However, AdSense, Analytics Advertising, and Analytics for Firebase are most likely to invoke it and the Directive.
Analytics Advertising is the same way. This program records page visits to help users find trends. Its Policy requirements include a link to the EU User Consent Policy:
Analytics for Firebase, which performs the same function as Analytics for Advertising, takes the same approach:
If you use any of these three services, you must comply with the Policy. Fortunately, there are many resources to help you accomplish that.
Complying with Google's EU User Consent Policy
Google places additional requirements on you if you use its products. You must also provide the same notice and obtain consent for AdSense or Analytics services.
Google breaks down its requirements into two types of properties:
First, the requirements for properties under your control cover any site or app that is under your control or that of your affiliate partner.
If you use Google products such as Analytics on a property that's under your control, you need to do the following:
- Clearly identify each party that may collect, receive or use the end users' personal data through the Google product
- Let users know how each party will use the personal data
- Obtain consent for collecting, sharing and using personal data for personalized ads
- Keep records of consent you obtain
- Instruct users how they may revoke consent
Second, the requirements for properties under a third party's control apply when your use of a Google product results in end-user personal data collected by a third party being shared with Google.
In these cases, Google requires that you use "commercially reasonable efforts" to make sure the third party is complying with this policy.
Notice and Consent
A good way to provide notice and obtain consent is to add a cookie consent function to your website or app.
This can be a banner announcement or a pop-up window that notifies users before they go to a section of your website affected by Google services.
Here's an example:
Banner announcements are an effective, common and acceptable method of complying with the EU Cookies Directive. However, you may need to take additional steps to comply with the Policy.
Most banner announcements and consent messages contain a link to "See details," "Learn More," or some other sort of additional information. Here's where you can provide more information on cookies including what they are, how they function, and how a user can remove them later.
Providing this information depends on your product and company practices. The more you use Google services and cookies, the more information you may wish to offer consumers.
Because of this, Google offers a "See details" link in its own banner notification:
If you click "See details" it takes you to a page with more information and a video:
Remind users that they can opt out and provide instructions for how they can do so.
It also has a section that addresses advertising cookies, with all the same types of information available:
Remember that you'll also need to keep records of the consent you obtain.
Flagged for Non Compliance with Google EU User Consent Policy
If you don't comply with the above requirements, you may receive an email like this one, alerting you that your website or websites have been flagged for non-compliance with the EU User Consent Policy:
Thank you for reaching out to us.
Your websites below are flagged for non compliance with EU User Consent Policy.
As per our EU User Consent Policy requirements you need to disclose all the third parties you work with including the Ad Tech Providers (ATPs).
We have done a manual check on domain (domain) and found that you have only disclosed 1 number of ATP in your consent notice while initially you agreed on working with 196 number of ATPs. Same findings apply to other 5 domains.
As per the "Comply with EU user consent policy" help article, if you don't make any changes, the commonly used set of ad technology providers (ATPs) will continue to be used. This help article also has steps to choose ATPs.
Please find the list of all detected and missing ATPs on your domains attached. If there is a reason why you have not declared any specific ATP kindly add a comment against each missing ATP and send us back the updated spreadsheet.
Also, please note that if you are using an IAB certified CMP then you won't be required to declare all the ATPs, because any CMP vendor selections in your IAB TCF v2.0 registered CMP will override Ad Technology Provider selections in the EU User Consent Controls. Kindly refer to this help article for more details.
Once you have declared all the ATPs you work with in your consent notice, you can get back to us and we will initiate a re audit of these domains.
You can receive these types of emails if you are in non-compliance for:
- Not disclosing all of the Ad Tech Providers (ATPs) you work with, and/or
How to Remedy Your Non Compliance with Google's EU User Consent Policy
There are 3 things you can do in the event that you receive such an email:
- Use an IAB-approved Consent Management Platform (CMP).
- Disable personalized ads in Google Analytics and other Google products your website uses. (Ads will still be displayed, just not personalized ads that rely on third party cookies.)
To comply with Google's EU User Consent Policy:
This will keep you compliant with Google policies and the EU Cookies Directive, and will also keep your users informed.