Google's EU User Consent Policy

Last updated on 01 July 2022 by Jocelyn Mackie (Former civil litigation attorney. Content legal strategist at TermsFeed)

Google's EU User Consent Policy

Google offers numerous services to help developers and businesses enhance their online presence. For example, AdSense and Analytics make getting exposure much easier by helping you see how users interact with your website and where most of your traffic comes from.

However, using these services can raise issues when it comes to staying compliant with international law.

To help developers and businesses stay compliant while using Google services, Google enacted its EU User Consent Policy. This short, streamlined policy is based on the EU Cookies Directive ("Directive").

This article will break down how Google's EU User Consent Policy came to be, how to comply with it, and how to handle non-compliance notices you might receive from Google.



The EU Cookies Directive

The Directive came into effect in May 2011. It was adopted by all EU member states as part of an amendment to the e-Privacy Directive.

The Directive applies to:

  • All businesses headquartered in an EU member state, and
  • Foreign businesses that are aimed towards EU users

In general, the Directive requires that websites inform visitors:

  • If cookies are in use,
  • How cookies are used, and
  • How visitors can consent to their usage

This places a cookies notice requirement on the websites that fall under the Directive. Banner notices are the most popular means of giving notice while also securing user consent to use cookies.

Here's an example of a standard type of website cookie notice:

European Central Bank cookie consent notice banner with highlighted options

Sometimes a notice will not allow users to continue using the website unless they give consent to allow the use of cookies.

Lenovo Netherlands used to have such a method of consent. It offered links to additional information and required consent before users could explore the website:

Lenovo Netherlands website: Cookies Permission Dialog

Note: Notice and consent are not required if the cookie is needed for transmitting communications or making the website operate. These include authentication cookies, cookies needed for multimedia content, and user input cookies that helps users fill forms or add items to a shopping cart.

Once the Directive passed, Google's EU User Consent Policy soon followed. While it demands slightly more from Google services users in some ways, it is closely linked to the Directive.

This means that if you already satisfy the requirements of the EU Cookies Directive, you'll likely satisfy the requirements by Google.

Requirements of Google's EU User Consent Policy

Google's EU User Consent Policy exists to help users of Google services comply with the Directive. Its content is as follows:

Google EU User Consent Policy - Full screenshot -Updated for 2022

Generally, it has two requirements.

First, websites and apps that are accessible to end users in the EU, EEA and the UK must disclose any data collection, sharing and usage that results from the use of Google products, and obtain consent for that activity to continue.

This includes personalization of ads, tracking website usage, and even counting the number of visits on a website.

Second, if the website uses Google products and cookies, the developer must disclose that fact. It must also obtain consent to use cookies and offer end users the ability to remove cookies if they desire.

Both of these provisions are related to the Directive. While the disclosure regarding Google products is not directly required, it is still a good precaution for those developers with end users in the EU, EEA and UK. The second provision that mentions cookies is directly connected to the Directive.

All Google products directed to citizens of the EU, EEA and UK fall under the Policy. However, Adsense, Analytics Advertising, and Analytics for Firebase are most likely to invoke it and the Directive.

Adsense places targeted ads on its users' websites. To be sure that it places the most effective ad for each end user, it uses cookies.

Analytics Advertising is the same way. This program records page visits to help users find trends. Its Policy requirements includes a link to the EU User Consent Policy:

Policy Requirements for Google Analytics Advertising Features - EU User Consent Policy highlighted - Updated for 2022

Analytics for Firebase, which performs the same function as Analytics for Advertising, takes the same approach:

Google Analytics for Firebase Use Policy: EU User Consent section highlighted and updated

If you use any of these three services, you must comply with the Policy. Fortunately, there are many resources to help you accomplish that.

Complying with Google's EU User Consent Policy

As mentioned above, if you have end users located in the EU, EEA or the UK, or you run a company headquartered in any of these areas, you need to pay extra attention to how you disclose your use of cookies.

Google places additional requirements on you if you use its products. You must also provide the same notice and obtain consent for Adsense or Analytics services.

Google breaks down its requirements into two types of properties:

First, the properties under your control requirements involve any site or app that is under your control or that of your affiliate partner.

If you use Google products such as Analytics on a property that's under your control, you need to do the following:

  • Clearly identify every and any party that may collect, receive or use the end users' personal data through the Google product
  • Let users know how each party will use the personal data
  • Obtain consent to use cookies
  • Obtain consent for collecting, sharing and using personal data for personalized ads
  • Keep records of consent you obtain
  • Instruct users how they may revoke consent

Second, the properties under a third party's control requirements apply when your use of a Google product results in end-user personal data collected by a third party being shared with Google.

In these cases, Google requires that you use "commercially reasonable efforts" to make sure the third party is complying with this policy.

A good way to provide notice and obtain consent is to add a cookie consent function to your website or app.

This can be a banner announcement or a pop-up window that notifies users before they go to a section of your website affected by Google services.

Here's an example:

Janitza Cookie Consent Notice updated

Note the Individual Settings button that lets users adjust their cookie settings directly from the notice. Users are also provided with a link to the Privacy Policy where they can get more details, and consent is obtained with a clearly labeled "Accept all cookies and tools" button. Users can also choose to only accept necessary cookies.

Banner announcements are an effective, common and acceptable method of complying with the EU Cookie Directive. However, you may need to take additional steps to comply with the Policy.

Most banner announcements and consent messages contain a link to "See details," "Learn More," or some other sort of additional information. Here's where you can provide more information on cookies including what they are, how they function, and how a user can remove them later.

For example, you can link your Cookie Policy or Privacy Policy with a cookies clause in it to this "See details" link.

Providing this information depends on your product and company practices. The more you use Google services and cookies, the more information you may wish to offer consumers.

Google provides products to help its clients track data and use cookies. It also uses many of them itself.

Because of this, Google offers a "See details" link in its own banner notification:

Google

If you click "See details" it takes you to a page with more information and a video:

How Google Uses Cookies page and video

With the combination of the banner, requested consent, and this additional information linking to a Cookie Policy/Privacy Policy, there is no reason to assume a user will explore Google uninformed about cookies being used.

The video offers a thorough explanation and there are links to help users access ad settings, see a list of cookies used by Google, and review the Privacy Policy to see how Google uses data.

You will need to include information in your Privacy Policy or Cookie Policy that gives users more specific information about your use of cookies, including which ones you or any third parties are using and for what purpose.

Remind users that they can opt out and provide instructions for how they can do so.

Here's how HarperCollins UK details this information in a clause within its Cookie Policy. First, it has a clause addressing analytics cookies informing users of the specific cookie names, and links to how users can opt out of them being used:

Harper Collins UK Cookie Policy: Analytics Cookies clause

It also has a section that addresses advertising cookies, with all the same types of information available:

Harper Collins UK Cookie Policy: Advertising Cookies clause

Remember that you'll also need to keep records of the consent you obtain.

Flagged for Non Compliance with Google EU User Consent Policy

If you don't comply with the above requirements, you may receive an email like this one here, alerting you that your website/s has been flagged for non compliance with the EU User Consent Policy:

Google EU User Consent Policy: Non Compliance ATP

It reads:

Hello TermsFeed,

Thank you for reaching us out.

Your websites below are flagged for non compliance with EU User Consent Policy.

As per our EU User Consent Policy requirements you need to disclose all the third parties you work with including the Ad Tech Providers (ATPs).

We have done a manual check on domain (domain) and found that you have only disclosed 1 number of ATP in your consent notice while initially you agreed on working with 196 number of ATPs same findings apply to other 5 domains

As per Comply with EU user consent policy help article If you don’t make any changes, the commonly used set of ad technology providers (ATPs) will continue to be used. This help article also has steps to choose ATPs.

Please find the list of all detected and missing ATPs on your domains attached. If there is a reason why you have not declared any specific ATP kindly add a comment against each missing ATP and send us back the updated spreadsheet.

Also please note if you are using an IAB certified CMP then you wont be required to declare all the ATPs because any CMP vendor selections in your IAB TCF v2.0 registered CMP will override Ad Technology Provider selections in the EU User Consent Controls. Kindly refer to this help article for more details.

Once you have declared all the ATPs you work with in your consent notice, you can get back to us and we will initiate a re audit of these domains.

These types of emails can be received if you are in non compliance for:

  • Not disclosing all of the Ad Tech Providers (ATPs) you work with, and/or
  • Not obtaining consent before you use cookies

There are 3 things you can do in the event that you receive such an email:

  • Update your Cookie Consent Notice and Cookie Policy to list all the ATPs you use. (Depending on what type of Cookie Consent Notice you use, you can either list all ATPs in your notice, or list them in your Cookies Policy and link your Policy to your Cookie Consent Notice.)
  • Use an IAB-approved Consent Management Platform (CMP).
  • Disable personalized ads in Google Analytics and other Google products your website uses. (Ads will still be displayed, just not personalized ads that rely on third party cookies.)

Summary

To comply with Google's EU User Consent Policy:

  • Give notice that you use cookies to collect information from users,
  • Obtain consent for this before you use cookies, and
  • Link to more information about how/why you use cookies

This will keep you compliant with Google policies and the EU Cookies Directive, and will also keep your users informed.

Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.

Get started today ⇢

Screenshot of TermsFeed Generator

Jocelyn Mackie

Jocelyn Mackie

Former civil litigation attorney. Content legal strategist at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.