Google Signals is a feature of Google Analytics which provides insights into users' cross-device behavior. It uses aggregate data to reveal how people use their devices. You can use this data to further personalize your ad campaigns.

But greater insight into your users' lives, even in the aggregate, means greater responsibility for their privacy. We're going to look at what you need to do to ensure that you meet your obligations when using this powerful new tool.



What is Google Signals?

People's online lives are spreading out. Mobile phones are omnipresent, wearable technology is going mainstream, and there's a growing demand for Internet of Things products.

IBM President Thomas Watson's claim that there would be "a world market for maybe five computers" seems more amusing with each passing year.

When Google users have ad personalization enabled, Google Signals collects information about how they use the various devices with Google accounts. The data produced by Google Signals is reported via Google Analytics.

This allows a business to:

  • Run remarketing (Google's term for "retargeting") campaigns across a person's various devices
  • Better understand how users engage with sites and apps on different devices
  • See more accurate data on how many users it has (rather than the number of devices)

Here's an example from Google of the sort of insight you might get from Google Signals:

Google Help: Activate Signals - Ad personalization information

Having such a comprehensive picture of how your users are interacting with your business has its advantages. But such information must be treated with respect.

Google assures us that individuals will not be revealed via the data it gathers from Google Signals. However, this data is still subject to privacy law. And so is any company that chooses to use it.

Online Advertising and Privacy Law

Governments and regulatory bodies are constantly trying to keep up with developments in online advertising.

There are privacy implications inherent in all sorts of online tools that consumers encounter every day, such as cookies. Technologies that use cookies such as analytics and remarketing ("retargeting") can also intrude into people's privacy.

Google Signals involves some heavily-regulated behavior-monitoring methods. Google must comply with the law when providing this service. And Google's customers must comply with the law when using it, too.

Many countries and jurisdictions have privacy laws that regulate the way such technologies are used. Let's look at some examples.

United States Privacy Law

In the US, California effectively leads the way on privacy law. Any commercial website that collects the "personally identifiable information" (also called "personal information" or "personal data") of California residents must have a Privacy Policy. This is thanks to the California Online Privacy Protection Act (CalOPPA).

But does your website really collect personal information? Well, here's how this is defined in CalOPPA:

CalOPPA text Section 22577: Definition of Personally Identifiable Information highlighted

And here's some guidance from the California Attorney General (at page 10):

California Attorney General: Making Privacy Practices Public Guidance - Data Collection

That's right: cookies, an essential ingredient in a Google Signals campaign, can constitute personal information.

It's true that Google takes measures to prevent the identification of users based on data it collects about ads. However, you don't want to take any risks under privacy law, which is typically interpreted very broadly.

If you operate in California, you must take your obligations under CalOPPA seriously.

The scope of CalOPPA policy naturally extends to any commercial website collecting the personal information of US consumers. After all, you wouldn't want to block visitors to your website from this extremely important market - and nor would you realistically be able to do so.

European Union

There's no ambiguity about the EU's position on cookies. Advertising cookies can be used to collect personal information, and as such, they are only to be used when consent has been granted and a Privacy Policy has been provided.

You can look to two pieces of primary EU law for proof of this.

Firstly, the ePrivacy Directive (amended by the so-called "Cookie Directive"), which says in black and white: cookies are only allowed if "users are provided with clear and precise information" about their purposes and use.

Secondly, the General Data Protection Regulation (GDPR), which states at Recital 30 that cookies could contribute to the identification of a person. Therefore they should be treated as personal information.

Articles 12-14 of the GDPR set out the requirement for a "data controller" to produce a Privacy Policy.

EUR-Lex GDPR Article 12 Section 1

A data controller is any legal entity (such as a person, a business, a public authority) that "determines the purposes and means" of processing personal information.

If your company uses Google Signals, it's a data controller.

  • Cross-device activity and other behavioral information is your users' personal information
  • Collecting personal information is a type of processing
  • Running targeted ads is the purpose
  • Using targeting cookies via Google's services is the means

And just like with California law, all companies who target consumers in the EU must obey EU privacy law - even if they have no base in the EU. This is clear from Article 3 of the GDPR.

EUR-Lex GDPR Article 3 highlighted

Other Places

Various other countries impose a requirement for a Privacy Policy through national law:

  • Canada: the Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Australia: the Enhancing Privacy Protection Act (Privacy Act)
  • Southeast Asia: several countries have strict privacy laws

Like with CalOPPA and the GDPR, most of these laws have "extraterritorial scope." This means they apply in respect to your activities in their jurisdictions - wherever your company is based.

Your Agreements with Google

It's not only national law you have to consider. To use Google Signals, you'll need to enter into a number of legally-binding agreements with Google.

Google has a lot of agreements. A lot of sets of terms, policies and addendums are incorporated into one another. Navigating this can feel a little overwhelming.

We're going to examine what Google requires under its agreements. This will help you to understand these policies. But remember that it's also important to read anything you agree to in full.

Google Signals Activation

To activate Google Signals, you'll need to go to your Google Analytics account and follow these instructions from Google:

Google Help: Activate Google Signals - Get Started section

You'll see this page:

Activation and confirmation screen for activating Google Signals and sharing data

You'll notice that Google says that "by enabling these features, you acknowledge that you have the necessary privacy disclosures and rights from your end users."

Let's take a look at what these disclosures and rights are.

Google Analytics Requirements

Opening a Google Analytics account requires you to agree to disclose certain information to your users. This amounts to a requirement to display a Privacy Policy.

Take a look at section 7 of the Google Analytics Terms of Service:

Google Analytics Terms of Service: Privacy section with cookies section highlighted

The Terms require you to agree to provide clear and comprehensive information about storing and accessing cookies, as well as make efforts to get consent to do so.

Advertising Features Requirements

Google Signals is part of the Google Analytics Advertising Features family. Therefore, it also falls under the Policy Requirements for Google Analytics Advertising Features. If you use these features, the policy requirements require you to have a Privacy Policy and disclose some specific information within it:

Remarketing Requirements

Google Signals uses remarketing (retargeting).

In other contexts, Google's remarketing program allows you to display ads to a user on other websites. In the context of Google Signals, it allows you to display ads to users across their various devices.

Google has some specific requirements about what its remarketing customers must include in their Privacy Policies:

Google Ads Help: What to include in your privacy policy for remarketing

Requirement to Comply with Privacy Law

Finally, Google has an overarching requirement that its users obey all applicable laws:

Google Advertising Policies Help: Advertisers must comply with all applicable laws and regulations section highlighted

This, of course, extends to privacy law. You should also check the local laws of specific markets (including individual EU countries) in which you advertise.

A lot of the requirements from the agreements listed above overlap. Let's take a look at how you can make sure you're covering all bases with your Privacy Policy.

Creating Your Google Signals Privacy Policy

You can provide the required information as a section in your main Privacy Policy, or as a separate Cookies Policy.

If you choose to have a separate Cookies Policy, ensure that it is incorporated into your main Privacy Policy. You'll need to conspicuously link your users from one policy to another.

Here's how LinkedIn does this:

LinkedIn Privacy Policy with Cookie Policy link highlighted

Explanation of Cookies

You should include some very basic information about what cookies are and why they are used. Ensure that you use simple language that your users can understand.

Here's how IKEA provides this basic information:

IKEA Privacy Policy: What are cookies clause

IKEA then goes on to explain the nature and purpose of the different types of cookies that operate on its site:

IKEA Privacy Policy: Types of cookies clauses

List of Cookies

Comprehensive information about cookies should include a list of the cookies that you use.

The Information Commissioner's Office, the UK's Data Protection Authority, suggests that you conduct a cookie audit so that you can be sure what cookies your website uses.

Some companies disclose very detailed information about cookies in their Privacy Policy.

Some questions to consider include:

  • Which cookies operate on your site (e.g. _ga, _gid)?
  • What does each of these cookies do?
  • Can any of these cookies be linked to any personal information about your users (e.g. username)?
  • What data does each cookie hold?
  • Which cookies are "session" cookies and which are "persistent"?
  • How long are persistent cookies stored?
  • Which cookies are first-party and which are third-party?
  • Who sets your third-party cookies?
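As a starting point for such a cookie audit, the sketch below (an added example, not code from Google or from this article's author) turns Set-Cookie response headers into an inventory that answers several of the questions above: session or persistent, lifetime, first-party or third-party, and who set the cookie. The sample headers, the hosts `example.com` and `tracker.test`, and the simple suffix match used to decide first-party status are assumptions made for illustration.

```javascript
// Constructed sample: Set-Cookie headers as you might export them from a
// browser's network panel while loading your own site. Values are made up.
const SAMPLE = [
  { from: "www.example.com", header: "_ga=GA1.2.111.222; Domain=.example.com; Path=/; Max-Age=63072000" },
  { from: "www.example.com", header: "_gid=GA1.2.333.444; Domain=.example.com; Path=/; Max-Age=86400" },
  { from: "www.example.com", header: "sessionid=abc123; Path=/; HttpOnly; Secure" },
  { from: "ads.tracker.test", header: "uid=xyz; Domain=.tracker.test; Path=/; Max-Age=2592000; SameSite=None; Secure" },
];

// Split one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Max-Age takes precedence over Expires; neither means a session cookie.
function lifetimeSeconds(attrs, now) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]);
  if (attrs.expires !== undefined) return Math.round((Date.parse(attrs.expires) - now) / 1000);
  return null;
}

// Build the inventory. siteDomain is the domain you operate (assumption: a
// suffix match is good enough; a real audit should use the Public Suffix List).
function auditCookies(responses, siteDomain, now = Date.now()) {
  return responses.map(({ from, header }) => {
    const c = parseSetCookie(header);
    const ttl = lifetimeSeconds(c.attrs, now);
    const firstParty = from === siteDomain || from.endsWith("." + siteDomain);
    return {
      name: c.name,
      setBy: from,
      party: firstParty ? "first-party" : "third-party",
      type: ttl === null ? "session" : "persistent",
      lifetimeDays: ttl === null ? null : Math.round(ttl / 86400),
    };
  });
}

console.table(auditCookies(SAMPLE, "example.com"));
```

Cookies set from JavaScript via `document.cookie` do not appear in response headers, so compare the result with the browser's cookie storage view as well.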

Google provides some information about the specific cookies involved in running Google Analytics:

Google Analytics Cookies Usage: Cookies chart

Here's an excerpt from GSMA's cookie list:

GSMA legal: Cookies types and descriptions clauses

Disclosure of Advertising Features

Under the Google Analytics Advertising Features Policy, you're required to disclose which Advertising Features you use.

Here's how that list appears in Lillydoo's Privacy Policy:

Lillydoo Privacy Policy: Google Analytics tracking and remarketing clause with Signals sections highlighted

Later on in this section, there's a fuller explanation:

Lillydoo Privacy Policy: Google Analytics tracking and remarketing clause excerpt

Green Wedding Shoes also lets its users know the types of personal information that are collected by Google Signals:

Green Wedding Shoes Privacy Policy: Google Signals clause highlighted

Opt-outs

You must let users know how to opt out of Google Signals and any other Google Analytics Advertising Features. Google specifies that you must include the following among these options:

Here's how accounting company Deducting the Right Way does this:

Deducting the Right Way Privacy Policy: Log Files and Cookies clause with opt-out section highlighted

Links are provided which direct users to each opt-out website.

Third Parties

Advertising Features uses third-party cookies. Whereas first-party cookies come directly from the website visited by the user, third-party cookies originate from a different website altogether. This requires specific disclosure in your Privacy Policy.

Here's how Fast Booking does this:

Fast Booking Cookie Policy: Use of Cookies clause

The Guardian uses a lot of third-party cookies and provides this well-organized list of its third-party advertising vendors:

The Guardian Cookies Policy: Third Party Advertising cookies list with options to manage cookies

Other Information

Your Privacy Policy needs to refer to a lot more than just Google Signals. It should disclose every aspect of your company's practices when it comes to processing your users' personal information.

Your obligations will vary depending on the law that you're trying to comply with. If you create a legally-compliant GDPR Privacy Policy, you should have disclosed enough information to also comply with most other privacy laws.

Under the GDPR you must disclose the following in your Privacy Policy:

  • Your company's name and contact details for whoever can handle data protection inquiries.
  • The types of personal information you collect (including cookies) and otherwise process.
  • The reasons that you process personal information.
  • Your lawful basis for doing so (for cookies, for example, this should be consent - see below).
  • The types of companies that you share personal information with (Google will be amongst these).
  • Details of any international data transfers.
  • Your users' data rights.
  • How long you store personal information (including information about cookie expiration).

There may also be other requirements under Articles 12-14 of the GDPR. Not all of these points will be relevant under every privacy law.

Creating a CalOPPA Privacy Policy requires one disclosure not specified by the GDPR - whether your website respects browser "Do Not Track" (DNT) signals.

You'll have noticed that Google's policies require you to earn consent from your users where required by law.

Consent for cookies is required under EU law, as confirmed by the European Commission.

Earning EU users' consent for cookies is also required by Google's EU User Consent Policy.

Here's an excerpt:

Google EU User Consent Policy: Properties under your control section

Consent under EU law must be:

  1. Freely given
  2. Specific
  3. Informed
  4. Unambiguous
  5. Given via a clear, affirmative action
  6. Easy to withdraw

Here's an example from a cookie banner from Cactus Geo that seems to meet all of these requirements:

Cactus Geo cookie notice with consent and management options

It's important to note that you shouldn't set tracking cookies until after a user has consented to them.

Summary - Your Google Signals Privacy Policy

You'll need to be completely transparent with your users if you wish to take advantage of the new insights being offered by Google.

You'll need a Privacy Policy which:

  • Explains what cookies are and why you use them.
  • Discloses which cookies you use and what each one is for.
  • Informs your users that you are using Google Analytics, Google Signals, and any other relevant Google Analytics Advertising Features.
  • Explains the types of information that are collected by these products.
  • Discloses that you share this data with third parties, including Google.
  • Informs your users of how to opt out of such programs and provides any specific links mandated by Google.
  • Contains all other information legally required by whatever privacy laws you need to comply with.

If you have users in the EU, you must also make sure you obtain consent for collecting their personal information for this purpose.
