Summary of “Helping advertisers comply with the GDPR”

Contract updates

We have rolled out updates to our contracts for many products, reflecting 's status as either a processor or a controller under the new law. Find out more about how we use data in Google Marketing Platform products and : Google Marketing Platform advertising product data, Customer Match data, How Google uses remarketing data, conversion event data.

Consent support

Under our EU User Consent Policy, advertisers that implement remarketing tags are required to obtain consent from users for the collection of data for personalized ads, and advertisers that implement conversion tags for measurement purposes are required to obtain consent for the use of cookies. We have updated cookiechoices.org with examples of consent language and available third-party consent solutions.

Third-party ad serving and measurement changes

On Google Ad Manager, Ad Exchange, AdSense, and : To help publishers choose the ad technology providers that can serve and measure ads on their sites and apps for users in the EEA, we have launched Ad Technology Provider Controls for publishers. This means your Google campaigns will only serve on an ad impression in the EEA where a given publisher has selected (and has received user consent for) the ad technology providers you use.

On YouTube: We have stopped accepting most third-party measurement pixels and we have been working with a small group of vendors (including comScore, DoubleVerify, IAS, MOAT, Nielsen, Kantar, and Research Now) to recertify their pixels. Advertisers can also enable YouTube reporting via the partners we have integrated with Ads Data Hub (ADH).

Data collection, deletion and retention controls

For Google advertising products that include features that give you the ability to upload audience lists for targeting on Google media and third party sites, we offer data retention and deletion controls. We also launched granular data retention controls in , that allow clients to manage how long their user and event data is held on our servers, and a new user deletion tool, that allows clients to manage the deletion of all data associated with an individual user (e.g., site visitor) from their Google Analytics properties.

Working with the IAB Transparency & Consent Framework

We have been working closely with IAB Europe over the last several months to ensure our products are interoperable with the Transparency & Consent Framework. We are in the process of formalizing our participation in the framework and are working to resolve open issues in order to be able to integrate with the IAB framework as quickly as we can. Until Google’s IAB integration is complete, on third-party exchanges, Google will only bid with personalized ads that do not include third-party pixels unless our third-party exchange partner contacts us to put in place a predefined list of third parties for whom they will ensure consent is collected. On Ad Exchange, AdMob and AdSense, we will bid based on the vendors for which the publisher has affirmed consent (i.e., the ad technology partners included in the publishers’ settings).

FAQs

1. Which personal data are processed in the different Google services? From which sources are these data acquired?

We collect information to provide better services to all our users – from figuring out basic stuff such as which language they speak, to more complex things like which ads they’ll find most useful, the people who matter most to them online or which YouTube videos they might like. The information Google collects, and how that information is used, depends on how they use our services and how they manage their privacy controls. When they’re not signed in to a , we store the information that we collect with unique identifiers tied to the browser, application or device that they’re using. This helps us do things such as maintain their language preferences across browsing sessions. When they’re signed in, we also collect information that we store with their Google Account, which we treat as personal information. Find out more: Information that Google collects. For our processor Ads services, also see information at: privacy.google.com/businesses/adsservices/

2. Does Google process these data for other purposes than direct marketing?

We use the information that we collect from all our services for the following purposes: provide our services, maintain & improve our services, develop new services, provide personalised services, including content and ads, measure performance, communicate with our users, protect Google, our users and the public. For more details on each of these purposes, see Why Google collects data. For our Ads products, also see How Google uses information from sites and apps that use our services.

3. How are these personal data processed? Are cookies used?

Personal data are processed in accordance with our privacy policy, the agreements and policies governing use of our products, as well as relevant in-product controls. Further details about how our products use data can also be found in our Help Center (see answer to question 6 below for some examples).

As a company that acts responsibly, we work hard to make sure that any innovation is balanced with the appropriate level of privacy and security for our users. Our Privacy Principles help guide decisions that we make at every level of our company, so that we can help protect and empower our users, while we fulfil our ongoing mission to organise the world’s information. Find out more: Technologies and Principles.

We use cookies for many purposes. We use them, for example, to remember our users’ safe search preferences, to make the ads they see more relevant to them, to count how many visitors we receive to a page, to help users sign up for our services, to protect their data or to remember their ad settings. You can see a list of the types of cookies used by Google and also find out how Google and our partners use cookies in advertising. Our privacy policy explains how we protect our users’ privacy in our use of cookies and other information. Also see How Google Marketing Platform advertising products and Google Ad Manager use cookies.

4. Which other technologies are used, and how do they work?

Google’s advertising systems may use other technologies, including Flash and HTML5, for functions like display of interactive ad formats. We may use the IP address, for example, to identify the general location of a user. We may also select advertising based on information about their computer or device, such as their device model, browser type or sensors in their device like the accelerometer. Find out more: here.

5. What procedures does Google have in order to fulfil the end user’s request for access, correction and deletion, and which procedures does Google have in order to assist us in dealing with this in case we are the responsible party? Which erase procedures does Google have in place for these personal data?

Signed-in users can always review and update information by visiting the services they use. For example, Photos and Drive are both designed to help our users manage specific types of content that they’ve saved with Google. We also built a place for our users to review and control information saved in their Google Account. Google Account includes privacy controls and ways to review & update their information. Signed-out users can manage information associated with their browser or device. Find out more: Your privacy controls.

Our users can export a copy of content in their Google Account if they want to back it up or use it with a service outside of Google. They can also request to remove content from specific Google services based on applicable law.

To delete their information, they can:

● Delete their content from specific Google services
● Search for and then delete specific items from their account using My Activity
● Delete specific Google products, including their information associated with those products
● Delete their entire Google Account

Assisting customers in fulfilling obligations to respond to requests by data subjects:

● Data subject tools: Ads settings, personalised ads opt-out, and Google Analytics opt-out are examples of tools made available by Google to data subjects that enable Google to respond directly and in a standardised manner to certain requests from data subjects.
● Providing data deletion and retention controls: For Google advertising products that include features that give you the ability to upload audience lists for targeting on Google media and third party sites, see the ‘Data collection, deletion and retention controls’ section in our Helping advertisers comply with the GDPR article.
● For our processor services, also see section 6 (‘Data Deletion’) and section 9 (‘Data Subject Rights’) in the Google Ads Data Processing Terms.

Users may also use the Privacy Troubleshooter to find answers to many common questions about privacy and user data related to Google’s products and services.

6. Are the data used for other purposes than the delivering of services from the advertiser that provided the data or customer list?

(For data collected as users use our services, see response to the second question.)

● Google Marketing Platform advertising product data: We use Google Marketing Platform advertising product data only for limited purposes, as described in your contract. These include:
  ○ Providing advertising services through Google Marketing Platform
  ○ Ensuring compliance with our policies
  ○ As aggregate product statistics that do not identify you or your usage of Google Marketing Platform
  We will not use or disclose your Google Marketing Platform advertising data for purposes beyond those set out in your contract without your permission. Find out more: How Google uses Google Marketing Platform advertising product data.
● Customer Match data: The data files that you upload will only be used to match your customers to Google accounts and to ensure that your Google Ads Customer Match campaigns comply with our policies. We'll keep your data confidential and secure using the same industry-leading standards that we use to protect our own user data. Find out more: How Google uses Customer Match data.
● Remarketing data: Remarketing data is used to match your users to Google accounts, add users to remarketing lists, generate similar audiences, show dynamic ads and to ensure your Google Ads remarketing campaigns comply with Google’s policies. In addition, reports containing audience data are available in your Google Ads account and any other accounts you’ve shared your audiences with. Google may also use remarketing data to improve your campaign performance. For example, Google uses both past conversion data and remarketing data to optimise your bids for automated bid strategies, with the goal of improving your overall ROI. Remarketing data can be used to improve your performance when using certain bid and targeting strategies without requiring you to apply audiences in the campaign. Google might also use your remarketing data to identify other relevant audiences for you and to provide certain insights about the composition of your remarketing lists. Google also uses aggregated and anonymised remarketing data for the benefit of all advertisers, including, for example, improving similar audiences. Finally, your remarketing lists won’t be shared with any third party or other advertisers without your permission, and Google won’t use your remarketing lists to advertise its own products. Find out more: How Google uses remarketing data.

Also see How Google uses conversion event data and How Google uses Ad Manager and Ad Exchange data.

7. What procedures does Google have to deal with consents that are withdrawn?

Users can opt out of personalised ads in their Ads settings. The opt outs will apply across both Google ads services (ex: Search ads) and the 2+ million websites and apps that partner with Google to show ads. Find out more: Opt out of seeing personalised ads. For Google advertising products that include features that give you the ability to upload audience lists for targeting on Google media and third party sites, see the ‘Data collection, deletion and retention controls’ section in our Helping advertisers comply with the GDPR article.

8. Google has recently provided statements that with the use of Google DFP, DoubleClick Ad Exchange, AdMob and AdSense, the responsibility for the processing of personal data is shared between themselves and the advertisers, while other statements from Google indicate that Google is the sole responsible party for this. What is correct here, and why is it so?

As part of our preparations for GDPR, we undertook an exercise to examine how each of our advertising services processed data in order to determine whether Google was acting as a data processor on behalf of the customer of the relevant product, or acting as an independent data controller (sometimes referred to by us as a ‘co-controller’). The full classification of our advertising services can be found here. The designation of an advertising service as a ‘controller service’ or a ‘processor service’ determines whether the Google Ads Controller-Controller Data Protection Terms or the Google Ads Data Processing Terms apply.

Note that we have used the terms “independent controller” and “co-controller” interchangeably in prior communications - they are intended to mean the same thing and are used in order to clarify that Google and its customer are each separate data controllers, rather than ‘joint controllers’ for the purposes of GDPR. Acting as a controller does not give us any additional rights to the data. This designation simply reflects a factual assessment of how Google handles the relevant personal data when providing the product.

Responsibility for obtaining consent for use of cookies (or other local storage) and for the collection, sharing, and use of personal data for personalization of ads is determined by Google’s EU User Consent Policy, but please note that you are not required to seek consent for a user’s activity on Google’s sites (we obtain that ourselves when users visit our sites). We are asking only that you seek consent for your uses of our ads products on your properties (or third party properties, where the third party is not already bound by Google’s EU User Consent Policy). Find out more: How Google uses Ad Manager and Ad Exchange data, Tools to help publishers comply with the GDPR, Help with the EU user consent policy.

9. We will also ask Google to draft and submit a proposal for consent texts, based on Google’s knowledge of their own services, that we as advertisers may use as a basis for our consent agreements.

We have updated cookiechoices.org with examples of consent language and available third-party consent solutions. We have also updated our Help Page for the EU User Consent Policy to address questions we have received from our customers. However, please take your own legal advice to develop appropriate consent wording for your particular circumstances.

10. How does Google’s EU user consent policy (which also applies to users in EEA countries) interpret local requirements around cookies and consent, such as those of the Electronic Communications Act in Norway?

The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required”. Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalized ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations. For Norway, this means we will look primarily at the Electronic Communications Act and guidance from the Norwegian Communications Authority.