Privacy Policy

Google AdSense Publishers Need a Privacy Policy

Google AdSense provides clear terms on which it will allow a publisher to participate in its program. When you sign up as a publisher, you agree to Google’s AdSense Online Terms of Service. Here’s part of what you’re agreeing to:
Google AdSense Terms of Service: Privacy clause updated for 2018

A Privacy Policy is Required By Law

To make the most out of Google AdSense, you’ll want as many people as possible to visit your website and click on your ads. Even if you’re operating in a country or state that doesn’t have strict privacy laws (and there are increasingly few), you’re still going to have to abide by the rules of the places from which your users are visiting your website.

European Union

The EU’s General Data Protection Regulation (GDPRrequires anyone who processes the personal data of EU citizens to publish a information about their data processing activities in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.” This means you need a Privacy Policy. If you’re a Google AdSense publisher whose website gets EU traffic – this means you.

United States

The California Online Privacy Protection Act (CalOPPA) means that any “web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” must “conspicuously post its privacy policy on its web site.
If you’re processing personal data on your website, and you want it to be accessed in California, you have to abide by CalOPPA – no matter where the website is hosted.

Other Places

  • The Australian Privacy Act 1988 requires you to have a Privacy Policy if you’re processing the personal data of Australia residents.
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies who are processing the personal data of Canadians to have a Privacy Policy available on request.
  • Singapore’s Personal Data Protection Act (PDPA) requires you to inform Singapore residents of your purposes for collecting their personal data. This amounts to the requirement for a Privacy Policy.

Cookies and Privacy Law

Google AdSense uses cookies to help it display ads that are relevant to your website’s visitors. Because of the information that these particular cookies provide about your visitors, they constitute personal data.
Google requires its users to be transparent about how their websites use cookies. This requirement includes displaying a Privacy Policy:
Google AdSense Support: The requirement to notify users about cookies in a Privacy Policy
Privacy law also specifically requires you to provide information about the cookies your website uses.
The EU has been regulating cookie usage since Section 25 of the ePrivacy Directive 2002 stated that use of cookies “should be allowed on condition that users are provided with clear and precise information” about their use. The Directive also states that “users should have the opportunity to refuse” cookies.
The GDPR only mentions cookies once, in Recital 30. However, this small mention is enough to establish that cookies that identify a user’s device are a type of personal data, and so should be treated as such.
The GDPR’s rules on transparency and security apply to cookies as much as it applies to a person’s name or phone number.
Section 22577(a)(7) of CalOPPA gives a definition of “personally identifiable information” which includes “information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form.” Certain cookies fit this definition.

Google AdSense Requirements

You’re required you to have a Privacy Policy, and it must include some specific information:
Google AdSense Required content: My Privacy Policy requirements
There are a number of ways you might write a Privacy Policy or adapt your existing Privacy Policy to comply with this. But it may seem a little daunting. Let’s break it all down so you can understand how to implement it.

Creating a Google AdSense Compliant Privacy Policy

However you present the information required by Google AdSense, you must make sure it includes:
  • What cookies are and why you use them
  • Information about consent for cookies
This sounds basic, but it actually represents quite a lot of information.

Separate Cookie Policy

Many websites offer a Cookie Policy separately from their main Privacy Policy. This is fine, so long as you also make sure to provide information about your website’s use of cookies – and provide a link to your Cookie Policy – in your Privacy Policy.
Here’s how Ziff Davis, which owns Mashable, one of the top Google AdSense websites, links its Cookie Policy to its Privacy Policy:
Ziff Davis Privacy Policy section on cookies and tracking technologies with link to Cookie Policy
Article 12(1) of the GDPR requires that you write your Privacy Policy “in a concise, transparent, intelligible and easily accessible form, using clear and plain language […]”.
You can’t assume that your users will understand what cookies are and why they might represent a privacy concern.
Here’s how dating website and AdSense publisher Plenty of Fish explains what cookies are to its users:
Plenty of Fish Privacy Policy What are cookies clause

Types of Cookies You Use

One of Google’s requirements for AdSense users is that they indicate the following in their Privacy Policy:
Third party vendors, including Google, use cookies to serve ads based on a user’s previous visits to your website or other websites.”
Article 13 of the GDPR requires your Privacy Policy to include information about “the recipients or categories of recipients of the personal data” you collect from your visitors.
Because Google AdSense manages the cookies running on your website, cookies will be placed on your users’ devices from an outside domain. In effect, your users are visiting your website but their personal data is being processed by someone other than you.
Here’s how mobile network operator O2 explains its use of third-party cookies to its websites users:
O2 Third-party cookies clause excerpt from Cookies Policy
This fulfills the requirements under Article 13(1)(c) of the GDPR to inform your users of “the purposes of the processing for which [their] personal data are intended,” i.e. the reasons why you’re collecting your users’ personal data via cookies.
University of Oxford explains the different types of cookies that are used on its site:
University of Oxford's Cookie statement - Types of cookies we use clause excerpt
The Levi’s Privacy Policy makes specific reference to Google:
Levi Privacy Policy - Cookie DoubleClick clause mentioning Google AdSense
Note that previously the Google AdSense Online Terms of Service required publishers to make reference to DoubleClick cookies in their Privacy Policy. This is no longer required.

Other Third Party Ad Vendors

Google publishers have the option to opt out of third-party ad serving. If you decide not to do this, Google AdSense requires that you do the following:
Google AdSense Required content: Third-party out-out - Privacy Policy requirements
Here’s how news website The Independent links users to the third party ad networks and vendors that use cookies on their website:
Independent.co.uk Cookie Notice - Managing performance cookies clause with third-party cookies links
Note that Google AdSense does provide an alternative option to listing each third-party ad network:
“Alternatively, you can direct users to opt out of some third-party vendors’ uses of cookies for personalized advertising by visiting www.aboutads.info.”
Google AdSense publisher Aetherweb follows this alternative option. It doesn’t list all the third-party ad networks used by Google, but it does link to www.aboutads.info, a website where users can manage their consent for cookies.
Here’s the relevant section of its Privacy Policy:
Antherweb Privacy Policy clause excerpt about third-party vendors, Google and Aboutads

Obtaining Your Users’ Consent For Cookies

If your website serves users in the EU, there are some additional requirements under the GDPR that you’ll need to meet before you can use cookies (and therefore Google AdSense) on your website.
Under Article 6 of the GDPR, you’re prohibited from processing the personal data of EU citizens unless you have a lawful basis for doing so. Because with Google AdSense you’ll be using targeted cookies for advertising and because you don’t have a direct relationship with many of your visitors, the only safe and lawful way for you to do this is by obtaining their consent.
Article 7 of the GDPR brings some new conditions for consent.
  • Consent must be freely given – “a clear affirmative act.” Messages like “You allow us to use cookies by using this site” without any further information are no longer acceptable.
  • If you users choose to give their consent, they must also be able to withdraw it.

Cookie Consent Banner

When users visit your site, you should present them with the option of consenting to cookies as early as possible. It’s worth considering the following principle given at Recital 42 of the GDPR:
“Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
In other words, your visitors can’t be said to have consented to cookies if they were “forced into” agreeing to them (e.g. a message like “Consent to advertising cookies to continue”), or if your site wouldn’t function without them.
A great way to do this is via a small but obvious banner at the top or the bottom of the page.