Google AdSense is an extremely popular service used by businesses to reach new customers, with approximately 58.5 million websites using AdSense across the world. In fact, approximately 80% of businesses utilize Google Ads for their pay-per-click advertising campaigns. However, since Google Ads collects Personally Identifiable Information (PII) and tracks individuals through multiple websites as they use the Internet, the use of AdSense also comes with multiple privacy risks and obligations. If you are located in the United Kingdom, these obligations come from two sources – privacy laws and the Google Measurement Controller-Controller Data Protection Terms. In this article, we will discuss both of these obligations so that you can continue using Google AdSense in a way that reduces the likelihood of heavy fines and violations of Google’s Terms.
Privacy law requirements for using Google AdSense
If your business is located in the United Kingdom, you will have to comply with the United Kingdom’s Data Protection Act (UK DPA) as you:
- Have an establishment in the UK;
- Offer goods or services to residents of the UK;
- Track the behavior of UK residents online through AdSense.
The first UK DPA requirement that you will need to meet is providing individuals with a comprehensive Privacy Policy that includes all of the disclosures required by this privacy law. When it comes to AdSense specifically, you will need to disclose what PII is collected through AdSense, how that information is used (i.e. for targeted advertising), and who that information is shared with (i.e. advertising vendors). You will also need to disclose the legal basis used for processing the PII (i.e. consent), as well as the privacy rights you provide to individuals, amongst other disclosures. It is important to note that your Privacy Policy should state that individuals have the right to opt out of targeted advertising at any time and how they can do so.
The second UK DPA requirement that you will need to meet when using AdSense is obtaining the consent of the individual for processing their PII for advertising purposes. This is usually achieved through a cookie consent banner that blocks scripts such as AdSense from firing until the user provides their consent to be tracked. It is important that your cookie consent banner obtains proper consent (meaning that it must have an “accept” and a “decline” button) and that it allows individuals to easily withdraw their consent at any time. It is also important that you have a Cookie Policy, which lists the cookies your website uses, including Google AdSense.
The last UK DPA requirement that you will need to meet is to allow individuals to stop the use of AdSense at any time, whether that be through a privacy rights request, adjustment of their browser settings or through the cookie consent banner.
It is important to note that since privacy laws are meant to protect individuals and not businesses, a variety of other privacy laws can also apply to you even if you are not based in the states or countries that passed them. These privacy laws can establish additional obligations such as additional Privacy Policy disclosure requirements, rights to opt out of targeted advertising, and consent obligations.
Google Measurement Controller-Controller Data Protection Terms
When enabling Google AdSense on their websites, UK businesses are also required to accept and follow the Google Measurement Controller-Controller Data Protection Terms, which establish the privacy requirements that must be met by the business and by Google. It is important to note that these Terms can also apply to other Google services such as Google Analytics or Google Optimize.
The first requirement placed upon businesses by these Terms is the requirement to obtain consent. The Terms state that “customer will comply with the Policies in relation to the Controller Personal Data shared pursuant to the Data Sharing Setting and at all times will bear the burden of proof in establishing such compliance.”
This means that UK businesses are required to show that they have obtained the individual’s consent to be tracked by Google AdSense.
The second requirement by Google is that you demonstrate that you have provided adequate information to individuals about your use of AdSense. In particular, this paragraph states that the business must provide individuals with information about Google’s Processing of Controller Personal Data:
Thus, to use Google AdSense, UK businesses must ensure that they comply with Google’s Terms, including obtaining the consent of the individual to be tracked and providing adequate privacy information to that individual.
As you can see from the above, there are quite a few requirements that UK businesses must meet to use Google AdSense, including requirements imposed by privacy laws and the requirements imposed by Google itself. If you do not currently have a Privacy Policy that discloses your use of Google AdSense, make sure to check out the Termageddon Privacy Policy generator. If you do not have a cookie consent banner that obtains proper consent and that allows individuals to withdraw that consent at any time, you should check out the Termageddon/Usercentrics cookie consent banner solution.