If you are using Google AdSense on your website, chances are that you have received an email from Google that states: “create a GDPR consent message by January 16, 2024.” The email also states that your Google AdSense ads will stop showing and you will not receive AdSense revenue from the EEA and UK traffic if you do not implement a cookie consent solution:
Google is requiring all websites using AdSense to have a cookie consent banner due to the fact that AdSense uses cookies and collects personally identifiable information, which is regulated under multiple privacy laws and Google is required to ensure that websites using AdSense comply with those laws. In this article, we will discuss how AdSense collects cookies and personally identifiable information, what is a GDPR consent message, and the steps that you will need to take to meet Google’s new requirements so that you can keep using AdSense.
Table of Contents
What personally identifiable information is collected by AdSense?
Google AdSense provides a way for publishers to earn money by matching advertisements to your website based on items and services that individuals may want to purchase. To determine what advertisements to show to whom, Google uses cookies, which are small pieces of data that are put on a device to track an individual as they browse different websites. Google also uses search results, the applications used, location history, IP address, and device information to track an individual and display the advertisements. It is important to note that this information is considered “personally identifiable information” and is protected by a variety of privacy laws.
What is GDPR?
Google’s email states that you will need to use a Google-certified CMP to create a GDPR message. GDPR (General Data Protection Regulation) is a privacy law that protects the privacy of residents of the European Union and the European Economic Area by providing them with certain privacy rights. GDPR prevents companies from collecting personally identifiable information unless a certain exception, otherwise known as a “legal basis” applies.
The legal basis most commonly used for advertising purposes is consent. To process the personally identifiable information of residents of the EU or the EEA under the consent legal basis, an individual must provide their consent to the processing of their personally identifiable information. GDPR defines consent as “any freely given, specific, informed and unambiguous indication of an individual’s wishes by which they, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data.” This means that an individual must be provided with an opportunity to state “yes” or “no” to them being tracked and their personal data being collected through Google AdSense.
It is important to note that there are multiple other privacy laws such as the ePrivacy Directive, United Kingdom’s Data Protection Act 2018, PIPEDA, Quebec Law 25, and the California Privacy Rights Act that require websites to obtain consent prior to certain cookies being placed on a user’s device.
Why is Google requiring websites to have a cookie consent banner?
The Digital Markets Act, which went into effect in 2023 has begun to regulate “gatekeeper platforms” such as Google and Facebook in an attempt to make the digital economy more fair, regulating anything from pricing to advertising. One of the requirements of the Digital Markets Act is that users must provide their consent prior to being tracked for advertising purposes. While the Digital Markets Act regulates large platforms, its requirements have trickled down to smaller businesses as the gatekeeper platforms need to ensure that businesses using their services do not violate the requirements of the law so that the gatekeeper platforms do not end up being fined for non-compliance. Thus, Google has implemented the requirement that all businesses using AdSense have a cookie consent banner that obtains proper consent from individuals to be tracked for advertising purposes.
What is a GDPR consent message?
A GDPR consent message is a cookie consent banner that complies with GDPR’s requirements for consent. A cookie consent banner that complies with these requirements will:
- Prevent any functional, marketing, and advertising cookies from being placed on a user’s device until the user consents to those cookies. This means that Google AdSense will not track a user until they consent to being tracked;
- Provide the user with information on what cookies would be placed on their device if they were to consent. This means that the cookie consent banner will list all cookies, their categories, the data collected by those cookies, the location of processing, the data recipients, and the purpose of the cookie;
- Provide the user with an option to accept or reject cookies. This means that an “accept” and a “deny” option will be equally visible to the user. A cookie consent banner that provides only an “accept” or an “OK” option will not be suitable for this purpose as it will not obtain proper consent;
- Provide the user with an option to change their cookie consent settings and withdraw their consent at any time.
How to obtain a GDPR consent message that meets Google’s requirements
To continue using AdSense, you will need to have a cookie consent banner that meets Google’s requirements, namely that you will need to use a cookie consent banner provider that is Google certified. In addition, your cookie consent banner will need to meet the GDPR consent message requirements above. If you do not currently have a cookie consent banner or if your banner does not meet the above requirements, make sure to check out the Termageddon/Usercentrics cookie consent solution, which is Google certified and can help you create a GDPR consent message that meets Google’s requirements for AdSense.
