You Need a Privacy Policy for Google AdSense

If your website is using Google AdSense, you must have a Privacy Policy. That Privacy Policy must comply with state, federal and international privacy laws, as well as with Google's AdSense Online Terms of Service.

This article will take an in-depth look at the broader privacy considerations when using Google AdSense with your website. It will also offer strategies for compliance.

What Google AdSense Does

Google AdSense is a tool that allows website publishers to deliver advertisements to site visitors in exchange for revenue calculated on a per-click or per-impression basis. To do this, Google uses cookies and tracking technology to deliver ads personalized to a website user/visitor.

These technologies gather personal information from users and their devices, including information about IP addresses and user location, as well as behavior information such as websites visited, products viewed or purchased, and other personal preferences. All of this information is protected by various privacy laws because it can be used to identify an individual.

Take a look at the screenshot below. Google AdSense is displaying a standard banner ad at the top and a retargeting ad in the right sidebar, also called a remarketing ad. The website, Food Network, earns pay-per-impression income from the banner ad and pay-per-click income from the retargeting ad.

Blogs are an increasingly common place where Google AdSense is used. In the example below from Coastal Living, we see ads at work inside blog content and in the sidebar.

We also see Google AdSense at work in YouTube videos, one of the fastest-growing media for advertising revenue.

Depending on the advertiser's plan, viewers must watch an entire higher-priced ad before getting to their selected video, or they can skip a lower-priced ad after a few seconds.

Data Collected by Google AdSense is Protected

The data Google collects from users is protected by privacy laws. So, too, is the logic Google deploys to deliver targeted and retargeted ads that will drive revenue through high engagement.

Section 3 of the AdSense Terms requires users to comply with all laws:

That single statement speaks volumes.

User IP addresses, browsing histories, website preferences, device location and even device preferences all are collected by Google.

If you are an AdSense user, you share privacy protection obligations with Google, and you must adhere to Google's Terms for using its AdSense service.

Section 2 of the Google AdSense Online Terms of Service spells out the many ways Google AdSense collects user data from your site. Just as importantly, this clause requires your agreement to allow Google to collect this information, and also to deliver ads to your users based on that data.

Applicable laws including the California Online Privacy Protection Act (CalOPPA) and the EU's General Data Protection Regulation (GDPR) require your Privacy Policy to disclose these activities as "third party information sharing activities."

In doing so, you must have a Privacy Policy that specifies the data being collected and shared with Google, and the reasons that data is needed for Google AdSense to perform its services.

Section 10 specifically requires the following:

• A clearly posted Privacy Policy on your website.
• The Privacy Policy must be written clearly, and must provide a comprehensive summary of the tools you use to collect and share consumer data, such as cookies, device identifiers, location data and user preferences.
• Options for your website visitors to grant consent or decline consent for collecting and using their information.

Understanding a Privacy Policy

A Privacy Policy is a legally required document virtually every website owner needs to carefully construct and conspicuously post on their website. This policy informs your website visitors of what information you are collecting and how you are using it. It also advises them of their rights to limit that information collection, opt out or even review information you have collected about them.

State, federal and international laws of varying scope and enforcement strength make it advantageous to comply with privacy regulations. Knowing where your website visitors live and how their personal information is being collected and managed by you and third party vendors is critical to creating a sound policy.

Additionally, your Privacy Policy must adhere to the privacy laws of where your website visitors live. Where your business or website is located is unimportant.

Certain jurisdictions impose particularly strict privacy laws. The EU and California are among the most stringent. By complying with the laws there, you will go a long way toward ensuring your Privacy Policy meets applicable laws and the Google AdSense Online Terms of Service.

Privacy Laws Affecting Your Website

Two laws more than all others influence your privacy protection obligations and, thus, your Privacy Policy. These are the EU's General Data Protection Regulation, also called (GDPR), and in California, the California Online Privacy Protection Act (CalOPPA).

Let's take a brief look at each of these regulations so you understand the connection to the law and to obligations in meeting the Google AdSense Online Terms of Service.

General Data Protection Regulation (GDPR)

The GDPR is possibly the most stringent privacy law in the world. Governing all 28 member states, the GDPR was created to protect the privacy rights of EU citizens.

The GDPR applies to all websites attracting EU citizens, whether or not the website is located in the EU.

GDPR defines activities subject to its rules as:

1. Offering goods or services to EU citizens, whether or not an online payment is required, or
2. Monitoring website behavior and online activities of EU citizens

Interestingly, certain activities on your website, such as displaying Google ads, are exempt from the GDPR if the ads are presented generally to a global audience versus specifically to an individual user. However, the data you collect and share with Google AdSense is affected under rules pertaining to third-party information sharing.

What Does the GDPR Cover?

The GDPR protects a long list of personally identifiable consumer data and grants considerable rights to EU citizens in controlling how their data may be collected and managed.

It's important to understand the comprehensive list of data protected by the GDPR, as well as have a comprehensive list of the data you are collecting. The GDPR requires you to fully disclose all data you are currently collecting, data you might collect in the future, and the ways in which you use the data.

The GDPR also imposes rules pertaining to consumer rights for granting consent to collect their data, revoking consent, requesting copies of their data, or directing you to transfer or delete the data.

How your website handles all of these provisions must be thoroughly detailed in your Privacy Policy.

Google AdSense requires you to follow all privacy laws, including the GDPR. If you use AdSense, you are collecting personal data from your website users and must update your Privacy Policy to comply with the GDPR requirements.

Specifically, when using Google services, you agree to comply with Google's EU User Consent Policy.

The GDPR also imposes handling and disclosure requirements for website cookies. Under the law, you are required to advise your website visitors of your Cookies Policy, and also to give them easy access to simple instructions for changing their cookies preferences.

The cookies rule was designed to benefit consumers by educating them about how their information might be collected online, and their rights for controlling that.

A Cookies Policy is a separate agreement from a Privacy Policy, and both must be displayed on your website if you attract site visitors from the EU.

Your Cookies Policy must identify your specific reasons for using cookies to collect personal information from your website visitors. It also must identify all third parties collecting information from your website users via cookies.

AdSense uses cookies to perform its advertising and targeting services. Because of this, you are required to include a clause relating to cookies within your Privacy Policy. You might also consider posting separate links to each, ensuring compliance with all applicable laws.

California Online Privacy Protection Act (CalOPPA)

Enacted in 2003, CalOPPA was the first state privacy law in the United States.

If your website attracts visitors from the state of California, regardless of where your website is headquartered, you are subject to the rules and regulations imposed by CalOPPA.

In many ways, CalOPPA is similar to the GDPR in terms of the types of data it protects and its mission to improve both the protection of private consumer data and also the public's understanding of their privacy rights. Basically, if you meet GDPR requirements, you'll likely be satisfying CalOPPA requirements as well.

One of CalOPPA's requirements is for you to have an informative, easy-to-understand Privacy Policy in place.

Examples from Google AdSense-Compliant Privacy Policies

This Privacy Policy posted by the Scripps Networks offers a good example for disclosing the scope, methods and communication policies deployed, as well as how they pertain to the agreement with third parties.

The language is both succinct and clear - a requirement of the GDPR and CalOPPA - and includes consumer-centric information regarding opt-in, opt-out and other rights. Most importantly, Scripps is plainly stating that it has third-party relationships, such as with Google AdSense.

In doing this, Scripps is meeting legal requirements to disclose the nature of third party information sharing relationships and Google's requirements for disclosures.

Online swimwear retailer Venus Swimwear takes a different approach, generically referring to third-party information sharing policies in two Privacy Policy clauses, "Cookies and Other Website Technologies" and "How Venus Uses Online Remarketing Campaigns."

Venus presents display ads on its website and utilizes Google technologies to remarket its products to its website visitors after they leave the Venus site. Both of these practices are subject to Google's AdSense Online Terms of Service.

With these two clauses, Venus fully discloses its many current and potential reasons to collect consumer information for third party use as well as how the information is shared and how it's managed.

Venus also provides helpful information for consumers to control their options in allowing or preventing the collection of their information for these purposes.

Because GDPR and CalOPPA require websites to use language that the typical website visitor can understand, it's important to remember to consider your site visitors when drafting your Privacy Policy.

This example of a Privacy Policy posted on the Pealim Hebrew translation site offers a good example of user-friendly language written for its typical site visitor:

Pealim attracts a mostly younger audience from around the world. The plain and simple language used in their disclosures helps ensure their site visitors can understand the website's privacy protection procedures and their rights as consumers.

Understanding and respecting all of the applicable privacy laws, third party disclosure requirements and the Google AdSense Online Terms of Service is critical to protecting your legal liability.

Additionally, incorporating all of this into a sound Privacy Policy is mandatory for retaining your relationship with Google.