Google offers numerous services to help developers and businesses enhance their online presence. For example, Adsense and Analytics make getting exposure much easier by helping you see how users interact with your website and where most of your traffic comes from.
However, using these services can raise issues when it comes to staying compliant with international law.
To help developers and businesses stay compliant while using Google services, Google enacted its EU User Consent Policy. This short, streamlined policy is based on the EU Cookies Directive ("Directive").
Here is how Google's EU User Consent Policy came to be and how to comply with it.
The EU Cookies Directive
The Directive came into effect in May 2011. It was adopted by all EU member states as part of an amendment to the e-Privacy Directive.
The Directive applies to:
- All businesses headquartered in an EU member state, and
- Foreign businesses that are aimed towards EU users
In general, the Directive requires that websites inform visitors:
- If cookies are in use,
- How cookies are used, and
- How visitors can consent to their usage
This places a cookies notice requirement on the websites that fall under the Directive. Banner notices are the most popular means of giving notice while also securing user consent to use cookies.
Here's an example of a banner notice used by BBC:
Sometimes a notice will not allow users to continue using the website unless they give consent to allow the use of cookies.
Lenovo Netherlands offers links to additional information and requires consent before users can explore their website:
An exception to this is that notice and consent are not required if the cookie is needed for transmitting communications or making the website operate. These include authentication cookies, cookies needed for multimedia content, and user input cookies that helps users fill forms or add items to a shopping cart.
Once the Directive passed, the Google's EU User Consent Policy soon followed. While it demands slightly more from Google services users in some ways, it is closely linked to the Directive.
This means that if you already satisfy the requirements of the EU Cookies Directive, you'll likely satisfy the requirements by Google.
Requirements of Google's EU User Consent Policy
The Policy exists to help users of Google services comply with the Directive. Its content is as follows:
Generally, it has two requirements.
First, websites and apps that are accessible to EU end users must disclose any data collection, sharing and usage that results from the use of Google products, and obtain consent for that activity to continue.
This includes personalization of ads, tracking website usage, and even counting the number of visits on a website.
Second, if the website uses Google products and cookies, the developer must disclose that fact. It must also obtain consent to use cookies and offer end users the ability to remove cookies if they desire.
Both of these provisions are related to the Directive. While the disclosure regarding Google products is not directly required, it is still a good precaution for those developers with end users in the EU. The second provision that mentions cookies is directly connected to the Directive.
All Google products directed to EU citizens fall under the Policy. However, Adsense, Analytics Advertising, and Analytics for Firebase are most likely to invoke it and the Directive. This is apparent in help pages and FAQs for these products.
Adsense places targeted ads on its users' websites. To be sure that it places the most effective ad for each end user, it uses cookies.
The Adsense program policies includes a direct link to the EU Consent Policy FAQ's.
Analytics Advertising is the same way. This program records page visits to help users find trends. Its Policy requirements includes a link to the Policy:
Analytics for Firebase, which performs the same function as Analytics for Advertising, takes the same approach:
If you use any of these three services, you must comply with the Policy. Fortunately, there are many resources to help you accomplish that.
Complying with Google's Policy
If the EU Cookie Directive applies to you, then so does Google's European Union User Consent Policy. As mentioned above, if you have EU end users or you run a company headquartered in an EU member state, you need to pay extra attention to how you disclose the use of cookies.
Google places additional requirements on you if you use its products. You must also provide the same notice and obtain consent for Adsense or Analytics services.
Notice and Consent
A good way to provide notice and obtain consent is to add a cookie consent function to your website or app.
This can be a banner announcement like the one used by BBC or a pop-up window that notifies users before they go to a section of your website affected by Google services.
The good news is there are resources available to help you comply.
The European Commission offers a guide on cookie policies and includes a Cookie Consent Kit. You can find these links by scrolling to the bottom of the guide and finding this section:
Google's Cookie Choices page is another excellent resource for giving cookies notice and getting consent to use them. It includes open source software and small businesses that may assist you. These entities and their products include:
- Silktide: Cookie Consent
- CIVIC: Cookie Control
- Governor Technology: The Cookie Collective
- Cybot: Cookiebot
Cookie Consent offers demos to help you choose themes and content. One demo produces this banner that lets you obtain affirmative consent before your cookies will be placed:
Banner announcements are an effective, common and acceptable method of complying with the EU Cookie Directive. However, you may need to take additional steps to comply with the Policy.
On its Cookie Choices page, Google offers two examples for consent messages. Both will likely need customizations to fit your unique business and should only be taken as general examples and templates.
This one may be appropriate for a website. Notice it addresses ads, personalized content, and social media features while also stating a purpose--analysing web traffic:
Mobile apps must extend the same courtesy if there is tracking and personalization involved. This general consent should be adapted to fit your product, but it's a good example to get you started:
Most banner announcements and these consent messages contain a link to "See details," "Learn More," or some other sort of additional information. Here's where you can provide more information on cookies including what they are, how they function, and how a user can remove them later.
For example, you can link your Cookie Policy or Privacy Policy with a cookies clause in it to this "See details" link.
Providing this information depends on your product and company practices. The more you use Google services and cookies, the more information you may wish to offer consumers.
Google provides products to help its clients track data and use cookies. It also uses many of them itself.
Because of this, Google offers a "See details" link in its own banner notification:
If you click "See details" it takes you to a page with more information and a video:
With the combination of the banner, requested consent, and this additional information linking to a Cookie Policy/Privacy Policy, there is no reason to assume a user will explore Google uninformed about cookies being used.
The video offers a thorough explanation and there are links to help users access ad settings, see a list of cookies used by Google, and review the Privacy Policy to see how Google uses data.
To comply with Google's EU User Consent Policy:
- Give notice that you use cookies to collect information from users,
- Obtain consent for this before you use cookies, and
- Link to more information about how/why you use cookies
This will keep you compliant with Google policies and the EU Cookies Directive, and will also keep your users informed.
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.