Helping publishers comply with US state privacy laws
- California
- Virginia
- Connecticut
- Colorado
- Utah
Google is a long-standing company that takes a user-centric approach to everything it does. In line with our commitment to users, we don’t sell personal information . We provide users with transparency and control over their ad experience through My Ad Center , My Account , and many other features to help them manage their accounts. In line with our personalized advertising policy , we don’t use sensitive information like health, race, religion, or sexual orientation to personalize ads. We also invest in initiatives like the Coalition for Better Ads , the Google News Initiative , and ads.txt to support a healthy and sustainable ads ecosystem .
Google welcomes privacy laws that protect consumers. In May 2018, we introduced several updates to help publishers comply with the General Data Protection Regulation (GDPR) in the EEA.
To help publishers manage their compliance with U.S. state privacy laws, we are adding restricted data processing, as defined below, to this set of features.
Service provider terms
Google already provides data protection terms in Europe in accordance with the General Data Protection Regulation (GDPR). We are now also providing service provider terms that complement the data protection terms, effective January 1, 2023. For customers under our online contracts and updated platform contracts, the service provider terms will be incorporated into our existing contracts via the data protection terms . Such customers do not need to take any action to add the service provider terms to their contracts.
Enable restricted data processing (RDP) for applicable US states
Publishers can configure restricted data processing (RDP) for traffic in US states or any region of the world. When a DDR signal is present, AdSense will not serve ads based on a user’s previous behavior and will send non-personalized ad requests to all bidders. Publishers can enable DDR in a few ways:
1. User Consent Management Platform
Many publishers work with a User Consent Management Platform (CMP) to pass appropriate consent signals to their advertising partners based on the type of consent they receive from the user.
With Google’s own user consent management solutions, you can enable the CMA to serve non-personalized ads to eligible web users in applicable US states. You can also offer optional messaging features through the Privacy & Messaging tab .
2. Publisher ad tags
Publishers can also choose to enable PII only on a per-request basis for some users via GPT and AdSense/Ad Exchange asynchronous ad tags . This can be useful if you are showing users a “Do Not Sell My Personal Information” link to opt out. You may decide that you are complying with your legal obligations with respect to users who have opted out by providing this signal.
3. Standardized IAB framework
Today, publishers can choose to use the IAB Tech Lab US Privacy String to implement restricted data processing when necessary . Publishers can submit this string or work with a CMP to do so. Using a standardized framework to enable the PII ensures that mediation partners can read the signal. By Q1 2024, AdSense, AdMob, and Ad Manager will begin supporting IAB Tech Lab’s Global Privacy Platform (GPP) for applicable US states and will enable the PII whenever the GPP signal is received. Once GPP is fully supported by AdSense, AdMob, and Ad Manager for US states, we recommend that publishers begin sending the GPP string instead of the IAB US Privacy String .
4. Privacy and Messaging settings
Publishers can change the CPRA settings in the AdSense user interface to restrict data processing and only display non-personalized ads to eligible users in the applicable US states. These settings will apply to all US states with privacy laws. They do not control the data you share outside of your account (for example, through mediation).