Why is this important?
European laws, including the General Data Protection Regulation (GDPR) and the e-Privacy Directive, create obligations for digital publishers to give visitors to their sites and apps information about their use and sharing of personal data, as well as about the use of cookies, mobile ad IDs, and other forms of local storage. In many cases these laws also require that consent be obtained.
This site is produced by Google. We work with lots of publisher partners and, based on that experience, we wanted to provide publishers and advertisers with information and access to easy-to-implement tools that can help them meet their legal obligations to get user consent.
How should I choose which Consent Management Platform (CMP) provider to adopt?
You can consider building your own consent solution, using Funding Choices or use a third party CMP solution (please refer here for more information). If using an already available CMP, you should consult your legal department as to the proper consent solution for your circumstances as well as ensure that the solution allows the level of customization to reflect those circumstances.
There are external resources available to help you choose the appropriate CMP provider, including the list of CMPs that have registered with the IAB’s Transparency and Consent Framework. Note, this list is not exhaustive of all CMPs available, nor does adopting any of these CMPs guarantee compliance with Google’s EU User Consent Policy, as this depends on the specific consent message presented to users. For more guidance on this please refer to the Help with the EU Consent policy page.
I'm a publisher. What do I put in my consent message?
Unfortunately we can’t tell you what your website or app consent message should say because it will largely depend on your approach to monetization, how you use personal data and the third party services you work with. However, we can give you some pointers.
Here’s a message that might be appropriate for your website, if you use products like Google AdSense or similar products from other organisations. Just remember, you’ll need to adjust this to suit your own choice of vendors, uses of cookies and other information.
Note: The example above talks about browser cookies. If you are writing a consent notice for an app, you might want to reference "mobile identifiers" instead of cookies.
In this example, a user can click "Yes" to consent to the specified use of her data. If she clicks "No", she is alerted that she will see only non-tailored ads, and that cookies will be used to deliver the ads. She can confirm this choice, or return. If she selects the "Learn how…" link, she can see information about the specific vendors who will collect data for ad personalization and measurement, and learn more about how they process the data collected. In this example, the number of partners is 10, but the number of vendors you use on your site may be more or less than that.
Again, we can’t tell you what to write by way of detail: it will depend on the vendors and services you work with, the choices you wish to present to your users, and any controls made available to users of your site.
If you’re using Google products like Google AdSense, you’ll be required by your contract to follow Google’s EU user consent policy. Implementing a consent mechanism like this for your EEA visitors can help you meet the requirements of Google’s own policies. It should also help towards your compliance with European cookie and data protection laws.
I’m an advertiser. What do I need to do for consent?
Many advertisers use tags or code from third-party advertising services, such as Google's, to assist with things like ad measurement and remarketing. These tags cause data to be shared with these advertising service providers. An advertiser might use an advertising service’s SDK in its mobile app for the same purposes.
Again, the same caveats as above apply: we can't tell you what your website or app consent message should say because it will largely depend on the advertising services you use, how you use personal data, and the third party services you work with. Here is a notice that might be more appropriate if visits to your site are used for ad personalization on your own site or other sites. You’ll notice it is very similar to the publisher notice above, and would operate in a similar manner.
If visits to your site do not influence the ads served elsewhere, the following notice might be appropriate:
Again, if you are writing a consent notice for an app, you might want to reference "mobile identifiers" instead of cookies.
If you're using Google products like Google AdWords or Doubleclick Digital Marketing, you’ll be required by your contract to follow Google's EU user consent policy. Implementing a consent mechanism like this for your EEA visitors can help you meet the requirements of Google's own policies. It should also help towards your compliance with European cookie and data protection laws.
Other Resources
For more information about the GDPR and its application to digital publishers and advertising:
Article 29 Working Party guidance on Consent under the GDPR
(2018) Article 29 Working Party guidance on Transparency under the GDPR
(2018) Article 29 Working Party guidance on Legitimate Interests
(2014) IAB Europe Guidance: Five Practical Steps to help companies comply with the E-Privacy
Directive (2015)
For regulatory guidance on cookie consent in advertising:
