We are committed to complying with applicable data protection laws
We are always working to stay compliant, which helps make compliance easier for your business. We are audited regularly by third parties, maintain certifications, provide industry-standard contractual protections, and share tools and information you can use to strengthen your business’ compliance.
Our commitment to user privacy
Keeping users’ information safe, secure and private is among our highest priorities at Google. Over the years, we have worked closely with data protection authorities around the world and have implemented strong privacy protections that reflect their guidance.
We are well placed to meet the security requirements of the applicable data protection laws. Our services are backed by robust, state-of-the-art technical and organizational safeguards, dedicated security and privacy teams, and our program is reviewed annually by third-party auditors.
We will promptly inform you of incidents involving your customer data in line with the data incident terms in our agreements with you. We maintain and continue to invest in advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help you identify and respond to security or privacy events without delay and with available information.
We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide changing requirements including those in the GDPR around Privacy by Design and Privacy by Default.
Ads data retention policies
We update our ads data retention policies whenever necessary and have made changes to our products to unify retention practices.
Our commitment to data protection laws
Privacy regulation is changing. We know you need to select products that are both compliant with all applicable data protection laws, and use personal data in ways that are compliant. Below is information on how Google is complying with specific privacy laws:
Lei Geral de Proteção de Dados (“LGPD”) is a new data privacy law that is expected to go into effect on August 16, 2020. LGPD applies to businesses (both inside and outside Brazil) that process the personal data of users located in Brazil. A Brazilian Data Protection Authority (DPA) will be established and will provide guidelines on how to interpret and implement the LGPD’s requirements. As the DPA is yet to be established, Google’s approach is subject to further change.
Terms & Contractual Protections
Google already offers data protection terms for its Ads products under the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We will be updating those existing Ads data protection terms to add LGPD-specific terms. Google’s status under the LGPD as either a controller or processor for each Ads product will be the same as under the GDPR. The LGPD terms will be incorporated into our existing Ads data protection terms, so no action is required to accept the LGPD terms where the existing Ads data protection terms already form part of your contract.
If your existing contract does not incorporate our existing Ads data protection terms, please review the product-specific Help Centers in Resources for Advertisers and Publishers for more information on how to accept the terms in the relevant Ads product UI.
More about LGPD
In addition to the updated LGPD terms, we offer product controls that our Ads customers may utilize as part of their LGPD compliance strategy. If you believe you may be in scope of the LGPD, we recommend that you work with your legal advisors to determine how to comply with the LGPD, including how to use the options we offer.
Terms & Policies
Resources for Publishers & Advertisers
The California Consumer Privacy Act (CCPA) is a new data privacy law which applies to certain businesses that collect personal information from California residents. The law went into effect on January 1, 2020.
More about CCPA
In October 2019, the California Attorney General published draft regulations to provide further guidance on CCPA which are expected to be finalized in the next several months. The information and product updates provided here are subject to change based on updated regulations from the California Attorney General.
The law includes a provision that gives California residents the right to opt out of the "sale" of their "personal information" through a prominent link that says "Do Not Sell My Personal Information" on the "selling" party’s homepage. The CCPA includes certain exceptions to the definition of "sale", including transfers to "service providers".
Restricted data processing & service provider terms
Restricted data processing is intended to help advertisers, publishers, and partners meet their CCPA compliance needs. When you enable restricted data processing, Google restricts how it uses certain data to only undertake certain business purposes.
We are also offering service provider terms to help advertisers, publishers and partners prepare for the CCPA. In certain circumstances, we will act as your service provider in handling data processed while restricted data processing is enabled. You should review these terms carefully to ensure they meet your compliance needs. Restricted data processing operates differently across our products.
Advertisers, publishers, and partners should ensure that the use of Google products and services, including restricted data processing, meets their CCPA compliance requirements. In some products, restricted data processing can be enabled for all California users, or only for those users who an advertiser, publisher, or partner indicates should have it enabled.
Advertisers and publishers should evaluate their use of Google products and services, including restricted data processing, with their legal advisors, to determine their compliance requirements. Please see this article to learn more about restricted data processing.
Considerations for advertisers
Advertisers should work with their legal advisors to determine whether and how they should comply with CCPA. This includes making a decision about whether to place a "Do Not Sell My Personal Information" link on their site or in their app and whether to enable restricted data processing in the Google products they plan to use. Advertisers should refer to this article to find out more information about how restricted data processing works for each product.
Considerations for publishers
Publishers should work with their legal advisors to determine whether and how they should comply with CCPA. This includes making a decision about whether to place a "Do Not Sell My Personal Information" link on their site or in their app and whether to enable restricted data processing in the Google products they plan to use. Publishers should refer to this article to find out more information about how restricted data processing works for each product.
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the 1995 EU Data Protection Directive. The GDPR lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe. It regulates how businesses can collect, use, and store personal data.
Terms & contractual protections
Where we act as a processor of personal data, we make available data processing terms, reflecting the controller-processor relationship, where required. Products where Google acts as a processor include:
- Ads Data Hub
- Google Ads Customer Match
- Google Ads Store sales (direct upload)
- Android Enterprise
- Google Marketing Platform (including Display & Video 360, Campaign Manager, Search Ads 360, Google Analytics, Tag Manager, Optimize, Data Studio, Attribution, and Google Analytics for Firebase)
- Google Cloud Platform
- G Suite
The data processing terms that we offer for the Ads products listed above are available here. More information about the types of personal data in scope for those terms for each Ads product can be found here. Information about Google Cloud Platform and G Suite commitments to the GDPR, including data processing terms, can be found here.
Additionally, for products where Google and the customer each act as independent controllers of personal data, we have updated our agreements or made available terms that reflect that status. These Google products include:
- Google AdMob
- Google AdSense
- Google Ads (including Shopping and Hotel Ads, but not Google Ads features where we act as a processor of personal data - see above)
- Google Ad Manager
- Google Customer Reviews
- Google Maps APIs
- Waze Audio SDK
The controller-controller terms that we offer for the Ads products listed above are available here. We have published additional information on our Help Center to address common questions: Ad Manager, AdSense, and AdMob.
We also offer European Model Contract Clauses to address EU data-transfer requirements for Google Cloud Platform and G Suite. We previously obtained Common Opinions from EU Data Protection Authorities confirming the alignment of our Model Contract Clauses with the Standard Contractual Clauses published by the European Commission.
The Privacy Shield frameworks provided a mechanism to comply with data protection requirements when transferring EEA, UK or Swiss personal data to the United States and onwards. While the Swiss-U.S. Privacy Shield currently remains valid, in light of the recent Court of Justice of the European Union ruling on data transfers, invalidating the EU-U.S. Privacy Shield, Google will be moving to reliance on Standard Contractual Clauses for relevant data transfers, which, as per the ruling, can continue to be a valid legal mechanism to transfer data under the GDPR. We will share more information about these updates (including timelines) as soon as possible. Standard Contractual Clauses are already offered as a transfer mechanism by Google Cloud.
If your existing contract does not incorporate our Ads data protection terms, please review the product-specific Help Center articles under "Useful links" for more information.
We are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.
We will continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.
Terms & policies:
- Ads Controller Terms
- Ads Processor Terms
- Breakdown of Google’s Controller and Processor Ads Products
- Advertising & Cookies
- EU User Consent Policy
- Help with the EU user consent policy
Tools to help publishers comply with the GDPR:
Tools to help advertisers comply with the GDPR:
We encourage you to check on compliance plans within your own organization, and have included the checklist below to high light some key questions to think about:
- How does your organization ensure user transparency and control around data use? Do you explain to your users the types of data you collect and for what purposes?
- How will you show to regulators and partners that you meet the applicable regulatory requirements and are an accountable organization?
- Does your organization have the right systems to record user preferences and consents?
- Have you assessed each of the partners and vendors you work with to ensure your organization is comfortable with their approach to managing user data and complying with regulation?
Audits and certifications
When you share your business’ data with Google, we want you to know it is protected. Our product security controls are audited regularly against international standards, like ISO standards and SSAE18/ISAE 3402 – so you know your business’ data is handled responsibly. In addition, a U.S.-based, qualified, independent third party reviews the effectiveness of our controls at least every two years.
ISO 27001 (Information security management)
ISO 27017 (Cloud security)
ISO 27018 (Cloud privacy)
ISO 27701 (Privacy information management)
The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and Criteria for security, availability, processing integrity, and confidentiality.
Google has both SOC 2 and SOC 3 reports for Google Cloud Platform and G Suite. You can download our SOC 3 report. We also have SOC 1 Type 2 for AdWords, AdSense, DoubleClick Campaign Manager, DoubleClick for Publishers, and DoubleClick Ad Exchange, available to customers under NDA.
FedRAMP is a program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. federal government. Google maintains a FedRAMP Authorization to Operate (ATO) for G Suite and Google App Engine.
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements for entities that store, process, or transmit payment card data. The following Google services have been reviewed by an independent Qualified Security Assessor and determined to be compliant with the current version of PCI DSS: Android Pay, Google App Engine, Google Compute Engine, Google Cloud Storage, Google Cloud Datastore, Google Cloud SQL, Google BigQuery, Google Cloud Dataproc, Google Cloud Dataflow, Google Container Engine, Google Container Registry, Google Cloud Bigtable.