We are committed to complying with applicable data protection laws
We are always working to stay compliant, which helps make compliance easier for your business. We are audited regularly by third parties, maintain certifications, provide industry-standard contractual protections and share tools and information you can use to strengthen your business’ compliance.
Our commitment to user privacy
Keeping users’ information safe, secure and private is among our highest priorities at Google. Over the years, we have worked closely with data protection authorities around the world and have implemented strong privacy protections that reflect their guidance.
We are well placed to meet the security requirements of the applicable data protection laws. Our services are backed by robust, state-of-the-art technical and organizational safeguards, dedicated security and privacy teams and our program is reviewed annually by third-party auditors.
We will promptly inform you of incidents involving your customer data in line with the data incident terms in our agreements with you. We maintain and continue to invest in advanced threat detection and avoidance technologies, as well as a rigorous 24/7 incident management program to help you identify and respond to security or privacy events without delay and with available information.
We already have processes to build privacy into our products from the very earliest stages, and we are continually evolving our practices, including Data Protection Impact Assessments, to meet worldwide changing requirements including those in the GDPR around Privacy by Design and Privacy by Default.
We update our ads data retention policies whenever necessary and have made changes to our products to unify retention practices.
Our commitment to data protection laws
Privacy regulation is changing. We know you need to select products that are both compliant with all applicable data protection laws, and use personal data in ways that are compliant. Below is information on how Google is complying with specific privacy laws:
The Lei Geral de Proteção de Dados (LGPD) is a new Brazilian privacy law that came into effect on September 18, 2020. While enforcement powers by the Brazilian DPA are postponed to August 1st, 2021, the LGPD can still be enforced by other governmental authorities, such as public prosecutors and consumer protection agencies, who can apply sanctions based on the Civil Code and the Consumer Protection Code.
Google already offers data protection terms for its Ads products under the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We will be updating those existing Ads data protection terms to add LGPD-specific terms. Google’s status under the LGPD as either a controller or processor for each Ads product will be the same as under the GDPR. The LGPD terms will be incorporated into our existing Ads data protection terms, so no action is required to accept the LGPD terms where the existing Ads data protection terms already form part of your contract.
If your existing contract does not incorporate our existing Ads data protection terms, please review the product-specific Help Centers in Resources for Advertisers and Publishers for more information on how to accept the terms in the relevant Ads product UI.
In addition to the updated LGPD terms, we offer product controls that our Ads customers may utilize as part of their LGPD compliance strategy. If you believe you may be in scope of the LGPD, we recommend that you work with your legal advisors to determine how to comply with the LGPD, including how to use the options we offer.
The California Consumer Privacy Act (CCPA) is a new data privacy law which applies to certain businesses that collect personal information from California residents. The law went into effect on January 1, 2020.
In October 2019, the California Attorney General published draft regulations to provide further guidance on CCPA which are expected to be finalized in the next several months. The information and product updates provided here are subject to change based on updated regulations from the California Attorney General.
The law includes a provision that gives California residents the right to opt out of the "sale" of their "personal information" through a prominent link that says "Do Not Sell My Personal Information" on the "selling" party’s homepage. The CCPA includes certain exceptions to the definition of "sale," including transfers to "service providers."
Restricted data processing is intended to help advertisers, publishers, and partners meet their CCPA compliance needs. When you enable restricted data processing, Google restricts how it uses certain data to only undertake certain business purposes.
We are also offering service provider terms to help advertisers, publishers and partners prepare for the CCPA. In certain circumstances, we will act as your service provider in handling data processed while restricted data processing is enabled. You should review these terms carefully to ensure they meet your compliance needs. Restricted data processing operates differently across our products.
Advertisers, publishers, and partners should ensure that the use of Google products and services, including restricted data processing, meets their CCPA compliance requirements. In some products, restricted data processing can be enabled for all California users, or only for those users who an advertiser, publisher, or partner indicates should have it enabled.
Advertisers and publishers should evaluate their use of Google products and services, including restricted data processing, with their legal advisors, to determine their compliance requirements. Please see this article to learn more about restricted data processing.
Advertisers should work with their legal advisors to determine whether and how they should comply with CCPA. This includes making a decision about whether to place a "Do Not Sell My Personal Information" link on their site or in their app and whether to enable restricted data processing in the Google products they plan to use. Advertisers should refer to this article to find out more information about how restricted data processing works for each product.
Publishers should work with their legal advisors to determine whether and how they should comply with CCPA. This includes making a decision about whether to place a "Do Not Sell My Personal Information" link on their site or in their app and whether to enable restricted data processing in the Google products they plan to use. Publishers should refer to this article to find out more information about how restricted data processing works for each product.
The General Data Protection Regulation (GDPR) went into effect on May 25, 2018, replacing the 1995 EU Data Protection Directive. The GDPR lays out specific requirements for businesses and organizations who are established in Europe or who serve users in Europe. It regulates how businesses can collect, use, and store personal data.
Where we act as a processor of personal data, we make available data processing terms, reflecting the controller-processor relationship, where required. Products where Google acts as a processor include:
- Ads Data Hub
- Google Ads Customer Match
- Google Ads Store sales (direct upload)
- Android Enterprise
- Google Marketing Platform (including Display & Video 360, Campaign Manager, Search Ads 360, Google Analytics, Tag Manager, Optimize, Data Studio, Attribution, and Google Analytics for Firebase)
- Google Cloud Platform
- Google Workspace
The data processing terms that we offer for the Ads products listed above are available here. More information about the types of personal data in scope for those terms for each Ads product can be found here. Information about Google Cloud Platform and Google Workspace commitments to the GDPR, including data processing terms, can be found here.
Additionally, for products where Google and the customer each act as independent controllers of personal data, we have updated our agreements or made available terms that reflect that status. These Google products include:
- Google AdMob
- Google AdSense
- Google Ads (including Shopping and Hotel Ads, but not Google Ads features where we act as a processor of personal data - see above)
- Google Ad Manager
- Google Customer Reviews
- Google Maps APIs
- Waze Audio SDK
The controller-controller terms that we offer for the Ads products listed above are available here. We have published additional information on our Help Center to address common questions: Ad Manager, AdSense, and AdMob.
We also offer European Model Contract Clauses to address EU data-transfer requirements for Google Cloud Platform and Google Workspace. We previously obtained Common Opinions from EU Data Protection Authorities confirming the alignment of our Model Contract Clauses with the Standard Contractual Clauses published by the European Commission.
The GDPR requires companies to meet certain conditions before transferring personal data outside the EEA, CH and UK. To comply with this requirement, Google relies on Standard Contractual Clauses for relevant data transfers in our Ads and measurement products. Standard Contractual Clauses are also offered as a transfer mechanism by Google Cloud.
If your existing contract does not incorporate our Ads data protection terms, please review the product-specific Help Center articles under "Useful links" for more information.
We will continue to monitor the evolution of international data-transfer mechanisms under the GDPR, and are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.
Terms & policies:
- Ads Controller Terms
- Ads Processor Terms
- Breakdown of Google’s Controller and Processor Ads Products
- Advertising & Cookies
- EU User Consent Policy
- Help with the EU user consent policy
Tools to help publishers comply with the GDPR:
Tools to help advertisers comply with the GDPR:
We encourage you to check on compliance plans within your own organization, and have included the checklist below to highlight some key questions to think about:
- How does your organization ensure user transparency and control around data use? Do you explain to your users the types of data you collect and for what purposes?
- How will you show to regulators and partners that you meet the applicable regulatory requirements and are an accountable organization?
- Does your organization have the right systems to record user preferences and consents?
- Have you assessed each of the partners and vendors you work with to ensure your organization is comfortable with their approach to managing user data and complying with regulation?
Audits and certifications
When you share your business’ data with Google, we want you to know it is protected. Our product security controls are audited regularly against international standards, like ISO standards and SSAE18/ISAE 3402 – so you know your business’ data is handled responsibly. In addition, a U.S.-based, qualified, independent third party reviews the effectiveness of our controls at least every two years.
The American Institute of Certified Public Accountants (AICPA) SOC 2 (Service Organization Controls) and SOC 3 audit framework defines Trust Principles and Criteria for security, availability, processing integrity, and confidentiality.
Google has both SOC 2 and SOC 3 reports for Google Cloud Platform and Google Workspace. You can download our SOC 3 report. We also have SOC 1 Type 2 for Google Ads, Google Ad Sense, Campaign Manager and Google Ad Manager, available to customers under NDA.
FedRAMP is a program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by the U.S. federal government. Google maintains a FedRAMP Authorization to Operate (ATO) for Google Workspace and Google App Engine.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements for entities that store, process, or transmit payment card data. The Google services have been reviewed by an independent Qualified Security Assessor and determined to be compliant with the current version of PCI DSS can be found here.