How to Advertise on Google without Violating the GDPR

Advertising on Google without violating the GDPR is possible, but only by strictly following the rules set out in the EU's comprehensive data protection regulation. Google has a long history with GDPR fines and has gotten a bad reputation lately, but that doesn't mean that you'll violate the rules by default just by simply using their products.

In this article, we will delve deep into how to set up your advertising campaign to avoid GDPR breaches. As you may be guessing already, a lot comes down to obtaining explicit consent. But there are some caveats.

We'll get into:

• Google Ads v. GDPR compliance
• How does Google Ads conversion tracking work
• How to use Google Ads in conjunction with other Google products
• Google Consent Mode v2
• How Secure Privacy can help
• Google Advertising Dos and Donts to avoid GDPR penalties

Google Ads and GDPR Compliance

Google has gotten a bad reputation with data protection enforcement bodies since its advertising methods rely heavily on the processing of personal data and profiling based on user preferences. That's the reason why their advertising works so well, but also why online privacy is an issue for their services and products.

Google tracks internet users all over the internet while using its services, including Google Chrome, Google Analytics, YouTube, Google Maps, and others. Based on the gathered data, Google creates extensive profiles of users and serves them with ads that are likely to be clicked by the user.

If you are an advertiser, there is a lot to love about Google products. But not so much if you need to meet GDPR requirements. EU companies needs to comply with the GDPR at all times. Non-EU companies must respect it when dealing with European residents.

How Does Google Ads Conversion Tracking Work?

As a Data Protection Officer, it's imperative to ensure that our use of Google Ads conversion tracking aligns with data protection principles, particularly under regulations such as the GDPR. This tool enables us to monitor the effectiveness of our advertising campaigns by tracking user actions post-ad click, which may include making a purchase, signing up for a newsletter, or downloading our app. Here's an overview from a data protection standpoint:

• Setting up conversions and tagging. Initiating conversion tracking requires configuring conversion actions within the Google Ads account. This step involves identifying actions that signify a conversion, like a sale or newsletter sign-up, ensuring these definitions align with our data processing activities and are clearly communicated to users. Google also provides a "conversion tracking tag" or "conversion pixel" for website implementation, or SDKs and server-to-server APIs for app integrations, upon defining conversion actions. This tag, which should be placed on the conversion completion page (e.g., a thank you page) helps in collecting and processing of personal data. This is the point where GDPR comes into play.
• Visitor Interaction. The system places a temporary cookie on the user's device upon ad interaction, unique to both the user and the conversion action. This step requires transparent communication with users about the use of cookies and must only be implemented with their consent. This cookie identifies the user. That's why it must not be used without user's explicit consent.
• Conversion Recording. The conversion tracking tag detects the cookie and records the conversion action if the user completes it while the cookie is active. If the user has given consent, your action are lawful. If the user hasn't given consent, you have violated the GDPR.

Using Google Ads in Conjunction with Google Analytics 4

Integrating Google Ads with Google Analytics 4 to enhance advertising strategies necessitates careful consideration of user privacy and compliance with data protection regulations such as GDPR.

Two important things you should know about using GA4 togetehr with other Google products:

• You need specific consent for each purpose, particularly for analytics v. advertising purpose
• You must not use either product without consent.

GA4 purpose is website analytics, but it also helps in retargeting all over the internet where Google is present. That means that you process data for two different purposes - for analytics and advertising. That means that you need two separate consents.

But, what happens if the user does not give consent? Will you waste too much data?

If you implement Google Consent Mode v2, you can track conversions even without consent and without using cookies.

Google Consent Mode v2: Advertise on Google and Comply with the GDPR at the Same Time

Google Consent Mode version 2 (v2) is an advanced framework designed to help advertisers and website owners comply with the General Data Protection Regulation (GDPR) and other privacy regulations while running Google Ads, using Google Analytics 4, and employing other Google services.

It allows websites to adjust how Google tags behave based on the consent status of users, ensuring that personal data is handled appropriately.

Consent Mode introduces two new settings: `ad_storage` and `analytics_storage`. These settings control the behavior of cookies for advertising and analytics purposes. With Consent Mode, you can adjust these settings based on the consent given by the user, ensuring compliance with GDPR.

Before integrating Consent Mode, you need a Consent Management Platform (CMP) to manage user consent. Secure Privacy is a consent management platform. The CMP should be capable of interfacing with Google Consent Mode to signal user consent preferences regarding data storage and processing.

Next, you should integrate Consent Mode by updating your website's tagging setup. This involves adding the Consent Mode API to your website's code before any other Google tags. Once you've set the default consent state, use your CMP to modify these settings based on the user's choices.

After implementing Consent Mode, Google's services, such as Google Ads and Google Analytics, will adjust their behavior based on the consent status. For example, if a user does not consent to `ad_storage`, Google Ads will not use cookies for personalized advertising. Similarly, if `analytics_storage` is denied, Google Analytics will collect only basic data without using cookies for user identification.

By using Google Consent Mode v2, advertisers can respect user privacy choices, comply with GDPR, and still gather valuable insights and performance data from their websites and ads. It's a balanced approach that respects user consent while enabling data-driven decision-making.

How Secure Privacy Helps Google Advertisers Track Conversions without GDPR Consent?

Secure Privacy is a Google-certified consent management platform. Google has evaluated our product and confirmed that we ensure GDPR compliance while implementing Google Consent Mode v2.

Before the GDPR, you could track users as much as you wanted without consent. After the GDPR, you had to obtain consent first, but users usually do not interact with cookie banners asking them to allow tracking pixels and targeted ads. That's where personalized ads often lead to a GDPR violation.

Now, with the introduction of the Google Consent Mode v2, you can do both: track conversions without obtaining cookie consent, be GDPR compliant, and respect users' online privacy.

Google Ads Tracking Without Violating the GDPR: Dos and Donts

We know that reading an article very often is not enough to comprehend all the requirements. That's why we created a simple checklist of Dos and Donts on Google Advertising and the GDPR to help you navigate the waters.