Google's EU User Consent Policy Explained: What Advertisers and Publishers Must Do

A Policy on Top of the Law

Most discussions of consent focus on the law — the GDPR, the ePrivacy regime, and their national implementations. But if you advertise or measure with Google's products, there is a second layer of obligation that is easy to overlook: Google's own EU User Consent Policy. This is a contractual requirement Google imposes on everyone who uses its advertising and measurement services in connection with users in the European Economic Area and the UK.

The distinction matters. The GDPR is enforced by regulators; Google's EU User Consent Policy is enforced by Google, through its terms of service. Failing to meet it is not merely a legal risk — it is a breach of your agreement with Google that can ultimately affect your access to its products. This guide explains what the policy requires, who it applies to, and the concrete steps to stay compliant. You can read the official text on Google's EU User Consent Policy page.

Who the Policy Applies To

The policy reaches a broad set of Google products. If you use any of the following with EU or UK end users, you are within scope:

• Google Ads and Display & Video 360 for advertising.
• Google AdSense and Ad Manager for monetizing a site or app.
• Google Analytics where it feeds advertising features.
• Other measurement and tagging products that set cookies or process personal data for ads.

The trigger is not where your business is located but where your users are. A company based anywhere in the world that shows ads to, or measures, European users through Google's stack must comply. This mirrors the extraterritorial logic of the underlying privacy laws and means very few advertisers can treat the policy as someone else's problem. If you operate across regions, our comparison of GDPR, CCPA, and PECR provides the legal backdrop.

The Three Core Requirements

At its heart, the EU User Consent Policy obliges you to obtain legally valid consent from end users for two things, and to disclose certain information clearly. The requirements can be summarized in three duties.

1. Consent for cookies and local storage

You must obtain users' legally valid consent to the storing and accessing of cookies or other information on their devices, where legally required. This is the ePrivacy dimension — the act of reading or writing to the device itself.

2. Consent for personal data use in ads

You must obtain consent for the collection, sharing, and use of personal data for the personalization of ads. This is the GDPR dimension — the processing of the data for an advertising purpose.

3. Clear disclosure and records

You must retain records of the consent you obtained and provide users with clear instructions for revoking it. In other words, the policy explicitly requires the kind of consent logging and audit trail that good practice demands anyway, and an accessible way to withdraw.

The Certified CMP Requirement for Ad Serving

For publishers serving ads through Google's ad-serving products to European users, the policy goes a step further than a generic "get consent" instruction. Google requires that you use a Consent Management Platform that has been certified by Google and that integrates with the IAB Transparency and Consent Framework.

This requirement exists because Google needs to receive consent signals in a standardized, machine-readable form to decide whether and how it may serve personalized ads. The TCF provides that standard format — the encoded consent string we describe in our explainer on what TCF is. A certified platform passes those signals to Google's ad systems automatically, so the ad request honors the user's choice.

The practical implication is that, for ad-serving use cases, a homegrown banner that merely toggles tags on your own site may not satisfy Google's contractual requirement. You need a consent solution that is both certified and properly integrated, so that the signal actually flows to Google in the expected form.

How Consent Mode Fits In

Google's mechanism for receiving and acting on consent signals across its measurement and advertising products is Consent Mode. When implemented, your consent platform updates Consent Mode parameters — such as whether advertising and analytics storage are granted — and Google's tags adjust their behavior accordingly.

For advertisers using Google Ads with European traffic, Google has made the advanced consent signals effectively necessary to keep audience features and full measurement working. Without valid consent signals flowing in, certain features degrade or stop functioning, and remarketing audiences cannot be populated. This is the carrot-and-stick design of the system: honoring consent is not only a compliance duty but a prerequisite for the product working at full capability. Our dedicated guide on Google Consent Mode v2 covers the implementation detail, and our piece on how Consent Mode affects GA4 reporting explains the downstream impact on your data.

What Happens If You Do Not Comply

Because this is a contractual policy, the consequences are distinct from a regulator's fine, though both can apply simultaneously. Google reserves the right to take action against accounts that violate the policy. In practice, the risks fall into a few buckets.

• Degraded performance. Without valid consent signals, audience building, remarketing, and conversion measurement lose fidelity, directly hurting campaign results.
• Feature restrictions. Certain personalization features simply will not operate for European users who have not consented, which is the policy working as intended.
• Account enforcement. Persistent or egregious non-compliance can lead to warnings or account-level action under Google's terms.
• Layered legal exposure. The same failure that breaches Google's policy typically also breaches the underlying law, exposing you to regulatory action on top.

The reassuring flip side is that a single well-built consent setup satisfies both Google and the regulators at once, because the policy is deliberately aligned with the law.

A Compliance Checklist

To meet Google's EU User Consent Policy, work through the following:

1. Confirm scope. Identify every Google product you use that touches EU or UK users.
2. Deploy a compliant consent banner that obtains affirmative consent for device storage and for ad personalization, with rejection as easy as acceptance.
3. Use a certified, TCF-integrated CMP if you serve ads through Google's ad-serving products.
4. Implement Consent Mode so consent choices propagate to Google's tags and measurement.
5. Keep consent records and provide a clear, persistent way for users to revoke.
6. Disclose in your privacy notice that personal data may be used for ad personalization and how users control it.
7. Re-test periodically, especially after adding new Google tags or changing your banner.

Treated as a single integrated project rather than a series of disconnected tasks, compliance with Google's EU User Consent Policy becomes a natural extension of the consent program you should already be running — and it keeps both your advertising performance and your legal standing intact.