How Many Google Privacy Policies Are You Violating?
If you're a Google advertiser, or use Google Analytics, you may be inadvertently violating some of their privacy policies. When I examined more than 200 sites I found that more than 90% were violating at least one Google privacy policy. Are you?
Every website that uses Google AdWords, Analytics or AdSense, and does not have a privacy policy, violates three of Google’s terms of service agreements.
To get a sense of how big a problem this is, I took a look at a couple hundred sites this week and found some startling statistics:
- More than 90% were breaking at least one of Google’s policies
- More than 65% were breaking at least two of Google’s policies
- More than 40% were breaking at least three of Google’s policies
How many of these policies are you breaking?
When conducting this survey, I only included sites that were required to follow at least one of Google’s policies, based on the Google products or services they were using. If a site didn’t need to follow any, then I excluded it from the results.
I also focused on privacy policies, and not every single policy for all of the services; had I looked at everything, the total number of Google policies broken would be a higher number.
This is an unofficial survey of a couple hundred sites and I excluded most larger and authoritative domains from my research, although some sites in Google’s Top 1000 List were breaking at least two policies.
What happens if you violate Google’s terms of service? Technically, you could be sued; but more likely you’ll get warned or lose access to the Google program with the violation.
Losing access to your Google Analytics data, the ability to drive traffic with AdWords, or your website’s monetization efforts with AdSense can have a significant impact on a business.
Here are some common ways businesses unintentionally break Google’s privacy policies. I’ll also review the requirements for any website to be in compliance with Google’s policies.
Note: This is not intended to be legal advice. I’m not a lawyer nor do I pretend to be. The purpose of this post is to increase your awareness of Google’s policies so that you do not suddenly lose access to Google’s programs such as AdWords, Analytics or AdSense.
Google Analytics
Google Analytics (GA) is used on more than 28% of all websites. When you sign up for GA you must agree to the terms of service. Take a close look at section seven of this document:
7. PRIVACY. You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.
Source: Google Analytics terms of service.
If you use Google Analytics you must have a privacy policy on your website. Considering many small websites do not have a privacy policy, those sites are automatically breaking Google’s terms of service.
Another reason to have a privacy policy is that transparency to the user is one factor Google uses to determine your landing page quality score.
To be in compliance with this section of Google Analytics terms of service:
- Create a privacy policy
- State the usage of third party tracking
- State the usage of cookies to track anonymous data
By following these simple steps, your site will now be in compliance with the most commonly broken rule of the Google Analytics privacy policy. However, Google Analytics terms of service does contain more details about how the service should be used, such as not using it to collect personally identifiable information. Given the stakes if you’re not in compliance, you should really take the time to closely read the entire Google Analytics terms of service.
AdWords conversion tracking
When Google first launched AdWords conversion tracking you had to put a script on a page that would show a graphic to someone who converted (and had the AdWords cookie on their browser). Later, Google made a change where you could opt not to show a script, but still inform users yourself.
This is the most ambiguous of Google’s policies as there are no guidelines to follow; therefore, a simple statement that you use third party cookies to track data is all that is required to be in compliance. If you have amended your privacy policy to follow the Google Analytics terms of service, then you should be in compliance with this policy. If you are not using Google Analytics, then follow those same steps to comply with this guideline.
AdWords remarketing
Remarketing is powerful as you can serve ads across the content network to people who visited your website even once. While powerful, these ads can seem creepy to users, as you can follow someone around the web making very explicit statements in your ads.
Because it is easy to abuse remarketing, and cause uneasy feelings in some consumers that can push them away from ads, Google has some policies you must follow if you use Google’s remarketing feature. Here is an excerpt from Google’s policies on remarketing:
If you’re using the remarketing feature, you must have an appropriate description of your use of remarketing in online advertising. The description must be included in the privacy policies of all sites that include the remarketing tag.
The privacy policies should include the following information:
- Third party vendors, including Google, show your ads on sites on the internet.
- Third party vendors, including Google, use cookies to serve ads based on a user’s prior visits to your website.
- Users may opt out of Google’s use of cookies by visiting the Google advertising opt-out page. (Alternatively you can point users to opt out of a third party vendor’s use of cookies by visiting the Network Advertising Initiative opt out page.)
If you’re using DoubleClick’s remarketing pixels, your privacy policy may instead tell users to opt out of DoubleClick’s use of cookies by visiting the DoubleClick opt-out page or the Network Advertising Initiative opt-out page.
Because advertiser sites and laws across countries/territories vary, we’re unable to suggest specific privacy policy language. However, you may wish to review resources such as the Network Advertising Initiative (NAI) for guidance on drafting a privacy policy.
Source: Google Help Files.
That is a lot of information. Google’s FAQ is old, and the DoubleClick and Google advertising opt-out pages are now the same. So you can link to a single opt-out page if you are using AdWords, DoubleClick or both for remarketing. How?
- Create a privacy policy
- Briefly describe remarketing (bullet points 1 & 2)
- Tell users they can opt out at the Google advertising opt-out page.
- If you want users to be able to opt out of anything, or you are using multiple remarketing systems, linking to the Network Advertising Initiative opt-out page is a good idea
However, there is much more than just a privacy policy update to consider when using remarketing. Google has specific requirements for certain industries as well.
Remarketing policies by industry
Google’s industry-specific policies are here. Most of these policies fall into one of three categories:
- Don’t use sensitive information in ads
- Don’t imply you know more about someone than you do
- Follow the laws: don’t market to children under 13
Here are some requirements for a few common industries:
Financial services:
Financial sites are not just credit card companies: they are also banks and affiliates who promote products and services in this industry.
Here’s a quote from Google’s remarketing restriction page:
- Sites which solicit or store information about the user’s financial status or situation cannot use that sensitive information to create remarketing lists.
- Ads which imply to know the user’s financial status or information should not be run with remarketing.
This means you cannot have a remarketing list that was compiled when someone visited the “bad credit” section of your website and then serve ads that say, “We know your credit is bad. We’ll give you a credit card anyway.” Financial sites have many laws they need to follow, but Google’s remarketing terms of service is a must read for any financial site.
Marketing to children
More from Google:
Because of numerous laws around marketing to children, in the US and elsewhere, we want to ensure we do not allow advertisers to remarket to children under 13 using remarketing. Sites which store or solicit information about users that indicates their age is below 13 may not create remarketing lists using that data.
Ads which are directly marketed toward users under 13 OR ads which are primarily appealing to those under 13 are not allowed to run in conjunction with remarketing. Ad texts which appear to target children are not permitted to run in conjunction with remarketing.
This is a grey area. If your ads appear like they will appeal to children, you can be outside of the terms of service. If you offer services for children or families, you need to make sure your ads are speaking to the parents and not to the minors.
Sensitive information
Your lists and ads can never be segmented by:
- Race
- Ethnic background
- Sexual orientation
- Sensitive or private information
- etc.
While this might seem obvious for privacy reasons, there are times you might naturally segment this way for marketing purposes, but you need to be careful. Let’s say you own a dating site, and that site has a Latino and Catholic section. You cannot cookie just people in the Latino section with one list and people in the Catholic section with another list and then target those individuals with Latino dating service ads.
Likewise, you cannot make a “drug rehab” list and serve ads based upon needing a drug rehabilitation center. That is just too personal.
If you are engaged in remarketing, you should take a look at the Google remarketing policy page.
Interest based ads
Google’s “interest based ads” are still in beta; however, beta advertisers should be following Google policies as well.
The policies for interest based ads are very similar to the remarketing policies. If you are in the interest based ads beta, even though you might not be using remarketing, you should pay close attention to the terms as you need to inform users of your lists and opt-out methods.
Because this policy is so close to remarketing, there is no need to cover it in-depth; but you can read more on the interest-based advertising policy page.
Google AdWords terms of service
What we covered in this column with regards to Google’s terms of service mostly concerns the privacy policy. However, you should be aware of the AdWords terms of service to make sure you are following all of the practices. The entire policy can be found here.
Google AdSense
Google AdSense is so prevalent across the web, and so easy to install, I believe most publishers (especially the small ones with instant blogging plug-ins) don’t understand there are terms of service that all AdSense publishers must agree to.
The AdSense policy (this is for the US; you can see the terms by country here) clearly states:
You must have and abide by an appropriate privacy policy that clearly discloses that third parties may be placing and reading cookies on your users’ browser, or using web beacons to collect information, in the course of ads being served on your website. Your privacy policy should also include information about user options for cookie management.
This is a very similar policy to Google Analytics. There are many more policies with regards to AdSense about not encouraging people to click ads and so forth. If you use AdSense, you need to read the terms of service. However, you also need to have a privacy policy that lets people know about your cookie usage.
About privacy policies
Laws concerning privacy policies vary by country. In the United States you do not have to have one—it is optional. However, if you have one you need to follow it.
In other countries, privacy policies are mandatory.
In some tests I’ve run, the simple act of adding a privacy policy to a page has increased conversion rates as well. Consumers are increasingly concerned about their privacy online, and if your site does not tell a consumer what you will do with their data, they may decide to abandon your website and move on to one where they feel more secure with online activities.
Creating a privacy policy should be a business decision as it may affect how you collect and use data. However, if you use several of Google’s services, privacy policies are mandatory.
If you would like to learn more about privacy online, here are some good resources:
From a marketer’s perspective, you need to make consumers feel secure in your website and your honesty. A privacy policy that tells someone exactly what you are doing often works well; but of course that effectiveness does vary by market. You can see our privacy policy which is very blunt in what we collect, and yet not a single person has clicked on the opt-out links in our policy.
Contributing authors are invited to create content for Search Engine Land and are chosen for their expertise and contribution to the search community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. The opinions they express are their own.