How Many Google Privacy Policies Are You Violating?
To get a sense of how big a problem this is, I took a look at a couple hundred sites this week and found some startling statistics:
- More than 90% were breaking at least one of Google’s policies
- More than 65% were breaking at least two of Google’s policies
- More than 40% were breaking at least three of Google’s policies
How many of these policies are you breaking?
When conducting this survey, I only included sites that were required to follow at least one of Google’s policies, based on the Google products or services it was using. If a site didn’t need to follow any, then I excluded it from the results.
I also focused on privacy policies, and not every single policy for all of the services; had I looked at everything, the total number of Google policies broken would be a higher number.
This is an unofficial survey of a couple hundred sites and I excluded most larger and authoritative domains from my research, although some sites in Google’s Top 1000 List were breaking at least two policies.
What happens if you violate Google’s terms of service? Technically, you could be sued; but more likely you’ll get warned or lose access to the Google program with the violation.
Losing access to your Google analytics data, the ability to drive traffic with AdWords, or your website’s monetization efforts with AdSense can have a significant impact on a business.
Here are some common ways businesses unintentionally break Google’s privacy policies. I’ll also review the requirements for any website to be in compliance with Google’s policies.
Note: This is not intended to be legal advice. I’m not a lawyer nor do I pretend to be. The purpose of this post is to increase your awareness of Google’s policies so that you do not suddenly lose access to Google’s programs such as AdWords, Analytics or AdSense.
Google Analytics (GA) is used on more than 28% of all websites. When you sign up for GA you must agree to the terms of service. Take a close look section seven of this document:
Source: Google Analytics terms of service.
To be in compliance with this section of Google Analytics terms of service:
- State the usage of third party tracking
- State the usage of cookies to track anonymous data
AdWords conversion tracking
When Google first launched AdWords conversion tracking you had to put a script on a page that would show a graphic to someone who converted (and had the AdWords cookie on their browser). Later, Google made a change where you could opt not to show a script, but still inform users yourself.
Remarketing is powerful as you can serve ads across the content network to people who visited your website even once. While powerful, these ads can seem creepy to users, as you can follow someone around the web making very explicit statements in your ads.
Because it is easy to abuse remarketing, and cause uneasy feelings in some consumers that can push them away from ads, Google has some policies you must follow if you use Google’s remarketing feature. Here is an excerpt from Google’s policies on remarketing:
If you’re using the remarketing feature, you must have an appropriate description of your use of remarketing in online advertising. The description must be included in the privacy policies of all sites that include the remarketing tag.
The privacy policies should include the following information:
- Third party vendors, including Google, show your ads on sites on the internet.
Source: Google Help Files.
That is a lot of information. Google’s FAQ is old and the DoubleClick and Google advertising opt-out page are now the same. So you can link to a single opt out page if you are using AdWords, DoubleClick or both for remarketing. How?
- Briefly describe remarketing (bullet points 1 & 2)
- Tell users they can opt out at the Google advertising opt-out page.
- If you want users to be able to opt out of anything, or you are using multiple remarketing systems, linking to the Network Advertising Initiative opt-out page is a good idea
Remarketing policies by industry
Google’s industry-specific policies are here. Most of these policies fall into one of three categories:
- Don’t use sensitive information in ads
- Don’t imply you know more about someone than you do
- Follow the laws: don’t market to children under 13
Here are some requirements for a few common industries:
Financial sites are not just credit card companies: they are also banks and affiliates who promote products and services in this industry.
Here’s a quote from Google’s remarketing restriction page:
- Sites which solicit or store information about the user’s financial status or situation cannot use that sensitive information to create remarketing lists.
- Ads which imply to know the user’s financial status or information should not be run with remarketing.
This means you cannot have a remarketing list that was compiled when someone visited the “bad credit” section of your website and then serve ads that say, “We know your credit is bad. We’ll give you a credit card anyway.” Financial sites have many laws they need to follow, but Google’s remarketing terms of service is a must read for any financial site.
Marketing to children
More from Google:
Because of numerous laws around marketing to children, in the US and elsewhere, we want to ensure we do not allow advertisers to remarket to children under 13 using remarketing. Sites which store or solicit information about users that indicates their age is below 13 may not create remarketing lists using that data.
Ads which are directly marketed toward users under 13 OR ads which are primarily appealing to those under 13 are not allowed to run in conjunction with remarketing. Ad texts which appear to target children are not permitted to run in conjunction with remarketing.
This is a grey area. If you ads appear like they will appeal to children, you can be outside of the terms of service. If you offer services for children or families, you need to make sure your ads are speaking to the parents and not to the minors.
Your lists and ads can never be segmented by:
- Ethnic background
- Sexual orientation
- Sensitive or private information
While this might seem obvious for privacy reasons; there are times you might naturally segment this way for marketing purposes—but you need to be careful. Let’s say you own a dating site, and that site has a Latino and Catholic section. You cannot cookie just people in the Latino section with one list and people in the Catholic section with another list and then target those individuals with Latino dating service ads.
Likewise, you cannot make a “drug rehab” list and serve ads based upon needing a drug rehabilitation center. That is too just too personal.
If you are engaged in remarketing, you should take a look at the Google remarketing policy page.
Interest based ads
Google’s “interest based ads” are still in beta; however, beta advertisers should be following Google policies as well.
The policies for interest based ads are very similar to the remarketing policies. If you are in the interest based ads beta, even though you might not be using remarketing, you should pay close attention to the terms as you need to inform users of your lists and opt-out methods.
Because this policy is so close to remarketing, there is no need to cover it in-depth; but you can read more on the interest-based advertising policy page.
Google AdWords terms of service
Google AdSense is so prevalent across the web, and so easy to install, I believe most publishers (especially the small ones with instant blogging plug-ins) don’t understand there are terms of service that all AdSense publisher must agree to.
The AdSense policy (this is for the US; you can see the terms by county here) clearly states:
About privacy policies
Laws concerning privacy policies vary by country. In the United States you do not have to have one—it is optional. However, if you have one you need to follow it.
In other countries, privacy policies are mandatory.
If you would like to learn more about privacy online, here are some good resources: