TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Privacy and Google: What Your Website Must Disclose
Legal Compliance

Privacy and Google: What Your Website Must Disclose

Learn what Google's privacy requirements mean for your website, from Analytics to Ads, and what you must include in your privacy policy.

TermsBox Team|April 3, 202615 min read

Privacy and Google are tightly connected for almost every website on the internet. If your site uses Google Analytics, Google Ads, Google Fonts, reCAPTCHA, YouTube embeds, or any other Google service, you have specific privacy obligations that come from both privacy law and Google's own contractual terms.

This guide covers what Google requires from website operators regarding privacy disclosures, how Google's services interact with the GDPR and other privacy regulations, and the specific steps you need to take to ensure your website complies. This is educational content, not legal advice. Consult a qualified attorney for guidance specific to your situation.

Why Google's Privacy Requirements Matter for Your Website

Google's products are embedded across the web. Over 85% of websites use at least one Google service, whether it is Analytics for traffic measurement, Ads for marketing, Fonts for typography, or reCAPTCHA for spam protection. Each of these services collects data from your visitors, and that collection triggers privacy obligations from two separate directions.

First, privacy laws such as the GDPR (Regulation 2016/679), the CCPA (California Civil Code Section 1798.100 et seq.), and the ePrivacy Directive (Directive 2002/58/EC) require you to disclose what data you collect, who receives it, and the legal basis for processing. When Google processes visitor data through its services on your site, you are the data controller (or "business" under the CCPA) responsible for those disclosures.

Second, Google's own terms of service for its products impose contractual obligations. Google Analytics, Google Ads, and AdSense each have terms that require you to maintain a privacy policy meeting specific standards. Violating these terms can result in account suspension or termination, independent of any regulatory enforcement.

The combination means that using Google services without proper privacy disclosures creates both legal risk from regulators and business risk from Google itself.

Google Analytics Privacy Requirements

Google Analytics is the most widely used web analytics platform, and it comes with the most detailed privacy obligations for website operators.

What Google's terms require

The Google Analytics Terms of Service (Section 7) require you to:

  • Publish a privacy policy that discloses your use of cookies and your use of Google Analytics
  • Inform visitors about the data Google Analytics collects and how it is used
  • Provide information about how visitors can opt out of Google Analytics tracking
  • Not circumvent any privacy features built into the service

These are contractual obligations. Google can terminate your Analytics account for non-compliance.

What privacy laws require on top of Google's terms

Beyond Google's contractual requirements, privacy laws impose additional obligations when you use Google Analytics:

  • GDPR Article 13: You must disclose the identity of all data recipients, including Google, and the categories of personal data transferred
  • GDPR Article 6: You need a valid legal basis for processing. For analytics cookies, this is typically consent under Article 6(1)(a), because the ePrivacy Directive requires consent for non-essential cookies
  • ePrivacy Directive Article 5(3): You must obtain prior consent before the Google Analytics tracking script loads and places cookies on the visitor's device
  • CCPA Section 1798.100: You must disclose the categories of personal information collected and the categories of third parties with whom it is shared

Data Google Analytics collects

Your privacy policy should disclose the specific data Google Analytics collects from your visitors:

  • IP addresses (even with IP anonymization enabled, the full IP is briefly processed)
  • Pages visited and time spent on each page
  • Referring source, search terms, and campaign parameters
  • Browser type, operating system, screen resolution, and device information
  • Geographic location derived from IP address
  • User interactions such as clicks, scrolls, and form submissions (if event tracking is configured)
  • Client ID stored in cookies (_ga, _gid) that tracks returning visitors across sessions

If you use Google Analytics 4 with Google Signals enabled, Google can also associate Analytics data with signed-in Google users across devices, which significantly increases the personal data implications.

Google Ads and Privacy Compliance

Running Google Ads campaigns introduces additional privacy requirements, particularly around remarketing, conversion tracking, and the data shared between your website and Google's advertising network.

Conversion tracking

Google Ads conversion tracking uses cookies and, optionally, Enhanced Conversions to measure what visitors do after clicking an ad. When you install the Google Ads tag on your website, it collects:

  • Click identifiers (GCLID) stored in cookies
  • Pages visited after an ad click
  • Conversion events you have configured (purchases, sign-ups, form submissions)
  • With Enhanced Conversions enabled: hashed first-party data such as email addresses, names, and phone numbers

Your privacy policy must disclose this data collection and its purpose. Under the GDPR, conversion tracking cookies require prior consent because they serve an advertising purpose, not a strictly necessary function.

Remarketing and audience targeting

If you use Google Ads remarketing lists to target previous visitors with ads, you are collecting behavioral data for advertising purposes. This requires:

  • Explicit disclosure in your privacy policy that you use remarketing
  • Consent before the remarketing tag fires (required under the GDPR and ePrivacy Directive)
  • A link to Google's Ads Settings page where users can opt out of personalized advertising
  • Disclosure that Google and its partners use cookies to serve ads based on prior visits

The EDPB has stated that advertising cookies require specific, granular consent separate from analytics consent. A single "accept all" for both categories may satisfy the consent requirement if the purposes are clearly listed, but combining them into one undifferentiated category does not meet the specificity requirement.

Google's EU User Consent Policy

Google's EU User Consent Policy applies to all publishers and advertisers using Google products with EU and UK audiences. It requires you to:

  1. Obtain legally valid consent before using cookies or collecting data for advertising
  2. Retain records of consent
  3. Provide users a clear way to withdraw consent
  4. Comply with all applicable privacy laws

Since September 2023, Google enforces this through Consent Mode v2, which requires websites to send consent signals to Google tags. Without Consent Mode v2, Google may limit the functionality of Analytics and Ads features for EU traffic.

Google Consent Mode v2: Technical Requirements

Consent Mode v2 is Google's technical framework for adjusting how Google tags behave based on user consent choices. It does not replace the need for a cookie consent banner, but it is now required for websites using Google services with EU audiences.

How Consent Mode works

Consent Mode communicates consent status to Google tags through two primary parameters:

  • analytics_storage: Controls whether Analytics cookies can be set (granted/denied)
  • ad_storage: Controls whether advertising cookies can be set (granted/denied)
  • ad_user_data: Controls whether user data can be sent to Google for advertising purposes (granted/denied)
  • ad_personalization: Controls whether personalized advertising is allowed (granted/denied)

When a visitor has not yet consented (or has denied consent), Google tags operate in a limited mode. They send cookieless pings to Google that do not contain personal identifiers, allowing Google to model conversions and traffic without individual tracking.

Implementation requirements

To implement Consent Mode v2 correctly:

  1. Deploy a cookie consent management platform that collects valid consent per the GDPR and ePrivacy Directive
  2. Set default consent states to "denied" for all parameters before any Google tags load
  3. Update consent states when the visitor makes a choice through the consent banner
  4. Ensure consent signals are sent before any Google tag fires
  5. Test that Google tags respect denied consent by verifying no measurement cookies are set when consent is withheld

TermsBox's cookie consent banner integrates with Google Consent Mode v2, automatically communicating visitor consent choices to Google tags so that your Analytics and Ads scripts adjust their behavior according to each visitor's preferences.

Privacy Issues with Other Google Services

Google Analytics and Ads receive the most attention, but other Google services embedded on your website also have privacy implications that must be disclosed.

Google Fonts

Google Fonts, when loaded from Google's CDN (fonts.googleapis.com), sends the visitor's IP address and browser information to Google's servers with every page load. This became a significant compliance issue after a Munich court ruled in January 2022 that a website embedding Google Fonts remotely violated the GDPR because it transferred visitor IP addresses to Google in the United States without consent.

The practical solution is to self-host Google Fonts, which eliminates the data transfer to Google entirely. If you continue using Google's CDN, you should disclose this in your privacy policy and consider whether consent is required.

reCAPTCHA

Google reCAPTCHA collects substantial data from visitors, including IP addresses, cookies, browser plugins, mouse movements, keystrokes on the page, and CSS information. Google's reCAPTCHA terms require you to inform visitors about this data collection. Under the GDPR, reCAPTCHA's cookies and data collection likely require consent because the data collected goes beyond what is strictly necessary for spam protection.

Your privacy policy should disclose:

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now
  • That you use Google reCAPTCHA and why
  • What data reCAPTCHA collects
  • That data is sent to Google for processing
  • A link to Google's Privacy Policy

YouTube embeds

Embedding YouTube videos on your site loads cookies from YouTube (owned by Google) that track viewer behavior. Standard YouTube embeds set cookies even before the visitor plays the video. Using YouTube's privacy-enhanced mode (youtube-nocookie.com) delays cookies until playback begins but does not eliminate them.

Disclose YouTube embeds in your privacy policy and obtain consent before loading standard embeds if your visitors include EU users.

Google Tag Manager

Google Tag Manager itself does not set cookies, but it loads and manages scripts that do. You must disclose Tag Manager in your privacy policy and ensure that the tags it fires respect your consent mechanism. Tag Manager's data processing terms (Appendix to the Tag Manager Terms of Service) define Google as a data processor for the Tag Manager service itself.

What Your Privacy Policy Must Include for Google Services

When your website uses any Google service, your privacy policy generator output should cover specific disclosures. A complete privacy policy addressing Google services includes the following sections.

Required disclosures per service

For each Google service you use, disclose:

  • The service name and provider: "We use Google Analytics, a web analytics service provided by Google LLC"
  • What data is collected: List specific data points (IP address, cookies, browsing behavior)
  • Purpose of collection: "To analyze website traffic and improve our service"
  • Cookie details: Names, durations, and purposes of cookies set by the service
  • Data transfers: Where data is processed, particularly transfers to the United States
  • Legal basis: Consent (Article 6(1)(a) GDPR) for non-essential services, or legitimate interest (Article 6(1)(f)) where applicable
  • Opt-out mechanism: How visitors can prevent data collection (browser add-on for Analytics, Ads Settings for advertising)
  • Link to Google's privacy policy: https://policies.google.com/privacy

Transfer mechanism disclosure

If your website serves EU visitors, you must disclose the legal mechanism for transferring their data to Google's U.S. servers. Since Google is certified under the EU-U.S. Data Privacy Framework (DPF), you should reference this certification. Your policy should state that Google participates in the DPF and explain what this means for the protection of transferred data.

Before the DPF adequacy decision, Google relied on Standard Contractual Clauses (SCCs) under Article 46(2)(c) of the GDPR. If the DPF were to be invalidated (as happened with Privacy Shield in the Schrems II ruling), SCCs would again become the primary transfer mechanism, and your privacy policy would need updating.

Privacy Enforcement Actions Involving Google Services

Regulatory enforcement actions specifically targeting websites' use of Google services have increased significantly since 2020. Understanding these precedents helps you assess your own compliance risk.

Google Analytics GDPR rulings

In January 2022, the Austrian Data Protection Authority (DSB) ruled that a website's use of Google Analytics violated Article 44 of the GDPR because personal data (including IP addresses and online identifiers) was transferred to the United States without adequate safeguards. France's CNIL reached an identical conclusion in February 2022, followed by similar findings from the Italian Garante and other supervisory authorities.

These rulings were based on the Schrems II decision, which invalidated the EU-U.S. Privacy Shield. The subsequent adoption of the EU-U.S. Data Privacy Framework in July 2023 addressed the transfer mechanism concern, but the requirement for consent before loading Analytics remains independent of the transfer question.

Cookie consent fines involving Google services

  • CNIL v. Google (2022): 150 million EUR for cookie consent violations on google.fr and youtube.com
  • CNIL v. Amazon (2020): 35 million EUR for placing advertising cookies (including Google-related) without consent
  • Garante v. Caffeina Media (2022): Italian authority found that a media company's use of Google Analytics without consent violated both the GDPR and the ePrivacy Directive transposition

Lessons for website operators

These enforcement actions establish that:

  1. Using Google Analytics without consent is a GDPR violation, not just a policy violation
  2. Loading any Google advertising scripts before consent is a violation of the ePrivacy Directive
  3. "Everyone uses Google Analytics" is not a defense
  4. Small and medium companies are not exempt from enforcement
  5. Having a privacy policy is necessary but not sufficient: the consent mechanism must work correctly

A compliance scanner, like the one offered by TermsBox, can identify which Google services are active on your site and whether they load before consent is obtained, helping you spot violations before a regulator does.

Practical Steps for Google Privacy Compliance

Achieving privacy compliance across all the Google services on your website requires a structured approach. Follow these steps to address the most common issues.

Step 1: Inventory all Google services

Scan your website to identify every Google service currently active. Check for services loaded by plugins, themes, or tag managers that you may not have directly configured. Common services to look for include:

  • Google Analytics (UA or GA4)
  • Google Ads conversion tracking and remarketing
  • Google Tag Manager
  • Google Fonts (remote or self-hosted)
  • Google reCAPTCHA
  • YouTube embeds
  • Google Maps embeds
  • Google AdSense
  • Google Sign-In

Step 2: Implement consent before loading

Configure your consent management platform to block all non-essential Google scripts until the visitor provides consent. Google tags should be set with default consent states of "denied" using Consent Mode v2, and should only activate after explicit consent is received.

Step 3: Update your privacy policy

Add specific disclosures for each Google service. Use a privacy policy generator to ensure you cover the required elements: service name, data collected, purpose, cookies, transfer mechanism, legal basis, and opt-out options.

Step 4: Self-host where possible

Reduce data transfers by self-hosting assets that do not require Google's servers:

  • Download and serve Google Fonts from your own domain
  • Use YouTube's privacy-enhanced embed mode
  • Consider privacy-focused alternatives for services like reCAPTCHA (such as hCaptcha or Turnstile)

Step 5: Configure data retention settings

In Google Analytics 4, set your data retention period to the minimum necessary for your analysis needs. The GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data not be kept longer than necessary. GA4 allows retention periods of two months or 14 months for user-level data.

Step 6: Monitor for changes

Google regularly updates its products, terms, and data practices. Subscribe to updates from Google's Privacy Blog and your relevant supervisory authority. Review your compliance posture when Google announces significant changes, such as the shift from Universal Analytics to GA4 or the introduction of Consent Mode v2.

Frequently Asked Questions

Do I need a privacy policy if I use Google Analytics?

Yes. Google's Terms of Service for Analytics explicitly require you to have a privacy policy that discloses your use of Google Analytics, the data it collects, and how cookies are used. Beyond Google's contractual requirement, the GDPR (Articles 13 and 14), the CCPA (Section 1798.100), and the ePrivacy Directive (Article 5(3)) independently require disclosure and consent for the tracking cookies Google Analytics places on visitor devices.

Does Google require cookie consent for EU visitors?

Yes. Google's EU User Consent Policy requires websites serving EU and UK visitors to obtain legally valid consent before using Google cookies or collecting personal data for advertising or measurement purposes. Since September 2023, Google enforces this through Consent Mode v2, which adjusts the behavior of Google tags based on the consent status communicated by your website's consent management platform.

What happens if my website violates Google's privacy requirements?

Google can suspend or terminate your access to services like Analytics, Ads, and AdSense for violations of its privacy policies. Beyond Google's enforcement, regulatory authorities can fine you for the underlying privacy law violations. The Austrian Data Protection Authority ruled in January 2022 that a website's use of Google Analytics violated the GDPR because data was transferred to the United States without adequate safeguards, and CNIL in France reached a similar conclusion the following month.

Does Google's Consent Mode replace the need for a cookie consent banner?

No. Consent Mode is a technical implementation that communicates your visitors' consent choices to Google tags. It does not collect consent itself. You still need a cookie consent management platform that presents the consent banner, collects valid consent according to GDPR and ePrivacy Directive standards, and then signals those choices to Google through the Consent Mode API. Consent Mode without a proper consent banner does not satisfy legal requirements.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • Why Google's Privacy Requirements Matter for Your Website
  • Google Analytics Privacy Requirements
  • What Google's terms require
  • What privacy laws require on top of Google's terms
  • Data Google Analytics collects
  • Google Ads and Privacy Compliance
  • Conversion tracking
  • Remarketing and audience targeting
  • Google's EU User Consent Policy
  • Google Consent Mode v2: Technical Requirements
  • How Consent Mode works
  • Implementation requirements
  • Privacy Issues with Other Google Services
  • Google Fonts
  • reCAPTCHA
  • YouTube embeds
  • Google Tag Manager
  • What Your Privacy Policy Must Include for Google Services
  • Required disclosures per service
  • Transfer mechanism disclosure
  • Privacy Enforcement Actions Involving Google Services
  • Google Analytics GDPR rulings
  • Cookie consent fines involving Google services
  • Lessons for website operators
  • Practical Steps for Google Privacy Compliance
  • Step 1: Inventory all Google services
  • Step 2: Implement consent before loading
  • Step 3: Update your privacy policy
  • Step 4: Self-host where possible
  • Step 5: Configure data retention settings
  • Step 6: Monitor for changes
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.