How you balance privacy and marketing with Google Ads
GDPR-safe Google Ads Implementation Guide
An important note regarding “GDPR-compliant” We use the term GDPR compliant because marketers search for it, yet no one can guarantee 100 % compliance in every circumstance. Realistically, all you can do is reduce legal risk by following best-practice implementation and documenting every decision. Treat the advice below as a framework to help you reach that lower-risk state.
Relevant contracts & agreements
The confusing Google terms
Starting from scratch is almost impossible to figure out and understand the relevant data processing terms and terms of services for the different Google services. It all starts from the confusing naming, and it only gets worse. Google have chosen to bundle the processing terms for many of their services together, resulting in services like Google Analytics and Looker Studio are using data processing terms called "Google Ads Data Processing Terms". Ironically Google Ads is not eligible for these processing terms, but is eligible for the processing terms called "Google Ads Controller-Controller Data Protection Terms".
Even though it looks like it, I don't believe Google intent to confuse us. But I believe they don't really care about making this understandable for their b2b users. If they did, they could have fixed this with a couple of weeks work.
Here you can see what Google service is eligible for what data processing terms: . But after looking at this things might get even more confusing. Google Ads is listed under "Controller services", which makes sense. But why is Enhanced Conversions listed under "Processor services". Enhanced Conversions is a feature of Google Ads, so why isn't it listed under "Controller services". We have engaged lawyers and even Google in this question, and its still not 100% clear. But here is our best answer: The processing of personal data related to Enhanced Conversions is eligible for the "Data processing terms". This means that data you used for finding a user match through Enhanced Conversions (for example an email address or a phone number) is eligible for these terms, but as soon as the match is found the data is eligible for the Google Ads Controller-Controller Data Protection Terms. Its the match with the user, the ad and the ad click that is relevant in Google Ads context, and not the email address of phone number itself. So the email address and phone number is only used to find a match and then deleted. We are quite sure this is why Google have split up the terms this way, but this could have been explained clearly from their side to make it clear and understandable to all of their Google Ads customers.
- Google services and their data processing terms
- Google Controller-Controller Data Protection Terms (Eligible for Google Ads)
- Google Ads Data Processing Terms (Eligible for Enhanced Conversions)
- EU user consent policy (Very important. Read this and make sure you implement whats required)
Consent mode
Consent Mode allows you to communicate a user's consent status for various types of usage to Google services (analytical purpose, marketing purpose etc). Consent Mode offers two flavours of implementation, each with distinct implications for data collection:
- Basic Consent Mode: In basic mode, Google tags are prevented from loading until the user interacts with the consent banner and grants consent. If consent is denied, no data at all is transmitted to Google.
- Advanced mode: Rather than simply blocking Google tags if consent isn't given, Consent Mode enables Google scripts to adjust their behavior dynamically based on the user's choices. This allows for a more nuanced approach to data collection, but also exposes you for some GDPR compliance risks.
The privacy risk of using Google Consent mode, Advanced mode
When using Google Consent mode, Advanced mode, the Google scripts on your site collect data before the users respond to your cookie pop-up, and they also collect data even when your users deny cookies. Google claims that the data collected is anonymous and not personally identifiable data. In this article we will only cover data sent to Google Ads. Data sent to Google Analytics under Advanced mode is a very different beast, and must be assessed separately from Google Ads. For Google Ads the data sent with Advanced mode is used for modeling of conversion attribution. Since the data collected has no unique id's Google can't connect a conversion to an add click og utm parameter. But by looking at how many clicks an ad campaign gets and by correlating that to conversions over time, Google can estimate how many conversions are coming from the add campaign even if the conversion event has no data related to the click or campaign. This is obviously good for the performance of your campaigns. Please note that the number and types of events that Google Ads collects are the same for all users no matter if the user accepts cookies or not. The only difference is that events tracked in non consented mode is anonymized.
So the central question is: event though the events are stripped for ids, and according to Google are anonymized, is the data truly anonymous? We have worked with businesses who's conclusions has landed on both sides if this question. But a hugely important factor for this conclusion is: how much data and what type of data is collected by the Google Ads script? If you ad the Google Ads script to all pages, your URLs contain a lot of unique query parameters and you also send a lot of custom events, then it's hard to claim that the data is truly anonymous. Our opinion on this is that sending data to Google under Advanced mode is OK as long as you minimize the data sent and that you make sure you are not sending data that can re-identify any user. To our knowledge there has not been any enforcements from any european data protection authority regarding the use of Advanced mode, in our opinion this is also a factor that reduces the compliance risk .
Ways to send data to Google
Google Ads offers several ways to collect and send data to Google Ads. In addition to Google's own products and services for tag/data management there are also other third party services that can be used for sending data to Google Ads. We do not cover third party services in this article. Here is an overview:
| Method | Channel | Typical use-case | GDPR risk profile |
|---|---|---|---|
| Google Tag / Google Ads conversion tag | Browser (JavaScript) | Standard page-view & conversion tracking | Highest - browser cookies & auto-collected identifiers |
| Google Ads API / Offline Conversion Uploads | Server-to-server | Export conversion events to Google Ads through API | Low - full control over data sent. |
| Google Server-side tag manager | Browser-to-server-to-server | More advanced setup for businesses that requires more detailed control. | Low - almost full control over data sent. |
| Google tag gateway for advertisers | Browser-to-server-to-server | Used to get more data through to Google, by making Google tracking data look like it's your own first-party domain data. | High - due to limited control on what data is sent |
| Partner & third party solutions | Depends | Easy One-click setups | Varies, but be very careful since many default settings can be risky |
Google Tag (browser)
The Google Tag (formerly Global Site Tag) is a javascript that you ad to your pages and it will send data back to Google. It can be a bit confusing, since the Google Tag is used to send data to many different Google Services. At the time of writing this article the Google Tag can send data til Google Analytics, Google Ads, Floodlight and Merchant Center. Google call this "destinations". What destinations the tag sends data to depends on your configuration of the tag. You can configure a single tag to send data to both Google Analytics and Google Ads. In this article we are only focusing on sending data to Google Ads. The tag behaves differently based on wether the user has consented to cookies or not (see details about Google consent mode above). When a page that has the Google tag on it gets loaded, the tag will send data back to Googles servers. The tag will send multiple of the same requests to different domains owned by Google. This is normal and is done in order to bypass browser restrictions or add blockers. Each request includes:
| Parameter | Purpose |
|---|---|
| gcl_id / gclid | Click identifier for attribution(if it is present in the url or stored in a cookie) |
| url | Full page URL, including querystring (you need to be careful with this, since som sites can have a lot of personal data in the query strings) |
| ref | Previous page URL |
| tiba | The title of the page |
| u_w and u_h | Screen resolution |
| ua | User-agent string |
| ip | Collected but immediately truncated on Google’s servers when Consent Mode is in “denied” state |
| _gcl* cookies | First-party conversion cookies |
Risk drivers:
- The full URL: The full URL may contain personal data (e.g., search terms or email addresses in query strings). Make sure you scrub or block such parameters before the tag loads.
- Where to add the Google Tag : Only add the Google Tag to the pages you need to track. A very common mistake we see is that marketers add the Google Tag to all the pages of a site. This is almost always a privacy breach. Let's say you have an area of your site where the customers can log inn and administer their orders, make complaints etc. Do you need to send data to Google about this activity in order to optimize your campaigns? Most likely not. Our recommendation on where to add the Google tag is:
- Add the tag to landing pages for your Google Ad campaigns, and ad the tag to all pages in the funnel towards conversion, off course including the conversion page.
- Add the tag to the pages you want to collect lists for remarketing campaigns. Thats right, you need to think about what pages are relevant for collecting remarketing audiences beforehand, rather than add the tag to alle pages and figure out later what pages you want to use for remarketing.
Consent Mode - make sure you set the defaults
Consent Mode adds two layers of control:
- Storage controls (
ad_storage,analytics_storageetc.) - Behavior controls (
ad_user_data,ad_personalization)
When consent is denied, Google sends cookieless pings: the request contains URL, IP (truncated at arrival), and basic device headers, but no advertising cookies. No matter if you choose to use Advanced mode or not, remember to set consent mode defaults to denied an ALL pages where you load the Google Tag. Failing to do this might lead to unintentionally sharing data with Google and that is a GDPR breach in itself (GDPR demands that you know what you are sharing at all times).
Recommendation:
gtag('consent', 'default', {
'ad_storage': 'denied',
'ad_user_data': 'denied',
'ad_personalization': 'denied'
});
Then update to 'granted' only after the user opts-in.
Server-side & offline options
1. Google Ads API (custom)
- Full control over what, when, and how you upload.
- Aligns well with data-minimization principle—send only an external
gclid, timestamp, and conversion value. - Requires secure OAuth2 service account and adherence to Google’s API terms.
2. Google Tag Manager Server-Side
- Acts as a forward proxy, by sending data to a server you control before forwarding it to Google.
- Lets you strip URL parameters, modify any data on your own infrastructure and respect consent before forwarding to Googles servers.
- You can also use Google Tag Manager server-side to send data to other marketing platforms such as Meta ads for example.
- Host on Google Cloud or any platform supporting Docker (we have successfully implemented it in Microsoft Azure).
Google tag gateway for advertisers
Google Tag Gateway for advertisers is a feature that enables the deployment of your Google Tag using your own first-party domain, rather than loading it directly from a Google domain. Loading the tag from your domain and sending data to your domain (where they are then forwarded to Google) can help getting through more of the requests to Google Ads that would otherwise be blocked by browser privacy features or ad blockers.
However this solution does not help you control what data to send to Google Ads, so its not helping you in reducing or controlling your privacy risk.
Partner and third party integrations
Services like Shopify, WooCommerce, Tealium, Segment, etc., offer “one-click” setups that sends data to Google Ads. This can be ver risky if you don't know what data is sent when. As a minimum you should understand what data is sent by testing and debugging you solution to see what data is sent.
Platform-required consent text
Google’s EU User Consent Policy states you must disclose cookies and personalised ads and record consent. Read this and make sure you understand whats required: EU user consent policy
Example cookie banner text “We use cookies to measure conversions and optimize and personalize our advertising. With your permission, we’ll store cookies and send hashed identifiers (e.g., email) to our advertising partners for this purpose. Read more in our cookie policy. [Accept] [Reject]”.
Store a timestamped log of each choice and offer an easy withdrawal mechanism.