Must I disclose Google Ads / AdSense in my privacy policy?

Yes. Google Ads / AdSense must be disclosed because it collects personal data including IP addresses, device identifiers, and browsing behavior to build advertising profiles. Failure to disclose creates compliance risks under GDPR, CCPA, and similar regulations, and violates user transparency rights.

What specific data does Google Ads / AdSense collect?

Google Ads / AdSense collects pages visited, conversion events, IP addresses, device and browser information, and Google user IDs. This data is used to track conversions, create advertising profiles, and target ads across the Google Display Network. The _gcl_au and IDE cookies store conversion and targeting data for up to 13 months.

Does Google Ads / AdSense require a cookie consent banner?

Yes. Under GDPR and similar regulations, the _gcl_au and IDE cookies require explicit user consent before placement because they are marketing cookies used for tracking and ad targeting. You must obtain consent before Google Ads / AdSense scripts load and set these cookies.

Who processes my data and where is it transferred?

Google LLC, a U.S.-based company, acts as a data processor. Data is transferred to the United States and may be subject to U.S. government access. If you have EU users, you must ensure an adequate legal mechanism (Standard Contractual Clauses or Binding Corporate Rules) is in place to comply with GDPR data transfer requirements.

Advertising

Privacy policy clauses for Google Ads / AdSense

Google Ads and AdSense are advertising platforms that track user behavior across websites to serve targeted display ads and measure conversion performance. Websites use these services to monetize content or measure advertising campaign effectiveness.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Google Ads / AdSense collects

Your privacy policy must disclose each of the following data types when you use Google Ads / AdSense.

Pages visited

Conversion events

IP address

Device/browser info

Google user ID

When does Google Ads / AdSense trigger privacy obligations?

Activation point

Google Ads / AdSense begins collecting data the moment the tracking code or SDK is installed and loaded on your site or app. Immediately upon installation, Google's cookies (_gcl_au and IDE) are set in user browsers, and Google begins receiving:

–IP addresses (geolocation inference)

Privacy policy clauses for Google Ads / AdSense

What data Google Ads / AdSense collects

When does Google Ads / AdSense trigger privacy obligations?

Activation point

First concrete step

Where data goes

Cookies set by Google Ads / AdSense

Common compliance pitfalls

Pitfall 1: No consent, or consent misconfigured

Pitfall 2: Forgetting to name Google as a processor and omitting the Data Processing Agreement

Pitfall 3: AdMob deployed without ATT prompt on iOS

Legal note

Sample privacy policy clause

What regulators look for

Primary audit focus areas

Enforcement precedent

Frequently asked questions

Must I disclose Google Ads / AdSense in my privacy policy?

What specific data does Google Ads / AdSense collect?

Does Google Ads / AdSense require a cookie consent banner?

Who processes my data and where is it transferred?

Don't ship without Bandit.

Cookie	Duration	Category	Purpose
_gcl_au	3 months	marketing	Conversion tracking
IDE	13 months	marketing	Ad targeting across Google Display Network