Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Google AdSense is Google's advertising platform that enables website publishers to earn revenue by displaying targeted ads. AdSense loads third-party advertising cookies and sends visitor data to Google's ad infrastructure before serving any ads. Under GDPR and the ePrivacy Directive, consent is required before personalised ads are served. Publishers must integrate with the IAB Transparency and Consent Framework (TCF 2.2) or Google Consent Mode v2 to pass valid consent signals to AdSense. Non-personalised ads may be served without full consent with appropriate disclosure, though many EU DPAs still recommend consent.
Google AdSense is Google's publisher monetisation platform, allowing website owners to earn revenue by displaying ads served by the Google Display Network. Publishers place a JavaScript snippet (adsbygoogle.js) on their pages, which communicates with Google's ad servers to fetch and display contextually or behaviourally targeted advertisements. AdSense is one of the most widely deployed third-party scripts on the web, making it a significant compliance touchpoint for any European website that monetises through advertising.
AdSense sets several advertising cookies including __gads and __gpi (persistent, up to 13 months, ad targeting and frequency capping), IDE (persistent, 13 months, DoubleClick cross-site conversion tracking), and DSID (for signed-in users). Beyond cookies, AdSense collects IP address, browser fingerprint, page URL and referrer, ad interaction events (impressions, clicks), and audience segment data derived from browsing history across the Google Display Network. All this data feeds into Google's advertising profiles used for behavioural targeting.
Under the ePrivacy Directive and GDPR, personalised advertising requires explicit prior consent. This means the adsbygoogle.js script must not load, and no AdSense cookies must be set, until the user has actively consented to advertising cookies in a compliant cookie banner. The IAB Transparency and Consent Framework (TCF 2.2) provides a standardised consent signal that AdSense can read. Publishers using a TCF-certified CMP must obtain consent for TCF Purpose 1 (store and access information on a device) as a minimum before AdSense operates. Failures to obtain valid consent for AdSense have resulted in significant fines across the EU.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Google offers two alternatives to fully blocking AdSense before consent. First, Non-Personalised Ads (NPA) mode: when a publisher passes a consent signal indicating no personalisation consent, AdSense serves contextual ads only, without setting persistent tracking cookies. This reduces the privacy footprint but does not eliminate all data collection. Second, Google Consent Mode v2: a framework where AdSense adjusts its behaviour based on the consent signals passed by the CMP. With Consent Mode, AdSense can model conversions and audiences even when users decline cookies, using aggregated and anonymised data. Both approaches reduce risk but do not fully eliminate the need for a compliant consent banner and privacy policy disclosure.
All AdSense data processing occurs on Google infrastructure in the United States. Google relies on Standard Contractual Clauses (SCCs, 2021 edition) for EU to US data transfers. Publishers must accept Google's DPA (available in their AdSense account settings) and document the SCC reliance in their Records of Processing Activities. The publisher acts as data controller for their own site and as a joint data controller or data processor depending on the specific use of AdSense features. The Google Ads Data Processing Terms must be accepted before serving ads to EU users.
To run AdSense compliantly: (1) Implement a TCF 2.2 certified CMP and block adsbygoogle.js until consent is given. (2) Accept Google's Ads Data Processing Terms in your AdSense account. (3) Enable Google Consent Mode v2 to send consent signals and recover modelled conversions. (4) Configure NPA mode as a fallback for users who decline cookies. (5) Disclose AdSense, its cookies, the US data transfer, and Google's role as data processor in your privacy policy and cookie notice. (6) For large-scale EU advertising, complete a DPIA and document your legitimate interest assessment where NPA is used.
Websites using Google AdSense must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for publishers with significant EU traffic using personalised AdSense advertising, particularly where AdSense audience profiling combines with other on-site user data, or where sensitive content categories trigger special processing considerations under Art. 9 GDPR.
Sample consent text
We use Google AdSense to display advertisements on this website. AdSense uses cookies and collects data about your visits to serve personalised ads based on your interests. Data is processed by Google in the US. You can manage your advertising preferences below or opt out of personalised ads at any time.
Third-party domains contacted
pagead2.googlesyndication.comtpc.googlesyndication.comgoogleads.g.doubleclick.netadservice.google.comdoubleclick.netCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __gads | persistent | 13 months | Google AdSense publisher-side ad targeting and frequency capping |
| __gpi | persistent | 13 months | Google Publisher ad impression frequency and measurement |
| IDE | persistent | 13 months | Google DoubleClick cross-site conversion tracking and ad personalisation |
| DSID | persistent | 2 weeks | Signed-in user targeting and ad personalisation for Google ads |
Google AdSense places tracking cookies for advertising — comply with GDPR using FlowConsent.
Yes. Google AdSense uses advertising cookies and processes personal data for behavioural targeting, which requires prior explicit consent under the ePrivacy Directive and GDPR Art. 6(1)(a). The adsbygoogle.js script must not load until the user has consented to advertising cookies in a compliant banner. Without valid consent, your site risks enforcement action from EU data protection authorities and potential fines under GDPR.
Google AdSense sets several cookies: __gads (persistent, 13 months, publisher-side ad targeting and frequency capping), __gpi (persistent, 13 months, Google Publisher ad frequency), IDE (persistent, 13 months, DoubleClick cross-site conversion tracking and ad personalisation), and DSID (persistent, 2 weeks, signed-in user targeting). In NPA mode, persistent advertising cookies are not set. Some browsers and ad blockers may prevent these cookies from being set, which can affect ad revenue.
Google offers a Non-Personalised Ads (NPA) mode where AdSense serves contextual ads only, based on page content rather than user behaviour. In NPA mode, no persistent tracking cookies are set for ad targeting. However, AdSense still makes a request to Google servers (sharing IP and page URL), so it is not entirely cookieless. Most EU DPAs accept NPA mode as compatible with legitimate interest, but require clear disclosure and an easy opt-out. Some stricter authorities may still require consent even for NPA mode, so consult your local DPA guidance.
Google Consent Mode v2 is a framework that allows your CMP to pass consent signals to Google tags including AdSense. When a user declines advertising cookies, Consent Mode instructs AdSense to operate in a restricted mode: no advertising cookies are set, but AdSense can still collect anonymised, aggregated signals (pings) to model conversion data without identifying individual users. This allows publishers to recover some measurement data even from users who declined consent. Consent Mode v2 is required for publishers using Google Ads with EU traffic. Implementing it requires a TCF 2.2 certified CMP or direct Consent Mode API integration.
Yes. All AdSense data processing occurs on Google LLC infrastructure in the United States. Google uses Standard Contractual Clauses (SCCs, 2021 edition) as the legal transfer mechanism under GDPR Chapter V. Publishers must: (1) accept the Google Ads Data Processing Terms in their AdSense account; (2) reference the Google DPA and SCCs in their privacy policy; (3) document the transfer in their Records of Processing Activities. US intelligence law (FISA 702) continues to be a concern under Schrems II, and publishers should document a Transfer Impact Assessment.
A DPIA is recommended (and may be required) if: (1) your website serves a large EU audience and relies heavily on personalised AdSense advertising; (2) AdSense audience data is combined with other personal data from your platform (e.g., logged-in user profiles); (3) your content targets vulnerable groups such as minors or involves sensitive categories. The DPIA should assess the risk of US data transfers, the breadth of behavioural profiling, and the measures taken (Consent Mode, NPA fallback, SCCs). Even without a full DPIA, a legitimate interest assessment is required if using NPA mode.
To implement AdSense with a compliant consent banner: (1) Choose a CMP certified under IAB TCF 2.2 (e.g., Axeptio, CookieBot, OneTrust). (2) Configure AdSense as a vendor in your CMP, ensuring it is linked to the correct IAB vendor ID. (3) Block the adsbygoogle.js script from loading until TCF consent is obtained. (4) Implement Google Consent Mode v2 to pass consent signals and enable NPA fallback. (5) Test that AdSense does not fire on initial page load for new users. (6) Verify that your cookie banner offers a genuine and easy way to refuse all advertising cookies.
Your privacy policy should state: (1) that you use Google AdSense for advertising revenue; (2) what data AdSense collects (cookies, IP, browsing behaviour); (3) that Google processes data in the US under SCCs; (4) a link to Google's Privacy Policy and Google's Ad Technology Provider list; (5) how users can manage ad personalisation via Google's My Ad Center. Your cookie notice should list __gads, __gpi, and IDE under the advertising category with accurate durations and mark them as requiring consent. If using NPA mode, explain that contextual ads may be shown without consent but that Google still receives IP data.