FlowConsent
FlowConsent is a GDPR-compliant cookie consent management platform.

© 2026 FlowConsent by BeBranded. All rights reserved.

Google Cloud Storage

What does Google Cloud Storage do?

Google Cloud Storage is the object storage service of Google Cloud Platform, used for uploads, media files, backups and static asset hosting. It is a backend service: by itself it does not set client side cookies or run JavaScript. The main privacy considerations are data residency (configurable per bucket, EU regions available) and the US CLOUD Act exposure of Google LLC. When public buckets are loaded directly into the visitor's browser via storage.googleapis.com, additional Google domain cookies may appear in some configurations.

What Google Cloud Storage is

Google Cloud Storage is the managed object storage service of Google Cloud Platform. It stores files of any kind in containers called buckets, with a flat namespace, immutable object versions and an HTTP/HTTPS API. It is used as a backend tier for file uploads (user generated content, profile pictures, document attachments), media hosting (images, video), backups, machine learning training datasets and as a static asset CDN tier. Operators choose the bucket location (single region, dual region or multi region) and the storage class (Standard, Nearline, Coldline, Archive) for each bucket.

What data is involved

From a privacy perspective the data inside the buckets matters more than the service itself. Buckets typically contain personal data: user uploaded files, profile photos, account documents, backups of databases, datasets used to train models. Cloud Storage itself logs each API access (bucket read, write, delete) in Cloud Audit Logs, which include the caller identity (service account or user account) and the IP address. End user IPs are logged when public buckets are accessed directly from a visitor's browser.

GDPR and ePrivacy implications

As a backend storage service, Google Cloud Storage falls under the GDPR rules for processors. Google acts as a data processor under its Cloud DPA. The lawful basis for the underlying processing (storing user files, hosting images) depends on the use case. ePrivacy Art. 5(3) does not apply to backend storage itself, but if the operator serves assets directly from storage.googleapis.com to the visitor's browser, Google may set cookies on that domain that require consent. Operators usually mitigate this by serving assets through their own domain (using signed URLs or a CDN that proxies the bucket).


Data residency and US CLOUD Act exposure

EU regional buckets (europe-west1 Belgium, europe-west3 Frankfurt, europe-west9 Paris, europe-southwest1 Madrid, europe-north1 Finland, europe-central2 Warsaw, etc.) keep the object data in that region with replication inside the region. The eu multi region replicates across multiple EU regions. However, Google LLC remains a US company subject to the US CLOUD Act, which can compel Google to disclose data to US authorities regardless of where the data is stored. The CNIL, BfDI and DSK have all expressed concerns about US hyperscaler use for sensitive workloads. For very sensitive cases, Google offers Sovereign Controls and partnerships (T Systems for Germany, S3NS for France) that restrict admin access to EU personnel and EU controlled key management.

Configuration choices that affect compliance

Choose EU only bucket locations for personal data. Enable Customer Managed Encryption Keys (CMEK) via Cloud KMS to keep the encryption keys under operator control. Enable Cloud Audit Logs (Data Access logs) for accountability, with retention aligned to the data protection register. Use Object Versioning and Bucket Lock for retention compliance. Use Signed URLs to serve assets to the visitor's browser through the operator's own domain rather than directly from storage.googleapis.com, which avoids Google domain cookies. For highly regulated workloads, evaluate Sovereign Controls (Assured Workloads), T Systems (Germany) or S3NS (France).
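One way to check these choices across an inventory of buckets, as an added example (not FlowConsent's or Google's code). It assumes each record mirrors the Cloud Storage JSON API bucket resource; the function names and all sample values are constructed, and Data Access audit logging is configured outside the bucket resource, so it is not covered here.

```python
"""Audit bucket metadata against the configuration choices listed above."""

# Assumption: each dict has the shape of a Cloud Storage JSON API bucket
# resource (location, encryption.defaultKmsKeyName, versioning.enabled,
# retentionPolicy.isLocked). Every value in SAMPLE_BUCKETS is constructed.

def is_eu_location(location):
    """True for the 'eu' multi region or a europe-* single region.
    Any other code (including dual-region codes) is flagged for review."""
    loc = location.lower()
    return loc == "eu" or loc.startswith("europe-")

def audit_bucket(bucket):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not is_eu_location(bucket.get("location", "")):
        findings.append("location not EU-only: review as international transfer")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("no CMEK: encryption keys are not under operator control")
    versioned = bucket.get("versioning", {}).get("enabled", False)
    locked = bucket.get("retentionPolicy", {}).get("isLocked", False)
    # Assumption: either control is accepted as evidence of retention handling.
    if not (versioned or locked):
        findings.append("neither Object Versioning nor a locked retention policy")
    return findings

def audit_all(buckets):
    """Map bucket name -> findings, keeping only buckets with findings."""
    report = {b["name"]: audit_bucket(b) for b in buckets}
    return {name: f for name, f in report.items() if f}

SAMPLE_BUCKETS = [  # constructed records, not real buckets
    {"name": "example-uploads-eu", "location": "EUROPE-WEST3",
     "encryption": {"defaultKmsKeyName":
         "projects/example-project/locations/europe-west3/"
         "keyRings/example-ring/cryptoKeys/example-key"},
     "retentionPolicy": {"retentionPeriod": "2592000", "isLocked": True}},
    {"name": "example-backups-us", "location": "US-CENTRAL1",
     "versioning": {"enabled": False}},
    {"name": "example-media-eu", "location": "EU",
     "versioning": {"enabled": True}},
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(name, "->", "; ".join(findings))
```
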

Practical compliance steps

Sign the Google Cloud DPA and Standard Contractual Clauses. Document the bucket locations in the record of processing. Run a Transfer Impact Assessment focused on US CLOUD Act exposure, with mitigations (CMEK, audit logs, EU only locations, optionally Sovereign Controls). List Google as a sub processor in the privacy notice with the categories of data, the EU storage location and the transfer mechanism. If public buckets are loaded directly into the visitor's browser, list any Google cookies in the cookie policy or migrate to signed URL delivery through the operator's own domain.

GDPR consent category

Analytics

Websites using Google Cloud Storage must obtain user consent under GDPR regulations.

Legal basis: Depends on use case. Backend storage of personal data (uploads, account data) rests on the lawful basis of the underlying processing (contract, legitimate interest, consent). Public asset hosting falls under operational legitimate interest for delivering the site. If a visitor's browser loads an asset from a Google domain, the Google domain may set its own cookies and that processing requires the analysis for Google cookies (consent under ePrivacy Art. 5(3)).

Risk level: medium

Applicable regulations: GDPR, ePrivacy Directive (only when assets served from Google domains set cookies), US CLOUD Act, French CNIL guidance on hyperscalers, German BfDI and DSK positions on US cloud providers, Schrems II case law

DPIA considerations

Google Cloud Storage processing depends on what is stored. DPIA considerations: (1) data residency is configurable per bucket; EU single region (europe-west1, europe-west3, europe-west9, etc.) or multi region (eu) keeps data in the EU, single region in the US or Asia means an international transfer; (2) Google LLC is a US company subject to the US CLOUD Act, which European supervisors flag as a residual concern even when data sits in EU regions; (3) Google self certifies under the EU US Data Privacy Framework and offers Standard Contractual Clauses for transfers outside the DPF; (4) for highly regulated workloads, Google offers Workspace and Cloud Sovereign Controls (Assured Workloads) that further restrict admin access and key management to specific jurisdictions; (5) if public buckets serve assets directly to the visitor's browser via storage.googleapis.com, Google may set cookies on that domain which require consent under ePrivacy Art. 5(3). A DPIA is recommended for any storage of special category data or large scale processing.

Sample consent text

We use Google Cloud Storage from Google LLC as backend storage for files uploaded to our service and static assets. Buckets are configured in the European Union (region: [europe-west1 Belgium / europe-west3 Frankfurt / europe-west9 Paris]) so your data stays in the EU. Google LLC is a US company subject to the US CLOUD Act, so we have signed Standard Contractual Clauses and rely on the EU US Data Privacy Framework as additional safeguards. Public assets served from storage.googleapis.com may load in your browser if you grant the necessary cookie consent.

Technical details

Tracking method: Object storage service from Google Cloud Platform. Used as a backend storage tier (uploads, media, backups, static assets). Buckets can be configured as private or public, and public buckets can serve static assets directly to end users via the storage.googleapis.com domain or a custom domain. The service itself does not set client side cookies; if assets served from storage.googleapis.com are loaded in the visitor's browser, Google may set its NID cookie in some configurations.

Server location: Configurable per bucket. Operators can select region (single region in EU like europe-west1 Belgium, europe-west3 Frankfurt, europe-west9 Paris), dual region (eu) or multi region (eu spanning multiple EU regions). The operator's choice determines the GDPR transfer position.

Cookieless tracking available: Yes

Data transferred outside the EU: Google Cloud Storage data location depends on the bucket configuration. EU regional or multi region (eu) buckets keep data in the EU, including replication. However, Google LLC is a US company subject to the US CLOUD Act, which European supervisors flag as a residual concern regardless of bucket location. Google self certifies under the EU US Data Privacy Framework and provides Standard Contractual Clauses, plus the Workspace Sovereign Controls option for tighter control on Enterprise contracts.

Third-party domains contacted

storage.googleapis.com, storage.cloud.google.com, googleapis.com, gstatic.com


Frequently asked questions

Does Google Cloud Storage set any cookies?

Not by itself for backend use. If the operator serves public bucket contents directly to the visitor's browser via storage.googleapis.com, Google may set cookies on that domain (such as NID for Google service preferences). Operators usually avoid this by using Signed URLs or a CDN that proxies the bucket through the operator's own domain.

Is consent required for Google Cloud Storage?

Not for backend storage of data the operator handles. If public bucket assets are loaded directly into the browser from storage.googleapis.com and Google cookies are set on that domain, consent under ePrivacy Art. 5(3) is required for those cookies.

What is the legal basis for Google Cloud Storage processing?

Depends on what is stored. The lawful basis follows the underlying processing purpose: contract necessity for user uploads tied to the service, legitimate interest for backups and operational data, consent for data the user did not need to share. Google acts as a data processor under the Cloud DPA.

Does Google Cloud Storage transfer data to the United States?

Object data location is controlled by the bucket region. EU regions or the eu multi region keep data in the EU. However, Google LLC is a US company subject to the CLOUD Act, which European supervisors flag as a residual concern regardless of bucket location. SCCs and the EU US Data Privacy Framework apply.

Do I need a DPIA for Google Cloud Storage?

A DPIA is recommended for any storage of special category data, large scale personal data processing, or use cases involving children or vulnerable groups. For ordinary backend storage of business data, the DPIA may not be mandatory but documenting the bucket location, encryption choices and transfer mechanism in the record of processing is still required.

How do I implement Google Cloud Storage compliantly?

Choose EU only bucket locations for personal data. Enable Customer Managed Encryption Keys (CMEK) via Cloud KMS. Enable Cloud Audit Logs (Data Access) for accountability. Use Signed URLs to serve assets through your own domain rather than storage.googleapis.com. Sign the Google Cloud DPA and SCCs. For highly regulated workloads, evaluate Sovereign Controls or partner offers (T Systems, S3NS).

What alternatives to Google Cloud Storage exist?

EU sovereign alternatives include OVH Object Storage (France), Scaleway Object Storage (France), Hetzner Object Storage (Germany), IONOS S3 (Germany), Wasabi (EU regions), Backblaze B2 (EU regions), and the Gaia X compliant providers. US alternatives include Amazon S3, Azure Blob Storage and Cloudflare R2, each with their own data residency and CLOUD Act considerations.

How should I update my cookie or privacy policy?

Google Cloud Storage is a sub processor and belongs in the sub processor section of the privacy notice, not the cookie banner. List the bucket regions, the storage purpose, the legal basis, the transfer mechanism (EU US Data Privacy Framework / SCCs) and any encryption choice. If public buckets serve assets directly to browsers, list the resulting Google domain cookies in the cookie policy.