Google Forms is Google's free survey and form builder, used by millions of organisations to collect responses, run quizzes and capture leads. Forms can be embedded via iframe or shared as a standalone URL. When embedded, Google sets cookies and transfers form data and metadata to Google LLC servers in the United States, triggering GDPR and ePrivacy obligations.
Google Forms is part of the Google Workspace suite and lets anyone create surveys, quizzes, registration forms and feedback questionnaires through a simple drag-and-drop interface. Forms are hosted on docs.google.com and can be distributed via a shareable link, an email invitation or, most commonly on websites, embedded inside an iframe. Each response is stored in a linked Google Sheets file or directly in the Forms response panel.
When a Google Form loads on your site (whether through an iframe embed or a direct visit), Google sets several cookies on the docs.google.com and google.com domains, including NID, CONSENT, SOCS, AEC and 1P_JAR. Beyond cookie data, Google collects the respondent IP address, user agent, referrer, screen resolution and, if the respondent is signed in, the Google account identifier. All form responses themselves are stored on Google servers.
Because cookies are written to the user device on page load, Article 5(3) of the ePrivacy Directive (transposed in national cookie laws across the EU) requires prior, informed and freely given consent before Google Forms can be loaded in an embedded context. Google acts as a data processor for form responses under the Google Workspace Data Processing Addendum, but as an independent controller for some telemetry, which means publishers remain accountable for transparency and for offering a refusal that is as easy as acceptance.
In practice, an embedded Google Form must be blocked behind a consent management platform until the visitor has actively opted in to the relevant category (typically Functional or Marketing depending on how you classify it). A two-click solution, where a placeholder explains what loading the form entails and lets the user explicitly accept, is the most common pattern and aligns with guidance from the CNIL, the BfDI and other EU regulators.
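The two-click gate described above, as an added example (not code from the original page, from Google or from any consent platform). The function names, the `functional` category key and the sample form URL are assumptions made for illustration. No request to Google is made until the iframe markup is actually inserted.

```javascript
// Added example: two-click gate for an embedded Google Form.
// All names here (CONSENT_CATEGORY, renderFormEmbed, ...) are hypothetical.
const FORM_HOST = 'docs.google.com';    // the page states forms are hosted here
const CONSENT_CATEGORY = 'functional';  // assumption: how this site classifies the form

// Accept only https Google Forms URLs so the gate cannot frame another origin.
function isGoogleFormUrl(raw) {
  try {
    const u = new URL(raw);
    return u.protocol === 'https:' && u.hostname === FORM_HOST &&
      u.pathname.startsWith('/forms/');
  } catch {
    return false; // not a parseable absolute URL
  }
}

// Encode characters that could break out of an HTML attribute value.
function escapeAttr(s) {
  return s.replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

// Returns placeholder markup until consent is exactly `true`, the iframe after.
function renderFormEmbed(formUrl, consent) {
  if (!isGoogleFormUrl(formUrl)) {
    return { loaded: false, html: '<p>Form unavailable.</p>' };
  }
  if (consent[CONSENT_CATEGORY] !== true) {
    return { loaded: false, html:
      '<div class="form-placeholder"><p>Loading this form places Google cookies ' +
      'on your device and sends data to Google LLC in the United States.</p>' +
      '<button type="button" data-accept-form>Load Google Form</button></div>' };
  }
  return { loaded: true, html:
    `<iframe src="${escapeAttr(formUrl)}" title="Google Form" loading="lazy" ` +
    'referrerpolicy="no-referrer"></iframe>' };
}

// Browser wiring: first click is the visitor's explicit accept, then re-render.
// A real deployment would also record the choice in its consent platform.
function mountFormEmbed(container, formUrl, consent) {
  const view = renderFormEmbed(formUrl, consent);
  container.innerHTML = view.html;
  const btn = container.querySelector('[data-accept-form]');
  if (btn) btn.addEventListener('click', () =>
    mountFormEmbed(container, formUrl, { ...consent, [CONSENT_CATEGORY]: true }));
  return view.loaded;
}
```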
Google Forms data is processed on Google LLC infrastructure primarily in the United States. Transfers rely on Standard Contractual Clauses under Article 46(2)(c) GDPR, and on the EU-US Data Privacy Framework where Google LLC is certified. Controllers should run a Transfer Impact Assessment, consider supplementary measures (such as pseudonymising form fields) and document the legal basis for the transfer in their record of processing activities.
Concretely, list Google Forms in your cookie policy and record of processing activities, block the iframe until consent is captured, present a two-click placeholder, keep the Google Workspace DPA on file, run a Transfer Impact Assessment, and avoid collecting sensitive categories of data through Google Forms unless you have a strong Art. 9 lawful condition. For high-risk use cases (health surveys, employee feedback, minors) consider hosting forms on an EU-based alternative.
Websites using Google Forms must obtain user consent under GDPR regulations.
DPIA considerations
Google Forms processes form responses (including any personal data submitted by respondents), IP addresses, browser fingerprints and Google account identifiers when respondents are signed in. Embedded forms inherit the cookies of the docs.google.com domain. Key DPIA considerations: (1) the categories of personal data collected via form fields may include sensitive data (health, political opinions, religion) depending on use case, requiring an Art. 9 GDPR lawful condition; (2) cross-border data transfer to Google LLC in the US, evaluated via a Transfer Impact Assessment; (3) Google acts as data processor under the Google Workspace DPA but may also process technical metadata as an independent controller; (4) persistent identifiers via NID and CONSENT cookies enabling cross-service tracking on Google properties; (5) IP address logging in form analytics and submission records. A DPIA is recommended where forms collect sensitive data, are used at scale, or target vulnerable populations.
Sample consent text
We use Google Forms to collect your responses. When you load this form, Google places cookies on your device and may transfer form data and technical metadata to Google LLC in the United States. You can withdraw your consent at any time via our cookie settings.
Third-party domains contacted
docs.google.com, forms.google.com, google.com, fonts.gstatic.com, accounts.google.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | Preference | 6 months | Stores user preferences (language, region, number of search results) used by Google to personalise responses across services including Google Forms. |
| CONSENT | Functional | 2 years | Records the visitor consent state for Google services and persists choices made in Google's own consent interfaces across sessions. |
| SOCS | Functional | 13 months | Stores the user's consent state for Google services, including which Google product consent dialogs the user has interacted with. |
| AEC | Security | 6 months | Ensures that requests within a browsing session are made by the user and not by other sites, mitigating cross-site request forgery on Google services. |
| 1P_JAR | Marketing | 1 month | Used by Google for advertising measurement, including aggregating site statistics on Google services and properties. |
Yes. When a Google Forms iframe loads on your site, Google writes several cookies to the docs.google.com and google.com domains, including NID, CONSENT, SOCS, AEC and 1P_JAR. Some support functional behaviour (language, consent state), others are used by Google for advertising measurement.
Yes. Because cookies are placed on the user device on page load and data is transferred to Google in the US, Article 5(3) of the ePrivacy Directive and Article 6(1)(a) GDPR require prior, informed and freely given consent before the iframe is loaded. A two-click placeholder is the recommended pattern.
For embedded forms that set non-essential cookies and transfer data to the US, consent under Art. 6(1)(a) GDPR is the standard basis. If the form is the core of a contractual interaction (job application, service registration), Art. 6(1)(b) may also apply to the response data itself, but consent is still needed for the cookies.
Google Forms responses are stored on Google LLC infrastructure, primarily in data centres in the United States. Transfers rely on Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR and on the EU-US Data Privacy Framework. You should run a Transfer Impact Assessment and document supplementary measures.
A DPIA is recommended when forms collect sensitive categories (health, religion, political views), process data at large scale, target vulnerable populations (minors, employees) or are used for systematic monitoring. For routine contact or feedback forms with minimal personal data, a DPIA is typically not mandatory but documenting the assessment is good practice.
Block the iframe behind your consent management platform, present a two-click placeholder explaining what loading the form entails, list Google Forms in your cookie policy and record of processing activities, keep the Google Workspace DPA on file, run a Transfer Impact Assessment, and avoid collecting sensitive data through Google Forms without a strong Art. 9 lawful condition.
Alternatives hosted in the EU include Tally, Typeform (Europe data residency option), Formbricks, JotForm (EU data centre), LimeSurvey, and SurveyMonkey EU. These reduce or eliminate the US transfer concern and often offer DPA terms aligned with EU expectations out of the box.
List Google Forms by name, the categories of cookies set (functional, marketing), the data collected (form responses, IP address, device metadata), the controller and processor relationship with Google LLC, the storage duration (per Google Workspace terms), the destination country (United States), the transfer mechanism (SCCs, Data Privacy Framework) and a link to Google's privacy policy.