Does your website use third-party services? Get GDPR compliant in minutes.

Google Pay

PreferencesWebsite

What does Google Pay do?

Google Pay is a digital wallet and online payment service that lets users pay on third party sites with card details stored in their Google account.

What is Google Pay?

Google Pay is the digital wallet and online payment service of Google. For European buyers, the payment leg is operated by Google Payment EMEA Limited, an Irish E-Money Institution supervised by the Central Bank of Ireland. On the web, merchants integrate Google Pay through the Google Pay JavaScript API or the Web Payments Request API, which displays a button that opens a Google sheet pre filled with the user payment methods, addresses and contact details from their Google account.

What data and cookies does Google Pay collect?

Loading the Google Pay button drops third party cookies on pay.google.com and accounts.google.com (NID, SID, HSID, SSID, APISID, SAPISID, GPS for ad targeting if the user is signed in to Google). The Google Pay API receives the merchant ID, the amount, the currency, the country, the supported card networks and the customer billing and shipping requirements. On click, Google returns an encrypted payment token bound to the merchant for the gateway to process.

GDPR and ePrivacy implications

Strictly necessary cookies for the Google Pay button to function fall under the article 5(3) ePrivacy exemption. However Google sets a number of cookies on pay.google.com and accounts.google.com that go beyond the payment itself (advertising, sign in continuity, personalisation). CNIL and other EU regulators expect merchants to either delay the button until consent or to use the rendering options that limit Google cookies before click.

Get GDPR compliant in 10 minutes

Free plan available · No credit card required

Try FlowConsent free

Consent management with Google Pay

Render the Google Pay button on the checkout page only. Avoid loading pay.google.com scripts on browse or category pages. Wrap the button behind a CMP gate if it is displayed before consent. Use the Google Consent Mode v2 if you integrate Google Pay with Google Ads or Google Analytics, so that ad_storage and analytics_storage signals propagate correctly. Inform users in your privacy notice that Google Payment EMEA Limited and Google LLC process the payment.

Data residency and Google DPF

For EEA buyers, Google Payment EMEA Limited operates from Dublin. Card processing, tokenisation and fraud detection can involve Google entities globally including the United States. Transfers rely on EU SCCs and the Google LLC DPF certification under the EU US Data Privacy Framework. Document the transfer mechanism in your records of processing activities.

Practical compliance checklist

Sign the Google Pay merchant agreement and the Google DPA with EU SCCs. Display the button only on checkout. Avoid loading Google Pay scripts on non checkout pages. Use Consent Mode v2 to propagate the user choices. Categorise Google Pay cookies as Strictly Necessary and Google advertising cookies as Marketing. Identify Google Payment EMEA Limited and Google LLC as joint or independent controllers in your privacy notice.

GDPR consent category

Preferences

Websites using Google Pay must obtain user consent under GDPR regulations.

Legal basisPerformance of a contract (article 6(1)(b) GDPR) for the payment processing, combined with legitimate interest for fraud prevention. Consent (article 6(1)(a) GDPR) and article 5(3) ePrivacy for non essential Google cookies set when the button loads.

Risk levelmedium

Applicable regulationsGDPR, ePrivacy Directive, TTDSG, LOPDGDD, French Data Protection Act, UK GDPR and PECR, PCI DSS, PSD2 SCA, Irish payment services regulation

DPIA considerations

A DPIA is recommended whenever Google Pay is paired with other Google services on the merchant site (Google Ads conversion tracking, Google Analytics enhanced ecommerce, Google Sign In), when the merchant runs subscription billing, or when sensitive sectors are processed.

Sample consent text

We use Google Pay to let you check out with the card details stored in your Google account. Loading the Google Pay button sets Google cookies and shares payment data with Google Payment EMEA Limited in Ireland and Google LLC in the United States. Payment cookies are strictly necessary, additional Google cookies for advertising or analytics only load if you grant consent.

Technical details

Tracking methodGoogle Pay JavaScript API and Web Payments Request API integration, with first and third party cookies set on Google domains

Server locationGoogle LLC (United States) and Google Ireland Limited (Dublin) on Google Cloud Platform

Data transferred outside the EUGoogle Pay is operated by Google Payment EMEA Limited (Ireland) for EEA buyers and by Google LLC in the United States. Card processing, tokenisation and fraud detection can involve Google entities globally. Transfers rely on EU SCCs and on the Google DPF certification under the EU US Data Privacy Framework.

Third-party domains contacted

pay.google.compayments.google.comaccounts.google.comgoogle.comgstatic.com

Cookies placed

Name	Type	Duration	Purpose
NID	Strictly Necessary	6 months	Google identifier used to remember user preferences and authentication state in Google services, including Google Pay.
SID	Strictly Necessary	2 years	Google session identifier used to authenticate the user in Google Pay.
HSID	Strictly Necessary	2 years	Companion to SID, used by Google for session protection against forged credentials.
SSID	Strictly Necessary	2 years	Companion to SID used by Google to bind the session to a secure context.
APISID	Strictly Necessary	2 years	Google API session identifier required to call Google Pay APIs while authenticated.
SAPISID	Strictly Necessary	2 years	Hashed companion to APISID for secure API authentication.
GPS	Marketing	30 minutes	Google identifier used for geolocation and ad personalisation when the user is signed in to Google.
CONSENT	Functional	2 years	Stores the user consent state for Google services, including cookies and personalised content.

Google Pay uses cookies for user preferences — inform visitors with a consent banner.

Get started free Scan your site

Frequently asked questions

What cookies does Google Pay set?

Google Pay sets third party cookies on pay.google.com and accounts.google.com (NID, SID, HSID, SSID, APISID, SAPISID, GPS, CONSENT). The exact set depends on whether the user is logged in to Google.

Is consent required to display the Google Pay button?

Strictly necessary cookies are exempt under article 5(3) ePrivacy. The Google advertising and personalisation cookies that load with the button are not strictly necessary and require consent in most EU jurisdictions.

What is the legal basis for Google Pay?

Performance of a contract for the payment, legitimate interest for fraud prevention, consent for Google advertising and personalisation cookies.

What about US data transfers?

Google Payment EMEA Limited is in Dublin but processing involves Google LLC in the US. Transfers rely on EU SCCs and the Google DPF certification.

Do I need a DPIA for Google Pay?

A DPIA is recommended when Google Pay is paired with Google Ads conversion or Google Analytics enhanced ecommerce, when subscription billing is in use, or when sensitive verticals are processed.

How do I implement Google Pay compliantly?

Display the button only on checkout. Block it behind a CMP if shown earlier. Use Consent Mode v2. Sign the Google Pay merchant agreement and the Google DPA with EU SCCs.

What are the alternatives to Google Pay?

Apple Pay, Amazon Pay, PayPal Express, Shop Pay, Klarna Pay Now, GoCardless, Stripe Link, Adyen, Mollie or local methods (Bancontact, iDEAL, Sofort, Bizum).

How do I document Google Pay in my cookie policy?

List the Google cookies (NID, SID, HSID, SSID, APISID, SAPISID, GPS, CONSENT) with domain, duration and purpose. Identify Google Payment EMEA Limited and Google LLC as controllers. Describe the EU and US flows and the safeguards.

Get compliant — Try FlowConsent free

Free plan · 10-min setup