Google Meet is Google's video conferencing service, available through Google Workspace and as a standalone product for personal accounts. When embedded on a website or loaded through a Google Calendar invite, it sets Google ecosystem cookies and transfers data to Google LLC in the United States. As a third party processor, it falls under GDPR consent requirements for marketing pages and requires contractual safeguards for business use.
Google Meet behaves very differently depending on where it is loaded. When the Meet widget or a meeting link is embedded on a marketing page, a help center, or a blog, the browser loads Google scripts and sets Google ecosystem cookies before any meeting starts. In that scenario Google acts as a third party processor of personal data such as IP address, device identifiers and account identifiers, and the website operator becomes the data controller responsible for obtaining valid consent. When Google Meet is used internally inside a Google Workspace tenant, by employees joining a planned meeting, the legal basis usually shifts to performance of a contract or legitimate interest, and the Workspace Data Processing Addendum governs the relationship between the employer and Google.
Meet does not have a single dedicated cookie; instead it reuses the broad set of Google authentication and security cookies. Typical cookies observed include NID for advertising and preferences on Google domains, SID, HSID, SSID, APISID and SAPISID for signing the user into Google services, and __Secure-3PSIDCC for cross site session continuity. Some of these cookies have lifetimes of six months to two years, are flagged as Secure and HttpOnly, and are set on .google.com so they are shared across every Google property a user visits. From a privacy perspective they are not strictly necessary cookies in the meaning of the ePrivacy Directive, so they require prior consent when triggered from a non Google website.
Google LLC is established in the United States and self certifies under the EU-US Data Privacy Framework, which the European Commission recognised as providing an adequate level of protection in its adequacy decision of July 2023. For data subjects in the European Economic Area, transfers of Google Meet usage data to the United States are therefore covered by an adequacy mechanism. As a defence in depth strategy, Google also offers Standard Contractual Clauses in its Workspace Data Processing Addendum. Controllers should document in their records of processing activities that the transfer relies on DPF first and SCCs as a fallback, and they should monitor any future challenge to the adequacy decision before the Court of Justice of the European Union.
On public websites that embed Google Meet, the recommended pattern is click to load. The page first shows a static placeholder that explains that loading the meeting widget will set Google cookies and transfer data to the United States. Only after the visitor presses an explicit accept button does the website inject the Meet iframe or the Google Calendar script. The consent management platform should record the consent event with a timestamp, the policy version and the cookie scope. The same consent record should be reused if the visitor returns within the consent retention window, so the banner does not reappear on every page load.
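The click to load pattern described above, as an added example (not code from this page, from Google or from any consent management platform). The policy version, the 180-day retention window, the storage key, the record fields and the function names are assumptions chosen for illustration; the decision logic is kept separate from the DOM wiring so it can be checked without a browser.

```javascript
// Added example. POLICY_VERSION, RETENTION_DAYS, STORAGE_KEY and the record
// fields are assumptions for illustration, not values from Google or a CMP.
const POLICY_VERSION = "2024-01";
const RETENTION_DAYS = 180;
const STORAGE_KEY = "consent.google_meet";
const DAY_MS = 24 * 60 * 60 * 1000;

// Record the consent event: timestamp, policy version and cookie scope.
function acceptConsent(storage, now = Date.now()) {
  const record = { service: "google_meet", grantedAt: now,
                   policyVersion: POLICY_VERSION, scope: [".google.com"] };
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// Reuse a stored record only if it is well formed, was given under the
// current policy version and is still inside the retention window.
function isConsentValid(record, now = Date.now()) {
  if (!record || record.service !== "google_meet") return false;
  if (record.policyVersion !== POLICY_VERSION) return false;
  const age = now - record.grantedAt;
  return Number.isFinite(age) && age >= 0 && age < RETENTION_DAYS * DAY_MS;
}

// Decide what may be rendered. Missing or corrupted storage means no consent.
function decideEmbed(storage, embedUrl, now = Date.now()) {
  let record = null;
  try { record = JSON.parse(storage.getItem(STORAGE_KEY)); } catch { /* no consent */ }
  return isConsentValid(record, now)
    ? { kind: "iframe", src: embedUrl }
    : { kind: "placeholder", text: "Loading Google Meet sets Google cookies " +
        "and transfers data to Google LLC in the United States." };
}

// Browser wiring: no iframe (so no request to Google) exists before consent.
function mountEmbed(container, storage, embedUrl) {
  const decision = decideEmbed(storage, embedUrl);
  const el = document.createElement(decision.kind === "iframe" ? "iframe" : "button");
  if (decision.kind === "iframe") {
    el.src = decision.src;
  } else {
    el.textContent = decision.text + " Accept and load";
    el.addEventListener("click", () => {
      acceptConsent(storage);
      mountEmbed(container, storage, embedUrl);
    });
  }
  container.replaceChildren(el);
}
```

In a page, `mountEmbed` would be called with a container element, `window.localStorage` and the embed URL; a change of `POLICY_VERSION` invalidates every stored record, so the placeholder is shown again.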
A Data Protection Impact Assessment becomes mandatory when Google Meet is used to record meetings on a large scale, when the meetings discuss special category data such as health information, union activity or legal matters, when minors are involved, or when the recordings are stored in Google Drive and shared across borders. The DPIA should describe the lifecycle of the recording from capture to deletion, the access controls applied to the storage location, the retention period, and the rights of participants to obtain a copy, request rectification or ask for erasure. Where the residual risk remains high after mitigation, the controller must consult the supervisory authority under Art 36 GDPR before launching the processing.
Sign the Google Workspace Data Processing Addendum with its DPF references, list Google LLC in the public sub processor register, document the legal basis for each Meet use case, expose Google Meet as a granular toggle inside the cookie banner, gate the embed code with the consent state, configure recording retention to the minimum required, restrict who can record and who can join externally, train staff on lawful recording disclosures, and review the entire setup at least once per year or whenever Google publishes a material change to its terms.
Websites using Google Meet must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended when Google Meet is used for recording meetings, processing special category data (health, legal advice, HR cases), large scale internal communications, or when embedded on high traffic public pages. Document the role of Google as processor, the DPF transfer mechanism, retention of recordings and access controls.
Sample consent text
We use Google Meet to provide video conferencing on this page. Loading the Meet widget sets Google cookies and transfers data to Google LLC in the United States under the EU-US Data Privacy Framework. By clicking Accept, you consent to this processing under Art 6(1)(a) GDPR.
Third-party domains contacted
- meet.google.com
- www.google.com
- apis.google.com
- ssl.gstatic.com
- fonts.googleapis.com
- fonts.gstatic.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| NID | third_party | 6 months | Stores Google preferences and personalised advertising settings, set on .google.com when any Google property loads, used by Meet alongside other Google services. |
| SID | third_party | 2 years | Authentication cookie that signs the user into Google services. Set on .google.com, marked Secure and HttpOnly, used by Meet to identify the participant. |
| HSID | third_party | 2 years | Security cookie that protects Google accounts against forged authentication requests, used together with SID and SSID during Meet sign in flows. |
| SAPISID | third_party | 2 years | Cross domain authorisation cookie that allows Google APIs to recognise the signed in user, used by the Meet web client to call backend services. |
| APISID | third_party | 2 years | Companion authorisation cookie used with SAPISID to enable signed requests from Meet to other Google services such as Calendar and Drive. |
| __Secure-3PSIDCC | third_party | 1 year | Cross site session continuity cookie used by Google to keep the user signed in across third party embeds. Marked Secure, relevant when Meet is loaded from an external website. |
Google Meet uses cookies for user preferences — inform visitors with a consent banner.
Google Meet does not have a unique dedicated cookie. Instead it reuses Google ecosystem cookies that are set on .google.com when the page or widget loads. The most common ones are NID for preferences and advertising, SID, HSID, SSID, APISID and SAPISID for sign in and security on Google services, and __Secure-3PSIDCC for cross site session continuity. Lifetimes typically range from six months to two years and most of these cookies are flagged Secure and HttpOnly. From an ePrivacy perspective they are not strictly necessary, so prior consent is required when Meet is loaded from a non Google website.
Yes. When the Meet widget, an iframe to meet.google.com, or a Google Calendar embed is loaded on a public website, Google sets cookies and processes personal data such as the visitor IP and device identifiers before any meeting actually starts. That processing is not strictly necessary for the requested service in the meaning of the ePrivacy Directive, so it requires prior, informed, freely given and specific consent under the GDPR. A click to load pattern, where the embed is gated by an explicit accept button, is considered best practice and is favoured by most supervisory authorities.
The lawful basis depends on the use case. For Google Meet embedded on a marketing or public web page, consent under Art 6(1)(a) GDPR is the appropriate basis because the cookies and data sharing are not strictly necessary. For a user who joins a meeting hosted by a Workspace customer, performance of a contract under Art 6(1)(b) GDPR generally applies, because the processing is needed to deliver the requested communication service. For internal employee usage, employers usually combine contract and legitimate interest, documented in the records of processing activities and supported by the Workspace Data Processing Addendum.
Yes. Google Meet is operated by Google LLC in the United States, and even though Google maintains data centres across Europe, processing routinely involves staff and systems in the US. Google self certifies under the EU-US Data Privacy Framework, which the European Commission recognised in July 2023 as offering an adequate level of protection. As a defence in depth, Standard Contractual Clauses are also incorporated in the Workspace Data Processing Addendum. Controllers should keep this transfer documented in their Art 30 records and monitor any future legal challenge.
A Data Protection Impact Assessment is strongly recommended, and often mandatory, when Google Meet is used to record meetings at scale, when meetings discuss special category data such as health, union activity or legal advice, when minors are involved, or when recordings are stored in Google Drive and shared across borders. The DPIA should cover the lifecycle of the recording, the legal basis, the access controls, the retention duration and the data subject rights. If the residual risk remains high after mitigation, the controller must consult its supervisory authority under Art 36 GDPR before launching the processing.
Sign the Google Workspace Data Processing Addendum, list Google LLC in your sub processor register, identify the right legal basis for each Meet scenario, and expose Google Meet as a granular toggle in your cookie banner. For embeds, use a click to load placeholder so that the Meet iframe is only injected after explicit consent. Configure recording retention to the minimum necessary, restrict who can record and who can join externally, train staff on lawful recording notices, document everything in your records of processing activities, and review the setup at least once per year or whenever Google updates its terms.
European or self hosted alternatives include Jitsi Meet, which can be self hosted in the EU and avoids US transfers entirely, OpenTalk and BigBlueButton for education and webinar scenarios, Whereby with EU regional storage, and Zoom configured with the EU pod for healthcare and public sector customers. Microsoft Teams is also widely used but raises similar US transfer questions to Google Meet. The right choice depends on integration with existing identity systems, retention needs, recording requirements and the sensitivity of the meetings.
In your cookie policy, list Google Meet as a third party video conferencing service operated by Google LLC, describe the categories of cookies it sets such as authentication, security and preferences, and provide their typical durations. Explain that loading the Meet widget transfers personal data to the United States under the EU-US Data Privacy Framework. Reference the legal basis (consent for public embeds, contract for joining meetings) and link to the Google privacy policy and the DPF certification page. Finally, document the granular consent toggle that controls when the embed is loaded.