Google provides translated versions of our Help Center, though they are not meant to change the content of our policies. The English version is the official language we use to enforce our policies. To view this article in a different language, use the language dropdown at the bottom of the page.
For subtitles in your language, turn on YouTube captions. Select the settings icon at the bottom of the video player, then select "Subtitles/CC" and choose your language.
We want users to trust that information about them will be respected and handled with appropriate care. As such, our advertising partners should not misuse this information, nor collect it for unclear purposes or without appropriate disclosures or security measures.
Note that additional policies apply when using personalized advertising, which includes remarketing and custom audiences. If you use personalized advertising targeting features, be sure to review the personalized ads data collection and use policies.
Below are some examples of what to avoid in your ads. Learn about what happens if you violate our policies.
Inadequate data security
The following is not allowed:
Troubleshooter: Inadequate data securityFailing to use appropriate security measures for the type of information being collected based on relevant industry standards
Examples (non-exhaustive): Collecting numbers for credit or debit cards, bank and investment accounts, wire transfers, national identity, tax ID, pension, healthcare, driver's license, or social security numbers over an unsecured page that is not SSL (Secure Sockets Layer) protected and without a valid SSL certificate
- Fix the ad's destination. Either stop collecting personal information from users or collect that personal information through a secure SSL server to keep it safe.
- Option 1: Use a secure server.
Use a secure processing server (called SSL) when collecting personal information. With SSL, your webpage URL will appear with https:// instead of http://. Learn how to set up SSL on your site.- Option 2: Don't collect user data.
Change your website or app so that it doesn't ask for personal information when users access your content.Edit the ad. This will resubmit the ad and its destination for review.
Most ads are reviewed within 1 business day, though some can take longer if they need a more complex review.
Unacceptable information sharing
The following is not allowed:
Sharing personally identifiable information (PII) with Google through remarketing tags, conversion tracking tags, or through any product data feeds that might be associated with ads
Example (non-exhaustive): Sharing user’s email addresses through URLs that have remarketing tags
Troubleshooter: Unacceptable information sharingNote: This requirement does not apply to Google Ads services subject to the Google Ads Data Processing Terms. (Enhanced Conversions, Google Ads Customer Match, Google Ads Store sales, Google Ads Store sales (direct upload))
- Identify the source. Use the breach notice email provided by Google to identify which URLs are violating the policy. Frequently, PII is accidentally included in URLs that are passed to Google from web forms, login pages, and custom email marketing campaign parameters.
- Remove PII in shared data. Update your systems so that PII is not included in URLs. Below are the most common methods for removing PII from URLs.
You can implement a UUID to prevent PII from passing to Google. For example,Web forms: HTML forms should be submitted with the
POST
protocol. If theGET
protocol is used, the parameters of the form will end up as part of the URL in the address bar. Update the page source or the component generating the HTML so the form tag hasmethod=”post”
in the attribute. Learn more about the form method.Login pages: Some sites, especially those with user profiles or user login, use URL patterns that include PII as part of the design. Replace the PII in the URL with a unique site-specific identifier or a unique user ID (UUID).
Custom email marketing campaign parameters: Examine the URLs generated by a test email marketing campaign to identify email addresses or other PII in URL parameters. Assign each user a unique site-specific identifier or a unique user ID (UUID) and track the UUID through URL parameters.
site.com/my_settings/[email protected]
could be changed tosite.com/my_settings/43231
, where43231
is a number that uniquely identifies the account with address [email protected].- Fill out the response form. Use the form to indicate that you have taken steps to fix the issue. The form helps Google know where you are in the process.
Verify the problem is fixed. After you respond through the form, Google will validate that the changes you made to your site addressed the issue. Within two weeks, you’ll receive another notice to confirm that the issue is fixed or let you know if PII is still being shared from URLs associated with your account. If PII is still detected, examine the updated list of URLs that don’t comply with the policy to determine the cause of the issue.
Note that you can verify that your changes work on a test site before pushing code changes to your live site. Tag your test site with tags from the same Google Ads customer ID that you use for personalized advertising. Once your test site shows up in the list of URLs where PII was detected, you can make test changes. If we stop detecting PII from your test site, it will drop off reports. Then you can push changes to your live site.
Remarketing lists and other lists based on remarketing, such as custom combination lists or similar audiences, will be disabled if they don’t comply with this policy. Learn more about what happens if you violate our policies.
Misusing personal information
The following is not allowed:
Using personal information in ways that users have not consented to
Examples (non-exhaustive): Re-selling users' contact information, using images of users in ads without their consent
Ads that directly address the user using their personal information
Example (non-exhaustive): Ads addressing a user by name, title, or job position
Specific example: "Hello John Smith - buy flowers here!"
Ads that imply knowledge of a user's personal information
Example (non-exhaustive): Ads that claim to know your financial status or political affiliations
Specific example: "You're buried in debt. Get help today."
European user consent
The following is not allowed:
Promotions that violate our policy on consent from European users
Example (non-exhaustive): Using Google Ads features, such as remarketing or conversion tracking, without obtaining appropriate consent from European Economic Area or UK users for using cookies or (in the case of remarketing) the use of personal data for personalized ads.
Unauthorized cookies on Google domains
The following is not allowed:
Setting a cookie on a Google domain
Examples (non-exhaustive): Any entity other than Google setting a cookie on doubleclick.net or googlesyndication.com, or enabling any other entity to set such a cookie