Why Did Google Ads Send Me An Email Re: Updates about GDPR Compliance?

In July 2020, the EU’s highest court ruled against the validity of the Data Privacy Shield for protecting EU citizen data when it is transferred out of the EU to other countries including the US. This caused many businesses, including Google and other ad tech companies, to have to revise their platforms’ data processing terms.

What Did the EU Rule on Data Transfers to the US in July 2020?

In July 2020 the Court of Justice of the European Union, the highest court in the EU, ruled that the current Privacy Shield that allowed transfers of online advertising and measurement personal data out of the EU to the US was invalid. This was based on the court finding that EU citizen data could be interfered with by the US government based on the country’s current surveillance laws. 

TechCrunch.com’s Natasha Lomas explains that, The CJEU’s finding is that “the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country”, and that mechanisms in the EU-US Privacy Shield ostensibly intended to mitigate this interference (such as an ombudsperson role to handle EU citizens’ complaints) are not up the required legal standard of ‘essential equivalence’ with EU law.

The Court of Justice of the European Union did keep Standard Contractual Clauses (SCCs) in place as a valid and legal way for businesses including banks, Facebook, and Google to transfer online advertising and measurement personal data out of the EU and into the US. This effectively provides these companies with a way to maintain data transfers outside of the EU and into the US (and other countries) for the time being.

How Does The EU Ruling on Data Transfers Impact My Google Ads Account?

Since SCC’s are still considered an allowed method of transferring data from the EU to servers in the US, Google is moving to use them for all transfers of online advertising and measurement personal data out of the EU, Switzerland and the UK in order to stay in compliance with the ruling.

Google is also updating its existing Google Ads Data Processing Terms, Google Ads Controller-Controller Data Protection Terms, and Google Measurement Controller-Controller Data Protection Terms to add the relevant SCCs as adopted by the European Commission. These updated contract terms for using Google Ads will apply starting on August 12, 2020.

How Can I Make Sure My Google Ads Account Is Still In Compliance with GDPR?

First off, we are not legal experts and you should be consulting your lawyer regarding how to keep your business in compliance with GDPR and other consumer data privacy protection laws. 

  1. Google’s updated contract terms that add the relevant SCCs ensure your agreement with their ad platform keeps the account in compliance with the updated ruling. 
  2. Make sure you have a cookie preference solution in place (such as OneTrust) on your site. Make sure settings are specific for traffic from visitors from the EU countries, allowing them to control how their personal data is used across the site and ad platforms. 
  3. We also recommend that you have detailed information regarding your business’ privacy policies that can be found on the privacy policy page on your website. 

The court’s standing on SCC’s and how EU citizens’ data is transferred out of the EU could come under further scrutiny, which could further complicate things for banks, ad tech companies, and other businesses. 

Have further questions about the recent EU ruling on data transfers and how it affects your Google Ads account? Please make sure to consult your lawyer and be sure to reach out to GCommerce to help you implement cookie compliance tools on your website.