🔒 Google Ads Policy Violation — Action Required

Fix Your Google Ads User Privacy & Transparency Violation

32-Point Compliance Checklist

A User Privacy and Transparency violation means Google has determined that your ads, website, or data practices are not being honest and open with users about how their information is collected, used, or shared. This policy protects every person who clicks your ads — and Google enforces it strictly. Work through every item below to find exactly what triggered your violation and fix it properly.

✓ 32 checks across 6 categories
✓ Plain-English explanations
Privacy Policy Requirements
Every website that runs Google Ads must have a complete, accessible Privacy Policy — no exceptions
My website has a Privacy Policy page that is clearly accessible from every page — typically linked in the footer
This is mandatory for anyone running Google Ads. If your website collects any information from users — including just their email address, phone number, or browsing behaviour — a Privacy Policy must exist and be easy to find. A Privacy Policy buried in a help centre or only accessible after signing up does not meet this requirement. It must be linked from every page, typically in the footer.
Critical
My Privacy Policy clearly explains what personal information is collected from users
Your Privacy Policy must specifically list what types of data you collect. This includes: name, email address, phone number, IP address, cookie data, payment information, browsing behaviour on your site, device information, and any other data you gather. A vague statement like "we collect some personal information" is not sufficient — every category of data collected must be named.
Critical
My Privacy Policy explains how collected data is used — including whether it is used for marketing, personalisation, or passed to third parties
Users have the right to know what you do with their information. Your Privacy Policy must state: whether data is used to send marketing emails, whether it is used for ad personalisation or retargeting, whether it is shared with or sold to third parties (including advertising partners and data brokers), and what happens to data if your business is sold or transferred.
Critical
My Privacy Policy specifically discloses that I use Google Ads and Google Analytics, and that Google may collect data through cookies or pixel tracking
If you run Google Ads or use Google Analytics, Google requires you to disclose this in your Privacy Policy. You must mention that Google uses cookies and tracking technologies, and link to Google's own privacy information. Google's policy requires this disclosure as a condition of using their advertising services. Without it, your account can be suspended.
Critical
My Privacy Policy provides a way for users to contact me about their data — such as to request deletion, correction, or a copy of their information
Under GDPR (Europe), CCPA (California), and similar laws in many other regions, users have legal rights over their personal data. Your Privacy Policy must provide a contact method — an email address or a web form — through which users can request to see, correct, or delete their data. Failing to provide this is both a policy violation and often a legal one.
Critical
My Privacy Policy is written in plain English that a non-legal person can understand — not just a document full of legal jargon
A Privacy Policy filled entirely with legal terminology that the average person cannot understand does not meet Google's transparency standards. While your policy can include legal language for compliance purposes, it should also explain the key points in clear, simple terms. If your policy reads like it was written purely for a lawyer and not for your actual users, it needs to be rewritten or supplemented with a plain-language summary.
Important
Data Collection Transparency
Users must know exactly what data you are collecting from them, when and how it is collected
Near every form on my website that collects personal information, there is a clear statement explaining what the data will be used for
Each form on your site — a contact form, a quote request form, a newsletter sign-up, a checkout page — must have a brief, clear explanation of what happens with the information the user submits. A simple statement like "We will use your email to send your quote and may contact you about our services. See our Privacy Policy for details" is acceptable. Collecting data through a form with no explanation is a transparency violation.
Critical
My website does not silently collect data in the background without any indication to the user — such as hidden tracking pixels, session recording, or fingerprinting without disclosure
Technologies that track users without any disclosure — such as hidden pixels, session recording software (Hotjar, FullStory), canvas fingerprinting, or browser fingerprinting — must be disclosed in your Privacy Policy. Running these tools on your landing page without disclosure is a privacy transparency violation. List every tracking technology you use, what it collects, and why.
Critical
My website displays a cookie consent notice that informs users about cookies before they are set — especially for visitors from the EU, UK, or other regulated regions
Under GDPR and ePrivacy regulations, websites must inform users about cookies and obtain consent before non-essential cookies are set. If you target or receive traffic from the EU, UK, EEA, or similar regulated regions and do not have a cookie consent banner, this is a compliance violation. Google requires advertisers to have appropriate consent mechanisms in place as a condition of using personalised advertising features.
Critical
I have implemented Google Consent Mode if I am using Google Ads in regions where consent is required — particularly the EU and EEA
Google Consent Mode is a technical tool that tells Google Ads how to behave based on the user's consent choices. If you operate in the EU or EEA and use Google Ads, implementing Consent Mode is now mandatory for compliance with Google's EU User Consent Policy. Without it, your ads may be restricted or suspended for targeting EU users without proper consent signals. Work with your web developer to implement this if it is not already in place.
Critical
My website does not collect data from children under 13 (or under 16 in the EU) without verifiable parental consent
Collecting personal data from children is subject to extremely strict rules under COPPA (USA), GDPR (EU), and similar laws worldwide. If your website could attract children — even if it is not specifically directed at them — and you collect any personal data, you must have age verification and parental consent mechanisms in place. Advertising to or collecting data from children without proper safeguards is a serious violation that Google treats as a severe breach.
Critical
My Google Ads remarketing audiences and custom audiences are built from data that users knowingly provided or from properly consented tracking — not from purchased lists of unknown origin
Using customer lists for remarketing or custom audience matching is allowed — but only if that data was collected with proper consent and disclosure. Purchasing email lists from third-party data brokers and uploading them as a customer match list is a violation. Every contact in a customer list uploaded to Google Ads must have given their explicit consent to have their data used for advertising purposes by your company.
Important
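A minimal Consent Mode wiring for the Consent Mode item above, as an added example that is not code from this page or from Google: every signal defaults to denied before any Google tag runs and is updated only from the visitor's banner choice. The banner category names (`marketing`, `analytics`) and the helper function names are assumptions; the `gtag('consent', ...)` commands and the four signal names are Consent Mode's own.

```javascript
// Added example. In a browser this must run before the Google tag snippet;
// under Node the dataLayer is a plain array so the logic can be checked offline.
const root = typeof window !== 'undefined' ? window : globalThis;
root.dataLayer = root.dataLayer || [];

// Standard gtag shim: each command is queued on dataLayer as an arguments object.
function gtag() {
  root.dataLayer.push(arguments);
}

// Map banner choices (hypothetical category names) to Consent Mode signals.
// Only an explicit boolean true grants a signal, so a missing or malformed
// choice can never be read as consent.
function toConsentState(choices) {
  const c = choices || {};
  const marketing = c.marketing === true ? 'granted' : 'denied';
  const analytics = c.analytics === true ? 'granted' : 'denied';
  return {
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
    analytics_storage: analytics,
  };
}

// Step 1: before any tag fires, deny everything and give the banner
// a short window (in milliseconds) to report the visitor's choice.
function setDefaultConsent() {
  const state = toConsentState(null);
  state.wait_for_update = 500;
  gtag('consent', 'default', state);
  return state;
}

// Step 2: called by the cookie banner once the visitor has chosen.
function onBannerChoice(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  return state;
}

setDefaultConsent();
```

A visitor who never interacts with the banner stays on the denied defaults, which is the state the cookie consent item above requires before non-essential cookies are set.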
User Consent & Opt-In Practices
Users must actively choose to share their data and receive communications — pre-ticked boxes and hidden opt-ins are not acceptable
All marketing opt-in checkboxes on my website are unticked by default — users must actively choose to opt in, never opt out
Pre-ticked consent boxes — where the user has to uncheck a box to avoid being subscribed to marketing — are explicitly prohibited under GDPR and considered deceptive practice by Google. Every consent checkbox must start unticked. The user must make a deliberate, active choice to subscribe or consent. This applies to email newsletters, SMS marketing, and any other communication channel.
Critical
My consent language is specific and separate — I do not bundle consent for marketing into the same checkbox as acceptance of terms and conditions
Combining "I agree to the Terms and Conditions and consent to receive marketing emails" into a single checkbox is not valid consent under GDPR. Consent for marketing must be separate from agreement to terms. Use two separate checkboxes — one for terms (which can be mandatory) and one for marketing consent (which must be optional). Each consent request must be clearly worded and stand alone.
Critical
I provide users with a clear, easy way to unsubscribe from marketing emails — and I honour those requests within the legally required timeframe
Every marketing email must include a visible, working unsubscribe link. When a user clicks unsubscribe, they must be removed from your marketing list within the timeframe required by law (10 business days under CAN-SPAM in the USA, immediately under GDPR in the EU). Continuing to send marketing emails to users who have unsubscribed is a violation of both privacy law and Google's policy.
Critical
I do not make access to my content or service conditional on users accepting marketing communications — users can say no to marketing and still use my service
Requiring users to consent to marketing emails or data sharing as a condition of using your service — "you must subscribe to our newsletter to download this report" or "you must agree to data sharing to complete your purchase" — is not valid consent. Access to the service must not be made conditional on marketing consent. You can offer an incentive for subscribing, but the choice must be genuinely optional.
Important
I keep a record of when and how each user gave consent — including what they consented to and the version of the Privacy Policy they agreed to
Under GDPR and similar regulations, you must be able to demonstrate that consent was given if challenged. This means keeping a record of: the date consent was given, what the user was shown (the consent language), which form or page they submitted, and which version of your Privacy Policy was in effect at that time. Without these records, you cannot prove compliance and will fail an audit or investigation.
Good Practice
Ad Personalisation & Remarketing
Using data to target users with personalised ads has specific transparency and consent requirements
My website discloses that I use remarketing — that visitors may see my ads after leaving my site based on their visit
If you run remarketing campaigns (showing ads to people who previously visited your website), your Privacy Policy and ideally a cookie notice must disclose this. Users have the right to know that their browsing behaviour on your site is being used to show them ads across the internet. A statement like "We use remarketing features through Google Ads to show relevant ads to previous visitors" is the minimum required disclosure.
Critical
My remarketing audiences do not include users based on sensitive personal characteristics such as health conditions, financial difficulty, religious beliefs, or sexual orientation
Google's policy explicitly prohibits building remarketing audiences based on sensitive categories. This includes: medical conditions (e.g., targeting people who visited a cancer treatment page), financial hardship (e.g., targeting visitors to debt consolidation pages), religious affiliation, sexual orientation, and other sensitive attributes. Even if you did not intend to create such an audience, if your website content implies sensitive characteristics, you must exclude those pages from your remarketing tags.
Critical
I have not set up remarketing audiences that specifically exclude or target users based on protected characteristics such as race, religion, disability, or gender identity
Using remarketing or audience targeting to show ads only to certain races, religions, genders, or other protected groups — or to specifically exclude them — is discriminatory advertising and a serious policy violation. Audience targeting must not be used to discriminate in housing, employment, credit, or any other regulated category.
Critical
My Google Ads account has personalised advertising turned on only if I have the proper consent and disclosure in place — otherwise it is switched to non-personalised ads
If you cannot demonstrate proper consent for personalised advertising in your target market, you should run non-personalised ads (also called contextual ads). In your Google Ads settings, you can restrict your campaigns to non-personalised ads. Continuing to run personalised ads without proper consent mechanisms in regulated markets is a direct violation of Google's User Data Policies.
Important
My Customer Match lists uploaded to Google Ads were collected with the user's explicit knowledge and consent that their data would be used for advertising purposes
Google's Customer Match feature allows you to upload email addresses or phone numbers for targeting. But Google requires that every contact in that list provided their data with knowledge that it would be used for advertising. This means your sign-up form or data collection point must specifically mention that data may be used for advertising purposes. Generic "newsletter" consent does not cover Customer Match targeting.
Critical
I provide users with a link to opt out of personalised advertising — such as through Google's ad settings or by linking to the NAI opt-out page
Your Privacy Policy should include a link that allows users to opt out of interest-based advertising. For Google specifically, this means linking to https://www.google.com/settings/ads. For broader opt-out options, you can link to the Network Advertising Initiative opt-out page at optout.networkadvertising.org. This is both a transparency best practice and a requirement in many privacy regulations.
Important
Deceptive Data Practices
Practices that mislead users about how their data is used — even unintentionally — are a serious policy violation
My ads and landing page do not imply that the user's personal data is required for something it is not actually used for
Telling users "We need your phone number to improve your experience" when the number is actually used to call them with sales pitches is deceptive. Every data collection request must accurately describe why that specific data is needed. If you ask for an email "to send your receipt" but then also add them to a marketing list, you must disclose the marketing use explicitly and separately.
Critical
I do not use spy pixel techniques or tracking methods that are intentionally hidden from users to avoid detection
Intentionally hiding tracking technologies — placing pixels in image tags with 1x1 dimensions, using invisible iframes, or loading tracking scripts in ways specifically designed to avoid detection by browser tools or privacy extensions — is a deceptive practice. All tracking must be disclosed, and the implementation must not be specifically designed to evade user awareness or ad blockers through deceptive technical means.
Critical
I do not sell, rent, or share users' personal data with third parties without their explicit knowledge and consent
Sharing user data with, or selling it to, advertising partners, data brokers, or other businesses without clear disclosure and user consent is one of the most serious privacy violations. Even sharing data with "trusted partners" must be disclosed. If you share data with anyone outside your own company for any purpose, this must be clearly stated in your Privacy Policy, and in many jurisdictions it requires explicit consent from the user.
Critical
My website does not use dark patterns — confusing or misleading interface design — to trick users into sharing more data than they intend to
Dark patterns are UI design tricks that manipulate users into making choices they would not otherwise make. In data collection contexts, this includes: making the "yes" button for data sharing bright and prominent while the "no" option is in small grey text, using double negatives in consent language ("uncheck to not receive emails"), or burying data sharing disclosures in walls of text. All consent mechanisms must be clear, balanced, and easy to understand.
Critical
My Privacy Policy is kept up to date — it reflects my current actual practices and is not a copy of another company's policy or an outdated template
Using a Privacy Policy template copied from another company, using a generator but never updating it to reflect your actual practices, or having a policy that references technologies or processes you no longer use — or does not mention ones you do use — is deceptive. Your Privacy Policy must accurately describe your current actual practices and be reviewed and updated at least once a year, or whenever your data practices change.
Important
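A self-audit sketch for several items in this checklist, as an added example that is not part of the original page: it scans a page's HTML for pre-ticked consent checkboxes, 1x1 or hidden images and iframes, and a missing Privacy Policy link. The function names and the sample markup are constructed for illustration, the checks are heuristics (a flagged pixel is a prompt to confirm it is disclosed, and tags whose attribute values contain `>` are not handled), and the policy link is recognised only by `privacy` appearing in its `href`.

```javascript
// Added example: heuristic static checks on a landing page's HTML.
// Parse one tag's attribute text into a map with lower-cased names.
function parseAttrs(src) {
  const attrs = Object.create(null);
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Element hidden via the hidden attribute or an inline style.
function isHidden(a) {
  const style = (a.style || '').replace(/\s+/g, '').toLowerCase();
  return 'hidden' in a || /display:none|visibility:hidden/.test(style);
}

// Element declared as 1x1 (or smaller) in its width/height attributes.
function isTiny(a) {
  return parseInt(a.width, 10) <= 1 && parseInt(a.height, 10) <= 1;
}

function auditHtml(html) {
  const findings = [];
  const tagRe = /<(img|iframe|input|a)\b([^>]*)>/gi;
  let privacyLink = false;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    if (tag === 'input' && (a.type || '').toLowerCase() === 'checkbox' && 'checked' in a) {
      findings.push({ check: 'pre-ticked-checkbox', detail: a.name || a.id || '(unnamed)' });
    } else if (tag === 'img' && (isTiny(a) || isHidden(a))) {
      findings.push({ check: 'hidden-pixel', detail: a.src || '' });
    } else if (tag === 'iframe' && (isTiny(a) || isHidden(a))) {
      findings.push({ check: 'hidden-iframe', detail: a.src || '' });
    } else if (tag === 'a' && /privacy/i.test(a.href || '')) {
      privacyLink = true;
    }
  }
  if (!privacyLink) findings.push({ check: 'no-privacy-policy-link', detail: '' });
  return findings;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_PAGE = `
<form>
  <input type="checkbox" name="terms" required> I agree to the Terms
  <input type="checkbox" name="newsletter" checked> Send me offers
</form>
<img src="https://tracker.example/p.gif" width="1" height="1">
<iframe src="https://sync.example/frame" style="display: none"></iframe>
<img src="/logo.png" width="120" height="40">
<footer><a href="/terms">Terms</a></footer>`;

for (const f of auditHtml(SAMPLE_PAGE)) console.log(f.check, f.detail);
```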
Your Appeal & Account Health
Before submitting your appeal, every one of these must be confirmed — privacy violations are taken very seriously by Google
I have identified the specific privacy or transparency issue that triggered my violation — not just guessed at what it might be
Your Google Ads policy notification should reference a specific policy — for example "EU User Consent Policy," "Data Collection and Use," or "Remarketing." Look this up in Google's policy help centre to understand exactly which requirement was not met. Privacy violations can come from many different sources — a missing Privacy Policy, an undisclosed tracking technology, an improper consent mechanism, or a non-compliant remarketing audience. Knowing the exact issue is essential before you can fix it.
Critical
I have made all necessary changes to my website, Privacy Policy, consent mechanisms, and Google Ads account settings before submitting an appeal
Google's review team will check your website, your Privacy Policy, and your Google Ads account settings when reviewing a privacy violation appeal. Submitting an appeal before making all necessary changes — even if just one item is still non-compliant — will result in rejection. Make every change first, verify each one, then appeal.
Critical
My appeal letter explains exactly what was wrong, what was changed, and provides specific evidence — such as the URL of my updated Privacy Policy or a screenshot of the new consent mechanism
A strong privacy violation appeal includes: (1) the specific issue that was identified, (2) a description of every change made to resolve it, (3) the URL of the updated Privacy Policy with a note on what was added, (4) confirmation of any technical changes (Consent Mode implementation, cookie banner update, remarketing audience adjustment), and (5) a commitment to ongoing compliance. Vague appeals are rejected every time.
Critical
I have reviewed all my other landing pages, campaigns, and audience lists to ensure no other privacy compliance issues exist elsewhere in my account
Google's review team examines your entire account when processing a privacy violation appeal — not just the specific page or campaign that was flagged. If your Privacy Policy is now compliant but another landing page still lacks a consent notice, or another remarketing audience includes sensitive category data, your appeal will be rejected. Conduct a complete compliance audit of every page, every campaign, and every audience list before submitting.
Critical
🔒 Privacy & Compliance Specialist

Still suspended after working through this checklist?

User privacy violations overlap with legal compliance requirements, making them among the most complex Google Ads issues to resolve. I review your full account, privacy setup, and consent mechanisms — and help you build the appeal that gets your account reinstated.
