Check the inbox of the email address linked to your Google account. Google always sends a clear notification that names the specific policy — in this case, Data Collection and Use. The email will often include the names or URLs of the specific pages causing the problem. Keep it open while you work through this checklist, as you will need details from it when writing your appeal.
Go to the Google platform that flagged you. In Google AdSense: click "Policy Center" in the left menu. In Google Ads: click the tools icon (wrench) then "Policy Manager." In Search Console: click "Security & Manual Actions" then "Manual Actions." Find and read the violation in full, take a screenshot, and note whether specific page URLs are listed — every named page must be fixed individually.
This policy requires every website using Google services to: clearly tell visitors what data is collected and why, explain who it is shared with, get proper permission before collecting sensitive data, give visitors a way to opt out, have a working and visible Privacy Policy, and implement Google's Consent Mode for tracking tools. Any gap in these requirements caused your violation. Your job is to close every gap before appealing.
List every web address mentioned in the violation notice — for example: yoursite.com/contact, yoursite.com/signup, yoursite.com/blog. You must audit and fix each page individually. Do not assume that fixing one page fixes them all. Google's review team checks every flagged URL separately, and leaving even one page unresolved will result in the appeal being rejected.
Visit support.google.com/adsense/answer/1348688 for AdSense policies or policies.google.com for Google's broader privacy requirements. Reading the official policy helps you spot issues on your website that you might otherwise overlook. Pay particular attention to sections covering cookies, user consent, children's data, third-party sharing, and personalised advertising — these are the most frequently violated areas.
Go through your entire website and write down every piece of information it asks visitors for or records automatically. Common examples: name, email address, phone number, billing address, IP address, browsing behaviour, location data, and device type. This list becomes the foundation of your Privacy Policy and your appeal. Missing even one data type from this list can result in a second violation after reinstatement.
Every form — contact forms, newsletter sign-ups, checkout forms, registration, quizzes, surveys — collects data. Visit each one and check: Is there a note telling the user why you are collecting this information? Is there a link to your Privacy Policy next to the form? Does the form collect more data than it actually needs? Remove unnecessary fields and add a Privacy Policy link and a brief disclosure note to every single form on your website.
Cookies are small files websites store on a visitor's device to remember preferences or track behaviour. Tracking scripts are code from third-party services like Google Analytics, Facebook Pixel, or ad networks. Use a free scanner such as cookiebot.com or CookieYes to scan your website and generate a full list. Every cookie and script must be disclosed in your Privacy Policy and covered by your cookie consent banner — none are exempt.
Collecting personal data from children under 13 without clear parental consent is one of the most serious data violations. If your website targets or is likely visited by children — through content about toys, games, cartoons, or education — you must have special protections. Either add proper parental consent mechanisms or remove all data collection from those pages entirely. In Google AdSense, you must also mark any child-directed content in your account settings to disable personalised ads on those pages.
Sensitive data requires the highest level of protection and explicit user consent. Sensitive categories include: health or medical information, financial details (bank accounts, credit card numbers beyond payment processing), racial or ethnic origin, religious beliefs, sexual orientation, political opinions, biometric data, and criminal history. If your site collects any of these, you must clearly disclose it and obtain explicit, informed consent from each user before collecting it — implied or passive consent is not sufficient.
Remarketing means showing ads to people who already visited your site, made possible by a tracking cookie placed on their device. If you use Google Ads remarketing or any retargeting service, your Privacy Policy must explicitly say so. Visitors must also be told their browsing behaviour is being used to show them personalised ads, and they must have a clear way to opt out. Check that both your disclosure and your opt-out mechanism are in place and working.
If your website has no Privacy Policy, create one immediately using a free generator like privacypolicygenerator.info, termly.io, or iubenda.com. If you already have one but it is more than 12 months old, or does not cover all the data you currently collect, rewrite it now. After generating, read every section carefully and customise it to accurately match what your website actually does. Do not use a generic template without editing it — a mismatched privacy policy is itself a violation.
Your Privacy Policy must be clearly accessible from every single page — not buried inside a menu or hidden at the end of a long document. Add a link to it in your website footer (the section appearing on every page). Also link to it next to every form that collects data, and include it in your cookie consent banner. Google's review team will look for this link first, and if they cannot find it easily, your appeal will fail regardless of how thorough your fixes are.
A compliant Privacy Policy must cover: (1) What data you collect, (2) Why you collect it and how it is used, (3) Who you share it with including all third-party tools, (4) How long you keep the data, (5) How it is stored and kept secure, (6) What rights users have over their data, (7) How users can contact you with data requests, (8) Whether you use cookies and how, (9) Whether you show personalised ads and how users can opt out, (10) Your policy on children's privacy. Missing any section is grounds for a rejected appeal.
Any time you use Google Analytics, Google Ads, Facebook Pixel, YouTube embeds, Stripe payments, Mailchimp, live chat, or any other third-party feature, that service may also collect data from your visitors. You must name each service in your Privacy Policy, explain what data they collect, link to their own Privacy Policy, and explain why your site uses them. Visitors have a right to know every organisation collecting information about them through your website.
Your Privacy Policy must explain that users can: request to see what data you hold about them, ask you to correct inaccurate data, ask you to delete their data, ask you to stop processing their data, and in regions like the EU, object to automated decision-making. Provide a clear way to make these requests — typically a dedicated email address or a contact form specifically for data enquiries. Users must be able to act on these rights without unnecessary obstacles.
Your Privacy Policy must state how long you keep different types of data. Examples: "We keep contact form submissions for 12 months," "We retain purchase records for 7 years as required by tax law," "We delete newsletter subscriber data within 30 days of unsubscription." Review what you currently store, set clear and reasonable time limits, then update your Privacy Policy to reflect them. Keeping data indefinitely or longer than necessary is itself a violation of the principles Google's policy is built on.
Every Privacy Policy must show when it was last updated — displayed prominently at the very top of the page, for example: "Last updated: May 2025." This signals to users and Google's reviewers that the policy is current and actively maintained. Every time you make changes to how your website handles data, update the policy and change this date. A policy without a date is often treated as outdated, even if it was written recently.
A cookie consent banner is the pop-up or bar that appears when someone first visits your site, asking them to accept or decline cookies. If you do not have one, add it now using a free tool like CookieYes, Osano, or Cookiebot — all of which can be set up without coding knowledge. The banner must: appear before any non-essential tracking cookies activate, clearly explain what cookies do, offer separate options for different cookie categories (analytics, marketing, functional), and give a genuine choice to accept or decline each type.
Any consent checkbox on your website — "I agree to receive marketing emails," "Accept all cookies," "Share my data with partners" — must start as unticked. Pre-ticking means you are assuming the user agreed without them actively doing so, which is not valid consent. Go through every form and every consent prompt on your site. Ensure all consent options begin empty and require the user to deliberately tick them. This also applies to cookie banner settings — "Accept All" cannot be the default.
A cookie wall stops users from reading your content unless they first accept all cookies. This is forced consent, which is not legally valid. Users must be able to access your website — or at minimum its basic content — even if they decline non-essential cookies. If your site currently blocks access to users who decline cookies, remove or redesign this restriction immediately. Making consent a condition of service is prohibited under Google's policy and most privacy laws.
Google Consent Mode tells your Google tools (Analytics, Ads, etc.) to adjust their data collection based on what a user consented to. If a user declines cookies, the tools collect less data but continue operating in a limited, privacy-safe way. This is now required for all publishers using Google's ad products. If you use Google Tag Manager, search "Google Consent Mode v2 setup" on support.google.com for instructions. Many cookie consent tools like CookieYes also configure this automatically — check your tool's settings to confirm it is enabled.
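The default-then-update flow described above, sketched as an added example (not code from this checklist or from Google). The banner category names and the `onBannerSaved` hook are assumptions; the consent signal names and `wait_for_update` are Consent Mode parameters.

```javascript
// Added example: Consent Mode v2 defaults and updates driven by banner choices.
// The category names (analytics, marketing, functional) are assumptions that
// mirror the banner categories described in this checklist.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); }

// Which Consent Mode signals each banner category controls.
const SIGNALS_BY_CATEGORY = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  functional: ['functionality_storage', 'personalization_storage'],
};

// Translate banner choices into a Consent Mode state object.
// Only a literal `true` grants consent: a missing key, null, or a string
// such as "yes" is treated as denied, so nothing is granted by accident.
function toConsentState(choices = {}) {
  const state = {};
  for (const [category, signals] of Object.entries(SIGNALS_BY_CATEGORY)) {
    const granted = choices?.[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Call this before any Google tag loads, so tags start in the denied state.
function setConsentDefaults() {
  const defaults = { ...toConsentState({}), wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Call this from the banner's "save preferences" handler (hypothetical hook).
function onBannerSaved(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  return state;
}

setConsentDefaults();
// Constructed visitor choice: analytics accepted, marketing declined.
console.log(onBannerSaved({ analytics: true, marketing: false }));
```

If a consent tool such as CookieYes already sends these signals for you, do not add a second copy; check the tool's settings instead.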
If your website shows Google AdSense or any personalised advertising, you must give users a clear and accessible way to opt out — meaning they can choose to see generic ads instead of ads based on their browsing behaviour. Add a link to Google's Ad Settings page (adssettings.google.com) and to the Digital Advertising Alliance opt-out page in your Privacy Policy. Ideally, also include an opt-out link in your cookie banner's marketing cookies section.
Withdrawing consent must be as simple as giving it. This means: your cookie banner must have a "Manage Cookie Preferences" option accessible at any time, not just on first visit (add a small link in your footer); every marketing email must have a one-click unsubscribe link; and if a user contacts you to withdraw data consent, you must act within 30 days. Test all of these withdrawal paths yourself to confirm they work properly before submitting your appeal.
HTTPS is the secure version of the web connection your website uses. If your site address starts with "http://" rather than "https://", data submitted through your forms (including contact details and payment info) is transmitted without encryption and can be intercepted. You need an SSL/TLS certificate to fix this — most web hosts offer this free through Let's Encrypt. Contact your hosting company and ask them to enable HTTPS on your website. This is also a basic requirement for Google Ads and AdSense.
Check your email list, CRM system, website database, and any spreadsheets where you store user data. Delete: contacts who signed up long ago and have never engaged, data from people who have unsubscribed or requested deletion, and any data collected for a purpose that no longer applies to your business. Storing data indefinitely is a violation of the data minimisation principles underpinning Google's policy. Document what you deleted and on which date — this strengthens your appeal.
Only people who genuinely need access to user data should have it. Review your Google Analytics, email marketing platform, CRM, and any other tool holding user data. Remove access for team members, contractors, or former employees who no longer need it. Where possible, set different permission levels — a social media manager does not need access to customer billing records. This is called the principle of least privilege and is a core requirement of responsible data handling.
If you share user data with any third-party service — a payment processor, email platform, analytics tool, or CRM — that service must also comply with privacy regulations. Check that each one has a current Privacy Policy and is GDPR-compliant (or compliant with the laws in your country). If a service cannot demonstrate compliance, stop sharing your users' data with them. You are partly responsible for what happens to data you pass on to other companies.
If any pages on your website are designed for or frequently visited by children under 13, you must not collect personal data there. This includes tracking cookies, analytics, ad personalisation, newsletter sign-ups, and contact forms. If Google AdSense is running on those pages, mark them as "child-directed" in your AdSense account settings — this disables personalised ads. Failing to do this is one of the most severe data violations and can result in a permanent, non-appealable ban.
A data breach occurs when personal information is accessed, stolen, or exposed without authorisation — for example, if your site is hacked and email addresses are leaked. Your Privacy Policy should state what you will do if this happens. At minimum: you will investigate promptly, notify affected users within 72 hours (required in many regions), take steps to limit further damage, and notify the relevant data protection authority if required. A single clear paragraph in your Privacy Policy covering these points is sufficient and expected by reviewers.
Open an incognito window (Chrome: Ctrl+Shift+N, Mac: Cmd+Shift+N) and visit every flagged page. This shows pages as a first-time visitor or Google reviewer would see them — no saved logins or cached files can hide issues. Check that: the cookie consent banner appears before tracking begins, the Privacy Policy link is visible in the footer, no forms collect data without disclosure, no consent boxes are pre-ticked, and the HTTPS padlock appears in the browser address bar. Then repeat the check on your phone.
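Part of this manual check can be scripted against the saved source of each flagged page. The following is an added example, not part of the original checklist: a heuristic scan for pre-ticked checkboxes, forms that post over plain HTTP, and missing Privacy Policy links. The `/privacy-policy` path, the rule names and the sample HTML are assumptions.

```javascript
// Added example: heuristic audit of saved page source (constructed sample below).
// Regex-based on purpose so it runs without a DOM; confirm findings by hand.
function auditPage(html, { policyPath = '/privacy-policy' } = {}) {
  const findings = [];

  // 1. Any checkbox that is ticked before the visitor touches it.
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const isCheckbox = /\btype\s*=\s*["']?checkbox/i.test(tag);
    const preTicked = /\schecked(?=[\s=\/>])/i.test(tag);
    if (isCheckbox && preTicked) findings.push({ rule: 'pre-ticked-checkbox', detail: tag });
  }

  // 2. Forms that post over plain HTTP or carry no Privacy Policy link.
  for (const [form, attrs] of html.matchAll(/<form\b([^>]*)>[\s\S]*?<\/form>/gi)) {
    const action = (attrs.match(/\baction\s*=\s*["']([^"']*)["']/i) || [])[1] || '';
    if (/^http:\/\//i.test(action)) findings.push({ rule: 'insecure-form-action', detail: action });
    if (!form.includes(policyPath)) {
      findings.push({ rule: 'form-without-policy-link', detail: action || '(no action)' });
    }
  }

  // 3. The footer must link to the Privacy Policy.
  const footer = (html.match(/<footer\b[\s\S]*?<\/footer>/i) || [''])[0];
  if (!footer.includes(policyPath)) {
    findings.push({ rule: 'footer-missing-policy-link', detail: policyPath });
  }
  return findings;
}

// Constructed sample page: the first form has three problems, the second is clean.
const SAMPLE_HTML = `
<form action="http://example.test/subscribe" method="post">
  <input type="email" name="email">
  <input type="checkbox" name="marketing_opt_in" checked> Send me offers
</form>
<form action="/contact" method="post">
  <input type="text" name="name">
  <input type="checkbox" name="agree"> I agree
  <a href="/privacy-policy">Privacy Policy</a>
</form>
<footer><a href="/privacy-policy">Privacy Policy</a></footer>`;

console.log(auditPage(SAMPLE_HTML).map((f) => f.rule));
```

The scan only sees static markup, so whether the banner appears before tracking starts still has to be checked in the browser as described above.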
Before submitting anything to Google, write down every fix in plain, numbered order. Example: "1. Created new Privacy Policy — published at yoursite.com/privacy-policy on [date]. 2. Added cookie consent banner via CookieYes — now fires before any tracking. 3. Removed pre-ticked marketing consent checkbox from newsletter form. 4. Implemented Google Consent Mode v2 via Tag Manager. 5. Removed Google Analytics from child-content pages." The more specific and factual your list, the more convincing your appeal will be to Google's review team.
For AdSense: log in → Policy Center → find the violation → click "Request Review" → paste your numbered changes list. For Google Ads: log in → Tools (wrench) → Policy Manager → find the item → click "Appeal" → paste your list. Submit once and wait patiently. Submitting the same appeal multiple times will not speed up the process — it can actually delay it and trigger additional scrutiny. Google typically takes 3 to 14 business days to respond. Monitor your email and dashboard daily.
Privacy regulations and Google's policies change regularly. Every 3 months, spend 15 minutes reviewing your Privacy Policy and ask: Have I added new tools that collect data? Has anything changed about how I use or store data? Is the "Last Updated" date still accurate? If yes to any, update the policy. This small habit prevents the months of lost revenue that come with a repeat violation. Set the reminder now before you forget.
If you receive repeated violations, collect sensitive data, serve users across multiple countries, or are unsure whether your setup is fully compliant, invest in professional compliance support. A digital consultant or privacy specialist can perform a full audit of your data practices, implement a properly configured consent management platform, and create documentation that meets both Google's requirements and applicable privacy laws — preventing costly violations, regulatory fines, and permanent account bans.
Need Expert Help Getting Compliant?
Our team at UmairConsult helps businesses resolve Google policy violations, implement proper data compliance, and get their accounts fully reinstated — without the guesswork or waiting.