Google Ads and Data Protection – What Website Operators Need to Know

If a website operator uses Google Ads with conversion tracking, they process conversion events, click data, and device information for the purpose of measuring the success of advertising campaigns on the basis of consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG). Google Ads is an advertising-based tracking and targeting system from Google that enables website operators to measure advertising campaigns and to retarget users.

A. Purpose and Function of Google Ads, Conversion Tracking, and Floodlight

Google Ads is the advertising network of Google Ireland Limited. With it, website operators and e-commerce companies can place paid advertisements on Google Search, the Google Display Network, and other Google partners. Conversion tracking is an integral feature: It measures whether users, after clicking on a Google ad, perform a particular action on the advertiser's website (e.g. purchase, registration, download, enquiry form).

Floodlight tags are a special form of conversion tracking, originally from the former DoubleClick platform that Google acquired. Floodlight makes it possible to measure conversions across multiple tracking points (e.g. different websites or apps) and offers more granular tracking options than the standard Google conversion tag.

Integration function: On the website, either a JavaScript code (Google Conversion Tag or Google Tag Manager with conversion tags) or a Floodlight pixel is embedded. The code loads on page view, sets cookies (in particular _gcl_aw for the GCLID – Google Click ID), and sends conversion data to Google servers. Conversions can also be triggered when certain pages are visited (e.g. a thank-you page after registration).

B. Mandatory Disclosures in the Privacy Policy on Google Ads

The GDPR requires the following mandatory disclosures for Google Ads conversion tracking and Floodlight: purposes of processing (Art. 13(1)(c) GDPR), legal bases (Art. 13(1)(b) GDPR), in particular since tracking cookies require consent, recipients and categories of recipients (Art. 13(1)(e) GDPR), retention period of the data (Art. 13(2)(a) GDPR), and information on third-country transfers to Google LLC in the USA (Art. 13(1)(f) GDPR, with DPF or SCC).

This information should not be listed as a separate text template for Google Ads. Instead, a topic-oriented approach is recommended: Under the heading "Marketing and advertising campaign measurement", all advertising and tracking services are summarised (Google Ads, Facebook Pixel, LinkedIn Ads, etc.) with shared legal bases and purposes. Provider details follow in a structured recipient list in the annex. This corresponds to the matterius methodology and is maintainable.

C. Provider of Google Ads: Google Ireland Limited

Provider: Google Ireland Limited (for German website operators)

Full address: Gordon House, Barrow Street, Dublin 4, Ireland

Country of seat: European Economic Area (EEA), Ireland

Contractual partner: Website operators typically conclude Google Ads accounts with Google Ireland Limited, which acts as the controller for EU customers. The US parent company, Google LLC (Mountain View, California, USA), operates the actual servers and sub-processors.

Data Privacy Framework (DPF): Google LLC has been certified under the EU-US Data Privacy Framework since September 2023 (https://www.dataprivacyframework.gov/participant/5780). The US level of data protection is therefore considered adequate.

Provider's privacy policy: https://policies.google.com/privacy (general Google privacy policy)

Data Processing Agreement (DPA): Google Ireland Limited offers a standardised Data Processing Agreement that can be retrieved via the Google Ads account dashboard. Website operators should activate this. Details: https://support.google.com/google-ads/answer/3221666

D. Data Processing by Google Ads – Procedure

E. Data Collected When Using Google Ads Conversion Tracking

Google Ads, when conversion tracking and Floodlight are activated, records click information, device and browser information, and conversion events. The data collected includes in particular: GCLID (Google Click ID) from the URL parameter, timestamp of the conversion, conversion value (e.g. purchase amount), custom parameters (depending on the tracking configuration), and for Enhanced Conversions the hashed email address or telephone number.

This data can be classified into the following standardised data type categories:

• Web server log data: IP address, browser version, operating system, device type, referrer, timestamp
• Click paths: The URL with the GCLID parameter (containing tracking information about the click), target page after the click
• Device data: Device type, operating system, screen resolution
• Browser information: Browser name, browser version, language
• Coarse location data: Coarse location determined on the basis of the IP address
• Conversion events: Purchase, registration, download, enquiry form, page view, custom events, conversion value
• User profiles: Where remarketing is activated: historical click and interaction data, interest profiles, segment assignment

F. Purposes of Use When Using Google Ads

The primary purposes of Google Ads conversion tracking are the success measurement of advertising campaigns (return on ad spend, conversion rate) and the optimisation of targeting (who is most likely to click on advertisements and convert). In addition, Google LLC uses the aggregated conversion data to improve the Google Ads service and to train machine learning models.

The purposes can be classified as follows:

• Provision of functionality: Measurement and provision of conversion data to the advertiser
• General product improvement: Optimisation of the Google Ads platform, improvement of targeting algorithms
• General marketing: Success measurement of campaigns, success measurement through third-party attribution
• User profile creation: Formation of interest segments and cohorts on the basis of conversion behaviour
• User-individual marketing: Remarketing to users who have converted or who have shown a particular behaviour, personalised targeting

G. Legal Bases for Google Ads Conversion Tracking

Google Ads conversion tracking falls into the category tracking (marketing). The legal basis is:

Primary legal basis: Consent (Art. 6(1)(a) GDPR in conjunction with § 25(1) TDDDG)

The setting of tracking cookies by Google Ads (in particular _gcl_aw for the GCLID) and the transfer of conversion data to Google servers require, under German law, the explicit consent of the user before activation. This is typically obtained via a cookie consent banner. Consent must be given specifically for advertising tracking and Google Ads.

Google Consent Mode v2 makes it possible to process Google Tags (Ads, Analytics, Floodlight) differently based on user consent. In "Basic Mode", data transfer takes place only with consent, which enables a GDPR-compatible configuration.

The specific legal basis must be examined by the website operator on a case-by-case basis.

H. Special Features and Notes on Google Ads

• GCLID handling: The GCLID parameter is automatically added to the URL (auto-tagging). Website operators should ensure that this parameter is not stored in external logs or analytics systems without a legal basis.
• Enhanced Conversions: Optional feature that sends hashed customer data (email, telephone) to Google. This requires special data protection precautions and corresponding transparency disclosures.
• Floodlight specifics: Floodlight tags enable cross-domain tracking and are more granular than standard conversion tags. They likewise require consent and a DPA.
• Data Privacy Framework (DPF): Google LLC is certified. Verification at https://www.dataprivacyframework.gov/participant/5780
• Processing relationship: A DPA with Google Ireland Limited should be concluded and can be activated via the Ads dashboard.
• Google Ad Settings: Users can manage their advertising settings at https://adssettings.google.com and limit tracking.

I. FAQ on Google Ads Conversion Tracking and Floodlight

J. Conclusion and Recommendation on Google Ads

Google Ads is a central marketing tool for many website operators, since it directly measures the profitability of advertising campaigns. According to the publicly accessible information of the provider and common GDPR interpretation, consent is typically the relevant legal basis for conversion tracking and Floodlight. Data processing takes place – according to Google – under DPF certification in the USA, and a DPA is recommended.

It makes little sense to include a separate text template for Google Ads in the privacy policy. This results in long, unwieldy texts that are difficult to maintain and run counter to the transparency requirement of Art. 12(1) GDPR. A topic-oriented approach is more appropriate, explaining processing operations such as "Marketing and advertising campaign measurement" in an integrated manner and naming Google Ireland Limited as the specific recipient in the annex. This is the methodology of the matterius generator.