Feb 15 2011

Are you violating Google’s Privacy Policy?

The New York Times recently wrote a story about how J.C. Penney used “black hat” optimization – or search practices Google equates to cheating – to obtain top search ranking results. When Google was made aware of Penney’s tactics, they penalized the company where it hurt, in the search. They went from the number one or two spot in most categories to essentially nonexistent. While these are violations of Google’s search policy, there are other ways you can hurt your Google search results and NOT EVEN KNOW IT.

After I read the New York Times piece I began thinking about ways (not just blatant) one could harm their Google relationship. I learned that one of the most common ways is violating Google’s Privacy Policy.

Did you know? Every site that uses Google AdWords, Analytics or AdSense, and does not have a privacy policy, violates three of Google’s terms of service agreements.

What happens if you violate Google’s terms of service? If you read the fine print, you could actually be sued. However, the more likely scenario is that you’ll lose access to whatever Google program you’ve violated, which in turn affects your online search results.

Common ways businesses unintentionally break Google’s privacy policies and how to correct them:

Borrowed with attribution from Search Engine Land, “How Many Google Privacy Policies Are You Violating?” by Brad Geddes

Google Analytics

Google Analytics (GA) is used on more than 28% of all websites. When you sign up for GA you must agree to the terms of service. Take a close look at section seven of this document:

7. PRIVACY. You will not (and will not allow any third party to) use the Service to track or collect personally identifiable information of Internet users, nor will You (or will You allow any third party to) associate any data gathered from Your website(s) (or such third parties’ website(s)) with any personally identifying information from any source as part of Your use (or such third parties’ use) of the Service. You will have and abide by an appropriate privacy policy and will comply with all applicable laws relating to the collection of information from visitors to Your websites. You must post a privacy policy and that policy must provide notice of your use of a cookie that collects anonymous traffic data.

Source: Google Analytics terms of service.

If you use Google Analytics you must have a privacy policy on your website. Considering many small websites do not have a privacy policy, those sites are automatically breaking Google’s terms of service.

Another reason to have a privacy policy is that transparency to the user is one factor Google uses to determine your landing page quality score.

To be in compliance with this section of Google Analytics terms of service:

  • Create a privacy policy
  • State the usage of third party tracking
  • State the usage of cookies to track anonymous data

By following these simple steps, your site will now be in compliance with the most commonly broken rule of the Google Analytics privacy policy. However, Google Analytics terms of service does contain more details about how the service should be used, such as not using it to collect personally identifiable information. Given the stakes if you’re not in compliance, you should really take the time to closely read the entire Google Analytics terms of service.

AdWords conversion tracking

When Google first launched AdWords conversion tracking you had to put a script on a page that would show a graphic to someone who converted (and had the AdWords cookie on their browser). Later, Google made a change where you could opt not to show a script, but still inform users yourself.

This is the most ambiguous of Google’s policies as there are no guidelines to follow; therefore, a simple statement that you use third party cookies to track data is all that is required to be in compliance. If you have amended your privacy policy to follow the Google Analytics terms of service, then you should be in compliance with this policy. If you are not using Google Analytics, then follow those same steps to comply with this guideline.

AdWords remarketing

Remarketing is powerful as you can serve ads across the content network to people who visited your website even once. While powerful, these ads can seem creepy to users, as you can follow someone around the web making very explicit statements in your ads.

Because it is easy to abuse remarketing, and cause uneasy feelings in some consumers that can push them away from ads, Google has some policies you must follow if you use Google’s remarketing feature. Here is an excerpt from Google’s policies on remarketing:

If you’re using the remarketing feature, you must have an appropriate description of your use of remarketing in online advertising. The description must be included in the privacy policies of all sites that include the remarketing tag. The privacy policies should include the following information:

  • Third party vendors, including Google, show your ads on sites on the internet.
  • Third party vendors, including Google, use cookies to serve ads based on a user’s prior visits to your website.
  • Users may opt out of Google’s use of cookies by visiting the Google advertising opt-out page. (Alternatively you can point users to opt out of a third party vendor’s use of cookies by visiting the Network Advertising Initiative opt out page.)

If you’re using DoubleClick’s remarketing pixels, your privacy policy may instead tell users to opt out of DoubleClick’s use of cookies by visiting the DoubleClick opt-out page or the Network Advertising Initiative opt-out page.

Because advertiser sites and laws across countries/territories vary, we’re unable to suggest specific privacy policy language. However, you may wish to review resources such as the Network Advertising Initiative (NAI) for guidance on drafting a privacy policy.

Source: Google Help Files.

You can link to a single opt out page if you are using AdWords, DoubleClick or both for remarketing:

Remarketing policies by industry

Google’s industry-specific policies are here. Most of these policies fall into one of three categories:

  • Don’t use sensitive information in ads
  • Don’t imply you know more about someone than you do
  • Follow the laws: don’t market to children under 13

Here are some requirements for a few common industries:

Financial services:

Financial sites are not just credit card companies: they are also banks and affiliates who promote products and services in this industry.

Here’s a quote from Google’s remarketing restriction page:

  • Sites which solicit or store information about the user’s financial status or situation cannot use that sensitive information to create remarketing lists.
  • Ads which imply to know the user’s financial status or information should not be run with remarketing.

This means you cannot have a remarketing list that was compiled when someone visited the “bad credit” section of your website and then serve ads that say, “We know your credit is bad. We’ll give you a credit card anyway.” Financial sites have many laws they need to follow, but Google’s remarketing terms of service is a must read for any financial site.

Marketing to children

More from Google:

Because of numerous laws around marketing to children, in the US and elsewhere, we want to ensure we do not allow advertisers to remarket to children under 13 using remarketing. Sites which store or solicit information about users that indicates their age is below 13 may not create remarketing lists using that data. Ads which are directly marketed toward users under 13 OR ads which are primarily appealing to those under 13 are not allowed to run in conjunction with remarketing. Ad texts which appear to target children are not permitted to run in conjunction with remarketing.

This is a grey area. If your ads appear like they will appeal to children, you can be outside of the terms of service. If you offer services for children or families, you need to make sure your ads are speaking to the parents and not to the minors.

Sensitive information

Your lists and ads can never be segmented by:

  • Race
  • Ethnic background
  • Sexual orientation
  • Sensitive or private information
  • etc.

While this might seem obvious for privacy reasons, there are times you might naturally segment this way for marketing purposes—but you need to be careful. Let’s say you own a dating site, and that site has a Latino and Catholic section. You cannot cookie just people in the Latino section with one list and people in the Catholic section with another list and then target those individuals with Latino dating service ads.

Likewise, you cannot make a “drug rehab” list and serve ads based upon needing a drug rehabilitation center. That is just too personal.

If you are engaged in remarketing, you should take a look at the Google remarketing policy page.

Interest based ads

Google’s “interest based ads” are still in beta; however, beta advertisers should be following Google policies as well.

The policies for interest based ads are very similar to the remarketing policies. If you are in the interest based ads beta, even though you might not be using remarketing, you should pay close attention to the terms as you need to inform users of your lists and opt-out methods.

Because this policy is so close to remarketing, there is no need to cover it in-depth; but you can read more on the interest-based advertising policy page.

Google AdWords terms of service

What we covered in this column with regards to Google’s terms of service mostly concerns the privacy policy. However, you should be aware of the AdWords terms of service to make sure you are following all of the practices. The entire policy can be found here.

Google AdSense

Google AdSense is so prevalent across the web, and so easy to install, I believe most publishers (especially the small ones with instant blogging plug-ins) don’t understand there are terms of service that all AdSense publishers must agree to.

The AdSense policy (this is for the US; you can see the terms by country here) clearly states:

You must have and abide by an appropriate privacy policy that clearly discloses that third parties may be placing and reading cookies on your users’ browser, or using web beacons to collect information, in the course of ads being served on your website. Your privacy policy should also include information about user options for cookie management.

This is a very similar policy to Google Analytics. There are many more policies with regards to AdSense about not encouraging people to click ads and so forth. If you use AdSense, you need to read the terms of service. However, you also need to have a privacy policy that lets people know about your cookie usage.

About privacy policies

Laws concerning privacy policies vary by country. In the United States you do not have to have one—it is optional. However, if you have one you need to follow it.

In other countries, privacy policies are mandatory.

Creating a privacy policy should be a business decision as it may affect how you collect and use data. However, if you use several of Google’s services, privacy policies are mandatory.

If you would like to learn more about privacy online, here are some good resources:

4 Comments on this post

  1. Francisco Kemeny said:

    great post! very useful! :D

    February 16th, 2011 at 9:29 pm
  2. Davina K. Brewer said:

    I know what I’ll be doing.. and blogging.. next week: privacy policy. I don’t harvest or share emails, and am only just now learning to use the GA on my website, so this is a great reminder. Thanks.

    February 17th, 2011 at 12:39 pm
  3. Oscar Gonzalez said:

    Thank you for the reminder. I better get going and check all my sites soon.

    February 19th, 2011 at 9:42 pm
  4. semmy @ Make Money Online said:

    Ah, I’ve just realized this. I think I must add the privacy policy.. thank you very much for your article!

    February 27th, 2011 at 5:38 am