With 18 different state regulations currently signed into law and more on the way, deciphering and approaching data protection in the U.S. can be daunting.


As organizations grapple with the American legal patchwork, Google recently emailed advertisers in the United States with updates regarding opt-out preferences in its advertising and analytics products.


In this article, we help you understand what this Google update means in practical terms for you and your organization, how it might impact our industry, and how to stay compliant.






Breaking down Google’s new updates regarding advertising and analytics products in the U.S.


In a recent communication issued to users of Google ads and/or analytics products, Google acknowledges upcoming regulations in the U.S., namely Florida, Texas, Oregon, Montana, and more specifically, Colorado and its Universal Opt-Out Mechanism (UOOM) provisions.


To comply with these opt-out provisions, Google shares that going forward, the company will update its practices across the organization’s ads and analytics products, which, in the case of Colorado’s opt-out provisions, for example, involve receiving and processing Global Privacy Control (GPC) signal from users to respect and apply their choices, through Restricted Data Processing (RDP), Google’s compliance tool to limit data usage based on certain parameters:


“We will act as your service provider or processor with respect to data processed while Restricted Data Processing (RDP) is enabled for the states outlined above. If you’ve enabled RDP via a product control in Google Ads, then RDP functionality will expand to the other states as they come into effect.”


Google Ads Team, Important updates regarding Restricted Data Processing control & Universal Opt-Out Mechanisms (source: Google) 


In its communication, Google informs users that the company has already updated some of its user terms accordingly to reflect these changes but that no additional action is required from you if you have already agreed to the online data protection terms:



While this is all good and well, what does it mean for you and the industry at large, in practical terms?


What does it mean for the data privacy industry and your organization?


The update might be difficult to understand at a glance, but it is quite straightforward in essence: Google is informing its U.S. customer base that, in accordance with data privacy laws in place, the company is implementing updates to adjust service behavior based on end users’ opt-out choices.


Importantly, the crucial takeaway from the announcement is Google’s acknowledgment of the Global Privacy Control (GPC) signals. 


Essentially, when a user has installed the GPC extension in their browser, or if the browser inherently supports GPC, Google will require its publishers to share this GPC signal. As the owner of Chrome, Google will also presumably directly check for the presence of the GPC signal. If the signal indicates that the user has opted out, Google will enforce its RDP rules, meaning that certain Google Ads features and functionalities will no longer be available to advertisers, causing a significant impact on their digital marketing capabilities:


“As a result of these changes, advertisers might view less personalized ads inventory for bidding resulting in changes to targeting efficiency. Additionally, Customer Match, Audiences API, and Floodlight Remarketing lists may see degraded functionality due to increased user opt-outs via the Global Privacy Control. For users who have opted out of Ad Targeting via Global Privacy Controls, Google will disable personalized ad serving based on Customer Match, Audiences API, Floodlight, and Remarketing lists for those users.”

Google Ads Team, Important updates regarding Restricted Data Processing control & Universal Opt-Out Mechanisms (source: Google) 


What remains unclear in Google’s announcement is the handling of potential opt-in requests under specific legal frameworks, such as the Universal Opt-Out Mechanism (UOOM) in Colorado


These regulations allow publishers to ask users who have opted out via GPC to reconsider and consent to data sharing on a particular site despite their broader opt-out preference. However, Google’s update does not provide details on how it expects to receive and process such signals from publishers.


This lack of clarity leaves a significant gap in understanding how advertisers should manage user consent in compliance with both GPC and varying local laws.


What are the next steps, and how can Didomi help?


These changes establish the start of new requirements for Google users in the U.S., confirming moves that the company has made in recent months, including adopting IAB Tech Lab’s Global Privacy Platform (GPP) and supporting Global Privacy Control (GPC) signal in its Chrome browser.


This is a logical continuation for Google, which has worked extensively on implementing data privacy in its products and services over the last years in Europe, including the release of Google Consent Mode V2, the adoption of the Transparency and Consent Framework v2.2, and the creation of the CMP Partner Program


“Although not explicitly mentioned, it is conceivable that this development represents an initial step towards extending the Google CMP Partner Program. This mirrors the approach Google took in Europe, where they initially adopted existing protocols before gradually ensuring compliance by mandating that CMPs be certified by Google.  Change is on the horizon in the U.S., and we at Didomi are excited to help U.S. organizations tackle the challenges ahead."


Thomas Adhumeau, Chief Privacy Officer at Didomi


As a long-time Google collaborator and certified CMP provider, Didomi is strategically positioned to help U.S. companies prepare for what we believe will be a major shift in the American data privacy landscape.


To learn more, check out our Google-certified Consent Management Platform (CMP) and book a call with one of our experts to continue the conversation:

Talk to an expert