Back to blog

Google's Restricted Data Processing & Universal Opt-Out in the USA

Reading time 14 mins | Written by: Liza Kruse

Google's Restricted Data Processing & Universal Opt-Out in the USA


Navigating Google's Latest Privacy Policy Changes: Impacts and Adaptation Strategies for Advertisers

In today's digital landscape, where privacy and security are paramount, Google has announced significant updates to its privacy policies. These updates are designed to address evolving privacy legislation in several U.S. states, including Florida, Texas, Oregon, Montana, and Colorado, that will significantly impact the way advertisers and marketers operate. The goal is to strengthen user privacy while ensuring that companies can comply with new regulations.

A key element of these changes is the Colorado Privacy Act (CPA), which introduces a universal opt-out mechanism (UOOM). This addition presents both challenges and opportunities for digital marketing professionals. Advertisers will need to review and potentially revise their data management practices and audience targeting and ad personalization strategies.

In this blog post, we will explore the nuances of Google's recent privacy policy updates, analyze their impact on advertising strategies, and provide actionable advice on how to adapt to this new privacy framework effectively. Join us to ensure your marketing initiatives are both effective and compliant.

Overview of the New Privacy Regulations

The digital privacy landscape continues to evolve, resulting in a proliferation of legislative actions in several U.S. states. These regulations require companies to overhaul their data processing tactics to protect users' privacy. In response, Google has updated its policies and tools to help advertisers comply with these new standards. At the heart of Google's changes are two key concepts: Restricted Data Processing (RDP) and the Universal Opt-Out Mechanism (UOOM).

Definition and Explanation of Restricted Data Processing (RDP)

Restricted Data Processing is a special setting within Google's services that helps partners comply with privacy laws. By enabling RDP, Google limits its data processing to essential services and restricts its usual extensive use of data for advertising. This approach prioritizes user privacy but may reduce the effectiveness of targeted advertising and sophisticated data analytics.

Introduction of the Universal Opt-Out Mechanism (UOOM)

Under the Colorado Privacy Act (CPA), the introduction of the Universal Opt-Out Mechanism marks a critical shift. This mechanism utilizes Global Privacy Controls (GPC) that users can activate to signal their preference not to have their data used for personalized advertising across platforms. Advertisers must recognize and respect these GPC signals, which could significantly alter audience targeting and the overall impact of marketing campaigns.

Relevant Changes in affected States

In addition to Colorado, states such as Florida, Texas, Oregon, and Montana are enacting similar privacy laws that will go into effect in 2024. While the specifics of these laws vary - each emphasizing greater data control and transparency - the overarching theme is a move toward stricter protection of user data. Advertisers using Google Ads will need to adjust their strategies and data handling practices to comply with each state's legal framework, ensuring that their marketing efforts remain both compliant and effective.

Exploring the Nuances of Third-Party Data Sharing

Sharing data with third parties involves complex processes that often go beyond mere data transfer. Once data is transferred to a third party, the terms and policies of that third party's products take precedence, effectively shifting responsibility for the data from the original sender to the recipient. This transfer underscores the importance of the original company's obligation to ensure that all necessary compliance measures are met in third-party relationships. Rigorous selection and vetting processes are essential to ensure that these third parties maintain equal or higher standards of privacy and security.

Colorado Privacy Act and Universal Opt-Out Mechanism (UOOM): Measures and Implications

The enforcement of the Colorado Privacy Act (CPA) introduces robust privacy protections for residents, notably through the Universal Opt-Out Mechanism (UOOM). This regulation empowers individuals with greater control over their personal data by allowing them to opt out of certain data processing activities.

Google's Actions under UOOM

In accordance with the UOOM, Google has committed to integrating Global Privacy Controls (GPC) directly from users, allowing Colorado residents to set their privacy preferences centrally. Upon receiving these preferences, Google will promptly disable ad targeting for users who opt out, ensuring that their ad experience is no longer personalized based on their information.

Handling Global Privacy Controls (GPC)

Google’s direct receipt and response to Global Privacy Controls further exemplify its compliance with user privacy desires. These controls allow users to assert their privacy preferences across various platforms seamlessly. Once Google detects a GPC signal, it ceases targeted advertising, adhering strictly to the stipulated privacy settings.

Enhancing User Control Over Privacy

Additionally, users can influence their interactions with Google through privacy settings such as Restricted Data Processing (RDP). This feature allows users to limit how their data is used for advertising, sold, or shared, thereby bolstering their privacy. Such capabilities are crucial for users seeking to protect their personal information from commercial use or distribution, significantly enhancing their overall privacy protection.

Implementing Global Privacy Control (GPC) for User Privacy

GPC Signal

Global Privacy Control (GPC) represents a major step forward in privacy by introducing a universal opt-out signal that users can easily manage within their browsers. This signal, or extension, streamlines the way individuals set their privacy preferences during Internet browsing sessions.

Functionality of GPC

GPC provides a simple mechanism for users to express their choices about cookies, data sharing, data selling, and targeted advertising. When enabled, GPC transmits these privacy preferences from the user's browser to websites the user visits. Sites configured to recognize the GPC signal will automatically opt the user out of certain data use practices.

Consequences of Activating GPC

Enabling GPC results in several privacy-enhancing actions on compliant Websites:

  • Stop Internet tracking: Websites will no longer track a user's activities across different websites, significantly reducing a user's digital footprint.
  • Stop collecting personal information for advertising: The direct collection and use of user data for targeted advertising will be stopped. This change will ensure that users are not served personalized ads based on their behavior or preferences.
  • Prohibit the sale of personal information: Once the GPC signal is detected, the site is prohibited from selling the user's personal information to third parties, thereby protecting the user's information from further commercial use.

Affected Google Products by Changes in Restricted Data Processing

Recent changes to Google's Restricted Data Processing (RDP) protocols primarily affect Google Ads and Analytics. It is important to note that other services such as Google Workspace or Cloud Identity are not affected by these changes.

Google Products with Pre-Implemented Restricted Data Processing

The following products already have restricted data processing applied:

Looker Studio

  • Ads Data Hub
  • Analytics, Analytics 360
  • Audience Partner API
  • Authorized Buyers
  • Campaign Manager
  • Customer Match
  • Display & Video 360
  • Enhanced Conversions
  • Google Customer Reviews
  • Google Survey App for Publishers
  • Looker Studio
  • Offline Conversion Import
  • Open Bidding Buyers
  • Optimize, Optimize 360
  • Search Ads 360
  • Store Sales (Uploads)
  • Tag Manager, Tag Manager 360
  • Waze Ads

Certain Google products already have RDP built in, so users of those services need take no further action. However, when data is moved from these products to other products through linking or other transfer methods, the data becomes subject to the terms of use of the receiving product. This pre-integrated RDP applies to specific services, ensuring compliance without additional user intervention.

Google Products Requiring Manual Activation of Restricted Data Processing

On the other hand, some Google services require users to manually enable RDP in order to comply with privacy regulations and effectively protect personal information. These products include

  • Ad Manager and Ad Manager 360
  • AdMob
  • AdSense
  • Google Ads (except for the Google Ads services listed above)

Users of these products must proactively activate RDP to ensure compliance with privacy laws and to protect the personal information of their audiences. This activation is crucial for maintaining trust and legal compliance, especially in environments with stringent data protection regulations.

Navigating New Privacy Changes in Google Ads: What Advertisers Need to Know

Google's implementation of Restricted Data Processing (RDP) and the Universal Opt-Out Mechanism (UOOM) introduces critical adjustments for advertisers using Google Ads, an essential component of digital marketing strategies. These updates have a profound impact on ad personalization, the use of specific features such as Customer Match and the Audiences API, and the overall effectiveness of remarketing campaigns.

Impact on Ad Personalization

Traditionally, ad personalization has been fundamental to digital advertising, allowing ads to be tailored to the specific interests and needs of users. However, the introduction of UOOM and the broader use of RDP significantly limits the data available for such targeting. This reduction could hinder advertisers' ability to effectively target and personalize ads. If users opt out of data processing, the resulting ads may lack relevance and targeting precision, potentially reducing campaign performance and return on investment.

Effects on Customer Match and Audiences API

Google Ads features such as Customer Match and the Audiences API leverage advertisers' customer data to create customized audiences, increasing reach among users with existing brand relationships. However, the new privacy rules limit the availability of critical data for these personalized tools. With tighter data restrictions and the need for explicit user consent, the functionality of these features may be compromised, resulting in a less effective targeting process.

Reduced Effectiveness of Remarketing Campaigns

Remarketing strategies that target users who have previously expressed interest in a product or service rely heavily on detailed user data to drive re-engagement. The new privacy regulations, coupled with enhanced user privacy controls such as RDP and GPC, may limit access to this critical information. As a result, remarketing efforts may become less effective, with ads becoming less relevant and less targeted. This could lead to reduced user engagement and lower conversion rates.

Strategies for Advertisers to Thrive Under Stringent Privacy Regulations

In an environment of increasing privacy regulations, advertisers must remain vigilant and adaptable to ensure compliance and effectiveness. As these regulations reduce the granularity of available data, improving the quality of data collected with explicit user consent becomes imperative. This high-quality data is essential for effective pattern recognition and predictive modeling, challenging advertisers to establish clear benefits for users who share their data while maintaining transparency about its use.

Building consumer trust through preference management
Implementing a preference management system can benefit both users and advertisers. By allowing users to specify their advertising preferences, companies not only build trust, but also collect data that supports more targeted and relevant advertising. In addition, the use of advanced pattern recognition technologies can help fill gaps left by reduced data availability.

Diversify marketing strategies
Mitigate the impact of reduced data access:
  • Content marketing and influencer marketing: Develop marketing strategies that do not rely heavily on personalized data. Content and influencer marketing can engage audiences with relevant and compelling content without the need for detailed user data.
  • Better leverage first-party data: Prioritize the collection and use of first-party data derived from direct customer interactions. This data is inherently compliant, collected with consent, and invaluable for precise targeting.
  • Develop lookalike audiences: Leverage existing data to identify and target lookalike audiences, which can help extend campaign reach while maintaining privacy.
  • Geographic and demographic targeting: Use broader targeting criteria based on geographic and demographic factors to maintain campaign effectiveness without violating individual privacy.
Innovations in Non-Personalized Targeting Techniques
  • Contextual targeting: Placing ads in contexts that match the product or service, such as placing sports equipment ads on fitness sites. This strategy aligns with users' interests without relying on personal information.
  • Leverage aggregated data: Analyze aggregated data to identify broad patterns and trends that inform campaign strategies, allowing advertisers to target general interests without personal data.
  • Surveys and direct feedback: Engage directly with audiences through surveys and feedback mechanisms to gain insight into their preferences and needs, providing a direct line of communication and data collection.

Understanding the Impact of State Privacy Laws on Business Practices

California's comprehensive privacy laws: CPRA and CCPA

The California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), set strict standards for how businesses handle personal information. A key component of these regulations is the requirement that companies adhere to Global Privacy Controls (GPC). These controls allow consumers to express their privacy preferences universally, overriding other less comprehensive settings, such as those provided by cookie banners. GPC signals must be respected by companies to ensure compliance with California privacy laws, protect consumer rights, and enhance control over personal information.

Colorado's Proactive Approach to Data Privacy: CPA

Colorado CPA

The Colorado Privacy Act (CPA), effective July 1, 2024, significantly strengthens consumer privacy rights in the state. It establishes a universal opt-out mechanism that allows consumers to opt out of the processing of their personal information for advertising purposes and the sale of their information. This mechanism places a firm obligation on businesses to strictly comply with consumer opt-out requests, thereby strengthening consumer privacy.

In addition, the CPA establishes specific technical standards for recognizing and processing these opt-out signals. By January 1, 2024, the Colorado Department of Law will publish a list of approved universal opt-out mechanisms that meet the CPA's technical requirements, providing a valuable resource for businesses seeking to comply with these regulations.

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) is scheduled to go into effect on January 1, 2025. It introduces sweeping changes to data privacy affecting both businesses and consumers. The primary goal of these changes is to increase consumer control over personal information, with a particular focus on targeted advertising and the sale of personal information.

Obligations Regarding Universal Opt-Out Mechanisms (UOOM)

As of January 1, 2025, companies will be required to recognize and implement universal opt-out mechanisms (UOOMs) as a legitimate method for consumers to opt out. This requirement will force companies to respect and process opt-out signals received via UOOMs, thereby stopping the processing of personal data for advertising purposes or its sale. This policy is designed to enable consumers to effectively exercise their privacy rights.

Criteria for Recognizing Valid UOOMs

Unlike similar provisions in other states, such as Colorado, the CTDPA does not delegate the determination of valid UOOMs to the Attorney General. Instead, the statute specifically sets forth the criteria for a valid UOOM, which must be:

  • Fairness: Be transparent and equitable, and protect consumer interests.
  • Voluntary Consumer Choice: Be used on the basis of voluntary consumer choice, free from coercion or undue influence.
  • Usability: Be simple and accessible, allowing consumers to easily configure their privacy settings.
  • Consistency across platforms: Align with other platforms and systems to provide a consistent user experience.
  • Identify Connecticut residents: Accurately identify Connecticut residents to ensure proper handling and implementation of opt-out requests.

Privacy Laws of Delaware, Montana, and Oregon

The Delaware, Montana, and Oregon Data Privacy Acts introduce comprehensive regulations that enhance the protection of consumers' personal information. These laws are closely aligned with the provisions of the Connecticut Data Privacy Act (CTDPA) and include universal opt-out mechanisms (UOOM) that give consumers greater control over their personal information.

Universal Opt-Out Mechanisms (UOOM)

The privacy laws in Delaware, Montana, and Oregon require companies to recognize universal opt-out mechanisms (UOOMs) as legitimate means for consumers to opt out. These requirements mirror those of the CTDPA, allowing consumers to effectively opt-out of the processing of their personal information for marketing or sales purposes. This ensures that consumers' privacy preferences are respected and enforced in all states.

Implementation Timelines

Each state's data protection law will take effect on the following dates:
  • Montana: Implementation begins on January 1, 2025, requiring businesses within Montana to comply with the UOOM provisions.
  • Delaware and Oregon: These states' privacy laws will go into effect on January 1, 2026.

Texas Data Privacy and Security Act (TDPSA)


The Texas Data Privacy and Security Act (TDPSA) is set to go into effect on January 1, 2025, and will bring significant changes to data privacy regulations in Texas. The law requires companies to recognize Universal Opt-Out Mechanisms (UOOMs) as legitimate opt-out requests, with a notable exception that sets this legislation apart from other privacy laws.

Universal Opt-Out Mechanism (UOOM) Obligations

Beginning January 1, 2025, companies doing business in Texas will be required to honor UOOM signals and treat them as valid opt-out requests. This will allow Texas consumers to express their privacy preferences through UOOMs and opt out of the processing of their personal information for marketing purposes or for sale. Businesses must honor these preferences, thereby increasing consumer authority over their personal information.

Exception Clause in the TDPSA

The TDPSA contains a special exemption that allows businesses to disregard UOOM signals under certain conditions. This exemption applies if businesses are not already processing similar or identical consumer requests from other states under comparable laws or regulations. This provision provides businesses with operational flexibility by exempting them from responding to UOOM signals if they are not similarly obligated in other jurisdictions. This is particularly important for companies that do most of their business in states that do not have equivalent privacy regulations.

Setting Up Websites to Respond to Universal Opt-Out Mechanisms (UOOMs)

Implementing Universal Opt-Out Mechanisms (UOOMs) on websites requires overcoming technical hurdles due to the variety of UOOMs, each with its own set of specifications. Below are some critical steps and considerations for organizations seeking to effectively integrate UOOMs into their websites.

Navigating the variety of UOOMs and their technical specifications

UOOMs vary widely in their technical requirements, making it challenging for organizations to implement a unified response system. Flexibility and adaptability are essential when configuring systems to meet these varying specifications.

Using a Consent Management Platform (CMP)

Leveraging a trusted consent management platform (CMP) is a strategic approach to effectively managing UOOM signals. CMPs help companies manage user consent and preferences related to cookies and data processing. Companies should work closely with their CMP providers to ensure that their systems are set up correctly to detect and process UOOM signals efficiently.

Using the Global Privacy Control (GPC) Implementation Guide

Global Privacy Control (GPC) provides an Implementation Guide to assist companies in the accurate processing of GPC signals. This guide provides comprehensive instructions and best practices to ensure that Web sites properly recognize and implement these signals. By following these guidelines, companies can align their operations with users' privacy preferences and comply with regulatory standards.

Contact now

Free initial consultation

Contact us and we will support you in implementing and configuring a Consent Management Platform (CMP) that supports both Universal Opt-Out Mechanism (UOOM) and Global Privacy Controls (GPC).

If you have any questions, please do not hesitate to contact us:

Liza Kruse