Users grant Google permission to share their device, payment, location, and account information with card issuers, payment networks, merchants, payment processors, and other third parties. The sharing with merchants and processors is qualified by the phrase 'where necessary to process your transactions,' though the document does not enumerate specific third-party recipients.
This analysis describes what Google Ads's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the consent basis under which Google shares location, payment, and device data with a broad set of third parties. The non-exhaustive list of recipients and the absence of specific data retention or enumeration language may require evaluation under GDPR and equivalent national data protection frameworks in non-US jurisdictions.
Interpretive note: The phrase 'other third parties' is undefined and the necessity qualifier 'where necessary to process your transactions' introduces ambiguity about which sharing events require separate justification under applicable data protection law.
Under this clause, users permit Google to share their device, payment, location, and account information with card issuers, networks, merchants, and payment processors as part of operating the service. The agreement does not enumerate specific third-party recipients or retention periods for data shared under this provision.
How other platforms handle this
That is why we are committed to transparency about how we collect, use, and share that information.
We retain your personal data for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, we consider the amount, nature, and sensitivity of the p...
We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including app...
Monitoring
Google Ads has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"In order for Google to provide Google Pay services, you permit Google to disclose to apps and websites that you have set up Google Pay, and to share your device, payment, location, and account information with your payment method's issuer and network. Where necessary to process your transactions, you also permit Google to share your personal information with merchants, payment processors, and other third parties.— Excerpt from Google Ads's Google Ads Terms of Service
(1) REGULATORY LANDSCAPE: This provision implicates GDPR, particularly principles of purpose limitation, data minimization, and transparency (Articles 5, 13, and 14), as well as the requirement for a valid lawful basis for processing location and payment data. The Irish Data Protection Commission is the lead supervisory authority for Google's EU operations. The UK GDPR applies to UK users. National data protection authorities across non-US jurisdictions may assess whether blanket consent language of this type constitutes specific and informed consent under local law. (2) GOVERNANCE EXPOSURE: High. The provision authorizes sharing of location data, payment data, device identifiers, and account information with a broad and non-exhaustive category of third parties. The phrase 'other third parties' is not defined. GDPR Article 13 and 14 transparency obligations require identifying specific or categories of recipients; blanket language of this type may face regulatory scrutiny in EU/EEA jurisdictions. (3) JURISDICTION FLAGS: EU and EEA users face heightened exposure under GDPR consent requirements. UK users are subject to UK GDPR. Location data is a sensitive data category in several jurisdictions and its sharing with merchants and processors may require a specific, documented lawful basis. In jurisdictions that treat payment data as sensitive personal data, additional protections may apply. (4) CONTRACT AND VENDOR IMPLICATIONS: Organizations using Google Pay for corporate card programs should assess whether this data-sharing provision is consistent with their internal data governance policies and employee privacy notices. The provision does not identify sub-processors by name, which may create complications for organizations required to maintain data processing records under GDPR Article 30. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should evaluate whether user consent obtained through acceptance of these terms satisfies GDPR's requirements for granular, specific consent for location data sharing. A data mapping exercise should trace which categories of data flow to which third-party categories. Privacy notice updates may be required to reflect the scope of third-party data sharing authorized by this provision.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 10 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the consent basis under which Google shares location, payment, and device data with a broad set of third parties. The non-exhaustive list of recipients and the absence of specific data retention or enumeration language may require evaluation under GDPR and equivalent national data protection frameworks in non-US jurisdictions.
Under this clause, users permit Google to share their device, payment, location, and account information with card issuers, networks, merchants, and payment processors as part of operating the service. The agreement does not enumerate specific third-party recipients or retention periods for data shared under this provision.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Google Ads.