TL;DR: AdSense rejected your site because your privacy policy doesn’t name Google, third-party cookies, and personalized advertising in the wording its reviewers grep for. Fastest fix: paste Google’s required content language into /privacy (the three sentences in Step 2 below), link /privacy from every page footer, publish a European-regulations consent message from AdSense -> Privacy & messaging if you serve EEA/UK/Swiss traffic, wait ~24-48 hours for a recrawl, then request another review from the Policy center.
Your AdSense Sites status shows “Needs Attention” (or it’s stuck on “Getting Ready”), and the rejection reads something like “your site doesn’t meet our policies — necessary policies are missing.” The most common cause that fits this wording: the privacy policy is missing, or exists but doesn’t say what AdSense’s program policies and required content require. A boilerplate “we don’t collect any data” line doesn’t pass — AdSense reviewers (and Google’s automated crawler) look for the specific terms “third-party,” “cookies,” “Google,” and “personalized advertising” on the page.
This page covers exactly what an AdSense-passing privacy policy contains as of June 2026, the verbatim language Google asks for, and the specific traps that trip up indie sites.
Which bucket are you in
Run the three checks below before changing anything. Most rejections are bucket A or B.
| Quick check | Result that points here | Bucket |
|---|---|---|
curl -sI https://yourdomain.com/privacy | Returns 404 | A — no privacy page |
curl -s https://yourdomain.com/privacy | grep -ic google | Returns 0 | B — page exists but too generic |
| Open the site through a German VPN | No consent banner appears | C — missing certified CMP for EEA/UK/CH |
| View any article’s footer | No “Privacy” link | D — page not linked sitewide |
Common causes
Ordered by hit rate, highest first.
1. No /privacy page at all
You skipped the legal pages and submitted with just articles + About + Contact. Some publishers think the cookie banner is sufficient — it’s not.
How to spot it: curl -s -o /dev/null -w "%{http_code}\n" https://yourdomain.com/privacy. If 404, that’s it.
2. Privacy page exists but doesn’t mention AdSense
Many template privacy policies are generic and never mention “AdSense,” “Google,” or “personalized advertising.” AdSense reviewers’ search heuristic doesn’t find what it’s looking for and flags the site.
How to spot it:
curl -s https://yourdomain.com/privacy | grep -iE "adsense|google|personalized|third-party|cookie"
You should get multiple hits for each. If “AdSense” or “Google” return nothing, the policy is too generic.
3. No certified consent banner (CMP) for EEA/UK/Swiss traffic
Google requires every AdSense publisher serving the EEA or UK (since 16 January 2024) and Switzerland (since 31 July 2024) to use a consent management platform (CMP) that is Google-certified and integrated with IAB Europe’s Transparency and Consent Framework (TCF). Without one, ads in those regions fall back to Limited Ads or stop serving entirely, and reviewers check for the banner.
A 2026 trap: Google stopped accepting old TCF v2.2 consent strings after 28 February 2026, so banners built before that need to emit TCF v2.3. Also, a vague “this site uses third-party cookies” line in the first layer of the banner is no longer sufficient — the first screen must explicitly mention ads personalization and let the user accept or reject.
How to spot it: Open your site through a VPN set to Germany. If no consent banner appears, you’re not compliant. If a banner appears but never mentions ad personalization, it may be a generic cookie notice, not a TCF CMP.
4. Privacy page not linked from every page footer
You created the page but it’s only linked from the homepage. AdSense reviewers expect a sitewide footer link.
How to spot it: Open a random article. Scroll to the footer. If “Privacy” isn’t there, it’s not linked sitewide.
5. Privacy policy contradicts the actual setup
The policy says “we don’t use cookies” but Google Analytics is installed. Or it says “no third-party services” but AdSense is embedded. Reviewers do basic sanity-check this.
How to spot it: Read your own privacy policy line by line and check: is every claim still true given what’s actually on the site?
6. Privacy policy is in the wrong language
You’re targeting global users but the privacy policy is only in your native language. Reviewers often work in English — they need an English version available.
How to spot it: Visit /privacy and also /en/privacy (or your equivalent). If only one language is present and it’s not English, add an English version.
Shortest path to fix
Step 1: Create or rewrite /privacy with required sections
The minimum sections an AdSense-passing privacy policy needs:
- What data we collect: be specific: IP, user-agent, page views, form submissions, etc.
- Third-party services: name them: Google AdSense, Google Analytics, Vercel, Cloudflare, etc.
- Cookies: what types (essential, analytics, advertising), set by whom.
- Personalized advertising: explicit statement that Google AdSense serves personalized ads based on cookies and user activity.
- User rights: opt-out paths: Google Ads Settings, browser settings, regional rights (GDPR/CCPA).
- Data retention: how long you keep what.
- Contact: an actual email for privacy inquiries.
Use a generator (privacypolicies.com, termly.io, iubenda) as the skeleton, then customize.
Step 2: Add the AdSense-required language verbatim
This is the wording Google publishes on its Required content page. Paste it close to verbatim:
Third-party vendors, including Google, use cookies to serve ads based on
a user's prior visits to this website or other websites.
Google's use of advertising cookies enables it and its partners to serve
ads to your users based on their visit to your sites and/or other sites
on the Internet.
Users may opt out of personalized advertising by visiting Ads Settings:
https://www.google.com/settings/ads
You can also opt out of a third-party vendor's use of cookies for
personalized advertising by visiting https://www.aboutads.info.
Two notes as of June 2026: the opt-out link https://www.google.com/settings/ads now redirects to Google’s My Ad Center at myadcenter.google.com, but keep the classic URL — that’s the one Google’s docs still show and it resolves correctly. What the reviewer’s crawler keys on is the presence of “Google,” “third-party,” “cookies,” and “personalized advertising,” so the exact phrasing matters less than every keyword appearing.
Step 3: Link /privacy from every page footer
In your site layout, add:
<footer>
<a href="/privacy">Privacy Policy</a>
<a href="/terms">Terms</a>
<a href="/contact">Contact</a>
</footer>
For Astro/Next, this goes in your root layout. Verify by viewing source of 3 random articles.
Step 4: Publish a certified CMP for EEA/UK/Swiss traffic
Easiest is Google’s own CMP, which is built into AdSense. (The old standalone “Funding Choices” product was folded into the Privacy & messaging tab — there’s no separate Funding Choices console anymore.) It’s free, Google-certified, TCF-compliant, and AdSense recognizes it automatically.
Steps:
- AdSense sidebar -> Privacy & messaging -> European regulations.
- Click Create message (or Manage if one already exists).
- Set the message to cover the EEA, UK, and Switzerland, paste your
/privacyURL into the message’s privacy-policy field, and pick your consent options (the recommended layout offers “Consent,” “Do not consent,” and “Manage options”). - Publish the message. Google’s CMP loads automatically through your existing AdSense ad code — no extra script tag needed for the Google CMP.
If you prefer a third-party banner, it must be on Google’s certified-CMP list (for example iubenda, Cookiebot, Osano, Quantcast) and emit current TCF v2.3 strings.
Verify with a VPN to Germany — the banner should appear and must mention ad personalization, not just “cookies.”
Step 5: Make sure privacy page has an English version
If your primary language isn’t English:
/privacy → native language
/en/privacy → English translation
Cross-link them with <link rel="alternate" hreflang="...">.
Step 6: Resubmit after the recrawl
Once changes are live and crawlable, wait at least 24-48 hours so Googlebot can recrawl /privacy and the footer before you ask for another review. Then in AdSense go to the Policy center (or Sites), open the flagged issue under “Issues found,” and click Start review process. The button is greyed out if you’ve requested reviews too many times recently — in that case fix everything first, then submit once. Reviews usually return a verdict within a few days.
How to confirm it’s fixed
Before you click “Start review process,” confirm all of this passes:
# 1. /privacy returns 200, not 404
curl -sI https://yourdomain.com/privacy | head -n 1
# 2. The required keywords are present (expect several hits)
curl -s https://yourdomain.com/privacy | grep -ioE "google|third.?party|cookie|personalized" | sort | uniq -c
# 3. The footer link is in the rendered HTML of an article, not just the homepage
curl -s https://yourdomain.com/some-article/ | grep -i 'href="/privacy"'
Then load the live site through a German VPN: the consent banner must appear and mention ad personalization. In AdSense -> Privacy & messaging -> European regulations, the message status should read Published. If all four checks pass, request the review.
Easy to misdiagnose as
- “Low value content” rejection. That’s a separate verdict about thin or unoriginal articles, not your legal pages — see AdSense low value content rejection. Read the exact rejection wording: “necessary policies are missing” points at this page; “isn’t ready / low value content” does not.
- A standalone Cookie Policy. A “Cookie Policy” page alone isn’t a substitute for a privacy policy. AdSense wants one comprehensive privacy policy that includes the cookie disclosure (or both pages, clearly linked).
- The consent banner replacing the policy. A CMP banner satisfies the consent requirement, not the written-policy requirement. You need both.
Prevention
- Use a generator (privacypolicies.com, termly.io) as a starting point, then paste in the Step 2 Google-required wording by hand.
- Update the privacy policy every time you add a new third-party service (analytics, ad network, CDN, form handler).
- Re-audit the policy every 6 months against the AdSense program policies — enforcement tightens over time, and what passed in 2020 may not pass now.
- Always link
/privacyfrom the global footer, not just the homepage. - Default to Google’s built-in CMP under Privacy & messaging unless you have a specific reason to use a certified third-party banner; keep it on TCF v2.3.
FAQ
Can I use a generic privacy-policy generator? Use it for the structure, but customize the disclosures. The generated skeleton (privacypolicies.com, termly.io, iubenda) rarely names Google AdSense, third-party advertising cookies, or ad personalization, which is exactly what the reviewer looks for. Add the Step 2 language by hand.
Do I need a CMP if I don’t have EU users? Not strictly — the certified-CMP rule applies only to EEA, UK, and Switzerland traffic. But if any visitor comes from those regions and no CMP message is published, ads there drop to Limited Ads or stop, and reviewers may flag the account. Publishing Google’s own message costs nothing, so most publishers just turn it on.
How long after I fix it will AdSense re-review? Allow 24-48 hours for Googlebot to recrawl the changed pages before requesting the review, then a typical verdict lands within a few days (sometimes up to two weeks during backlogs). Resubmitting repeatedly does not speed it up and can grey out the button.
My banner shows but ads still don’t serve in the EU — why? Most often the CMP is publishing old TCF v2.2 strings; Google stopped accepting those after 28 February 2026, so update your CMP to TCF v2.3. Also confirm the message is actually Published (not draft) in Privacy & messaging, and that its first layer offers a real reject option, not just “Accept.”
Does the privacy policy need an English version?
If you target a global audience, yes — keep an English /en/privacy even if your main site is in another language, because reviewers commonly work in English. Cross-link the language versions with hreflang.
Related
- Cookie consent for ad-supported sites
- AdSense low value content rejection
- Site needs review for too long
Tags: #AdSense #Monetization #Troubleshooting #Privacy policy