DSGVO (GDPR)The AMP framework was established to speed up mobile websites. Normally, AMP pages are served via Google's CDN and are cached on Google's servers. Visitors who click on an AMP result in Google search seldomly recognize that they are directed to Google infrastructue, which means that their personal data like the IP address is processed by Google. The European GDPR that comes into effect on May 25th is very strict about raising, gathering and processing user data - especially when the data is sent to third-party servers. Is it still possible to use AMP according to the GDPR?

Important notice: The purpose of this article is not to give legal advice. Every implementation or change on a website according to GDPR should be checked and approved by a legal expert.
Nevertheless, my experiences in preparing for GDPR might be an inspiration for other webmasters what to look for and how to avoid or mitigate some of the risks rising from GDPR. Yet there is no claim for any kind of completeness. This article is written in English because most members of the AMP development community share their knowledge in this language. Sharing this article might help to get some more input from international AMP experts.


Google servers instead of domain shown in the search results

When Google introduced AMP about two years ago, only a few websites used this framework. AMP is supposed to speed up mobile websites by reducing the filesize of HTML and JavaScript. Additionally, AMP pages are delivered via Google's Content Delivery Network (CDN) and are cached on Google servers.

This is where the problems with respect to GDPR begin: If you cooperate with a partner that raises, gathers and processes user data like their IP address, you as a webmaster should have a Data Processing Agreement (DPA) with that partner. Additional requirements might be necessary (Privacy Shield, EU Model Clauses etc.). This is true if you for example have a hosting contract or if you use a CDN provided by a third party.

As to AMP, Google might be regarded as such a data processing partner - therefore it might be necessary to have a DPA with Google for that. But until now, such a DPA seems not to be available.

There has been an interesting discussion on Google's Webmaster Central Help Forum about AMP and GDPR. As it seems, currently only few people deal with the questions mentioned above. Some are of the mind that AMP can be treated like normal pages cached by Google for search results. But one big difference in my opinion is that when I request a page from Google cache I know it's delivered by Google. That's not the case with AMP results.

There is also no official statement from Google concerning AMP and GDPR. I asked John Mueller via Twitter about this, but without any response yet. Maybe he will answer in the next few days because he has to check for details with the responsible team first.


So what can be done in order to deal with this probem?

As long as there are no experiences from webmasters dealing with AMP and GDPR everyone has to draw his own conclusions. Webmasters who want to reduce their risk can deactivate their AMP pages - when a website is responsive or has at least a mobile friendly version this can be an alternative. The drawback would be to forego opportunities that come with AMP like prominent news carousels.

AMP also offers a new component called AMP consent. This component allows an AMP page to react according to user consent. Some page elements like tracking or ads can so be deactivated if no user consent is given. Unfortunately, AMP consent is not suited for dealing with the problems mentioned above.

One thing that might help would be some kind of notice on the Google SERPs containing AMP results that inform the users that when clicking on such a result they are taken to Google servers instead of the domain shown in the search results. In addition to this Google should provide a DPA for AMP users in order to have some kind of agreement on how Google deals with user data.

It remains to be seen if there will be some progress regarding these questions in the next four weeks. If the situation remains unclear, maybe switching off all AMP pages can be a solution.

Update: Malte Ubl, AMP Project Lead at Google, answered via Twitter and pointed to Googles help page for viewers of AMP pages. He also sent a link to a discussion on a Github page:


Malte Ubl: answer regarding AMP and GDPR


But still the answer is missing about how users can be informed about being directed to a Google server before they click on a result. There is also no information about Google providing a DPA for AMP yet.


Update May 3rd:

Antje Weisser, Publisher Support Manager AMP in Mountain View, suggested via Google Forum:

"For user interactions through Google's AMP Viewer we strive to ensure data sharing meets user expectations. We currently provide a link to a Help Center article that can be accessed via the Viewer to explain how data flows in the hybrid environment of the Viewer. These are some of the notable consequences of this arrangement:

During a visit to an AMP page via the Google AMP viewer, any data that the Google AMP viewer may collect, such as a record of the visit happening, is covered by Google’s Privacy Policy.

Separately, a publisher can use features in their AMP page that collect data on the publisher’s behalf. Because the publisher chooses the behaviors and vendor integrations in the page, the publisher is responsible for managing the compliance obligations that stem from those choices. Check out this post for how to implement user choice flows in AMP documents, and if you need additional features to be supported in AMP, you can suggest them in the AMP Project GitHub

A publisher may use a Google service (e.g. Google Analytics) on their AMP page and create an additional relationship between Google and the publisher concerning data. In that case, there are specific additional arrangements in place to cover the relationship between Google and the publisher with respect to that data, and scoped to the Google service involved."

It remains to be seen if reference to Google's Privacy Policy for AMP viewer will be enough to be in accordance with GDPR. Anyway, some residual legal risk will likely remain for publishers because of the resulting ambiguity between publishers and Google.

There is still no sign of Google providing a DPA or more visible hints for users on SERPs informing them about being directed to Google servers when clicking on an AMP result.



Titelbild © Matthias Enter -


Christian Kunz

Von Christian Kunz

SEO-Experte. Sie benötigen Beratung für Ihre Webseite? Klicken Sie hier.

SEO-Newsletter bestellen

Melde Dich für den SEO-Newsletter von SEO Südwest an und erhalte monatlich eine Übersicht der wichtigsten SEO-News.

Mit SEO Südwest vernetzen

Verwandte Beiträge

Mobile Websites haben sich seit dem Beginn von Google AMP weiterentwickelt. Laut John Müller von Google ist es durchaus vernünftig, AMP abzuschalten, wenn die mobile Darstellung einer Website gut...

Bei einigen Websites waren im AMP-Bericht der Google Search Console zuletzt vermehrt Crawling-Fehler gemeldet worden. Die Ursache dafür soll in den nächsten Tagen behoben sein.

Wenige Monate vor dem Aus von Google Analytics Universal ist noch nicht geklärt, ob AMP Unterstützung für Google Analytics 4 erhalten wird.

SEO-Newsletter bestellen

Im monatlichen SEO-Newsletter erhaltet Ihr eine Übersicht der jeweils zehn wichtigsten SEO-Meldungen des Monats. Mit dem SEO-Newsletter bleibt Ihr auf dem Laufenden.
Ich bin mit den Nutzungsbedingungen einverstanden



Premium-Partner (Anzeige)

Anzeigen sedo

SEO Agentur aus Darmstadt

Better sell online

Online Solutions Group




Sprecher auf

SEO- und Suchmaschinenblogs


Bild © FM2 -

SEO selber machen

SEO selber machen

Bekannt aus

Website Boosting

Internet World Business

SEO United

The SEM Post


Jetzt vernetzen





Wir bringen gemeinsam Ihre Webseite in Google nach vorne. Profitieren Sie von jahrelanger SEO-Erfahrung.

Social Networks und RSS-Feed


seo19 sieger sichtbarkeit 2020 200x200px