
Forum Moderators: DixonJones & mademetop


EU GDPR (General Data Protection Regulation) and Analytics cookies

How will this affect webmasters?

     
9:21 am on Nov 15, 2017 (gmt 0)

Administrator from JP 

WebmasterWorld Administrator bill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 12, 2000
posts: 15157
votes: 170


The new General Data Protection Regulation or GDPR [en.wikipedia.org] is meant to protect privacy, but it looks like it could be a nightmare for webmasters whose sites have dealings with citizens of the EU. Reading through some of these regulatory requirements and opinions is making my head spin.

Are there established guidelines of what a website would need to do to comply with this? For example, if my site uses Analytics it's serving a cookie (from Google). Does this mean I have to clutter my sites with those annoying "this site uses cookies" banners? They seem like a fairly useless addition, and I've read that they may not actually be sufficient for compliance with the new regulations.

What's a non-EU site to do? What about EU sites? Analytics arguably are not tracking personally identifiable data, but I'm sure we could find a lawyer who could argue otherwise. I am not seeing definitive information about this from Google.

We only have until May 2018 before the EU hammer comes down...
7:50 am on Feb 23, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1717
votes: 263


GDPR concerns people located in the EU - either citizen or visitor (plus all businesses themselves located in the EU, regardless of traffic source). I don't think it is claiming extra-jurisdictional competence on EU citizens accessing 3rd-country sites from outside the EU.
7:58 am on Feb 23, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1817
votes: 59


Assuming I make Google Analytics anonymise visitors' IP addresses, and presumably not serve cookies, what functionality do I lose in Analytics as a result?
8:24 am on Feb 23, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1817
votes: 59


For anyone struggling with the original text of the regulation there is a much easier version to read at [gdpr-info.eu...]
8:28 am on Feb 23, 2018 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1532
votes: 295


There are so many chapters/pages! Even history seems more interesting than reading this :D
1:04 pm on Feb 23, 2018 (gmt 0)

Junior Member

joined:Feb 22, 2018
posts:146
votes: 22


"There are so many chapters/pages! Even history seems more interesting than reading this :D"

And this is ONE domain. Multiply this by all European directives, and you can imagine how things are. Now I have nothing against defining rules. The problem is always the same: it's because of some abuses that authorities need to set rules. And since there are always some abusing and bypassing rules, then more rules need to be made and so on.

By the way, History is an interesting and amazing subject.
11:36 pm on Feb 24, 2018 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 25, 2003
posts:1336
votes: 429


Perhaps the greatest benefit of the GDPR is that it is forcing a great many webdevs to actually think about PII. Until now many had 'we use cookies because' privacy boilerplate copied and pasted from somewhere and that was about it.

Now we are having to consider just what user data is collected/logged whether deliberately or inadvertently and what our or, more likely, our various third party scripts/software and their businesses are doing with it. Additionally, coming to understand just what visitor data is, or potentially may be, considered PII depending on context, e.g. what data individually is not PII but in aggregate is/might be.

Once the technical steps are done, i.e. identify PII and usage, incorporate anonymisation and/or secure it and/or delete it on time/usage methodologies and a viable audit process, the greatest hurdle is in the visitor interface and informed choice concerns.

* where one has to explain simply, clearly, and exactly what PII of a visitor is being gathered;
* how it will be used by the site;
* the value to the visitor in allowing their PII to be so used;

* which PII data will be shared with which third parties;
* how it will be used by each third party;
* the value to the visitor in allowing their PII to be so used;

* what is anonymised by any/all above.
* how it will be secured by all above.
* the rights of the visitor in regard to all above and their data.

Granted, much can be 'offset' by links to detailed information on a dedicated privacy page or pages. However, the gist needs to be explained before the 'call to action' aka agreement button click. Think of it as Reddit's 'You must be 18+ to view this community' interstitial with 'no thank you' and 'continue' buttons but, probably, without the lure of NSFW content.

So how does one design a modal/interstitial that 'sells' saying 'yes, I'll share' with the requirement of full disclosure and with 'no' aka opt-out as the default?

The site also must decide what happens if the visitor clicks 'no'. Or doesn't click 'yes'.
Does one let the visitor continue?
This requires some mechanism to stop/purge data collection for that particular visitor before use. Or it requires a default 'no PII data collection' and a methodology of adding it to the pages seen by those who agree. It also requires some quality control that flags failure of data collection stoppage or unauthorised collection plus appropriate notification/remedial action.

Should there be a differentiation in the PII data collection, i.e. between IP and MAC address, username and credit card, with separate requests for agreement?
If so what levels of service, site access, etc. might be altered given the different levels of data sharing and how might one accomplish same?
And how does one best 'sell' the value of agreeing at each step?

Frankly, the last year or so of working towards GDPR compliance has been a frustrating, fascinating process.
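
The default-deny approach described in the post above (no PII collection unless the visitor agrees, plus a quality-control check that flags unauthorised collection), as an added example that is not part of the original thread. The `consent` cookie format, the tag inventory and the event records are hypothetical and constructed for illustration.

```javascript
// Hypothetical names throughout: the "consent" cookie format, the tag
// inventory and the sample events are constructed for this example.
const OPTIONAL = ['analytics', 'ads']; // categories that need a visitor's "yes"
const TAGS = [
  { id: 'session', category: 'essential' },
  { id: 'site-analytics', category: 'analytics' },
  { id: 'ad-network', category: 'ads' },
];

// Parse "consent=analytics:1|ads:0" out of a Cookie header. A missing cookie,
// an unknown category or any flag other than "1" counts as "no", so the
// default is no collection.
function parseConsent(cookieHeader) {
  const granted = { analytics: false, ads: false };
  const pair = String(cookieHeader || '').split(';').map((s) => s.trim())
    .find((s) => s.startsWith('consent='));
  if (!pair) return granted;
  for (const item of pair.slice('consent='.length).split('|')) {
    const [category, flag] = item.split(':');
    if (OPTIONAL.includes(category)) granted[category] = flag === '1';
  }
  return granted;
}

// Tags the server may emit into a page for this visitor: essential ones
// always, optional ones only after an explicit "yes" for their category.
function tagsForVisitor(cookieHeader) {
  const granted = parseConsent(cookieHeader);
  return TAGS
    .filter((t) => t.category === 'essential' || granted[t.category] === true)
    .map((t) => t.id);
}

// Quality control: return the collection events that should not have happened,
// i.e. a tag fired for a visitor who had not agreed to it, or a tag that is
// not in the inventory at all.
function auditCollection(events) {
  const known = new Set(TAGS.map((t) => t.id));
  return events.filter(
    (e) => !known.has(e.tag) || !tagsForVisitor(e.cookie).includes(e.tag)
  );
}

// Constructed sample: each record is one data-collection hit with the Cookie
// header that accompanied it.
const SAMPLE_EVENTS = [
  { visitor: 'v1', tag: 'site-analytics', cookie: 'consent=analytics:1|ads:0' },
  { visitor: 'v2', tag: 'site-analytics', cookie: '' },
  { visitor: 'v1', tag: 'ad-network', cookie: 'consent=analytics:1|ads:0' },
  { visitor: 'v3', tag: 'session', cookie: 'sid=abc' },
  { visitor: 'v4', tag: 'ad-network', cookie: 'consent=ads:yes' },
];

console.log(auditCollection(SAMPLE_EVENTS).map((e) => `${e.visitor}:${e.tag}`));
```

The same `tagsForVisitor` decision drives both page rendering and the audit, so the check compares what was collected against what the visitor's recorded choice allowed at the time.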
2:21 pm on Feb 27, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1817
votes: 59


Am I right that there seems little information from Google about Analytics and the GDPR?
2:29 pm on Feb 27, 2018 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1532
votes: 295


Yes. Once they are done with Auto Ads promotion, we will hopefully learn more about this.
8:50 am on Feb 28, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1817
votes: 59


So, regarding Google Analytics and GDPR.

Does Analytics record the full IP address of site visitors?
Does Analytics serve cookies to site visitors?

In browsing around Analytics I haven't yet seen individual IP addresses, although I have seen identifier numbers which might incorporate IP addresses. If I can see personal identifying information in Analytics then it will come under GDPR scope.
10:07 pm on Mar 17, 2018 (gmt 0)

Junior Member

joined:Feb 22, 2018
posts:146
votes: 22


ps: if the owner of WebmasterWorld reads this, I think it would be interesting to know what he is doing to conform to the GDPR. This could help "us".

So I got the answer, WW is above the laws and will not respect the GDPR, like that it's clear...
12:46 pm on Mar 20, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts: 1817
votes: 59


Some of the more proactive sites are now starting to renew their terms and conditions.
Should give us good hints as to the best way forward.
8:35 pm on Mar 21, 2018 (gmt 0)

New User

joined:Feb 23, 2018
posts:21
votes: 0


Is it the case that I won't be able to use AdSense and Analytics on my sites until users have opted into cookies? If so, does Google provide a tool for us to easily let them know who has/hasn't consented, or will I need to change my code so as not to even include AdSense/Analytics code on a page until consent has been given?

Also, I read somewhere that providing a meaningful opt-out might require webmasters to provide cookie-free versions of their sites. Is that actually the case? Because it would be incredibly unfair to expect people to provide content they can't monetise.
9:06 am on Mar 22, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1717
votes: 263


You can use GA, as long as you declare you do. They are first-party cookies - you are the Data Controller. You send them to Google as a Data Processor.

See also this discussion [webmasterworld.com]

The third post has an overview of grounds for data collection. See the subheading "Legitimate Interests".
11:29 am on Mar 22, 2018 (gmt 0)

New User

joined:Feb 23, 2018
posts:21
votes: 0


Thank you, Shaddows. I'm gradually piecing together my understanding.
11:58 pm on Mar 22, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


@shaddows, does this mean everyone will have to have those annoying "cookie consent" prompts on their sites for EU users?

Outside of our forum, which people have to agree to cookie use/forum terms in their forum terms agreement during registration, we don't store any cookies or use any cookies for marketing or advertising. The ad networks we use are issuing cookies, but that has nothing to do with us in terms of storing that info - Google grabs and stores it for example. Even when I go to EU sites under an EU IP, the only sites giving those cookie prompts are those which issue cookies.

From what I understand, for US based sites a lot of this has to do with outlining things clearly in your privacy policy.
8:34 am on Mar 23, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1717
votes: 263


No, under the GDPR, you can drop cookies with only tacit consent, as long as you can reasonably argue there is a legitimate interest, and make it clear in the appropriate place (and provide an opt-out). Cookies that make your site actually function just need to be declared, without needing an opt-out.

See, for example, how the EU's Own Site [europa.eu] works.

"The ad networks we use are issuing cookies, but that has nothing to do with us in terms of storing that info - Google grabs and stores it for example"

Ok, there are a few things there. My understanding is that third-party cookies need explicit permission. "Nothing to do with us" is a conceptual problem for you. If something is served at your URL, then my understanding of the legal situation is that it is everything to do with you.

And Google doesn't "grab" exactly- you send it.
8:50 am on Mar 23, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


@shaddows, so what you are saying is that if you are serving Adsense or other types of ads - your EU users need to see those annoying cookie consent prompts (on every page until they click)? We have an entire cookie policy page (since late 2016), but we've never done the prompts for EU traffic.

And I've seen several types of cookie consent prompts, the kind where you have to click and the kind where it just says in the header or footer "if you continue using this website then you agree to our cookie policy" and then it fades away if you click on another link.

Regarding our forum, just a cookie so the user's account functions. Other than that we don't do any newsletters or email lists, etc. Just like any forum, someone can easily opt out from receiving admin emails or subscribed thread emails.

Here are two questions.

1. If a site just says the hell with it, is the EU going to chase some 15 year old blogger from the United States or Mexico or go after a mid-level website with click-bait articles that receives maybe 10% of their traffic from the EU?

2. I have friends who have sites that are 100% geared to the U.S. market and they make good ad revenue money, but they still get traffic from all over the world. They don't plan to do anything. I have a feeling there will be a high level of disregard for GDPR outside of the EU.
8:59 am on Mar 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


"I have a feeling there will be a high level of disregard for GDPR outside of the EU"

Probably, but outsiders who publish ads will need to abide if they want those ads to display on Chrome.

Just today I received an email updating Google's requirements for ad publishers.
9:07 am on Mar 23, 2018 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Aug 11, 2008
posts:1717
votes: 263


Well, I have an opinion, but it means nothing. Risk assessments are part of any business, and I would not presume to judge. Similarly, I have no idea how the EU will choose to treat such sites, although I observe there are a lot of sites in the world, and they have finite resources.
9:16 am on Mar 23, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


@keyplyr - I received the same requirements for ad publishers and I've yet to see anything about Chrome blocking out website ads that don't abide.

And how would Chrome even detect if you have a custom cookie consent prompt?

Even if they do block ads out for EU users, if someone makes 10 bucks a month from EU traffic, will they really care?

From what I read, Adsense is going to offer the option of serving ads that are not cookie based to EU users.

In the worst case scenario, I will have to code a custom cookie consent prompt that is only geared for EU users on my footer. I honestly prefer the one that fades away, the common 'if you continue using this site then you agree to our cookie policies, etc.'

To be honest, most people I speak to have zero idea about GDPR and it is so complex for them to understand (even to me in some areas) - and to understand how to be in compliance, that it's going to be one big mess.
9:31 am on Mar 23, 2018 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1532
votes: 295


"'if you continue using this site then you agree to our cookie policies, etc.'"

This should work fine. But how do you plan to show this prompt to Europe only? Is there any WordPress plugin for this task?

Microsoft does the same.

"If you continue to use our products and services on or after May 1, 2018, you are agreeing to the updated Microsoft Services Agreement.
If you do not agree, you can choose to discontinue using the products and services, and close your Microsoft account before these terms become effective."


Accept our cookie policies, or get out. That's what I'm going to do.
9:34 am on Mar 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@vegasrick - I didn't say that was in the email and you know it.

If you want that information, go to GSC and follow the Web Tools links discussing Chrome & ad display actions.


[fix typo]

[edited by: keyplyr at 9:41 am (utc) on Mar 23, 2018]

9:38 am on Mar 23, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


@key, I never said you did. I said I've yet to see that written anywhere with respect to this specifically. I've seen Chrome blocking sites with ad units that violate their warning directives in Search Console.
9:40 am on Mar 23, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


@MayankParmar, Sky Sports has a tiny one on the bottom that says "we use cookies and if you continue to use our site we'll assume it's OK" - and they are one of the largest websites in the UK, certainly the largest sports site, so I'll follow their lead.
9:58 am on Mar 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


It is somewhat of a leap, I admit, but Google is being pushed against the wall by the upcoming EU regulations. The EU is threatening huge penalties to those that don't conform to the GDPR starting in May.

It's not us little guys the EU will go after, it will be the big players like Google. The way that Google will need to avoid the penalties is by following GDPR policy in a couple main areas: Google Analytics and Google Adsense.

With Analytics, Google can do it on their end since *they* are the one that's processing and storing user data. (discussed in the recent email.)

Adsense & other ad network publishers are the ones that Google can force to abide by levering Chrome's power to display the ads or not.

Sites that don't publish ads but violate the GDPR by collecting user data in some way won't be subject to Chrome's leverage but could be subject to other sanctions or fines, but as Shaddows said, it will be difficult to rein them in.
10:48 am on Mar 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts:147
votes: 41


So is there anything that confirms whether a cookie opt-in button is needed if you use Adsense?
Or whether simply having a notice at the bottom of the page, like with Sky Sports, is enough?
4:21 pm on Mar 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2284
votes: 606


The email says that there will be an option to only show non-personalized ads. I am assuming that this is targeted to EU visitors since you can already turn off personalization.
4:27 pm on Mar 23, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


Exactly what Ember said, and if you are using non personalized ads then there is no reason for the cookie consent prompt, unless you are using tracking cookies for non-site function reasons.
6:43 pm on Mar 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Mar 11, 2015
posts: 101
votes: 31


Following this with interest!
7:31 pm on Mar 23, 2018 (gmt 0)

Full Member

Top Contributors Of The Month

joined:July 3, 2015
posts: 263
votes: 44


I actually had a long conversation with a lawyer from the UK. He said there is "so much misinformation out there on this subject that it's scary." He said I have a better chance of getting hit by a plane than the EU coming after me or any outsider with a fine. He said the regulations for the most part are geared towards major companies, companies that collect data, to protect consumers from these countless data breaches and also giving consumers legal recourse when it happens and gives EU the ability to fine websites that had breaches and didn't follow the GDPR protocols. He said in the worst case scenario a site "may" have to add a cookie prompt for EU users, but he said it's certainly not something Google will be acting as the police for, and he said if you read Adsense's agreement that every publisher agrees to, they are basically held harmless in these types of matters. The liability falls on the site in question. However, if Google has a data breach and doesn't follow the EU regulations regarding a breach, then that's their problem.
This 105 message thread spans 4 pages: 105
 
