I'm not worried about the EU coming after me - it would just never happen - I worry about Google suspending ads on my sites if I don't comply. But I think they are in the process of developing solutions, like non-personalized ads for EU visitors and ways to gain EU visitor consent.

@ember, I dont think they would suspend ads, but they may instead show non-personalized ads - or maybe no ads at all, to your EU visitors (similar to no ads being shown to page not being in compliance with TOS on your site).

Although GDPR is becoming the law in May, the cookie consent prompt has been around for some time, and I know Google advised certain EU based sites to carry that way back, but even that was never policed with any blowback from the EU publishers I'm friends with - because Google did their due diligence with emailed proof that it advised their EU partners.

Well, it'd be great if G could show the cookie prompt and disable personalized ads for EU by default. Pretty sure almost all AdSense publishers outside the EU doesn't bother about GDPR... as much as they should.

I agree. Ideally, Google would provide a cookie prompt tool. Something that detected if a visitor was in the EU, then showed non-personalised ads until it detected an opt in, after which personalised ads would be shown.

my policy is to follow through with this as much as I have with the farcical "EU cookie prompt" - i.e. not at all.
I guess I'll have to tick some checkbox on adsense/GA page at some point.

can't wait to see the likes of FB reigned in as to how they collect/use/sell millions of their users' data.

nah, thought not.

I really don't understand why cookie law hasn't crashed and burned. I've never met anyway - developer or user - who wants it, and I'm in the EU.

The cookie law is no longer a thing with GDPR, apart from 3rd party cookies.

For 1st party "plumbing" cookies, just note they exist.
For 1st party tracking cookies, note they exist and provide an opt-out. This can be done in a privacy statement, not as originally implemented.
For 3rd party cookies, you still need the original "Click to accept" cookie prompt.

________________
As per the Facebook breach/not-a-breach, Google can undertake it's responsibilities by telling it's partners what to do, and including it on their TOS.

Failing to comply with their TOS is not Google's (legal) problem. So there is no need for them to police.

Failing to comply with their TOS is not Google's (legal) problem. So there is no need for them to police.

Exactly, and for the rare who are reading Google's TOS you can see it clearly in the way they turn their sentences.

It's also normal, that publishers are responsible of the content they are delivering on their site.

Since, my initial post has been deleted somehow, I am repeating that , this is not necessarily the EU itself going after sites which will not respect the GDPR. The EU will not visit each single site, to verify. The EU will only focus on big names. But this is not a reason for small or even single-man publishers to feel not concerned. The GDPR is giving a way for any citizen of the EU to fill a complain about a site. So even if the EU will never come to bother "you", then a single citizen can cause you problem, if you are not respecting the GDPR. With 500 millions citizens, ... it has to be taken seriously.

New forum dedicated for GDPR and related discussion:

Website Regulatory Compliance News, Issues and Guidelines [webmasterworld.com]

Last night e-mail from Google about Analytics, remains very ambiguous.

Can anyone provide links to English language websites that have implemented solutions for GDPR? I run a medium sized UK based website and generally look at some of the bigger publishers for guidance, e.g. BBC, Guardian, Telegraph, Sun, Mirror, Mail.

The BBC privacy policy (Top level: [bbc.co.uk...] includes this:

"We collect some data automatically
Like your IP address, what browser and device you’re using, and your unique identifier. And we can tell what webpage directed you to the BBC by looking at information from your browser."


[bbc.co.uk...]

Is that GDPR compliant?

Depends what they do with that data. But in as far as that it just server log data, necessary to make the web page work (therefore "legitimate interest"), just making the statement is sufficient. (IANAL)

just making the statement is sufficient

This is another obscure point of the GDPR. Users have to be informed about what you collect, why, how long, etc... But the GDPR insists on how this information has to be clearly visible and easy to understand. If the information is buried into a TOS, which is istself linked from a microscopic link at the very bottom of the page, this "might" not be compliant. I think this is why, lot of big sites have this kind of links in the header of their page, this can be an argue that the information is easily accessible.

There is quite a lot that will only become clear if/when tested in court- especially the extent to which you can invoke the "legitimate interests" basis.

I have generally avoided giving explicit, specific requirements so far. However, this is my current understanding (IANAL, I am very happy to be corrected, and even happier to have a discussion on any point):

For nuts-and-bolts data to make a site function at all (IP, Agent, session cookie), I'm pretty confident you can bury that, as long as it is in T&C's, TOS, Privacy Statement or other boilerplate text.

For analytics purely designed for the site owner to gauge user experience, and to make future improvements- you probably need to make a reasonably prominent statement, but no opt in (or even opt-out, if you anonymise).

Anything delivering first-party personalisation, you will need to allow an opt-out but can enable by default.

Remarketing, third-party personalisation (possibly including tailored ads), mailing lists, selling PII, you will need explicit consent via a checkbox that is un-ticked (unchecked for you Yanks) by default. You will need a separate box for each activity. You will need to make is as easy to opt-out as it was to opt-in (which means no disappearing header/footer).

Yes, I have the same understanding as you Shaddows, excepting may be about the IP. The EU seems to consider it, a critical personal data. I loosely remember, a German case, where a man succeeded to get a site condemned because they recorded (and stored) his IP address in their server access logs.

Also, the EU GDRP says that, you have to remember the consent from a User, and allow him/her to remove this consent at anytime. So I guess that, when someone checks a box to give his explicit consent, we have to record this action, with the time and IP (!) as a proof that the consent was given.

An interesting article about GDRP and consent : [techrepublic.com...]

If a user contact us and ask us to remove his information such as IP address from everywhere, we are supposed to do that right? These information could be on server logs, Sucuri, Mailchimp, theme, analytics and the list goes on, it would be a headache :(

excepting may be about the IP. The EU seems to consider it, a critical personal data

Sure, you can't store them. But who are you going to send the 1s and 0s to without noting the IP? Storing them in full needs withdrawable consent, or explicit consent in certain circumstances. Which brings me to...

If a user contact us and ask us to remove his information such as IP address from everywhere, we are supposed to do that right? These information could be on server logs, Sucuri, Mailchimp, theme, analytics and the list goes on, it would be a headache

Lots of those, you can just save the first three octets- that's then non-identifiable. I think server logs are going to be something to parse and modify before storage- then you would not have anything identifiable to delete.

You can always collect stuff for "legitimate interest" - as long as you delete it as soon as that interest it fulfilled. So for short-term use, there will no practical liability to user-led deletion. Your long-term storage strategy should mitigate against such a liability arising, via anonymisation.

If a user contact us and ask us to remove his information such as IP address from everywhere, we are supposed to do that right? These information could be on server logs, Sucuri, Mailchimp, theme, analytics and the list goes on, it would be a headache :(

In one word, "Yes", and the worse, is that it applies to data collected in the past too. So for example, I visited your site a couple of times the last few days, then "in theory", starting on May 25, I have the right to ask you to remove all traces of my IP from everywhere related to these visits.

Now, about IP removal, I guess that a user has to prove this is his IP. Which can be something difficult to achieve, excepting for users with fixed IP address. For example, if I contact you, and ask you to remove my IP xxx.xxx.xxx.xxx , I assume I'll have to prove this IP was really associated to my computer/device at the time I visited your site. So IP removal by itself might be something extremely rare (but possible).

But, starting May 25th (or earlier, if you can), you have to inform your visitors which information you are collecting, why, and with whom you'll share them. And in theory, you should have to obtain the consent from each visit to achieve this (especially the sharing with third parts). For example, I visit your site, I know that your server will certainly record and store my IP address, which is okay, but I don't know that you are sharing this information with others , and I don't know what these others will do with this information, may be they'll share it too, etc, etc...

So yes, it's a headache, ... now , we are talking about situation which "might" be a bit extreme, but it's good to keep them in mind, and work around them. the EU GDPR introduces the ideas of "privacy by design",all you are developing needs to focus on how data are collected and used.

I don't think we should jump to conclusions about IP addresses. On their own they probably don't constitute personal information in the hands of anyone who cannot easily identify an individual from them, as they would in that case be examples of pseudonymisation (see GDPR Definitions, Article 4, paragraphs 1 and 5, [gdpr-info.eu ]).

However, a further test is introduced in Recital 26 ([ico.org.uk ], page 10), which is what would have applied in the CJEU ruling in October 2016. In the case of data like IP addresses:

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.

The CJEU ruling addressed a case in which BRD (the Federal Republic of Germany), the respondents, were in a position to compel the plaintiff's ISP to disclose his identity, so in their hands his IP address - even though in his case it was dynamically assigned - constituted personal information.

How this would be interpreted in a GDPR case where a respondent or defendant couldn't identify an individual from their IP address without other information they didn't have and couldn't get isn't absolutely clear - I agree with Shaddows that a lot of points like this will have to be tested in the courts - but I don't think we have to assume we're all going to receive 20-million Euro fines for logging IP addresses.

Where an IP address forms part of an individual's record (or can easily be connected with an individual), I think it clearly becomes an item of personal information. Examples would include the use of web forms or login pages, where the IP address is recorded alongside other personal information. In that case, you would have to inform the individual (a boilerplate T&C page would almost certainly be enough) that their IP address is included in the information you have about them, why you need it, and how you will use it.

However, rules on disclosure - you have to keep personal information secure - would prevent you from telling an unidentified caller which IP addresses you have, or deleting a record that was not personal to them: they would have to give you personal information before you could know an IP address was theirs.

Even where someone whose identitiy you can confirm has asked you to delete a record that includes their IP address, I'm not sure you would also need to delete other isolated instances of the IP address - in server logs, for example - that could no longer be connected with them (again, see pseudonymisation, Article 4 paragraph 5 in the first link above).

All of us who run a business need to know who our customers are for at least long enough to process payment and post the goods. In the UK you probably need to keep a record of who they are for at least five years, as without it HMRC cannot carry out a full audit. The next time a customer calls me and asks me to delete my record of them will be the first time it has happened to me in over thirty years of trading, so I'm not going to lose much sleep over the possibility. My expectation is that the main casualties of GDPR will be the main culprits (and social media, Google and Bing are probably top of the list).

Additional information to think about :

The Court of Justice of the European Union has held that IP addresses are "personal data" in certain circumstances.
[whitecase.com...]

@Travis

That link gives a summary of the CJEU case to which I referred. The point is that "in certain circumstances" in that case meant when:

1. there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
2. the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.

Earlier cases (and ICO guidelines in the UK) haven't taken that view, but I think it is safe to assume that where you can easily link an IP address to an individual (like when your from mailer append the user IP address to the personal information on the form) the courts will in future take the view that an IP address is personal information in those circumstances.

This is Yahoo's (Oath's) offering today: [policies.oath.com ]

Note that they are assuming - wrongly - that they have implied consent to associate tracked activity with users.

Note that they are assuming - wrongly - that they have implied consent to associate tracked activity with users.

Big Internet companies are still playing cat and mouse. They release changes to "prove" that they are taking in consideration the GDPR and adapting their terms and behaviors to be compliant. Then, they'll wait for the EU to come after them about such or such point, so they'll claim they'll review it, then they'll explain they did what they "understood" from the text, and argue around the meaning of such or such thing, the EU will insist, and like that things will last for years,... and eventually at the end, they'll apologize for their misunderstanding of the text, claim this was not intentional and that they will make changes.... whereas the part about explicit consent is very clear and simple.

Important update for AdSense publishers: [searchenginejournal.com...]

Also, is this line "We don’t store personal information except the IP address on our servers" okay in privacy policy page?

Important update for AdSense publishers: [searchenginejournal.com...]

Lot of non European articles, seem to confuse "consent" and "information" :)

Also, is this line "We don’t store personal information except the IP address on our servers" okay in privacy policy page?

You can do anything you want, as long as you inform the users. So eventually, you might tell why you are storing the IP.

[edited by: Travis at 12:05 pm (utc) on Apr 27, 2018]

You need to state what you use it for. And that is not watertight phrasing (you could be saving personal information somewhere other than your servers, which is not what you meant).

"The only personal information we store is your IP address in order to make the site function" should be ok.

I run a couple of tiny websites that use Google Analytics and Google Adsense. I'm a little freaked out by the upcoming deadline. I had hoped that Google would have been more proactive. But even their latest email with a link to a tool to help us with consent leads to a page that says it has nothing there. I had hoped that Google would have a simple step by step by this point to help us out instead of letting us hang.

Worst case, I guess I can turn off Google Analytics and Adsense until this shakes out. A couple of other questions I have is about things I don't have any control over. I use shared hosting and thus do not control the webserver. Webservers log IP address. Is that something I have to worry about even though I can't do anything about it? Forum software uses cookies in order to function. Even for people that don't have an account, it has cookies. Do I have to get consent for these cookies? I wouldn't even know how to keep track of these consents let alone be able to handle requests from anonymous people asking me to clear their data.

about things I don't have any control over

In your case, this shouldn't be a big deal, but just as a reminder, the publisher of a site is responsible of everything related to his site. so even things you do not have "control over". it's up to the publisher to have control over everything related to his site. but as I said, in your case, this shouldn't be a problem, but still it's not fully compliant as, your webhost collects IP addresses from EU visitors, so it's like if YOU are sharing with a third part (and outside the european union), personal data. But I wouldn't bother too much with this.

Do I have to get consent for these cookies?

if it's just the forum software, you don't need an explicit consent, but you should have a cookie banner to inform EU visitors.

However, about the forum, it rises other kind of concerns. you store the email address, which is personal data. Also, "in theory", you shouldn't let other admin or moderator see this email address and the IP Address of posters. In theory, at the moment someone registers at your forum or post a message, if you allow anonymous posting, you should obtain the explicit consent for storing their email address, AND about the fact that others than you (if you have other admin/moderators) accessing these personal data. By explicit consent, it means a check box, which is NOT checked by default.

A couple of other questions I have is about things I don't have any control over.

GDPR applies to data controllers and processors.

If you have no control over it and are not yourself processing the data then GDPR does not apply to you.

Do I have to get consent for these cookies?

If the cookies are or can be used to identify individuals then they are subject to GDPR. Cookies that are are purely functional and do not contain PII are not subject to GDPR.

Consent is required if there is no other lawful basis for data processing (see [gdpr-info.eu ]). Being able to identify forum members is probably a legitimate interest (1. f.), but collecting PII from casual visitors to a forum page almost certainly isn't. If you are in effect the forum controller, then you need to know what your cookies do, and ensure that their use is GDPR compliant.

Personally, my interpretation is that server logs belong to website as a Controller, and the hosting company is collecting them as a Processor. If you do not have access to the logs, then you have not set up your contracts in a way that is GDPR compliant.

Which is probably not a problem if you are a publisher, but is a problem if you can tie PII to IPs elsewhere within your company.

See also this thread:
[webmasterworld.com...]