I just would like to add.

If enabling interested based ads (for EU visitors) or not, both results in needing to obtain an "explicit" consent, then why would Adsense have bothered offering the option to disable interested based ads for EU visitors? If all ends in obtaining an explicit consent, then Adsense would not have created the option, and instead would have said: publishers need to ask EU visitors if they accept 1-cookies, 2-personalized ads, 3-or not and then pass the answer to adsense to select what to serve or not. Or, if the explicit consent was mandatory, then Adsense would have proposed an option where they ask for it, themselves, instead of leaving publishers obtain it, considering that lot of publishers are not coders...

BTW my humble prediction.. this EU law will be modified for sure.. this should be implemented at the browser level not server side! Imagine the pop-ups galore when EU visitors visit multiple sites! That too on mobile..

You need explicit consent even when serving non-personalized ads

[edited by: SpookyFairy at 5:52 pm (utc) on May 9, 2018]

You need explicit consent even when serving non-personalized ads. I Checked with support.

Okay, if you say so. So forget all my previous posts, may be a moderator can delete them, for not misleading future readers.

@travis I removed that part because this is also interpretation of what I've read. IF you want to discuss it privately message me. So from my understanding, I can't just use non-personalized ads and not get consent. I am not a representative, not an official nor a person who is fully qualified to give an answer. I am like you trying to make up my mind about the best solution with the minimum impact on revenue and user experience.

II am quite surprised that things are so unclear and aren't written ins a very easy-to-understand form so we won't need to discuss this so much.

I'm inclined to agree with @Travis but I am not a legal eagle either. However why not just switch all ads off for a few days as I suggested? In that way you will definitely have no problems and you can assess what others are doing and perhaps "borrow" the best ideas. TBH if your business can't run for a few days without revenue it is probably time to move on anyway.

@bgweb I prefer not take business suggestions from you as I don't know who you are and what are your intents. Regarding turning ads off, I intend use cookiebot so all my sites will be GDPR ready, I am just thinking of different alternatives that has less negative impact on user experience and revenue. I'm sure I am not the only one with that thought. I will share more information as soon as I have more information.

Guys check out this Google Adsense website help page:

[support.google.com...]

====
Non-personalized ads are targeted using contextual information rather than the past behavior of a user. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply.
====

So even for non-personalized ads consent is required.

This from the (UK enforcer) ICO:

"Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do."

[ico.org.uk...]

@born2run, that's been mentioned a few times on this thread.

Which is why I'll probably use the standard cookie message. With something like a 'That's fine' / 'Ok, got it' button. They're then accepting what I've just told them.

"Consent does not necessarily have to be explicit consent. However, consent must be given by a clear positive action. You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website. To ensure that consent is freely given, users should be able to disable cookies, and you should make this easy to do."

A more info button to a privacy policy can include a bit on how people can disable and delete cookies.

steviec79 say if the user doesn't want to set cookies for non-personalized adsense ads.. what action would the code have to do so that adsense ads are displayed accordingly?

A more info button to a privacy policy can include a bit on how people can disable and delete cookies.

That would be my view too, however to repeat:

1) I'm NOT a legal expert
2) My example was UK specific and enforcers in other EU countries may interpret differently

You enter a site and get at least 2 annoying popup messages asking for consent. You then go to another website and the same thing happens.

It'll make browsing the Internet a complete pain in the backside.

This is exactly why I find what they are asking completely nonsensical.

Because remember, what you mentioned is per browser so if at some stage I change my browser, I would have to do the process all over again.

In a perfect world there would be only ONE website per advertising network and those settings are then applied to all publisher website using that particular advertising network. But asking the user to opt-in wherever he goes is insane.

It's already a pain the cookie banner you have to close with each website you visit, let alone.

This from the (UK enforcer) ICO:

The same website says "Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent." here:

[ico.org.uk...]

Google had years to implement an inbuilt consent for their adsense for publishers and what have they done?

Thrown the publishers under the bus..."Your problem, you deal with it" kind of approach...

Surely they could have given an option as simple as 'No ads for any EU visitor' so we can use a default.

The web is becoming less about content, more about the EU trying to micro-manage it.

Just came across this one, I wonder if this can work?

[preview.ibb.co...]

For those worried about requiring explicit consent for all cookies, why only now? The law has been around for years, if it does apply this way, you and the vast majority of websites are in violation already.

What do Google themselves do? All I see is a popup with "remind me later" and "review now". There are options to disable use of data, though these default to on. So for the pre-existing cookie law, they're not interpretting use of their cookies (see [policies.google.com...] for a full list) to require explicit consent. Some of this will have to change of May 25 (since explicit consent is required for personalised cookies). Now who knows, perhaps they'll use the opportunity to change how they get consent for all cookies. Maybe on May 25 I'll see a big modal popup on Google's sites that requires my explicit consent. Though I'm not aware of any legal basis for that.

Google's Cookie Choices site has been around since around 2014. I note that this site also only displays an info banner, which "See details" and "OK", and doesn't even allow an opt out, so if that's not good enough for Google, they're not following their own recommendations!

this is a horrid mess!

The pre-existing law is indeed a horrid mess, though there's years of debate on this, and we can see what's happened both in terms of what websites do, and what enforcement there is (by countries or by Google). (In contrast to the GDPR which would cover personalised ads, and is new.)

For example, an interesting case is [webmasterworld.com...] from 2017 where some people were warned by Google about having no "consent" for cookies - however it seems like they weren't displaying any info at all, and people's responses suggested that they fixed this by displaying messages - no one said they had to implement a request for explicit consent before using any cookies.

In an older thread from 2015, there was confusion and discussion about whether consent had to be explicit: [webmasterworld.com...] . So yes, I'm not denying there isn't confusion over what kind of "consent" is required for use of even non-personalised cookies, but it's been around for years.

The same website says "Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent." here:

But that's talking about the GDPR, not the pre-existing cookie law. Yes, explicit consent is needed for personalised ads when the GDPR comes into force.

There seems to be so much confusion on this and occasionally misinformation being given too. I've been clarifying my own thoughts on GDPR and Adsense this evening and thought it might be helpful to share them here. This is a long post.

I'm definitely not an expert but I did watch an Adsense webinar on GDPR last week and I've been following this closely, being UK based. This is how I understand it.

Remember it is all about DATA.


~ PERSONALISED ADS ~

We cannot show personalised ads to EU visitors without their consent. Before we get their consent we must tell them exactly how their data will be used and by whom (which could be a link to a long list). Before we can tell them how their data will be used, we have to find out how it will be used from the "processors" of the data. There are many different companies providing those ads and processing that data - the advertisers, the ad-tech companies, the ad exchanges etc. According to GDPR we have to have a written contract with every processor of data that we provide [which I don't think has been discussed here yet].

If we can meet all those requirements, we have to keep watch to be very sure that the "processors" are using the data in the way we have specified they are - because we as the "controllers of data" are responsible. The buck stops with us.

Even if we manage to jump over all these hurdles, it is very unlikely that visitors are going to consent to personalised ads when they are given an easy option to opt out. If they opt out of personalised ads, we have to find a way to show them non-personalised ads and make it clear to them that we will still be using some cookies, and get their consent to that.

NIGHTMARE.

Therefore it is MUCH EASIER AND SAFER to

A) show only non-personalised ads to EU visitors

B) show no ads to EU visitors (running Adsense through DFP perhaps)

C) if outside the EU, block EU visitors

D) stop running ads entirely.


~ NON-PERSONALISED ADS ~

Adsense has now given us the option to show only non-personalised ads to EU visitors. Yippee. You can find this under All My Sites.

But it's still not easy.

If you ask Google to show non-personalised ads to EU visitors, you still have to get visitors' consent because there are still cookies involved and where there are cookies there is DATA. Google says "Cookies will be used for frequency capping, aggregated ad reporting, and to combat fraud and abuse".

Now, some people are arguing that using cookies for frequency capping, aggregated ad reporting and to combat fraud and abuse doesn't require "consent" according to the GDPR, because it can be covered by another GDPR provision, "legitimate interest". In the Adsense webinar, the response was to "GET LEGAL ADVICE".

Most people seem to think that consent is required. (Note I'm not giving an opinion here).

Getting consent will look very much like the cookie consent pop-up we have been seeing for a few years now, EXCEPT THAT we must now specify exactly how we are using data (all uses), provide easy access to our Privacy Policy, confirm that we are complying with GDPR and so are all the "processors" that will have access to the data etc. And the visitor must TICK YES to give EXPLICIT consent rather than continue browsing to give IMPLICIT consent. If they do not tick yes, we cannot use the data, so we must not show them advertising. If they tick yes we must record that and keep it. If they tick yes and later change their minds, we must be able to tell them what data we have on them and delete it at request. We must provide them with a simple way to change their minds.

[It is worth noting that if there are any other personally-identifying cookies on the website (eg Analytics) you might still have to show the explicit consent pop-up, and get consent for each type of cookie. Tick yes to consent to cookies for advertising, tick yes to consent to cookies for analytics, tick yes to consent to cookies for the social plugins and so on...]

These requirements may be possible through cookiebot, civicuk or some other service, configured (if possible) to turn off Adsense completely if necessary.

I haven't entirely made up my mind what I will be doing from 25th May, but it is likely to be A, B or D.

I haven't entirely made up my mind what I will be doing from 25th May, but it is likely to be A, B or D.

The decision I have taken is to remove Google Analytics and Adsense completely from my website, using adverts from another network publisher and not showing ads to EU citizens.

I'm yet to figure out how to do the last part though.

I have taken is to remove Google Analytics and Adsense completely from my website, using adverts from another network publisher and not showing ads to EU citizens.

Why do you remove Adsense, to replace it by another network, if this is to stop showing ads to EU citizens? And is this other network more GDPR compliant than Adsense?

I think iubenda has a good solutino and they are much cheaper than cookiebot

[iubenda.com...]

Why do you remove Adsense, to replace it by another network, if this is to stop showing ads to EU citizens? And is this other network more GDPR compliant than Adsense?

Of the two the other network is more profitable, I'm in talks with them to understand how they are tackling GDPR, hopefully they don't need a Legal Entity and a Data Protection Officer like Google.

At this stage my intention is:

1) Switch to AdSense contextual
2) Build and deploy an enhanced cookie banner (based around Silktide possibly)
3) Do the same with Taboola. I'm talking to them about how that is achieved and have been told they will respect the IAB framework. I'm trying to determine whether there is a simple on/off switch that can be applied to their tags
4) Encrypt storage of all user data on the site (e.g. em addresses for newsletter, comments sections)
5) Request a positive action from existing em newsletter subscribers and introduce a new process for future ones
6) Document, document, document!

On day 1 I will see what the big UK publishers are doing. If they're going down the explicit consent route for ALL ads I will build and deploy a similar solution (if necessary switching off ads in the interim period whilst I develop). If they're requesting explicit consent for personalised ads only (and keeping a cookie banner for the rest) I will look to implement a "best of breed" solution based as quickly as possible.

The basis for my actions are what the ICO commissioner has said:

She added that she accepted that some companies will need time to become fully compliant.
"The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime," she added.
"Do they have a commitment to the regime?
"We're not going to be looking at perfection, we're going to be looking for commitment."

[bbc.co.uk...]

[edited by: bgweb at 8:27 am (utc) on May 10, 2018]

@bgweb That sounds like good action plan. If you use Analytics (or similar) do you consider that your action plan covers the data that they collect?

I am considering turning off Analytics because I have no understanding of what data they collect and how they use it. I just know that they do collect masses of data and assume they use it beyond providing reports for me.

I would disagree that ad serving needs to be turned off on May 25th if development of a solution for explicit consent for ALL ads is required. No-one, not even G, is going to hit small to medium websites who don't comply fully for a week or so?

@nomis5 wrt Google Analytics my current intention is to:
1) use the anonymise data option
2) ensure personalised data is not passed in the url when a user clicks a link. For example, encrypt or only pass the outer part of a postcode

Contextual ads and a modified cookie consent banner for me. Will take it from there.

Anything more extreme than this will be the end of my business model... Yes, I know I shouldn't have put all my eggs in the Adsense basket, but I've spent the last 10 years trying to find an alternative and nothing has come close yet...

@surfgatinho, that is exactly what I am doing, as well as rewriting privacy policy to mention GDPR and user options (in part to show, as mentioned above, an understanding of and effort to comply with the new rules) and yesterday I added ip anonymize option to google analytics (which I also mentioned in the privacy policy).
I will only take more extreme measures (explicit consent) if there is literally no other choice. By that stage half the internet will have closed down anyway!

4) Encrypt storage of all user data on the site (e.g. em addresses for newsletter, comments sections)

Websites can self-certify at Privacy Shield [privacyshield.gov] and be fully compliant with GDPR for data storage.

I think iubenda has a good solutino and they are much cheaper than cookiebot

I guess it depends what "with some limitations" means.