joined:May 10, 2018
Hey, everybody. Long time reader, first time poster. Wanted to share my thoughts on all this. Fair warning: This is just another long opinion.
Now, as a U.S. citizen with a relatively small website that runs Adsense, I'm mostly just concerned about Google's policies and how they want us to treat non-personalized ads for EU users. So...
Looking at Google's updated EU user consent policy, it's actually not much different in practice from the original. They haven't really changed much, they've just added a few details. In fact, they've always "required" consent for cookies for EU users.
The majority of what's been added is about what happens after you've been granted consent (if you must seek it) under GDPR, i.e. retaining records and allowing revocation of consent. They've also added the bit about consent for cookies and local storage "where legally required" (meaning that not all cookie types require explicit and prior consent under the GDPR, only ones containing personally identifiable information, or PII).
Now, things get particularly murky when you look at how Google displays their options for personalized and non-personalized ads for EU visitors.
If you go into your Adsense account, Allow & Block ads, All My Sites, and then the EU user consent tab, it gives you two options: Personalized or non-personalized ads. If you click personalized ads, it gives you the option to select ad technology providers. Under this, it says the following:
"Under the Google EU User Consent Policy, you must identify each ad technology provider that receives end users' personal data as a consequence of your use of a Google product and provide information about the use of that data. Ad technology providers (including Google and other ad networks and vendors) use data about your users, for example, to show them personalized ads or to report on conversions."
Then, it asks you to "follow the instructions to set up consent gathering," with a link to a page explaining how to do that. This is all in line with what they say in their new EU User Consent Policy. They spell it out clearly, and link directly to implementation resources.
Now here's my problem: If the cookies for non-personalized ads contain PII and therefore fall under the GDPR, why would Google add "where applicable" here? More importantly, why is the other information missing? Why is the "follow the instructions to set up consent gathering" link present under the personalized ads option, but not the non-personalized ads option? What is the real distinction between these two options, if not the presence (or absence) of personally identifiable information as defined under the GDPR?
Now wait just a second. This is another big hang up for me. I thought we were talking about the GDPR, which covers ALL EU users, or data subjects, in ALL EU member countries and beyond. Now they're saying consent for non-personalized ads is only required "from users in countries to which the EU ePrivacy Directive’s cookie provisions apply." This is an entirely different thing!
It's my understanding that the EU ePrivacy Directive is not the GDPR, but rather the previously enacted (and soon to be updated) so-called EU cookie consent law, which the original Google EU User Consent Policy covered. Google also mentions the EU ePrivacy Directive at the top of the EU user consent tab in the Adsense UI. However, it would make no sense for Google to mention it in relation to the new options, and specifically the non-personalized ads option, if non-personalized ads also fell under the GDPR.
There seems to be a distinction here. Maybe. Personalized ads = GDPR, non-personalized ads = ePrivacy Directive? Who knows?
Put another way, if the cookies used for non-personalized ads contained personally identifiable information, then there would be no distinction between personalized ads and non-personalized ads at all. Therefore, non-personalized ads would 100% be covered by GDPR rules, and the ePrivacy Directive wouldn't be mentioned. The two options would be pretty much identical, and thus pointless.
It's all a confusing mess, that's for sure. It would be immensely helpful if Google would clarify whether or not cookies for non-personalized ads contain any PII at all, or even give us the option to simply not serve ads to EU users and move on with our lives.
Anyway, I'm not a lawyer, and I'm not giving advice here, just pointing some things out. But I don't think even lawyers know what's really going on, or what will happen. I'll be very curious to see what other websites do come May 25.
[edited by: BoredMeteor at 9:20 pm (utc) on May 10, 2018]