@surfgatinho My site is based in the US, but of course it can be accessed by anyone on the planet with an internet connection. So yes, you're correct. Even a site like mine in the US has to comply with the GDPR. Now, would they actually come after me for 4% of my measly earnings instead of going after big sites that rake in millions? I doubt it.

How would they even know what my earnings are? Is Google going to provide them with that information, or is that in itself not a violation of privacy?

@cralamarre you made me laugh, but so true.

Yes, we US-based sites are supposed to comply if we receive any EU visitors.

If Google sends out mass shut down notices on May 25 - which is just not going to happen - then ad-monetized websites will start to disappear, and people will want to know where their favorite little cooking site or travel site went. There will be a backlash. People won't opt into cookies if they can browse a site without doing so, but they'll also start to realize that without cookies, a lot of sites will no longer exist. There will be economic repercussions, too, as websites shut down and jobs disappear.

And the EU is going to come after small sites, ruining the livelihood of mom and pop shops who don't have teams of lawyers and developers? Doubtful. The EU is after the big players who lose tons of user data and then don't tell anyone for months.

[edited by: ember at 5:30 pm (utc) on May 10, 2018]

Here is another (slightly more positive) thought:

Whilst it might be prohibited to save user data without consent, surely it would be OK to read this data if consent was given to do so elsewhere.
So (in the unlikely event), a user has given consent to run interest based ads somewhere else, any stored data would be accessible for other Adsense publishers to at least display an interest based ad.

@ember - as long as it isn't me who goes belly up before the backlash!

@surfgatinho Actually, if they came after me, I was going to give them your name and tell them to go after you first.

Just kidding. Maybe. Probably. Who knows. :)

Now, would they actually come after me for 4% of my measly earnings instead of going after big sites that rake in millions? I doubt it.

The fine is up to 4% OR up to 20 millions euros based on what is the higher. If you make $100, the EU has the right to fine you $10.000 if they want.

How would they even know what my earnings are? Is Google going to provide them with that information, or is that in itself not a violation of privacy?

No, it's the US IRS which will provide your tax declaration to the EU.

then ad-monetized websites will start to disappear,

There is not only Adsense. In my case, Adsense represents 10% of my earnings. The remaining comes from affiliate programs.

For EU businesses, the easier remains to write to your local regulator , and simply expose the situation of Adsense, their cookies and so on, and they'll tell you what to do, you keep their answer, and you are safe. For non EU Business, write to the UK ICO.

And in all events, in a near future, this will be handled at the level of the web browsers themselves.

There is a big difference between what can happen and what will happen.

Here's what I'm doing.

1. I'll stop showing personalised ads to EU through AdSense and I'll track few web forums like this one to see what others are doing, browse around a bit and see what other sites are doing. I suspect strongly I'll be turning those personalised ads back on within 7 days.

2. I've prepared a big gdpr.html page in which I talk about what we are doing in regard to personally identifiable information, I'm adding a checkbox to our membership section being bit more explicit about how we use email addresses and getting consent for that.

3. I was going to wait until the summer to switch over to https, probably get it done in the next couple of weeks - although even on that, might hold off.

In short, I'm doing the absolute minimum with a view to going back on even some of that. Everyone has their own decision to make but after what happened with the EU Cookie Law (which I never implemented at all), I'm going to wait and see, especially as the UK ICO (who I would deal with in the event of a problem) seem pretty laid back about it.

Google, as others have said, are doing the classic Google "oh well, we told them!" move. They are not about to shut down swathes of good earning websites. Worst case scenario, you'll get some emails sent out saying "right, you really need to do this".

If some people's vision of GDPR comes true, you'll end up with the EU internet totally decimated and tens of thousands of websites gradually disappearing behind paywalls - or closing! Then, yes, there would be a backlash. That's why I really don't think that is the intention of the GDPR and I also believe the sites/companies in the crosshairs are not sites with a few thousands visitors a day sending out monthly newsletters (which covers most of us on here). If we were the target, then the EU would be placing the very essence of the internet in the crosshairs and nothing I have seen makes me think that is the case. They are after the big data abusers and I for one think that's actually a grand scheme.

Hey, everybody. Long time reader, first time poster. Wanted to share my thoughts on all this. Fair warning: This is just another long opinion.

Now, as a U.S. citizen with a relatively small website that runs Adsense, I'm mostly just concerned about Google's policies and how they want us to treat non-personalized ads for EU users. So...

Looking at Google's updated EU user consent policy, it's actually not much different in practice from the original. They haven't really changed much, they've just added a few details. In fact, they've always "required" consent for cookies for EU users.

The majority of what's been added is about what happens after you've been granted consent (if you must seek it) under GDPR, i.e. retaining records and allowing revocation of consent. They've also added the bit about consent for cookies and local storage "where legally required" (meaning that not all cookie types require explicit and prior consent under the GDPR, only ones containing personally identifiable information, or PII).

Now, things get particularly murky when you look at how Google displays their options for personalized and non-personalized ads for EU visitors.

If you go into your Adsense account, Allow & Block ads, All My Sites, and then the EU user consent tab, it gives you two options: Personalized or non-personalized ads. If you click personalized ads, it gives you the option to select ad technology providers. Under this, it says the following:

"Under the Google EU User Consent Policy, you must identify each ad technology provider that receives end users' personal data as a consequence of your use of a Google product and provide information about the use of that data. Ad technology providers (including Google and other ad networks and vendors) use data about your users, for example, to show them personalized ads or to report on conversions."

Then, it asks you to "follow the instructions to set up consent gathering," with a link to a page explaining how to do that. This is all in line with what they say in their new EU User Consent Policy. They spell it out clearly, and link directly to implementation resources.

However, if you click the non-personalized ads option, it says none of this. It simply states, "Google will show only non-personalized ads to users in the EEA. You are required to obtain your users' consent to the use of cookies for this purpose." It then provides a link right back to the new EU User Consent Policy, and that's it. It says nothing about non-personalized ads using "data about your users" or needing to "identify each ad technology provider." It also ends with "where applicable."

Uh, what?

Now here's my problem: If the cookies for non-personalized ads contain PII and therefore fall under the GDPR, why would Google add "where applicable" here? More importantly, why is the other information missing? Why is the "follow the instructions to set up consent gathering" link present under the personalized ads option, but not the non-personalized ads option? What is the real distinction between these two options, if not the presence (or absence) of personally identifiable information as defined under the GDPR?

If you click the link to "Learn more" under the non-personalized ads option, it'll take you to Google's support page titled "Comply with EU user consent policy." This is where Google states that non-personalized ads still use certain cookies for "frequency capping, aggregated ad reporting, and to combat fraud and abuse." These are, as far as I know, technical cookies required for the actual function of the ads and the Adsense service. The ads themselves are "based on contextual information rather than the past behavior of a user." They don't use cookies for ads personalization. Does this mean they don't contain PII? Google should clarify.

It goes on to state, "Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply."

Now wait just a second. This is another big hang up for me. I thought we were talking about the GDPR, which covers ALL EU users, or data subjects, in ALL EU member countries and beyond. Now they're saying consent for non-personalized ads is only required "from users in countries to which the EU ePrivacy Directive’s cookie provisions apply." This is an entirely different thing!

It's my understanding that the EU ePrivacy Directive is not the GDPR, but rather the previously enacted (and soon to be updated) so-called EU cookie consent law, which the original Google EU User Consent Policy covered. Google also mentions the EU ePrivacy Directive at the top of the EU user consent tab in the Adsense UI. However, it would make no sense for Google to mention it in relation to the new options, and specifically the non-personalized ads option, if non-personalized ads also fell under the GDPR.

There seems to be a distinction here. Maybe. Personalized ads = GDPR, non-personalized ads = ePrivacy Directive? Who knows?

Put another way, if the cookies used for non-personalized ads contained personally identifiable information, then there would be no distinction between personalized ads and non-personalized ads at all. Therefore, non-personalized ads would 100% be covered by GDPR rules, and the ePrivacy Directive wouldn't be mentioned. The two options would be pretty much identical, and thus pointless.

It's all a confusing mess, that's for sure. It would be immensely helpful if Google would clarify whether or not cookies for non-personalized ads contain any PII at all, or even give us the option to simply not serve ads to EU users and move on with our lives.

Anyway, I'm not a lawyer, and I'm not giving advice here, just pointing some things out. But I don't think even lawyers know what's really going on, or what will happen. I'll be very curious to see what other websites do come May 25.

[edited by: BoredMeteor at 9:20 pm (utc) on May 10, 2018]

People with WordPress, don't forget to contact your theme and plugin developers about GDPR. It's better to remove any outdated theme and plugins!

And WordPress 4.9.6 Beta 1 comes with GDPR tools [wptavern.com...]

I'm surprised adsense doesn't have code to set to not display ads if EU user doesn't grant consent.

I"m still looking for a suitable script to do this consent popup. Adsense should have supplied this code within the tags itself. Unfortunately this has been thrust upon us publishers. Now I have to worry about all adsense ads not displaying if consent is not given by EU user myself.

So far i can see many of us will go for non-personalized ads for EU because of implicit consent.

Quote:
vegasrick: "For non-personalized ads, the eprivacy directive applies - where you have to obtain consent. For personalized ads, GDPR applies and you have to obtain "explicit" consent - big difference. The eprivacy directive can use implied consent with the whole "if you continue to use this website, that means you agree" - where with GDPR for personalized ads, the user has to make a choice one way or the other or be given a very easy way to opt out."

Then we need just to update privacy policy with choices to opt-out / opt-in linking to
[policies.google.com...]
[google.com...]
[youronlinechoices.com...]

where visitor can make its own choice.

With nearly 2 billion websites out there, I wonder how the GDPR agencies are going to keep track of everything. I can see them focusing on the big sites, but do they even know that most of our smaller sites exist? I suppose (and I'm just talking out loud here) that the GDPR police, or whatever you call them, will need to rely a lot on complaints they receive from users.

Vegasrick wrote:

>>>
The eprivacy directive can use implied consent with the whole "if you continue to use this website, that means you agree"
<<<

However, even if this was correct, of which I am absolutetely not convinced (please note that each single EU country may have a different view on that issue, and some countries, like Germany, even several due to the federal law that gives its states the lead on data protection).

1) the cookie agreement needs to be changed, because consent has to be given, BEFORE a cookie is being set - meaning switching to a modal cookie notification

and

2) the consent has to be documented. This means, you have to put the consent into a database of who when gave the consent for what.

3) Not to forget, that consents can be revoked and deletion requests are allowed at ANY moment. This means that you have, on every single page of the website, a button that leads to a revocation/deletion option.

Problems can occur when you do not follow the GDPR could come from various directions:

a) From the ad serving company (eg. Adsense)
b) From national data protection entities (of EU countries)
c) From competitors (accusing you to break the law)
d) From consumer organisations and lawyers (letting you sign a compliance declaration, which costs money eg. in Germany)

In this regard, if will need a different approach for publishers in different EU countries - what will work in one country does not have to work in the next (see eg. exemptions for Austrian publishers in place already).

And one other thing, that has not been discussed throughly is the situation when you do not operate your servers by yourself. In this case, you need a written contract with the hosting company and this hosting company needs to be in compliance with the GDPR or, for some countries, a specific compliance policy.

What I see coming that most of the small/middle publishers will go under (financially) which benefits the bigger ones that have revenues allowing them to approach the GDPR with legal supervision. And, yes, the law has, of course, been influenced by lobbyist ... which stem usually from the "bigger" companies.

Oh well...

>>>
LOL, all month I am just working on this GDPR thingy It's insane how unclear all that information is and they want us to have a clear privacy policy :)
<<<

Well, even the data protection offices in some EU contries have said meanwhile that they will be unable to monitor the whole thing unless they receive a whole lot more money and can employ a whole lot more employees.

Not to forget ... the GDPR pertains not only to websites, but to eeach and every case where information is being stored. I just had my bike in the repair shop yesterday and was asked to sign a GDPR compliance that allows the shop to telephone call me (if I did not sign it, they would not be allowed to contact me at all). If I write a bill, I have to ask my customer for their consent that I can store the bill with their name on it on my computer - if they decline, I will store it anyway, because another law mandates it, though. However, I will have to encrypt it...

This GDPR is a mighty fine law act - and it will take umpteens of court decisions and many years to figure out, in each and every EU country, how to comply with it even in the most simple cases.

EUmember: "What I see coming that most of the small/middle publishers will go under (financially) which benefits the bigger ones that have revenues allowing them to approach the GDPR with legal supervision. And, yes, the law has, of course, been influenced by lobbyist ... which stem usually from the "bigger" companies."

I really, really don't think this will happen. Maybe within the EU itself, but certainly not outside of it. Something would give long before it ever came to that point, as it would mean changing the face of the Internet forever internationally. And people are so hung up stateside on things like net neutrality and a "free" Internet that the push back would, I think, be immense. I mean, the EU may like to think it has the power to enforce itself in such ways world wide, but...well, we'll see.

I mean, if you're right, so be it. Let the chaos come.

>>>
then ad-monetized websites will start to disappear, and people will want to know where their favorite little cooking site or travel site went.
<<<

Well, it has started already - some german language forums, even some that have operated for 10 and more years, have already closed down or have announced to close down in 2 weeks time.

The forum that I operate (leading market on topic) for 13 years will go down as well (resp. switch to a pure news site) - I simply cannot devote the time involved in monitoring the cookies that might appear in the forum, pictures that are displayed, asking for consent of storage for all former members unless I delete them and everything they posted, making threads in some parts unreadable and answer data information and deletion demands. Sorry - but with all this involved, it simply is, for me, not worth the effort anymore.

On a website of a popular tourist destination city, I will pull the whole photo section, all photos were taken by me, but of the street scenes, I would have to have the consent of each and every person that can be identified. Again, it is not worth the effort to keep the photos up, let alone update them regularly.

Some other, smaller, websites I might turn into non-advertise sites, because the information on them are quite unique - and, for now, wait and see what happens with the GDPR. Maybe once the chance for an adsense type of advertising will reappear, maybe another option presents itself ... or maybe I ultimately have to decide to let them die as well.

I am certainly not a big fish in the pond, with 100k-200k visitors per month, but I assume there are quite a few publishers smaller than me which will decide now to shut the doors. And it will not make the web "cleaner" - just slicker and less deep, with quite a lot of information on niches disappearing. And this will contribute to the decreasing of the "old" internet of which I am a part for more than 20 years ... and the growth of the new "businessnet".

Just my 2cts...

>>>
Maybe within the EU itself, but certainly not outside of it.
<<<

Yes, sorry, I forgot to explicitly write that. Many small/medium sites that have most of their visitors from the EU will go under, that is what I meant.

If someone has a small website on how to knit sweaters, and the site on how to knit sweaters isn't GDPR compliant as of May 25 because the sweet old lady who runs the site doesn't know anything about it, I highly doubt that grandma is going to GDPR jail. There will be big sites with blatant disregard for user privacy that will be targeted (I'm looking at you, Facebook), but I just can't see them going after the online equivalent of lemonade stands. There's nothing to gain by making examples of small fish.

I highly doubt that grandma is going to GDPR jail... I just can't see them going after the online equivalent of lemonade stands. There's nothing to gain by making examples of small fish.

@Cralamarre - no, but this discussion is about Adsense. Google may very well close your Adsense account if you, I mean your Grandma, violates the GDPR since they don't want to be liable for publishing ads on your, I mean your Grandma's, site.

>>>
There's nothing to gain by making examples of small fish.
<<<

Well, if you and the server are based outside the EU, there is nothing they can do anyway. Some countries will not even respond to a request to reveal the address of an owner of a website/server. Outside of the EU, you will only be harmed if you conduct business with EU citizens and/or if you have eg. adsense type advertises on your website (and then not by the EU, but by eg. Google).

In the EU, however, it is a different theatre. Competitors will quite fast accuse you of not being compliant with the GDPR ... and in this case, the data protection agency needs to act. You know how things work with greed amongst people, and even more if there is a chance to inflict costs on the competitor.

And, as I mentioned above, in some countries, like Germany, there is another problem: Lawyers will write you and tell you that your website is not following the law - they will offer you the option to pay a fine and sign a compliance declaration/indiction ... or take the issue to court (where you will loose, because you are not compliant).

Please note that, in some countries of the EU, you have to have an imprint on the website, so it is easy for a lawyer or agency to go there after you, it costs them just a stamp and a piece of paper. We have seen quite some of such activity in past years, when even one element of the imprint was not exactly as the law required it.

Nope, NOBODY in the EU will be safe - not even the old lady.

Ummm ... not exactly, because some will be, the big ones, the ones this law was made for to prevent them from doing what they will continue to do, by simply using some tricks and some lobbying. I also suspect that this might be the entrance into smaller and bigger paywall strategies, like what Google is doing with the founding project.

Yes, sorry, I think I got a little ahead of myself there and forgot we're talking only about AdSense. I think it's fairly easy for grandma to meet the AdSense requirements for the GDPR. I was thinking more about the rest of it, like if grandma has a comments section, or a members section, things like that. And for the record, grandma, in this case, is a fictional character. :)

It's weird, I'm in Canada, my web host is in the US, and yet I'm worried about laws in the EU. Things were much simpler in grandma's day.

I am agree with what keyplyr and EUmember comments.

I mentioned it weeks ago, Adsense will not bother getting ride of publishers, and in fact, it can be an excuse to purge the low quality publishers from Adsense.

And it's not only about the EU going after a website, it can be any of the 500 millions EU citizens going after anyone for any reason, rational or not. Do not underestimate what a single individual can do.

Remember advertisers will still want to advertise and the budget will need spending. As I said before it may be a good thing for everyone (non EU citizens / publishers too) if this forces a rethink and leads to smarter and more meaningful advertising on the web. Regulation can stymie but it can also encourage innovation. I'm seeing this from a glass half full rather than half empty perspective.

Why would a EU citizen go after a small site? Is there any reward for reporting such sites? :/

Why would a EU citizen go after a small site? Is there any reward for reporting such sites? :/

I have some competitors who I would love to shop. Sites that have been publically (EU!) funded and have basically used my ideas (and actual content on one occasion).
Believe me, it would be very rewarding to report them!

And I'm sure there are others who feel the same way about some of my sites...

Here's what the UK ICO is saying: [iconewsblog.org.uk ]

Long story short, they will only fine in the most extreme cases and only after trying to force compliance in umpteen different ways. They currently fine in 0.1% of cases.

Why anyone would pre-emptively close their website business due to GDPR is beyond me.
People need to sit down and take a deep breath.

I read similar over-reactions years ago on the EU Cookie law and it was mostly a lot of hot air about nothing, with thousands of sites getting implicit consent for cookies they had absolutely no need to worry about.

Please don't do anything hasty.

Why would a EU citizen go after a small site? Is there any reward for reporting such sites? :/

surfgatinho gave a good example.

Additionally, I would say, look at how hateful people are (especially on social networks), even when there are not reasons. The Internet gave this power. So, for no rational reason, someone might not like you , and decides to cause you troubles. This can be for any reason.

Also, it doesn't matter if at the end you get condemned to a fine or not. This is like if you have a tax audit, even if at the end all is clear, it can still be a stressful moment and cause you lot of troubles.

People need to sit down and take a deep breath

There are lot of trolling too, to scare publishers, and I suspect that this is set up by all these companies, which created services and products "said to make you GDPR compliant"... Here in this topic, I even read "going to jail" ! The 4% or 20 millions fine, is the very-very extreme situation (even if I have no doubt that Facebook, Google, Microsoft) , will end having a significant fine one dayor another, about the GDPR.

Now, what is a real worry, in my opinion, is the behavior of Adsense, they can perfectly decide to kick out small publishers, using the argue of the GDPR compliance. This makes me think, that, yes, the terms of Adsense are made to protect themselves for any further problem, and leave the door opened to blame publishers , but, keep in mind that in EU, terms of service have only a limited legal value, it happens that judges consider terms to be abusive or misleading. In the case of Adsense, if the EU one day, sues them about a GDPR related issue, and if Adsense defends by arguing this is the fault of the publishers, chances are the judge will consider this is not acceptable defense even if it's written in Adsense' TOS.