Not a month goes by that someone doesn't try to sabotage my company listing with Google Business by trying to edit details (business is no longer open, changing business hours, etc) So I have no doubt people will start reporting GDPR discrepancies indiscriminately.

Not a month goes by that someone doesn't try to sabotage my company listing with Google Business by trying to edit details (business is no longer open, changing business hours, etc) So I have no doubt people will start reporting GDPR discrepancies indiscriminately.

Yes, exactly.

By the way, it could be great if @pubpolicycomms could talk with us. His help will be more than appreciated to clear things up and bring more serenity...

Long story short, they will only fine in the most extreme cases and only after trying to force compliance in umpteen different ways. They currently fine in 0.1% of cases.

@ChanandlerBong - as I have pointed out before, it isn't the EU that scares me, but having my Adsense account closed. That said, I'm not going to panic and will be taking a similar approach to you.

>>>
Why would a EU citizen go after a small site? Is there any reward for reporting such sites?
<<<

Of course there is - if a webmaster has to shut down his site because of what he BELIEVES is not his fault, he will do his best to have his (former) competitors having to close theirs too.

Or what about a forum member who has some feud with the forum owner? Now he can easily get back at him. People with a different political view? Politial and gender activists? Privacy activists? ONE of those out of 1000 members of a forum can now easily attack a forum owner (or even website when it has the wrong approach/topic/whatever) very effective unless the forum/website complies 100% with the GDPR - which is, given the current state of affairs, neary impossible.

Here's what the UK ICO is saying

Another problem is that, national regulators are more or less strict. I always heard that Spanish and French regulators are extremely picky and sticks.

>>>
Here's what the UK ICO is saying:
(...)
Why anyone would pre-emptively close their website business due to GDPR is beyond me.
<<<

Well, the UK is not the other 25 EU states and the UK is not part of the EU soon anmyore anyway. For other publishers, it is more relevant what the data protection agency of THEIR country has to say (or not).

In Germany, not long ago: having forgotten to write ONLY the word "supervision authority" into the imprint resulted in payment of 1500€. And there are 100s of lawyers browsing the net constantly for such details (of german companies). So, for German companies/private persons, the risk of having forgotten one single detail of compliance can turn out to be an expensive thing. I can, therefor, easily understand why smaller publishers close down or lie very low in the coming months. And, most probably, each and every EU country has such a "specialty" for their companies/publishers.

Did you know that some data protection agencies require now all website forms to be on https pages? There is even a discussion that any cookie at all requires https protection. How will a site handle children protection? For each and every child (usualy under 18) consent, the parents have to consent as well (and this needs to be documented). Again, I can understand why someone would say "it is not worth the effort".

Yesterday I read in an hobby forum that ran for almost 20 years (german depeche mode forum). The owner, a lawyer(!) wrote: "I am not able to guarantee the full compliance with the GDPR rules, therefore, I will close it down effective 13th May".

Oh well...

And there are 100s of lawyers browsing the net constantly for such details

I bet they receive a percentage of the fine, as payment ...

So, bottom lime I guess, is that if you want a website, or any type of business where there's a computer in the room, don't live in Germany. Which I don't, so I'm good.

Keep in mind that it's not only publishers who benefit from online advertising. It's also the primary way that companies get their products and services out there. No law will ever be passed, for privacy reasons or not, preventing ads from appearing on websites. The web would disappear overnight if that happened, and then we wouldn't need online privacy laws because no one would be online. We'd all be sitting on our couches watching Netflix, assuming we're not homeless and unemployed. So there's no reason to panic about any of this. Just show non-personalized ads to people in the EU, make sure you have a basic cookie consent form in place that people can click "Continue" to agree, and you're good. As I understand it, if you're not showing personalized ads to visitors in the EU, then when it comes to AdSense, the GDPR doesn't apply to you anyway. It's only the existing e-privacy laws, which have required the cookie consent banner for years, that you need to worry about.

>>>
I bet they receive a percentage of the fine, as payment ...
<<<

No, they actually get ALL of it - which is why there are so many lawyers doing it.

It is not really a "fine", it goes like this: The lawyers tells you that you made a mistake and he will go to court where you have to pay dearly. To prevent from that, you may sign a letter telling him you will never do it again and pay a sum to the lawyer for not going to court and his expenses.

>>>
Just show non-personalized ads to people in the EU, make sure you have a basic cookie consent form in place that people can click "Continue" to agree, and you're good.
<<<

This will work from 12:00am to mid-day. The eprivacy update is due next year and it will require the access to the content even without consent for cookies, so one will have to put another system in place in a few months anyway, might as well been done now. Notwithstanding that you live in a country where the data protection agency is of the opinion that you need explicit consent even for non personalized ads (and there are good reasons why this might be case). This is, btw, why Google writes "where it applies", because they are very aware of the differing opinions ... however, in the end it is not theirs, but the publishers responsibility.

GDPR is a headache...

[edited by: MayankParmar at 1:12 pm (utc) on May 11, 2018]

@EUmember, are you sure you're not the Grim Reaper in disguise? I've never seen so much fear talk.

I'm going to do what I can with the information I have and go from there. I'm sure I'll be fine.

Just thinking how to tackle the consent to cookies request:

As we know, all and every cookies will in some way utilize Javascript. Now, what about putting up a modal popup saying: "This site can only be used by accepting cookies. If you do NOT consent to cookies, disable Javascript and refresh the page". Then two options: [About Cookies on this website] [Continue with cookies].

In this way, people can, right away, use the site with cookies - or, and you are giving this option rightfully, they can visit the site without Javascript (and then do not even see any cookie banner at all). This should be superior to the "decline cookies" option, because most people will decline ... but only a few will bother to disable Javascript. For the regulators, you can prove that you promote even the most radical and perfect option of declining cookies PLUS you do not even have to put out a cookie of declining (for which you theoretically need another consent).

If one has a website that requires javascript only for adsense, this might be something worth to think about...

>>>
how is the data protected.
<<<

Indeed, you also need to explain that on your webpage - including what you will do to minimize exposure to breaches and what you will do when a breach happens.

Cralamarre i agree with you.It looks as EUmember works for GDPR :)

It renember me similar discussion 3 years a go when was same doubt if we need explicit or impliciet Cookie pop-up

>>>
I've never seen so much fear talk.
<<<

Hehe, I have no fear at all. All my websites are run by non EU entities with no EU exposure on non EU servers. However, if I am deciding to comply with the GDPR, I will do so with the possibly best compliance (why would I take efforts else?). I will get by with or without adsense, so this is also not an issue - however, if I decide to go along, I will do it, too, with the highest possible compliance. And I certainly do not want to have to change everything again in 6 or 12 months time.

In order to take an informed decision, I am exploring the GDPR and the EU data protection laws and I write here about considerations to be taken and some observations I made. It is absolutely clear to me that each and every publisher has to make his own decision based on where they live, where they have their customers and their possible exposure. There is no one-fits-all solution here.

In this regard, I welcome as many solutions (and what they are based on) as possible and a discussion on best and worst case scenarios.

I have no fear at all. All my websites are run by non EU entities with no EU exposure on non EU servers.

Correct me if I'm wrong but if EU citizens can access your website, and they can, then you have to make the GDPR required changes.

All my websites are run by non EU entities with no EU exposure on non EU servers

So, I can see why you called yourself EUmember then.

Anybody managing to get any proper work done at the moment?! I think this month will be a write off for me.

Today I have built a self-hosted geo-ip lookup and am testing running cookie consent off this. Seems to work so far....
I might do some very unreliable filtering to lighten the lookup load using browser language settings...

It is not really a "fine", it goes like this: The lawyers tells you that you made a mistake and he will go to court where you have to pay dearly. To prevent from that, you may sign a letter telling him you will never do it again and pay a sum to the lawyer for not going to court and his expenses.

Sounds like blackmailing.

I have no fear at all. All my websites are run by non EU entities with no EU exposure on non EU servers.

Correct me if I'm wrong but if EU citizens can access your website, and they can, then you have to make the GDPR required changes.

Since he mentioned "no EU exposure", I guess he means no EU visitors.

I take the opportunity to mention that, regarding the GDPR, storing personal data about EU citizens, outside the EU is not forbidden, but require extra precautions.

>>>
Since he mentioned "no EU exposure", I guess he means no EU visitors.
<<<

No, it means no business with EU citizens and no EU subsidiaries ... and no content that is directed to any EU country.

>>>
storing personal data about EU citizens, outside the EU is not forbidden, but require extra precautions.
<<<

And exactly what will they do about it? Sites that exist only for being read (information/research/etc.), not selling anything and not offering any services ... how can they force those into compliance? :-)

>>>
Sounds like blackmailing.
<<<

Yes, that is how many people in Germany call it - however, it is (mainly) legal, so you can't do anything else than to try to run your websites without exposition to any risk (no wonder quite a few german websites "emigrated").

Is everyone assuming (as I am) that GDPR will have no impact on link units? Might be about time to experiment with swapping a regular unit for a link unit...

This thread is losing its focus. Let's keep the conversation to how the GDPR affects AdSense and what publishers need to do to comply. Are we all in agreement that the easiest course of action, at least for the time being, is to serve only non-personalized ads to EU visitors, and make sure a basic cookie consent banner is in place? Anything else?

No, it means no business with EU citizens and no EU subsidiaries ... and no content that is directed to any EU country.

That doesn't mean that a EU citizen cannot visit your website though and since he can do it, you have to take action.

A basic cookie consent banner is in place? Anything else?

If by basic cookie consent banner you mean the "old" system where you show a bar and "OK" or "I agree", then no, that is not enough:
[cookiebot.com...]

If by basic cookie consent banner you mean the "old" system where you show a bar and "OK" or "I agree", then no, that is not enough:

Oh, well I hate the big banner describing the entire privacy policy. How is that even user friendly? It sucks.

@mike1972 Are you sure about that? As I understand it, non-personalized ads do not use any cookies that can be used to personally identify a user, and therefore fall under the old E-privacy laws requiring only implicit consent (the basic cookie consent banner).

[edited by: Cralamarre at 2:03 pm (utc) on May 11, 2018]

If by basic cookie consent banner you mean the "old" system where you show a bar and "OK" or "I agree", then no, that is not enough:
[cookiebot.com...] /

"All cookies that process personally identifiable data are subject to the new regulations."

Non-tracking cookies, used with non personalized ads do not have personally identifiable data.

On the AdSense website, if you select non-personalized ads, you'll find links to sites like Silktide that offer ways to add the old cookie consent banner to your site. So according to Google, that seems to be enough.

So according to Google, that seems to be enough.

Yes and no. As usual Google is taking great care, with "might" , "should", and ultimately tells you to seek with a lawyer :)

@pubpolicycomms , please help us , after all this is also in the interest of Google that publishers do the right things and continue to generate money.