Why not show the cookie notice to all visitors, no matter where they live?

All I see is talk about what you have to do to not get penalized by the EU but what about real concern for your visitor's privacy?

Do that, and I think the rest will fall into place in a more logical way.

what about real concern for your visitor's privacy?

Most publishers do not mind. If they were minding, a regulation wouldn't be needed... This is what I said at another topic, it's too bad that it requires menaces, to force professionals to move and make "efforts". The GDPR also has a pedagogic approach. It's to make businesses to realize the important of personal data, and to pay more attention to how they deal with these data.

Now, I think that non EU publishers, worry that the cookie banner would annoy and scare visitors. This is what EU businesses were worried about, when the Cookie Law appeared some years ago. But after all, I don't think it had any negative impact of this kind.

However, the only disadvantage, in my opinion, is on mobile devices. The Cookie banner are often taking lot of the room on the screen. I did my own implementation years ago, and tried to find a good compromise between information and annoyance, but it 's still taking significant room on the screen, and I am sure it annoys people, but EU citizens learned to live with this :)

Why not show the cookie notice to all visitors, no matter where they live?

Why do you think a cookie notice is helpful to any visitor? Everyone know that all websites use cookies.

As a visitor, I personally hate that cookies popup :)

what about real concern for your visitor's privacy?

I respect visitor's privacy and as I run a news/information site, I am not collecting any personal information except IP address without readers consent. The IP address is just collected by Sucuri for security purpose.

GDPR makes more sense for forums, not the general websites.

*Why not show the cookie notice to all visitors, no matter where they live?*

Why doesn't google chrome get them to opt into the cookies on a browser level, rather than each individual website.

If you don't agree, cookies won't work and websites may not load properly.

Let me guess. This is already coming to auto approve you. To qualify you must have 100 million impressions per month minimum; sigh

[edited by: Steven29 at 1:20 pm (utc) on May 15, 2018]

@sudarshanms

Apparently such a system would not work because a EU citizen on holiday in the US should still be able to see the bar, opt-in stuff, etc.

Everyone know that all websites use cookies.

Nope, personally I do not plant any cookie, never have done, the only cookie(s) on my sites are from third parties like AdSense plus I know many other sites that do similarly.

Why doesn't google chrome get them to opt into the cookies on a browser level

Yes, that is a solution that would work nicely, such as all websites having a sort of robots.txt with a full list of cookies and then the browser allowing the users to review them and opt-in/opt-out as they please.

Why doesn't google chrome get them to opt into the cookies on a browser level, rather than each individual website.

This will be like that in a near future. The upcoming EU ePrivacy regulation defers the handling of cookie consent to the Web browser : [webmasterworld.com...]

@mike1972 I agree but I get less than 1% EU visitors and I don't want to show popups to all my visitors, any suggestion to counter that would be great. Thank you.

Everyone know that all websites use cookies.

Not all site use cookies, and I doubt that everybody knows what cookies are. In fact, I bet that only a minority of people know what cookies are. They may have heard the word, but I doubt they know what it is and what's their purpose.

Most people have no idea what cookies are, and they don't care. They're now used to websites doing fairly amazing things, like recommending friends or things they might like to buy. This is what people now expect, and they don't care how it all works. They just want it to work.

This is what people now expect, and they don't care how it all works. They just want it to work.

And in 10 days time they're going to find out that if they do not accept cookies that their easy peasy net may fall apart!

You all understand that this is not ALL cookies which require an explicit consent, right ?

On the 25th this is only third part cookies, which are processing personal data which are concerned by a consent.

I use a cookie notification hosted on my server not from somewhere else. I've seen too many 3rd party resources get hung up or not load at all. Wouldn't want people to not see the notice then get upset, possibly even filing complaints.

I delay it slightly so that the other page components all load first, but the script itself loads instantly. I include a link to my privacy policy where I outline PII compliance and how I store data.

I load it for every visitor, even for those in countries who have not joined in to the new privacy concerns. I see no difference in upholding the privacy right of one person to another, no matter where they may live. Everyone has this right.

What solutions are people putting into place for Cookie Consent for EU users to comply with GDPR and Google's new EU Terms of Service requirements?

The new Google Consent TOS for Analytics, Adsense, DFP, etc explicitly states that using Google products on sites must "obtain end users legally valid consent to the use of cookies" and to "retain records of consent given by end users" along with "provide end users with clear instructions for revocation of consent."

This is from: [google.com...]

So what are the solutions people are using? This clearly impacts Adsense, even if a small amount of traffic is from EU residents.

Honestly I am a bit surprised that Google hasn't offered a solution for this to their analytics users, adsense publishers, DFP users, etc, since each of those services already has a javascript embedded on pages, they could easily update it on their end to trigger a pop-up to EU users only and handle the entire process, storing the consent data within each individual account somewhere.

What solutions are people putting into place for Cookie Consent for EU users to comply with GDPR and Google's new EU Terms of Service requirements?

This is what Google recommends : [cookiechoices.org...]

@RainMeetsSun from the link provided:

You must obtain end users’ legally valid consent to:
- the use of cookies or other local storage where legally required; and
- the collection, sharing, and use of personal data for personalization of ads or other services.

If you are not doing any of the two points above you do not need "legally valid consent". AdSense is easily solved turn-off ad personalization for EU users. What I am not clear on is the implications with regards to Google Analytics.

@NickMNS As I understand it, Analytics does not track any information that could be used to personally identify a user, so consent is not required.

As for AdSense, my intention is to simply turn off personalized ads for EU users in the AdSense UI and show a basic cookie consent banner that users can just click to close. There's no point going through all the hassle of giving users the option to agree to personalized ads because no one will anyway.

@travis which of those solutions did you go with? The trouble I see from investigating this for a while is that each of them becomes very technically complex as soon as you're trying to get cookie consent, allow cookie customization, acceptance / rejection, and maintaining a list of consent, etc.

@nickmns I get the impression that turning off ad personalization for EU alone is not sufficient for Adsense compliance. Additionally, any use of Adsense requires cookies, I think so that Google can 1) knows the user is opting-out and 2) to help detect scams and accidental clicks. And yes, I have the same question with regard to Analytics, DFP, etc.

@travis which of those solutions did you go with?

I implemented my own cookie consent solution since 2009. but if I had to go with a third-part-ready-to-use solution , I would go with [cookieconsent.insites.com...]

I get the impression that turning off ad personalization for EU alone is not sufficient for Adsense compliance.

This has been discussed many times here. Google states that explicit consent to use cookies is only required for personalized ads. Non-personalized ads still use cookies but none that track any personal information, which means they fall under the E-Privacy law that only requires implicit consent (the basic cookie consent banner).

NickMNS: "If you are not doing any of the two points above you do not need "legally valid consent". AdSense is easily solved turn-off ad personalization for EU users."

I agree with this, despite protests from some. And just 'cause I'm bored, I'll elaborate. Sorry for the longish post in advance.

Google's use of the phrase "where legally required" is very interesting. Also "where applicable" on the Adsense UI.

According to UK's ICO GDPR guide ([ico.org.uk ]), consent is just one possible avenue out of six lawful bases, with no greater weight over the others. I imagine "legitimate interests" will be invoked quite often. I'm sure this has been talked to death, though.

Consent is one lawful basis for processing, but there are alternatives. Consent is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative.

and:

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

and more specifically, for legitimate interests ([ico.org.uk ]):

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Also, for ad-based websites in particular:

If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.

There just seems to be a lot of wiggle room as far as how the regulators themselves see it, and consent in general isn't necessarily the way to go. UK's ICO also seems pretty reasonable to me, I should add. They don't seem like they're out to get anyone.

---

Now, Google is saying you must "obtain end users' legally valid consent," but only under two conditions, as NickMNS pointed out:

> the use of cookies or other local storage where legally required

As far as I can see, GDPR does not REQUIRE consent for everything. Consent is one of several possible lawful bases, as mentioned above. It's really on the publisher to determine which lawful basis that is. Perhaps, given that non-personalized ads do not use cookies for ads personalization, and therefore have minimal privacy impact, "legitimate interests" might actually be more appropriate here.

A cookie banner in compliance with the EU ePrivacy Directive may, however, be legally required, regardless.

> the collection, sharing, and use of personal data for personalization of ads or other services.

According to Adsense themselves, non-personalized ads "don’t use cookies for ads personalization." So I don't see how this condition is relevant for the use of non-personalized ads, according to their own policies.

All of that said, the main spirit of the GDPR is transparency and the responsible handling of personal data. So, updated privacy policy. Disclosure of what personal information, if any, is gathered. Assessing what information is gathered and why. Etc. That stuff's not too hard, and if I'm being honest, I've personally followed this ideal for years on my websites, right down to allowing commenters to request deletion of their data.

As I've said before, all I'm really worried about is complying with what Google wants for consent. And I certainly don't think it's in their interests to just massacre thousands of Adsense accounts if they don't really have to.

They've also technically required publishers to "obtain consent" for cookies for years, and that hasn't led to mass terminations, has it?

Still, we each have our own individual decisions to make on how we face the GDPR and implement solutions, so don't take my word for it.

Wanted to clarify a part of my above post (can't edit anymore), 'cause I kind of left out a piece.

When Google says:

the use of cookies or other local storage where legally required

I mentioned legitimate interest as another possible lawful basis, but I still don't believe non-personalized ads fall under the GDPR, anyway (as, presumably, they don't involve personally identifiable information).

I just think it's interesting that, even if they did, it looks like you could arguably invoke "legitimate interests" instead of consent under the GDPR, and so aren't "legally required" to use consent (of course, Google then adds the bit about "the collection, sharing, and use of personal data for personalization of ads or other services," so you'd have to anyway, but only because Google says so).

One thing I'll definitely be doing for the GDPR is adding some kind of extra privacy policy check box to my comments sections, and potentially even removing Analytics for a while, until I figure that out. I'll be anonymizing IPs, either way.

Someone here must have an Adsense account manager. If so, have you asked him/her about what is required?

On another note, there doesn't seem to be a lot of worry about GDPR in the help forums (at least not like here).

I plan to turn off personalized ads for EU folks and run the implicit consent banner. If that is not enough, then my Adsense days are probably over. It might actually be a relief - no more worrying about losing my account for one reason or another.

@Cralamarre Which plugin are you planning to use for standard cookies popup?

Trusting a random WordPress plugin is probably not the best idea.

@Mayank, Even I have very little traffic from Europe.. I can across this solution for wordpress [wptest.means.us.com...]
Please check and let me know your thoughts, thank you.

@ember the big danger I see is arbitrage. Those of us who switch off personalised ads losing out to those who leave them switched on. There will be a lot of jockeying for position in the next few months and personally I would like to see the suggestion raised by Johnny Ryan / PageFair being adopted globally:

"Instead, he said, use targeting segments that group users in ways that can’t be employed to find an individual."

[martechtoday.com...]

Great post BoredMeteor!

Someone here must have an Adsense account manager. If so, have you asked him/her about what is required?

LOL, I see you don't have an adsense account manager :) when they answer, they just do a copy and paste , from the Adsense's help.

But you know, we have better here, in the name of @pubpolicycomms, I don't know why s/he remains silent :-(

"Instead, he said, use targeting segments that group users in ways that can’t be employed to find an individual."

Google has its AI, you know, the two letters they put every two sentences, they can perfectly guess interest based ads, without having to rely on personal data!

How can we disable personalized ads on AdX in EU? :/

Which plugin are you planning to use for standard cookies popup?

@MayankParmar I was actually going to ask you the same question. :)

I'm not sure yet which one to use. I'd like to just use a Wordpress plugin, but I'm not sure which one is good. Another problem with Wordpress is the page caching. I use WP Rocket for my caching, but I don't know if there' a way to get it to work with Geo-targeting. I've contacted them about it but so far, no reply, which isn't good news. Do you use a caching plugin?