Has anyone updated the Privacy Policy? It shall be great help to community if someone posts content of Privacy Policy that comply Adsense updated policy in respect of GDPR.

I have summarized the privacy policy page

We have a few fundamental principles that we follow:

- We don’t ask you for personal information unless we truly need it.
- We don’t share your personal information with anyone.
- The only personal information we store is your IP address in order to make the site function.

We use your Personal Information for three primary purposes:

- To help you quickly find services or information on the site.
- To help us create and deliver content most relevant to you.
- To serve advertisement.
- To act in urgent circumstances, protect the personal safety of users of the site, or the public.

Thoughts?

@MayankParmar+ if you have visitors from the EU then you cannot store IP Address without consent as far as i understand. If you are using Google Analytics, then it should be set to anonymize IPs.

You cannot serve Ads without cookies, and for that you need consent again.
Also, prior to serving content that uses cookies, you need to block cookies and serve only when consent is provided by the user.

Your privacy policy should have the data controller information, unless you are a processor where you need provide the processor information.

The privacy policy should also mention categories of cookies used, and information on how to withdraw.

I may be wrong, but this is what i have understood so far.

Everyone's storing IP addresses, isn't it? It is necessary for security reasons. Sucuri stores IP addresses too :/

Your privacy policy should have the data controller information

The site uses the following Google services:

- Google AdSense.
- Google AdExchange.
- Google Analytics.
- Google DoubleClick.

The site may send the required data to the following third-party networks:

- Google and their partners –
- Disqus commenting system –
- MailChimp Newsletter –
- Cloudways –
- Amazon AWS –
- Sucuri –

This should be enough?

What if the user doesn't consent to you providing there IP address to Sucuri?
The privacy/cookie policy should have information on how the user can withdraw or stop those services storing the cookies?

Well the popup and privacy policy page both says the user is agreeing to our privacy policy its browsing the site.

I don't have any opt out settings for users.

Sucuri tracks IP address to block DDOS attack.

What if the user doesn't consent to you providing there IP address to Sucuri?
The privacy/cookie policy should have information on how the user can withdraw or stop those services storing the cookies?

Tough cheddar. You'll still wake up in the morning.

There was the cookie policy - never used it. Never bothered with it. I couldn't give a flying saucer about it. This will be similar. The people who earn a million a week will be targeted.

It seems like anyone can file a complaint with the EU GDPR so it would only take one complaint for the EU Guys to get accesses revoked such as with Adsense as far as i understand.

It seems like anyone can file a complaint with the EU GDPR so it would only take one complaint for the EU Guys to get accesses revoked such as with Adsense as far as i understand.

It doesn't work like that. For some 'authority' to take action they need X complaints and even then they'll use common sense (admittedly only 0.01% of the population have that) and than take action.

Still not seeing much from the big UK publishers. The Daily Mail have been trying something out but the Sun, Mirror, Guardian, Independent, Telegraph and Reuters don't seem to have made any changes yet.

I'm expecting one of the big players to flout the GRDP so they can contest it in court.

I'm expecting one of the big players to flout the GRDP so they can contest it in court.

I can go one better than that.

Somebody will say this hasn't been 'done' properly and sue for loss of earnings.

GDPR and Log Data (IP addresses) Storage [webmasterworld.com]

@engineerqasim, [appuals.com ] this should help you configuring your Privacy Policy - using iubenda, you just need to select a service and embed or link directly to the Privacy Policy.

It would be useful to start making a list of major European websites that have implemented their advertising related GDPR solution. Should that be a separate thread?

I'll still wait and see on this whole GDPR thing. The whole cookie banner craze of a few years back taught me just how much fearmongering can go on around here. Had a banner up for about a week and took it down.

To this day the Queen has not contacted me to complain.

It means that if you run AdSense on your website you will need to first, request consent from your users to collect and share their PII with Google and perhaps other parties as well. You will need to state for what purpose you are collecting their data and with whom you intend to share it.

Finally, Google has its own ideas on who is the data processor and data collector in their weird relationship with publishers where it basically places all the responsibility on the publishers' shoulders for compliance.

Bottom line, if you run AdSense on your website, you have EU traffic, and an EU "presence" you will need to be compliant.

You can be compliant by turning off personalized ads for EU people, running an implicit cookie banner for the other cookies that do not collect personal information and updating your privacy policy. BTW, I am not a lawyer. This is just my opinion.

>>>
What if the user doesn't consent to you providing there IP address to Sucuri?
The privacy/cookie policy should have information on how the user can withdraw or stop those services storing the cookies?
<<<

It is even more:

The GDPR states that you need to explicitely inform people that you store their IP in a logfile. This must be accompanied by the paragraph of the GDPR which is used to store this information. In case you claim a rightful interest ( §6(1)f ), you must outline why you have this rightful interest (eg. to ensure operations and possible server attacks, etc.). This all has to be in an "in an easy-to-understand language". Also, you need to inform about how long you will store their information.
In addition, you need to inform peple about their rights from the GDPR, amongst it, that they can complain with the data security office of their country.
You also need to inform people, where the information is stored (eg. with you or a third party company) - if it is a 3rd party company, you need to have a written contract with that party that this party follows the GDPR. If the 3rd party company is not located in the EU, it becomes complicated, because then it depends on where the party is located (needs a public and accepted "safe haven policy" declaration).

This all pertains, of course, only to people who (1) live in the EU, or (2) sell wares or services to people in the EU or have a free offer for wares or services directed at EU people. In case (2), when you have no physical presence in the EU, you also need to denote a person who lives in the EU and who acts as your data security officer.

If (1) and (2) are not true, then you do not need to follow the GDPR, unless a third party requires it, eg. Google Adsense.

For EU publishers, it really depends on where they are located.

Worst case is Germany, where you need to comply at least 110%, some groups of lawyers have already announced that they will start their work ("Abmahnung") on the 25th sharp. It is quite important that the "paperwork" (privacy policy, etc.) follows the GDPR to the letter - or that you have a good legal division in your company...

Best case are the countries that did not manage yet to transfer the GDPR into national law, because there nobody knows what exactly is up and what is not. I think, there are 8 of them that will not manage until the 25th. Good is also Austria which has stated that any breach of the GDPR will result first in a (free) notification, steps are taken from the 2nd breach on.

Final hint: I am not sure if it was reported here yet that EU companies should not transfer pictures/videos by WhatSApp anymore - because these pictures are transferred "TO" WA first - and this may constitute a forbidden data transfer. If you are in the EU, check further and in-depth with your local data security office on that.

Please note also, when you are an EU based publisher, the GDPR needs to apply to ALL customers (website visitors), NOT ONLY to those from the EU. It is therefore not possible to differentiate with personalized ads for EU, non personalized ads for not-EU (while publishers who are not in the EU can do so without problems).

You can be compliant by turning off personalized ads for EU people, running an implicit cookie banner for the other cookies that do not collect personal information and updating your privacy policy.

Agreed. That's what I'll be doing.

And for Analytics (if you use it)? Someone suggested turning on the anonymise feature of Analytics. Seems like a costless precaution.

This is all getting very interesting. Is it a case of t-3 and "Houston we have a problem?" or will there be a stampede in the next 48 hours to deploy frameworks or are most of the big players ignoring this? I can't find one major UK publisher which has implemented a solution yet (the Mail appear to have taken their attempt offline?) . I've also had a look at France 24 and Meteo France, and it appears they've also done nothing yet.

You can't just flip a switch to anonymise Analytics, though, right? You have to code it?

@ember if you're using gtag it is:

gtag('config', 'UA-XXXXXXX-X', { 'anonymize_ip': true });

Is it okay with GDPR to locally host Analytics?

Thanks, bgweb.

Maybe the big guys are going to ignore this? Or flip the switch on the 25th?

This is what cookiebot.com has on their site. With just an Okay button, no Decline, and a checkbox with various cookie types. You can still use the site even if you do not accept cookies.

"This website uses cookies
We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website."

I can't find one major UK publisher which has implemented a solution yet

[bbc.co.uk...]