Forum Moderators: martinibuster

What does EU GDPR mean for Adsense?

Question about GDPR and Adsense.

     
5:38 pm on Mar 24, 2018 (gmt 0)

New User

joined:Feb 8, 2018
posts:9
votes: 0


Question: What does EU GDPR mean for Adsense?

Most of the Adsense income is from interest based ads. Will this be affected by the EU GDPR?
I'm concerned because today with the latest update for my Android Phone, I got asked for permission related to interest based ads. (Maybe it is because I did disable it before. This is to see the normal ads on my pages with Adsense. But I'm still concerned.)
6:53 pm on May 22, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 7, 2018
posts:44
votes: 5


Cralamarre, if you sign up for Cloudflare, one thing they can do is tell you which country the request is coming from. Thus you can decide on your own whether to show the cookie consent or not.
7:02 pm on May 22, 2018 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1288
votes: 235


@Cralamarre I am not even showing any popup right now :P Still waiting for theme update, they will probably add an option to show popup to everyone.

Looks like I will have to buy the expensive plan of Cookiebot :(
7:11 pm on May 22, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Jan 19, 2017
posts: 496
votes: 170


@fretfull So whether I sign up for Cookiebot or Cloudflare, either way the GDPR is going to cost me money.
7:19 pm on May 22, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Jan 19, 2017
posts: 496
votes: 170


I know this is related to Google Analytics, not AdSense, but does anyone know if it's mandatory to anonymize IPs in Analytics? Or is it just something to consider?
8:40 pm on May 22, 2018 (gmt 0)

Preferred Member from GB 

5+ Year Member Top Contributors Of The Month

joined:Sept 29, 2009
posts:508
votes: 45


@cralamarre, I have three GDPR lists, things I've done, things I won't do, things I will do if pushed further down the line. The "anonymize IPs" in GA is on the last list but I won't be doing that off the bat come Friday.

I had another webmaster in my niche write to me today, also UK based, they're much bigger than me. They are doing NOTHING for the 25th, they've reworded their privacy policy a bit to make it seem like they're on top of things, but they've not made any changes at all...they don't run ads tbf, so that helps. And they said they'd liaised with a couple of other sites and those were taking the same course of action. It really seems like most sites are in "wait and see how serious this really is" mode.

I did hear from my hosts today re: logfiles, they're looking into either a) anonymising IPs or b) allowing much faster deletion than current 45 days, so I'm happier on that score too.
8:52 pm on May 22, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12310
votes: 801


"Looks like I will have to buy the expensive plan of Cookiebot"
A basic cookie notification script shouldn't cost anything, there are lots out there. You can then tweak it to reflect your own preferences. I suggest moving the script and the css file over to your own server to make it faster and to safeguard against 3rd party downtime.

"but does anyone know if it's mandatory to anonymize IPs in Analytics?"
Google sent an email notifying Analytics users that they are GDPR safe. I don't use GA but I think there's a setting to anonymize IPs. If so, I would certainly do so... then you know you're safe.
9:05 pm on May 22, 2018 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1288
votes: 235


The IP on Analytics can be optimized by adding --> ga('set', 'anonymizeIp', true); to the script.

More: [developers.google.com...]

@Cralamarre You can do it easily on WordPress with that CAOS plugin.
10:06 pm on May 22, 2018 (gmt 0)

New User

joined:May 1, 2018
posts:21
votes: 1


I'm doing what keyplyr suggests (using adsense option to disable personalised ads for EU visitors). I don't see why people require paid solutions to set up consent for personalised ads - I suppose that could work out cheaper depending on the loss in revenue for disabling personal ads, but it's unclear if many people will actually opt-in to personalised ads anyway.

Unless people are referring to the cookie law. For that, silktide cookie consent is free - and you should have already been doing this. If you weren't worried about that before, why suddenly worry about it now?

Btw, whilst things seem a shambles for adsense, things are dire for admob: Google have not provided an option to disable personalised ads for EU visitors (which is the quickest/easiest solution for GDPR), and it's unclear they will be offering it, instead, they require developers to integrate a new SDK into their applications and release updates. This SDK was only released yesterday (with 4 days to go), hardly time for most developers to integrate, test and release updates! (Not to mention the issue of people still running old versions of the software, for which it seems Google is happy to continue pushing personalised ads to EU users...)

It's so goofy that publishers would be expected to provide a site-based "cookie opt out" functionality when that very functionality already exists in every single web browser worth its salt.

Perhaps a link to a tutorial on how to use their own software would suffice? It would in any sane world. But then, that's the GDPR in a nutshell.

Note, it's the pre-existing cookie law that's responsible for all the cookie opt outs (and where browsers could handle it), and is indeed goofy/insane. (My understanding is that this law will be updated next year, to reflect a more browser-based approach.)

I don't think browser settings could replicate the GDPR's focus on personalised ads (well, an ad-blocker would do it, but I'd rather my readers don't block all ads, when it's just personalised ads that are the issue!)
4:33 am on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 7, 2018
posts:44
votes: 5


Cralamarre, Cloudflare has a free option. It's their most basic service but should do for geolocation. You can also roll your own by downloading periodic databases. I also don't want to send people's IP addresses to another service for geolocating since that's sharing PII, isn't it?
4:42 am on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 7, 2018
posts:44
votes: 5


ChanandlerBong, what I think is going to happen on the 25th is absolutely nothing. Yes, I am freaking out a little but that doesn't change what I think will happen. While these new regs are well intentioned, I support the spirit. They have not thought out what the implementation will entail. I think much of it will not be legally enforceable. Particularly applying these regs to EU citizens world wide. Good luck with enforcing that one. It's impossible. What will happen is that if the EU even tries to enforce it, it will take years if not decades for the first cases to work their way through court. Until precedence is set, it's all bark with no bite. How many people have they gone against for not putting up a cookie banner? That's been required for a couple of years. It's still widespread that people ignore it. Many MAJOR websites didn't bother until very recently.

So being a small player, the history of EU not enforcing the cookie banner and most importantly not being in the EU the chances that anything will happen to me is pretty much 0. Even if they tried, what can the EU do to me? Nothing.

So why am I even bothering? Google. But Google hasn't exactly been shutting down sites for not putting up a cookie banner either. Also considering that I'm thinking about giving up Adsense altogether since it's not worth the hassle, why do I even care? Because I'm a worrier and I don't want some secret Google ranking algo to penalize me.
4:45 am on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:May 7, 2018
posts:44
votes: 5


I just want confirmation that pseudo anonymized IPs, last number deleted, are considered non-PII enough that it's OK to log those. Right?
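The "last number deleted" masking asked about above, as an added example that is not part of the original thread: it truncates the client address in access-log lines before they are stored. The IPv6 cut-off (keep the first 48 bits), the function names and the sample log lines are assumptions made for this example.

```javascript
// Added example: truncate client IPs in access-log lines before storage.
// Keeps the first three IPv4 octets, or the first 48 bits of IPv6 (assumed cut-off).

// Return the four octets of a dotted-quad address, or null if it is not one.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expand an IPv6 literal to eight hex groups, or return null if malformed.
function parseIPv6(s) {
  if (!/^[0-9a-fA-F:]+$/.test(s)) return null;
  const halves = s.split('::');
  if (halves.length > 2) return null; // "::" may appear only once
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  let groups = head;
  if (halves.length === 2) {
    const missing = 8 - head.length - tail.length;
    if (missing < 1) return null;
    groups = [...head, ...Array(missing).fill('0'), ...tail];
  }
  const ok = groups.length === 8 && groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g));
  return ok ? groups : null;
}

// Return the truncated address, or null when the input is not an IP address.
function anonymizeIp(s) {
  const v4 = parseIPv4(s);
  if (v4) return v4.slice(0, 3).join('.') + '.0';
  // IPv4-mapped IPv6 (::ffff:a.b.c.d): mask the embedded IPv4 part.
  const mapped = /^(::ffff:)(.+)$/i.exec(s);
  if (mapped && parseIPv4(mapped[2])) return mapped[1] + anonymizeIp(mapped[2]);
  const v6 = parseIPv6(s);
  if (!v6) return null;
  return v6.slice(0, 3).map((g) => parseInt(g, 16).toString(16)).join(':') + '::';
}

// Rewrite one Common/Combined Log Format line; the client address is the first field.
// Lines whose first field is not an IP (for example "-") are returned unchanged.
function anonymizeLogLine(line) {
  const m = /^(\S+)([\s\S]*)$/.exec(line);
  if (!m) return line;
  const masked = anonymizeIp(m[1]);
  return masked === null ? line : masked + m[2];
}

function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

// Constructed sample lines using documentation address ranges.
const SAMPLE_LOG = [
  '203.0.113.77 - - [23/May/2018:04:45:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
  '2001:db8:85a3:8d3:1319:8a2e:370:7348 - - [23/May/2018:04:45:02 +0000] "GET /about HTTP/1.1" 200 1024',
  '::ffff:198.51.100.23 - - [23/May/2018:04:45:05 +0000] "GET /feed HTTP/1.1" 304 0',
  '- - - [23/May/2018:04:45:09 +0000] "-" 400 0',
];

console.log(anonymizeLog(SAMPLE_LOG).join('\n'));
```

Masking has to happen before the line is written or shipped anywhere; a raw copy kept alongside the masked one defeats the truncation.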
4:56 am on May 23, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2218
votes: 567


The emails I got about Analytics dealt with setting data retention length. Nothing about anonymizing IPs. The email also said they'd be letting us know about "a new user deletion tool that allows you to manage the deletion of all data associated with an individual user." Haven't seen that yet.
5:16 am on May 23, 2018 (gmt 0)

New User

joined:May 10, 2018
posts:26
votes: 16


Is there any downside (besides the obvious lack of statistics) to unlinking my Adsense and Analytics accounts? I'm thinking about just switching to a non-cookie based form of stat tracking for a while, just to simplify things, if only temporarily. I've admittedly never used the added info for anything other than curiosity, anyway.

Doing so would mean my website itself wouldn't actually put out any cookies at all. Coupled with non-personalized Adsense ads, that'd mean EU users would have a grand total of zero personal information floating around about them (if I understand Google's explanation of non-personalized ads correctly, and discounting their technical cookies, anyway).

fretfull: "Also considering that I'm thinking about giving up Adsense altogether since it's not worth the hassle, why do I even care?"


I'm getting there, myself.
5:40 am on May 23, 2018 (gmt 0)

New User

joined:May 10, 2018
posts:26
votes: 16


Probably been mentioned long ago, but I've found this page pretty helpful: [google.com ]

Talks a bit more about the difference between personalized and non-personalized ads, and clarifies a few things. Some choice cuts:

Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?

Cookies or mobile identifiers are used to support personalized and non-personalized ads served by Google to combat fraud and abuse, frequency capping, and aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.”


What choices do I need to present to my users?

Google’s policy does not dictate the choices that should be offered to users. Some publishers may want to present a choice between personalized and non-personalized ads; others may wish to present different choices to their users.


Why do we need consent to ads measurement — isn’t that legitimate interests?

Google uses cookies or mobile ad identifiers to support ads measurement. Existing ePrivacy laws require consent for such uses, for users in countries where local law requires such consent. Accordingly, our policy requires consent for ads personalization and ads measurement where applicable, even if ads measurement can, for GDPR purposes, be supported under a controller’s legitimate interest.


Do I need the consent before the tags fire or can the consent come afterwards?

Our understanding of GDPR requirements is that consent for personalized ads should be obtained before Google’s tags are fired on your pages. The ePrivacy Directive requires consent for the placement of, or access to, cookies but the regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.” Some regulators have issued guidance specifically requiring user action prior to setting of cookies, while others have permitted consent concurrent with the setting of cookies.

Regulatory guidance indicates that the GDPR will affect the consent required for cookies under the ePrivacy Directive, but there isn’t clear guidance on how these laws will interact. We await more guidance from regulators and will update our support materials accordingly. In the meantime, for those customers not seeking consent to personalized ads, we will continue to apply national standards for cookie consent, and we are not requiring changes to current cookie consent implementations.


And finally...

We are also developing a consent solution for DFP and AdSense that will become available more widely soon.
6:49 am on May 23, 2018 (gmt 0)

Preferred Member from GB 

5+ Year Member Top Contributors Of The Month

joined:Sept 29, 2009
posts:508
votes: 45


I have read about 15 "updated" privacy policies this morning, most saying "applicable from May 25th" and not one single one, IMHO, is GDPR-compliant. And none of these are knitting blogs, these are big sites (Udemy, TradingView, Upwork to name three). Huge amounts of legalese and fudge to say things including:

* yeah, we run ads, we have a right to, some of that may be personalised
* we set all types of 3rd party cookies, if you want to block, go into browser settings
* our log files are in the US (no mention of Privacy Shield) and we collect IP addresses and no, they're not encrypted, we need to do all this to run the site properly

basically, there's a LOT of leaning on "we need to run our site" as a legal basis for much of this stuff. The case law is going to be very interesting regarding logfiles, IP addresses and ad cookies.
7:06 am on May 23, 2018 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12310
votes: 801


The deep pocket the EU will likely go after is Google. Guess who will get thrown under the bus if Adsense accounts become an issue?

If I have Adsense on my pages, but violate other provisions of the GDPR, there's a good chance my account could come under scrutiny.

I've just been witnessing what Google does with empty ad space when brand safety is questionable. I have no doubt they'll take similar (or worse) action when their back is pushed against the wall with privacy violations of their account holders.
7:16 am on May 23, 2018 (gmt 0)

New User

joined:May 3, 2017
posts:19
votes: 6


The last part I thought refers to the FundingChoices tool, like the consent options they are showing people halfway down this page - [cookiechoices.org...]

I've read figures of 70% opt-out rates for those who have beta tested it.

If you provide visitors with an option of not seeing ads, the majority of them will jump at the chance. It could be different if you have a much bigger dedicated and regular audience though.

I'm probably going to write my own streamlined banner and geo-lookup code to show it to any EEA country.

If an EEA user actively 'Declines' to see non-personalised ads that use cookies, then a non-cookie advert such as an affiliate, personal promotion or donation info will be shown instead...in the form of a sticky banner at the bottom of all pages.
7:22 am on May 23, 2018 (gmt 0)

Junior Member

joined:Feb 11, 2017
posts:71
votes: 21


As it seems to me, now Google doesn't know what to do like others. And we are all waiting for the first moves from regulators. How do you think, guys, do I need to worry about that if I'm running tech blogs: I'm not selling anything, I'm only providing the information for my users (and I must say I provide it FREE), I don't even have a log in form for users. So in such case I need also to ask user if it's OK to show you ads? It sounds pretty unfair as for me - I'm spending a lot of money for the content which I'm giving for free for users and now I won't get revenue even through ads? How can I earn money to build content in such case?
7:36 am on May 23, 2018 (gmt 0)

Senior Member from IN 

WebmasterWorld Senior Member Top Contributors Of The Month

joined:Apr 30, 2017
posts:1288
votes: 235


Christ. Open Engadget with VPN (UK) and see the large banner with so many options!

@Cyril I am in the same niche and I also run an information site.
12:02 pm on May 23, 2018 (gmt 0)

Full Member

joined:May 21, 2018
posts:276
votes: 72


This is playing on words, and this is not because everybody else is doing it, that it means it's the right legal way. Even if most regulators are not going after this behavior, it doesn't mean others won't. There are lawyer offices, which are specialized in tracking web sites which are not compliant, and making profits from these actions. You can see how this is easy money, and how motivated they can be to develop this kind of activity more and more, especially nowadays. And for these offices, it doesn't matter where you are located, they'll track all sites which can be accessed from the EU.

You require to obtain your users' consent to the use of cookie

A consent needs to be obtained BEFORE a cookie is set. You can turn and return the sentence, a consent is "before", not once things are done (cookie written).

A concrete example, the cookie set by Adsense/DoubleClick/Google.

- a user visits your site,
- you display adsense ads,
- you display your cookie consent banner,

So, before the user is even able to make a choice/give consent (or not), the cookie from Adsense is already set.

At this point, no matter what the user does, the cookie is set. If you offer a mechanism to refuse cookie, the Adsense cookie will still be there, (you can't delete a cookie set by third-party). If the user does not continue to browse your site, because he is not accepting your cookie statement, the adsense cookie is still set, and will continue to exist on the user's device for a while (which means potentially continuing to be exploited by Adsense)

So as you can see, at the end, the user has no choice. The cookie is here, and will stay, no matter what he does. So if the user has no choice, it means the "consent" procedure is not valid.

A consent, is the right to accept something or not. If you do this something before the user answers the consent request, this is illegal, period. This is just common sense.

The only acceptable way, is when, on the first page viewed by a user, you do not insert Adsense ads (or other ads generating cookies), and in your cookie banner, you can mention that "by continuing browsing this site, you accept..." . Then if the user visits another page, you can consider that he granted his consent for the use of cookie. This is the only implicit consent acceptable.

Now, I know, that nearly no one is doing this, I am just warning you, about what things really mean, and that this is not because you consider that such or such behavior is acceptable that it means it is. The day you fall on someone not that tolerant, you can be in trouble.
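The ordering described in the post above, as an added example that is not part of the original thread: it compares a page that runs its ad tag before the banner with one that holds the tag behind a consent gate. The ad tag is a constructed stub that sets a cookie in an in-memory jar the moment it loads, and createConsentGate, ungatedVisit and gatedVisit are hypothetical names.

```javascript
// Added example: why the ad tag has to wait for the visitor's decision.
const AD_COOKIE = 'thirdparty_ad_id'; // constructed cookie name

// Constructed stand-in for a third-party ad tag: loading it sets a cookie at once.
function makeAdTag(cookieJar) {
  return () => cookieJar.add(AD_COOKIE);
}

// savedChoice is what an earlier visit stored ('granted', 'denied' or nothing).
// In a browser it would come from a first-party cookie or localStorage.
function createConsentGate(savedChoice) {
  let choice = savedChoice === 'granted' || savedChoice === 'denied' ? savedChoice : null;
  const queue = [];
  return {
    get choice() { return choice; },
    // Run the loader now if consent exists, hold it if undecided, drop it if refused.
    whenGranted(loader) {
      if (choice === 'granted') loader();
      else if (choice === null) queue.push(loader);
    },
    // Called by the banner buttons. Held loaders run only on 'granted'.
    decide(newChoice) {
      if (newChoice !== 'granted' && newChoice !== 'denied') {
        throw new TypeError('choice must be "granted" or "denied"');
      }
      choice = newChoice;
      const held = queue.splice(0);
      if (choice === 'granted') held.forEach((loader) => loader());
      return choice;
    },
  };
}

// Flow from the post: ads are displayed first, the banner appears afterwards.
// The visitor's answer is accepted but cannot change the outcome, because the
// page cannot delete a cookie that a third party has already set.
function ungatedVisit(visitorChoice) {
  const jar = new Set();
  makeAdTag(jar)();
  const cookieSetAtPageLoad = jar.has(AD_COOKIE);
  return { visitorChoice, cookieSetAtPageLoad, cookieSetAfterBanner: jar.has(AD_COOKIE) };
}

// Gated flow: the tag is registered at page load but runs only once consent exists.
function gatedVisit(visitorChoice, savedChoice) {
  const jar = new Set();
  const gate = createConsentGate(savedChoice);
  gate.whenGranted(makeAdTag(jar));
  const cookieSetAtPageLoad = jar.has(AD_COOKIE);
  if (gate.choice === null) gate.decide(visitorChoice); // banner shown only when undecided
  return { visitorChoice, cookieSetAtPageLoad, cookieSetAfterBanner: jar.has(AD_COOKIE) };
}

console.log('ungated, visitor refuses:', ungatedVisit('denied'));
console.log('gated, visitor refuses:  ', gatedVisit('denied'));
console.log('gated, visitor accepts:  ', gatedVisit('granted'));
console.log('gated, returning visitor:', gatedVisit('denied', 'granted'));
```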
12:25 pm on May 23, 2018 (gmt 0)

Junior Member

joined:Feb 11, 2017
posts:71
votes: 21


@MayankParmar

I do remember we are working in similar niches. What are your thoughts on GDPR? What are you going to do with that for your website?
12:36 pm on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


I saw a cookie consent yesterday, but forget where it was. It was certainly one of the bigger sites.

It basically said, to continue using our site, you agree to cookies. If you don't, this is how you get rid of them, linking them to instructions on how to disable and remove cookies from their browser.

I also heard about a spokeswoman for this GDPR and she said, people just need to make 'reasonable effort'. Turning off interest-based ads inside Adsense + telling people by using the site they're accepting cookies + telling them how they can disable/delete cookies stored in their browser = more than enough. Regardless of the scaremongers posting on this thread.
1:02 pm on May 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Jan 19, 2017
posts: 496
votes: 170


It's interesting that if you take no action at all in your AdSense settings, AdSense will default to showing personalized ads for EU users. You would think that if Google was concerned with keeping the AdSense program GDPR compliant, they would automatically set all publishers to non-personalized ads, and only allow personalized ads by clicking something to agree that you are responsible for making sure your site is compliant. But that's not the case. If you do nothing, either because you're lazy, don't care or know nothing about the GDPR, AdSense will continue showing personalized ads as if nothing was wrong.
1:09 pm on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


Interesting point Cralamarre; however, they may be doing that because they know if they made it automated it would overall result in lower earnings and so will only do something like that if pushed into it.

Or maybe their legal team has told them as it's all up in the air, not to bother yet.
1:16 pm on May 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Jan 19, 2017
posts: 496
votes: 170


"Turning off interest-based ads inside Adsense + telling people by using the site they're accepting cookies + telling them how they can disable/delete cookies stored in their browser = more than enough."

I know that agreeing to your statement doesn't make your statement correct, but for what it's worth, I agree. :)

The GDPR is brand new. People are doing their best to comply without losing the farm. I don't believe that ad tracking is really the big issue here. I think this has more to do with companies collecting your information and doing whatever they want with it, like Facebook. I have a simple site that uses AdSense to monetize it and Google Analytics to see how many visitors I get. I have a contact form visitors can use to email me, but the emails are not stored on the server. And I was happy to find out that my web host is Privacy Shield certified, so log files are stored securely. Honestly, I have no interest in the personal lives of my visitors.

People on here have been going out of their way to scare us. For all I know, those people probably work for Cookiebot. But I'm done with worrying. I set non-personalized ads for EU users in AdSense, I'll have a basic cookie banner in place that people can ignore if they want, and I'm updating my privacy policy with as much information as I can think of. That's all I'm doing.
1:20 pm on May 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Jan 19, 2017
posts: 496
votes: 170


@steviec79 I think you hit the nail on the head. Google won't automatically set all publishers to non-personalized ads in the EU for the simple reason that it would cost them money. And I have no doubt that Google's lawyers are taking a wait and see approach. Let the GDPR lawyers make the first move, if any move is even coming. I think we should all take a wait and see approach on this. Do what you can within reason, then go back to business as usual.
1:28 pm on May 23, 2018 (gmt 0)

New User

Top Contributors Of The Month

joined:May 8, 2017
posts: 10
votes: 1


Small countries around EU that are not actually in EU are modifying their namespace to fit GDPR because they need EU traffic.
1:29 pm on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


"For all I know, those people probably work for Cookiebot"


That wouldn't surprise me at all.
1:29 pm on May 23, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Mar 29, 2018
posts:75
votes: 12


Page Fair got back to me and said they are putting "new deployments of our GDPR products on hold" due to "insufficient demand". I spent a few hours last night visiting major European websites (English language and non English language) and UNLESS things change in the next 48 hours it is clear what the default solution being deployed is. Is it sufficient? That's beyond my pay grade.
1:32 pm on May 23, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Jan 19, 2017
posts: 496
votes: 170


Regarding privacy policies, to help people learn more about cookies and how to disable them in their browser, I'm simply linking to the Cookies and You website provided by Insites. Does anyone have a better suggestion?
[cookiesandyou.com...]
This 1262 message thread spans 43 pages.