So provided that if I am using non-personilized ads for Eu users, does that make it compliant with Adsense GDPR policy? Does that come under explicit consent?

My answer would be yes, if you're not using personalized ads. It's not explicit consent, but explicit consent is not required for non-personalized ads.

I just spent my entire day updating my privacy policy, and I have a sneaky suspicion that it was all for nothing because no one is going to care. I've been running my website for 12 years and in all that time, not one person has ever contacted me about my privacy policy. But, at least it's done.

@engineerqasim Never heard about that company, sorry :P

In other news, Maxcdn is using Cookiebot.

A lot of sites are now showing banner in EU,. Discovered this (via VPN), and I still trying to find out the best solution.

I was Googling in incognito, and "A privacy reminder from Google" appeared at the top of the SERP explaining the data collection...

[quantcast.com...] It seems good too.

@MayankParmar or @ember, With Cookiebot, can you disable the "Show details" button on the banner so it only shows the "I accept" button? I'm trying to test it out on their website but it's not giving me access to all the features.

Actually, can you replace the Show Details button with a link to your Privacy Policy page?

@Cralamarre I don't think so, and that 'show details' is its key feature.

>>>
So provided that if I am using non-personilized ads for Eu users, does that make it compliant with Adsense GDPR policy? Does that come under explicit consent?
<<<
>
My answer would be yes, if you're not using personalized ads. It's not explicit consent, but explicit consent is not required for non-personalized ads.
<

An explicit consent is required for the setting of cookies, and this has to be done before the first cookie is set. A modal consent box would be sufficient in this case. However, before the new eprivacy rule is in place (2019, it demands that you can visit content even after declining cookies), something along the line of two options, "Accept" and "Show me your privacy policies" should do the trick. If they do not accept, they cannot visit (but in 2019, you will then have to change it anyway).

However ... as Google says, they will apply national requirements on cookies for the time being. So, if you're not located in the EU, do not sell wares or services for money or for free to EU citizens and if your content is not targetted specifically to EU citizens, the GDPR will simply not apply to you, hence the current cookie handling should be sufficient in this case.

Engineerqasim, I don't think that Iubenda statement is good enough. Since one of the changes is that there cannot be a default choice and you can also not limited functionality based on choice. The visitor has to make a explicit yes or no consent. Implicit consent just by using the website is no longer good enough.

Cralamarre, my answer would be no. Since having personalized or not personalized ads don't matter. It's actually besides the point in terms of cookies. What matters is whether there's PII in those cookies. Google cookies are considered PII. So whether ads are displayed or not doesn't matter. There still needs to be consent before those Google cookies are placed. Google says as much. But even if a site asks for consent, the fact that Google provides no way for a site to delete those cookies, it's not GDPR compliant. Thus any site using Google Adsense or Google Analytics cannot be GDPR compliant no matter what they do. Thus the only solution I can think of is to not use Google at all or at the very least not in any sites served to the EU.

Is there a way to delete Google cookies that I don't know about?

[edited by: fretfull at 9:43 pm (utc) on May 23, 2018]

As ist stands, here is how the GDPR will affect me:

Visitors from EU countries: 75%
Visitors from non EU countries: 25%

Adsense earnings from EU countries personalized: 66%
Adsense earnings from EU countries non-personalized: 33%

Considering that a number of EU visitors will click on non-personalized ads as well, and that I have to close down a few sites entirely (which are not worth the effort to make them compliant), I estimate an earnings loss of around 50%-60%.

If much of the sites weren't a labor of love, I would walk away...

>>>
Google cookies are considered PII
<<<

Not really, but they are considered tracking (they can be read from on other sites).

>>>
But even if a site asks for consent, the fact that Google provides no way for a site to delete those cookies, it's not GDPR compliant.
<<<

I fully share this view. Normally, Google would have to ask for the cookie consent AND offer a direct access to the removal.

>>>
Is there a way to delete Google cookies that I don't know about?
<<<

I am not entirely sure why 3rd party cookies should be non-deleteable in the browser? In Firefox, I can delete each and every cookie even when the session is still on. After the session, I delete everything automatically anyway.
But even if so - the regulation states that the one who sets the cookie must provide the means to delete them ... which is not me in my browser.

There is another funny thing - in which language is one providing the consent and privacy information? In Chinese, if you happen to be located in China? In Arabic, in Thai and whatever other languages and letter systems(!) are there?
What good does a privacy statement in German when a person living in Germany writes in english?
What good does a privacy statement at all, when the local data laws are, even after GDPR, different in each and every EU country and what is ok in one country won't be in the next (eg. while you can take a photo in Sweden and publish it without asking every person for their consent, you can't do so in Germany)?


Oh .. and did you read THIS?
[linkedin.com...]

I'm perpetually falling down a GDPR rabbit hole.

Learned some javascript today, though. Don't know if I'll use it but, hey, why not?

Oh .. and did you read THIS?

The fun never ends! Gonna be an exciting weekend for a lot of people.

as Google says, they will apply national requirements on cookies for the time being. So, if you're not located in the EU, do not sell wares or services for money or for free to EU citizens and if your content is not targetted specifically to EU citizens, the GDPR will simply not apply to you, hence the current cookie handling should be sufficient in this case.

That sums me up. Sounds good.

... if you're not located in the EU, do not sell wares or services for money or for free to EU citizens and if your content is not targetted specifically to EU citizens, the GDPR will simply not apply to you...

False. This is about Personal Identifying Information (PII) not just about selling or giving services.

@fretfull Have a look at [civicuk.com...] You can, if you can cope with the javascript, set the banner so that the visitor needs to consent to various categories of cookies before you set them. If you ask their permission to set statistical cookies, for example, no cookies are set by Google Analytics unless the visitor accepts (assuming you have the code right).

If you use one of the paid versions, you can also log and store consents. So as far as I am concerned, it complies with GDPR.

Be warned though. I turned it on at about midday and my stats are now worthless. I'm now "seeing" 1 visitor from the EU for every 40 or so ex-EU. Those numbers would have been about even yesterday.

>>>
This is about Personal Identifying Information (PII) not just about selling or giving services.
<<<

No. It is a question whether the GDPR applies or not. The GDPR has no legal power outside of the EU -AND- when the company/person does not have any commerce (even for free) with EU subjects -AND- the content is not targeting EU subjects.

In this regard, a travel blog or information site by a Brazilian, Chinese or Moroccan blogger about Ukraine, South Africa, or Japan has no relevance at all for the GDPR. Google imposes the GDPR compliance on their clients (eg. adsense publishers) because they (Google) HAVE subsides and business in Europe and for Europeans - which is why THEY must comply with the GDPR.

Why, do you think, has Facebook moved all their non-EU customers (formerly served by a company in EU) to a different company in the US? In the EU, they have to comply for those customers with the GDPR, but when those customers are served by the US, they don't have to. :-)

Yes, no, true, false, right, wrong... This is why nothing is going to happen on the 25th. Even people serious about doing the right thing can't agree on what the right thing is.

In the FAQ, Google writes this:

"Do I need to follow this policy for all users if I’m an EEA-based publisher or advertiser?

Google’s EU User Consent Policy applies only to EEA-based end users."

The GDPR, however, imposes the consent for ALL users of EU publishers and advertisers - because they are based in the EU and to them, the GDPR can be enforced. This Google information is therefore correct, as long as it pertains to the Google policies, but misleading at the same time, because they do not reflect the GDPR itself.

>>>
Even people serious about doing the right thing can't agree on what the right thing is.
<<<

Yup, this is why it is a nightmare. I wrote it in an earlier post - in the end, what matters, is, where you are living (since the GDPR is defined even differently in different EU countries). People outside the EU, though, can act a lot more relaxed on it. :-)

This is about Personal Identifying Information (PII) not just about selling or giving services.

No. It is a question whether the GDPR applies or not. The GDPR has no legal power outside of the EU -AND- when the company/person does not have any commerce (even for free) with EU subjects -AND- the content is not targeting EU subjects.

How are you going to stop EU citizens from accessing your web properties? How about when they connect from outside the EU?

This is about PII. Other countries (Canada, China, Australia, USA etc) also have strong privacy requirements to soon be enforced. Make sure your site is in compliance. Treat all visitors with equal safety and you won't have to keep doing all these changes every time.

So this is what I've decided so far, provided there is ONE day left:

I have technology blogs that are monetized by Adsense.

1) I have selected non-persolized ads serving for eu from inside Adsense.
2) Setting a cookies policy page where I will add link to each browser on how to clear cookies and also link to Google Adsense and analytics etc. on how to opt out of cookies by them.
3) Show consent message stating that "this website use cookies for proper functioning. If you want to opt out, please read instruction our cookies policy page. Scrolling down, closing this banner or clicking on accept, you agree to our use of cookies.

Is that enough for now? Anxiously awaiting response from dear fellow members of this forum :)

Like this --> [jmp.sh...] (Screenshot)

I'm sticking with my belief that if you're not showing personalized ads to EU visitors, you don't have much to worry about. A simple cookie consent banner with an "I agree" button will do. This thread is not about being in total compliance with the GDPR, it's about keeping your AdSense account valid. The information Google provides on the AdSense site makes it quite clear. All of the issues with getting explicit consent from visitors are related to personalized ads only, which I won't be showing.

Cralamarre: "I'm sticking with my belief that if you're not showing personalized ads to EU visitors, you don't have much to worry about."

Same.

This thread is not about being in total compliance with the GDPR, it's about keeping your AdSense account valid.

Yeah, that's always been my #1 concern. This stuff gets funky when you consider all the different ways people are approaching it, and a lot of folks are talking about different things.

First you have:

> EU-based (which means you have to be especially on your toes, especially in Germany, from what I've read)
> Not EU-based

Then:

> following the GDPR exactly
> following Google's interpretation of the GDPR

And then, after choosing the above, you have:

> using personalized ads
> using non-personalized ads

For me, I only care about following Google's interpretation of the GDPR while using non-personalized ads as a publisher in the United States. I think they're pretty clear on what they want, in this case, as you say.

Anyway, the actual sense I get, after reading through every page of theirs that I can, is that in many ways they're just as "wait-and-see" as we are. I expect, if this GDPR thing turns serious, they'll do what they can to work with publishers to sort things out. I don't really think it'll even go that far, though. I doubt they're just itching to ban everyone.

engineerqasim: "Is that enough for now? Anxiously awaiting response from dear fellow members of this forum :)"

That's just about what I have planned. We're all on our own on this one, though!

Using a cookie consent notice & non-personalized ads is not enough to keep your Adsense account safe from action. Google Adsense [google.com] says...

You must obtain end users’ legally valid consent to:
• the use of cookies or other local storage where legally required; and
• the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
• retain records of consent given by end users; and
• provide end users with clear instructions for revocation of consent.

In regard to collection & storage, read here [webmasterworld.com]


- - -

Using a cookie consent notice & non-personalized ads is not enough to keep your Adsense account safe from action.

I disagree with that interpretation, as Google's EU User Consent Policy is a catch-all, and on other pages they've elaborated on the distinction between personalized and non-personalized ads (especially with their phrasing, "for those customers not seeking consent to personalized ads...we are not requiring changes to current cookie consent implementations." - [google.com ]). Their previous policy also required all publishers to obtain consent, but in practice they haven't been hunting people down.

Also note that while they say, "Our understanding of GDPR requirements is that consent for personalized ads should be obtained before Google’s tags are fired on your pages," they do not say the same for non-personalized ads. Instead, they keep invoking the ePrivacy Directive, which is status quo.

But this thread is a big circle. You do you.

Also, if I implemented an actual 100% you-don't-see-ads-period-if-you-don't-consent, Google may as well just ban me, anyway, because that'll be the end of it.

[edited by: BoredMeteor at 2:07 am (utc) on May 24, 2018]

Keyplyr, earlier you said:

"3 Steps to GDPR Compliance for Adsense Publishers

• Use an opt-in/out cookie notice, shown to all visitors*

• Disable personalized ads for EU visitors: Adsense Account > Allow & block ads > Content > All my sites > EU User consent

• Be explicit in your (linked from cookie notice) Privacy Policy to explain what Personal Identifiable Information (PII) is collected (or not), if cookies are being used & for what purpose, and if server log data files [webmasterworld.com] are retained, for how long & for what purpose. "

Now you are saying that "Using a cookie consent notice & non-personalized ads is not enough." I'm confused.

if I implemented an actual 100% you-don't-see-ads-period-if-you-don't-consent, Google may as well just ban me, anyway, because that'll be the end of it.

If we have to get explicit, affirmative consent before any non-personalized ads are shown, then Adsense is about done for everyone, including Google.

>>>
Other countries (Canada, China, Australia, USA etc) also have strong privacy requirements to soon be enforced
<<<

This is correct, also the eprivacy regulation will change in the EU in 2019 - as it stands today, it demands that websites cannot deny access to people who declined to accept cookies. However, if you really want to be compliant with every possible regulation in every possible country in advance, it will be a constant and probably never-ending task.

>>>
How are you going to stop EU citizens from accessing your web properties? How about when they connect from outside the EU?
<<<

Don't need to, don't care - not on the grounds of the GDPR which is only effective for the groups I have mentioned earlier. Being compliant with Adsense regulation is, however, a different pair of shoes.

I do agree, though, with the general intent of the GDPR - with the exception of adsense, I have, on my websites, never collected any personal data and never transferred any personal data to a third party (including authorities) since 1996, and it is my full intention to continue to do so. :-)