>>>
If we have to get explicit, affirmative consent before any non-personalized ads are shown, then Adsense is about done for everyone, including Google.
<<<

I would imagine that Google will find a way - the "funding choice" is, I suspect, just a test balloon for that.

Plus, let's be realistic, Google controls a huge part of access visitors already, everyone using Android (with explicit or implicit knowledge of location, gender, age and so on). If this percentage, just look how many people are using android mobiles right now, continues to grow, Google won't need us publishers anymore, not the small ones and not the big ones either, they can push their adverts then directly to the end user. For those they are still missing, well, they dominate the web search (in western countries) as well - and if then people are still slipping through their net, they keep a selected few of the biggest companies/sites. :-)

BTW, when you look at some current Google examples, they use a trick with double modal consent boxes. In the first box, you can accept or decline the use of cookies for personalisation. If you click "no", you are being brought to another consent box in which you only can select "accept" (for cookies in contextual ads) or "Back" (to the former box).

In other words: They implement, using other words, the principle "no cookies - no content". :-)

>>>
This thread is not about being in total compliance with the GDPR, it's about keeping your AdSense account valid.
<<<

Yup - but I imagine that many publishers from EU countries lurk in this thread as well. For EU publishers, the GDPR compliance is even more important than (just) the one with Adsense. They also should find here some food for thoughts. :-)

I was just checking out the Cookiebot plugin for WordPress, and noticed some negative reviews claiming that Cookiebot counts every image as a separate page. This can't be true, can it? On my site, that would quickly cost a small fortune.

>>>
Be explicit in your (linked from cookie notice) Privacy Policy to explain what Personal Identifiable Information (PII) is collected (or not), if cookies are being used & for what purpose, and if server log data files [webmasterworld.com] are retained, for how long & for what purpose. "
<<<

Just a short note - The acronym "PII", as being used in the US, is a different thing from GDPR "personal data". The GDPR considers, for example, IP addresses and even referrers (because they might contain delicate or private information) being "personal data" as well.

Oh, and another thing ... people who are underage in some countries cannot give a lawful consent. How someone will make sure that such a consent is indeed given/authorized by the parents, is one of the -yet unsolved- mysteries. As well as the case that someone is sharing his computer (eg. in a family, or generally multiple machines in a network on one IP with NAT) and one consents on a webpage, while the other won't (or vice versa). Oh well, I better stop ... :-)

The GDPR considers, for example, IP addresses and even referrers (because they might contain delicate or private information) being "personal data" as well.

Agreed. That's why it's required to declare how log data storage [webmasterworld.com] is handled.

For any UK visitors, worth remembering what's in the PECR regulations, which are based off the E-Privacy Directive.

"You must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent. Consent must be actively and clearly given"

"To be valid, consent must be freely given, specific and informed. It must involve some form of unambiguous positive action – for example, ticking a box or clicking a link......You need to be confident that your users fully understand that their actions will result in specific cookies being set, and have taken a clear and deliberate action to give consent. This must be more than simply continuing to use the website"

"Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies."

BUT, the key thing in the UK as the ICO mentions, they have had relatively few complaints about cookies (with nearly every webmaster not doing anything more than implicit consent banners) and at least up until now have taken a risk-based approach in the area of cookies.

In Adsense's case with their line of: "You must obtain end users’ legally valid consent to: the use of cookies or other local storage where legally required", I'd say in the UK at least, legally you should be getting consent for cookies.

BTW, when you look at some current Google examples, they use a trick with double modal consent boxes.

Yep. Noticed that with their AMP examples. It's Google Wonderland. I mean, on the AMP Consent Flow tutorial:

Ads can also be blocked until consent is given, but ad networks can implement own behavior (e.g. default to non-personalized ads without consent, as seen documented here for Doubleclick).

And "documented here" leads back to [support.google.com ], which says:

If your AMP ad tags do not use Real Time Config (RTC), you may simply enable non-personalized ad serving in the DoubleClick for Publishers or AdSense UIs, and no further changes to your AMP pages are needed.

Farther down, under the section regarding a consent choice between only personalized/non-personalized:

If the user has responded negatively to the amp-consent component (user rejects the consent prompt), non-personalized ads will be requested.

And in this implementation example, by default, only if the user chooses not to choose will no ads be displayed. But this can be changed to allow non-personalized ads by default, requested before consent.

So, uh, yeah.

So can we do a tally of what cookie plugins or scripts you guys are using? So far I'm testing Cookiebot, Cookie Control 8 Civic UK, Cookie Law Info. Also looked at Quantcast and Iubenda (seems a little too expensive for big sites)

Be careful... any time you rely on a 3rd party remote file, there's a real chance of failure. The 3rd party may have server issues, there may be a down point in the network, or the user may not allow 3rd party scripting or cookies in their browser settings.

Plugins are OK, but always best to serve any script from your own server.

Understood. Which one would you recommend?

I would install the free cookiebot version, then go get that script & CSS file from Cloudflare and put it on your own server, then change those file paths in the HEAD of your pages... voila!

The free cookiebot version shows that big ugly banner everywhere. It certainly makes no sense to disturb the Americans and Asians with that banner. Nobody (big companies) doing that.

You'll soon need to show "that big ugly banner" to everyone anyway. Why keep going through this every month.

California is soon to announce their cookie notification & privacy requirements. Canada, Australia, China and others will also.

[webmasterworld.com...]
[webmasterworld.com...]
[webmasterworld.com...]
[webmasterworld.com...]

Treat everyone's privacy rights the same and be done with it.

[fix typo]

[edited by: keyplyr at 7:32 am (utc) on May 24, 2018]

Here Iubenda writes about "active consent" to cookies according to the ePrivacy rules: [iubenda.com...]

So it seems like their solution should be enough?

I think their solution is superior to the others (consent obtained with scrolling, clicking, closing notification), but of course it is also more expensive.

Hey guys, put this Silktide code in header. I customized it a little and it will show only in EU!

<snip>

Preview: [imgur.com...]

[edited by: MayankParmar at 8:31 am (utc) on May 24, 2018]

[edited by: engine at 8:34 am (utc) on May 24, 2018]
[edit reason] Please don't post code that is subject to copyright [/edit]

We can also host the css and js locally for better speed and reliability.

MayankParmar, have you got a screenshot of what the above code will result in?

Also, does anybody have a privacy policy they can share, which has added information about all of this? I have one, and it mentions cookies, but just want to make sure the wording is adequate.

And finally, for those using Wordpress, can you share a link to the one you have used (excluding any paid service such as 'cookiebot').

@Steviec79 Here you go [imgur.com...]

Thanks MayankParmar, that seems straightforward enough. Although the code has now been removed from your post.

@steviec79 Mods removed it because of copyright, but Silktide itself says it's open source :)

No worries, if anyone needs that code, message me :)

You'll soon need to show "that big ugly banner" to everyone anyway.

Not necessarily, by next year, the ePrivacy Regulation will transfer the cookie consent request to the Web browsers. So web publishers will no longer have to mind about cookie consent. Good news? Not so sure.

The draft stipulates that when the browser (or a new update) is installed for the first time, users must "set" whether they accept cookies and, if so, what kind of cookies. Since 90 % of users will choose a restrictive setting, thus in particular not allow third party cookies, "the regulation effectively shuts off the device" (according to VPRT, the German Association of Private Broadcasters and Telemedia). The regulation does not provide for an automatic mechanism which, with the user's subsequent consent, releases the browser. In fact, this means that cross-domain tracking and the storage of information about the end device by third parties are prohibited. Retargeting models are virtually impossible to implement.
[eprivacy.eu...]

90% of users (at least EU) will have a browser blocking third-party cookies. So, Adsense (and others), if they want to continue their business, will have to propose real cookie-less ads. And no matter what they argue about their legitimate use of cookie, web browsers can't tell what a cookie is used for. It blocks it, or it doesn't.

This is the end
Beautiful friend
This is the end
My only friend, the end...

Not necessarily, by next year, the ePrivacy Regulation will transfer the cookie consent request to the Web browsers.

Yes, I'm aware of that. It may take a lot longer for every browser (there are a couple dozen) to add that preference to their settings.

Good news? Not so sure

Agree. Along with this may be other choices that may not be very kind to ad publishers.

Crikey, can we get any more pessimistic people on one thread. We might as well slit our wrists now. It's called evolving - Google I'm sure will evolve and bring something out that publishers can use instead. There's always something else to jump on, that's just around the corner.

I use Statcounter on my sites and was interested to see how they are handling this - this is their FAQ page on GDPR:

[statcounter.com...]

Particularly interesting I think is this bit - the Irish High Court ruling should be relevant as I believe the Adsense HQ for Europe is in Dublin:

The GDPR makes it clear that an ip address and other cookie identifiers may be considered personal data.

However, for an IP address and other identifiers to be considered personal information, a user must be able to identify the person behind the IP address. As a regular user of Statcounter is not able to do that, an IP address should not be treated as personal data. There is legal precedent for this in the Irish High Court. They made the eminently sensible ruling that in the hands of an ISP (who controls that ip address range) that should be considered personal data, however in the hands of a record company who can't identify the individual behind the ip address it should not be considered personal data.

@darthtoon - your Privacy Policy must describe how, where and for how long your server data logs are stored.

[webmasterworld.com...]

IP adresses and other server log data are absolutely sensitive personally identifiable data.

While server logs are necessary for running a site, they clearly reveal the location of the user, the address of their computer, the browser they're using, their operating system, the time they arrived on your site, which files they requested, whether they purchased products, and the time they left.

I am not sure how long the logs are stored on AWS :/

Has anyone here come across sites that are using a server side check and using the AdSense api to do something like:

if consent == true
.requestNonPersonalizedAds = 0
else
.requestNonPersonalizedAds = 1
endif

I've been trawling through websites and found nothing yet.

My AdX partner advised me to do that for non personalized ads in EU.

On posting the Silktide code - if that was actually the server side script itself, then that would be fine if it also includes the MIT licence text.

If he was just posting the snippet to invoke, quoted from their website - they obviously expect you to do on your site to use it. And if it was a customised rather than quoted version, then arguably MayankParmar is the copyright owner, no different to writing any other code using someone else's language or API. Even if it was a quote, there have been numerous people quoting from websites, copyright law doesn't change just because it's JavaScript (are we also not allowed to post examples on how to do things with the AdSense or Analytics JavaScript code...)

(Of course if the mods don't want code examples posted that's up to them, I'm just pointing out things regarding copyright.)

"I'd say in the UK at least, legally you should be getting consent for cookies."

Well what does the ICO site do for it's cookies? It just puts up an info window, and assumes you're ok with them unless you take the steps to disable them. "Otherwise, we’ll assume you’re OK to continue."

So I don't see why anyone in the UK should need explicit consent under the cookie law when almost no one else does, even in the UK, and even including the ICO. (And if we're worried about Google enforcement, well Google who have a clear UK presence don't do this for UK viewers on their sites either.)

[edited by: markwmo at 10:37 am (utc) on May 24, 2018]