Good, it's almost over. Or is it only just about to begin?

All this for ~5% of my traffic.

This could easily turn out to be one of those laws that slowly gets ignored because enough sites do not comply and users just don't care.

@MayankParmar You're just using the basic "I accept" button, right? You didn't set up Silktide to let people opt out of cookies?

All this for ~5% of my traffic.

~10% for me. But 100% of my headache.

I think how the EU reacts coming out of the gate will set the the tone. If tomorrow morning they send out warnings to big companies not in strict compliance it that will be one thing. If they do nothing like they did with the cookie banner law from 2 years ago, that will be something else. My guess is that they will do nothing if for no other reason than they have self admitted that the eprivacy law coming soon will change some of implementation of GDPR.

BoredMeteor and Cralamarre, less than that % for me. Thus I'm not showing ads in Europe at all. No need for a banner or anything else since no cookie drop or PII or anything.

Cralamarre, he didn't write that banner he's just using it. That exact same code was posted in another thread earlier. The way that banner works was good for the cookie banner law from 2 years ago. It doesn't fulfill the requirements in GDPR which require an explicit consent or not. It's notification and not consent since a visitor can just not even click I agree, ignore it and go on their merry way. I guess you can rig your site to default to not showing ads until the person hits I agree. That would work.

I guess you can rig your site to default to not showing ads until the person hits I agree. That would work.

That's just not going to happen. I might as well close down now if I can't show any ads unless someone agrees to it. But I honestly do not believe that visitors need to give explicit consent for ALL cookies. Only cookies that track personal information. Non-personalized ads don't track anything that can be used to identify you, and therefore do not require explicit consent.

@MayankParmar
Do you use Anchor/Overlay AdSense Ads with [cookieconsent.insites.com...] - Banner top (pushdown)?

According to Google, even if you use non-personalized ads, you need to get consent. Since even without personalized ads, the cookies it sets does track you and thus it's PII. Turning off personalized ads in Europe doesn't mean visitors aren't tracked. It just means in Europe Google will not use that tracking. Outside of Europe Google still will. So those Google cookies are still PII. Turning off personalized ads in Europe is not a magic bullet that some people have made it out to be. You mentioned that only 10% of your income comes from Europe. So what I was suggesting is that you do that only for Europe. You can geolocate the same way that that script does. You can even do it without sending a full IP address and thus not send PII.

even if you use non-personalized ads, you need to get consent

Yes, but not explicit consent.

@Cralamarre Yes, "i got it" button and that's it.

@Kurono_Kei I don't use Anchor ads. But I guess that would do the job. Show top cookie consent and reserve bottom for ads.

Even at the Adsense level, how is all this actually going to be enforceable?

Manual review of all publisher sites? I can see them checking your Adsense account for the EU ad settings but that's about it. So many different interpretations and implementations that are popping up and some implementations are only seen by EU traffic - so manual reviews will be hit and miss.

On Google's CookieChoices.org site, it states:

If visits to your site do not influence the ads served elsewhere, the following notice might be appropriate:
"This site uses cookies to analyze traffic and for ad measurement purposes.", followed by a link to learn more or a button to click OK.

Since non-personalized ads do not track information that influences the ads shown to you, a notice such as the one above should be fine, according to Google.
[cookiechoices.org...]

[edited by: Cralamarre at 5:09 pm (utc) on May 24, 2018]

Ember, where does it say that? Since GDPR is about getting consent for PII. Not personalized versus non-personalized ads. Regardless of what ads you show, that cookie still unique identifies you AKA PII.

@fretfull Non-personalized ads do not track personal information about you. The GDPR does not require explicit consent for all cookies. Only cookies that track personal information. Cookies used for things like ad frequency capping don't qualify.

Cralamarre, dig a bit deeper. That's Google's general guidance. They specifically call out Europe separately and specially say you need to get consent before dropping those cookies even for non-personalized ads.

[google.com...]

"Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?

Cookies or mobile identifiers are used to support personalized and non-personalized ads served by Google to combat fraud and abuse, frequency capping, and aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required."

Cralamarre, look at the policy from Google I just posted above. The policy does say you need consent even in the example you brought up. Also, non-personalized ads don't show ads based on the tracking. Your unique identifier is still there in the cookies. Since Google still uses that outside of Europe. It's like having passport. They may not ask you to show it moving around Europe, but they sure do if you leave Europe. Just because they don't ask you to show it in Europe, doesn't mean you no longer have a passport.

[edited by: fretfull at 5:21 pm (utc) on May 24, 2018]

There were Y2K problems - they didn't happen, because they were fixed. It's like saying a vaccine was unnecessary because an epidemic didn't happen after the vaccine... Not that I see the relevance to this law.

"May be because the site of the ICO is not displaying Adsense ads? The ePrivacy directive concerns only cookies which are used to track users, and collect personal information. If a cookie is neither tracking, nor collecting personal information, it doesn't need to obtain a consent. "

Yes but in that case, it's still not true that consent is needed for all cookies - I was responding to the claim "I'd say in the UK at least, legally you should be getting consent for cookies."

Now, it is an interesting question as to whether non personalised ads use cookies that might still be the kind that the ICO care about - but the law has been around for years, and I see no evidence of them or anyone else caring about this. I've never seen a site (UK or otherwise) where I had to opt into ads because of the cookie law. I didn't worry about the cookie law before (other than displaying the info banner), and nothing changes on that law tomorrow.

Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply.

It says consent. It does not say explicit consent, which is different from implicit consent.

It says consent. It does not say explicit consent, which is different from implicit consent.

Agreed.

This reminds me of the Y2K Disaster - that never happened.

It never happened because software and hardware engineers worked during 20 years , in order to fix software, convert data, and progressively replace hardware impacted.

The same is happening with the upcoming 2038 issue. Software developers are updating software and databases so that you , feel like there is no problem.

Many big sites didn't start doing it until recently for this deadline. Was that because there was no enforcement penalty until now?

The ePrivacy Directive (Cookie law), concerned only European businesses, and the fine was up to €150.000 or €300.000 (I do not remember). The GDPR and the upcoming ePrivacy Regulation, concerns all businesses across the World, and the fine is up to €20 or 4% of the annual worldwide turnover, whichever is greater. It concerns much more companies, and the fine is also a lot more higher. So it's no surprising that big companies are making more efforts. (keep in mind that GDPR is not only about Web sites, it's much wider).

Yes but in that case, it's still not true that consent is needed for all cookies

I don't know why some are still thinking that it concerns all cookies. The ePrivacy directive only concerns cookies which are used to track user activity, or/and collect personal information. All other cookies are not concerned by a consent. Also, the ePrivacy directive applies only to EU businesses. So non EU businesses, with personalized-ads disabled for EEA do not even have to display a cookie banner. However, it remains a good and fair practice to inform your visitors.

[edited by: QuaterPan at 5:30 pm (utc) on May 24, 2018]

I've had my cookie consent banner up and running now for a couple of hours, with a link to view my privacy policy or just click "Got it!". Not one single page view for my privacy policy.

Ember, Google doesn't say implicit either. So why can't it be argued that it defaults to explicit? Google says it has to be consent that complies with the law, such as the EU GDPR law, that says it has to be explicit and implicit no longer does the job.

Cralamarre, here's more guidance from Google about whether there needs to be consent even with non-personalized ads. It is required.

[support.google.com...]

"Non-personalized ads are targeted using contextual information rather than the past behavior of a user. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply."

@fretfull Yes, but all it ever says is "consent", not "explicit consent". There's a big difference between the two, and if Google required explicit content, they would state very clearly "explicit consent", as they do for personalized ads.

Cralamarre, do they? I don't recall Google ever saying explicit or implicit consent ever. They simply say consent. But they do say that there needs to be consent before any cookies are dropped. Thus there needs to be consent before any ads are displayed since by displaying ads with Adsense, you are dropping cookies.

That cookie consent adds 140ms to page load time lol.

I have had cookie consent banners up for a couple of years and looking at my main site, based in the EU, I see my cookies page (linked to from the banner) received 0.2% of my page views and the Privacy Policy page, 0.01%

Even at the Adsense level, how is all this actually going to be enforceable?

I'm wondering that, too. They know if you have EU traffic, and they can check for cookie consent code, but how do they know if the user actually consented?

So why can't it be argued that it defaults to explicit?

It is vague on purpose. It protects them and to some extent us.

Thus there needs to be consent before any ads are displayed since by displaying ads with Adsense, you are dropping cookies.

If that is true, then it is game over for most sites starting tomorrow. Online advertising is done. I don't see that happening.

Not one single page view for my privacy policy.

That's because no one but regulators cares about this.

If that is true, then it is game over for most sites starting tomorrow. Online advertising is done. I don't see that happening.

But the ePrivacy Regulation is signing the end of cookies :

The draft stipulates that when the browser (or a new update) is installed for the first time, users must "set" whether they accept cookies and, if so, what kind of cookies. Since 90 % of users will choose a restrictive setting, thus in particular not allow third party cookies, "the regulation effectively shuts off the device" (according to VPRT, the German Association of Private Broadcasters and Telemedia). The regulation does not provide for an automatic mechanism which, with the user's subsequent consent, releases the browser. In fact, this means that cross-domain tracking and the storage of information about the end device by third parties are prohibited. Retargeting models are virtually impossible to implement.
[eprivacy.eu...]

@fretfull You may be right, and my mistake, if Google does not state "explicit" consent anywhere. However, with there being such a big legal difference between explicit and implicit consent, I have to assume that if Google requires explicit consent before an ad is shown, they would state it very clearly.

So here's what I'm going to do. I'm going to leave my simple cookie consent banner in place, which people can agree to just by ignoring it if they want (as everyone will), and I will continue to enjoy revenue from AdSense until such time that someone from AdSense contacts me about it. If you want to pull your ads until someone gives you permission to display them, that's your decision. Personally, I'd rather keep earning money unless someone says I can't, rather than stop earning it unless someone says I can.