If people do not want to give up data in return for free access to websites, then maybe they should stop using the internet.

Amen!

What? Everyone has a God-given right to the internet and everything on it. Don't you know that? Everyone knows that. Just ask everyone. They'll tell ya'.

The only people in the world who have no rights at all are content creators. We're all lazy bums who don't deserve anything.

@engineerqasim

I have updated the banner asking for consent to be very obvious, the wording I have used comes from another website, it is

"We use cookies and other tracking technologies to improve your browsing experience on our site, show personalized content and targeted ads, analyze site traffic, and understand where our audience is coming from.
By clicking OK or continuing to use this site you agree to our privacy policy and our use of cookies."

Below this is an "OK" button followed by a link to my privacy / cookie policy if users want to go there. The privacy / cookie policy has been cobbled together from other websites today. The OK button does nothing but make the banner disappear from the current page if selected. Whatever the user does, a cookie is written and the message will no longer appear for that user.

I have decided to let Adsense display personalised ads, I believe it is their responsibility not mine for those.

I have updated Google Analytics to anonymise any data they collect from visitors to my site. I did this because I have no idea how much data they collect and what it is.

Any thoughts of creating an email newsletter have now been totally forgotten. The complexities are too much for me.

I do write a cookie from my own website which is not stored on my computer, it is stored on the users computer. I make no analysis or any thing else regarding the cookie I write. The cookie is essential to some users of the website and can be considered as a service cookie. So the EU can go hang itself if they object to that.

The above is what I have done, not advice to anyone else.

Any thoughts of creating an email newsletter have now been totally forgotten. The complexities are too much for me.

I have a newsletter but I'm kind of afraid to send it out now. Newsletter sign-up on my site has always been a two-step process. First you enter your email address on my site, but then you also have to confirm by clicking a link sent to you in an email. So everyone who is a current newsletter subscriber has confirmed their intention to receive it.

Does that mean it's legally okay to still send it out?

I also have a newsletter list and I absolutely intend to keep sending it. I fully discuss it in my privacy policy - what their info is used for, how to opt out, tracking beacons, etc. Every single person entered his own information to receive emails from me, which in my book is explicit consent. I am now, though, adding a required country field and will delete anyone from the EU.

Wow, this is all so confusing.

I run a midsize site. I turned adsense personalization off in the EEA.

I really don't want any dumb pop-ups talking about cookies when personalized ads are off anyways. Are these pop-ups NECESSARY?

It's probably just easier to block all the EU countries, especially if they are an extremely low percentage of visitors. Very few people from the EU visit my site. I don't care if they come there or not, personally.

Azlinda, how are blocking them?

Some companies might just accept the GDPR fines as a cost of doing business and write it into their budget as a line item. If I got hit with a 4% global earnings fine each year it would hurt but not put me out of business.

@azlinda I am in a similar situation. I have simple information site with no possibility for users to log on or create any sort of an account. I switched off personalized ads for EEA, but otherwise I am doing nothing. I have very little EU traffic and my site targets a US audience. It is very unlikely that anyone will legitimately, and through the proper legal channels will come after me.

@NickMNS You don't even have a cookie consent banner?

I really don't want any dumb pop-ups talking about cookies when personalized ads are off anyways. Are these pop-ups NECESSARY?

Based on my own experience of not having a cookie consent banner in all the years I was supposed to have one, I would say the answer is yes, they're necessary if you care about being compliant, but no if you don't. I've never received a complaint for not having one. But having said that, I do have one starting today, just to be safe.

Use Cloudflare or any other firewall to block EU.

I am not going to block them. It's too harsh, and they don't deserve this.

>>>
Does that mean it's legally okay to still send it out?
<<<

Since you are not in the EU, you should not worry too much. But, if you want to it correctly, you need to purge the old userbase and start a new one - because a) one can argue that they did not have the privacy policy information once they signed up and they did not give the consent to the new policy and b) you need a documented consent to target someone by email.
However, this issue is one of those (many), where the opinions, even amongst the "specialists" widely diverge. :-)

But, if you want to it correctly, you need to purge the old userbase and start a new one

Nope. :)

I tried the Cloudflare firewall and they still get through.

you need to purge the old userbase and start a new one

Not going to happen. It took 15 years to build it, and nobody is going to tell me that I have to purge it. If someone does, that will be when I get a lawyer and sue.

[edited by: ember at 6:18 pm (utc) on May 25, 2018]

Using Cloudflare. You can block any country through Cloudflare. Problem solved. I don't care anything about EU traffic. They're no big loss to me.

@ember You need to block all EU countries one by one.

In other news, Google holds an AMA-style meeting with dozens of publishers on GDPR [martechtoday.com...]

From what I see in Cloudflare, unless you have the Enterprise version, all you can do is challenge people. They can still access the site if they pass the challenge. Am I missing something?

Well, AdSense isn't doing too badly anymore, especially with the long weekend. Page RPM and CPC have all improved since this morning.

After all, it may well turn out that it is Google's responsibility to get consent for their Adsense ads which appear on my pages. Who knows.

I have decided to let Adsense display personalised ads, I believe it is their responsibility not mine for those.

Answer:

The principle of shared responsibility set out by European legislation, both website publishers and third-party companies may be held liable for the data collection by a cookie set before the user has given consent.
[cnil.fr...]

And here is a thought. If people do not want to give up data in return for free access to websites, then maybe they should stop using the internet.

It's not about it. The GDPR allows you to do whatever you want, form the moment people agreeded.

I have a newsletter but I'm kind of afraid to send it out now.

Newsletter is one of the easiest thing to deal about. Your subscribers did agree to receive it, when they signed it, so you have their consent. And, I guess, you are allowing them to unsubscribe, and, I guess, you are not using their email address for anything else. So all this is already fine.

If I got hit with a 4% global earnings fine each year it would hurt but not put me out of business.

This is up to 4% or up to €20 millions, whatever is the higher. So if 4% of your earnings is 100, they can still fine you 1000 if they want.

I doubt if they can catch and fine me in India. Probably easy in the US.

If you have got Cloudflare and WordPress. Add this to htaccess.

# Block UK
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:CF-IPCountry} ^(GB)$
RewriteRule .* - [F]
</ifModule>

Works :D

Nomis5, that's what I said too about being required to store consent and allow people to revoke consent. That's the irony of GDPR. It requires a site that doesn't deal with PII, to manage PII in order to be compliant. So the reg makes us take PII in the name of protecting PII where we otherwise wouldn't.

MayankParmar and others asking about blocking. I talked about this in another thread. You do not need to use cloudflare or block countries one by one. Just geolocate for free with ipstack, it's the same geolocating service that cloudflare uses, and block the entire continent of "EU". Blocking all of Europe is the tack that many big sites have taken. It's also a protest. Since the page they serve to Europe explains exactly why Europe is blocked. By geolocating yourself and setting up your own block, you can also display such a message.

I doubt if they can catch and fine me in India. Probably easy in the US.

In Canada, if they want to catch you, they just grab a coffee at Tim Hortons and wait for you to show up.

Sorry, a little Canadian inside joke.

I doubt if they can catch and fine me in India. Probably easy in the US.

Because of the shared responsibility, and since this is the topic about adsense, "if" the EU has something against you, about your adsense implementation, they'll sue You and Google. If they cant' reach you, then they'll get on Google only, so Google will certainly cancel your account. However, this is unlikely to happen, because you are too small, no hard feeling.

@Cralamarre, no banner. If Adsense objects I will consider changing this.

@QuarterPan -> sue me!
I'm not European, I do not target European users. If Europeans wander onto my site then great, they are welcome. But I have no obligation to conform to laws in a country that my company does not reside in or operate in. If the EU wants to come and get me then let them. But I assure you their expense in executing a judgment and obtaining any sort of payment will be orders of magnitudes greater than the value of my company. And I am certain that there are many other companies/websites around the world that are do not meet the wishes of the EU. So unless the EU wants to send me a check to cover the cost conforming to their half-baked legislation I ain't changing anything!

But I have no obligation to conform to laws in a country that my company does not reside in or operate in.

So why not just turn personalized ads back on then?

@NickMNS I agree wholeheartedly!

I agree as well, but the problem as I see it is that while they may not be interested in coming after a small fish like me, they may go after Google for allowing small fish to continue using AdSense without following the rules. And that would be reason for Google to suspend or terminate accounts.

For anyone blocking EU traffic, make sure you explain it is because of GDPR and what the issue is. This is what I'd be doing if I didn't have significant EU earnings...