Forum Moderators: martinibuster

What does EU GDPR mean for Adsense?

Question about GDPR and Adsense.

     
5:38 pm on Mar 24, 2018 (gmt 0)

New User

joined:Feb 8, 2018
posts:10
votes: 0


Question: What does EU GDPR mean for Adsense?

Most of the Adsense income is from interest based ads. Will this be affected by the EU GDPR?
I'm concerned because today with the latest update for my Android Phone, I got asked for permission related to interest based ads. (Maybe it is because I did disable it before. This is to see the normal ads on my pages with Adsense. But I'm still concerned.)
1:22 pm on Apr 27, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


If they click 'got it' then that should surely mean they don't mind it. If they do - they can exit the website.
8:22 am on Apr 28, 2018 (gmt 0)

New User

joined:Apr 28, 2018
posts:21
votes: 0


I've gone through the entire thread but unfortunately it seems nobody knows exactly what will happen and what website owners have to do ahead of next month.

Let's start with what we know:
[ico.org.uk...]

"Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent."

This means that the old-fashioned cookie bar at the top of the page where "OK" means I opt-in is now obsolete. If I understood correctly, the website must make it clear what data is collected, how it's stored and processed and a way for the user to either accept or deny.

In case of a checkbox, it has to be unchecked, in case of a switch it has to be off. So contrary to how it was before May where the default was "I agree" and "I got it" was enough, from next month the default has to be opt-out.

Whatever the case, who is responsible for the opt-in/opt-out mechanism, the website owner, Google Adsense or both?

For example I run a static website with no login, no registration, no e-mail subscription, no comments but I have Taboola and Adsense ads on the website.

Do my users have to opt-in before I'm even allowed to display adverts?

Or they have to opt-in only for personalised adverts, meaning that an opt-out means showing different type of ads?

And if I am to implement an opt-in / opt-out mechanism before displaying adverts, how on earth will I be able to differentiate between EU and non-EU users?

There's no way users will opt-in so might as well shut down the whole thing.
9:53 am on Apr 28, 2018 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:311
votes: 19


To be honest I do not care about EU GDPR at all, but only about following Adsense/Analytics guidelines to implement a mechanism that they are satisfied with.

2-3 years after the Cookie bar was introduced, probably more than 50% of websites had not placed any kind of Cookie warning for visitors at all. And I'm talking about EU websites.

I hope too that over the next 10-15 days it should become clearer what we need to implement and how.
9:56 am on Apr 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


> In case of a checkbox, it has to be unchecked, in case of a switch it has to be off. So contrary to how it was before May where the default was "I agree" and "I got it" was enough, from next month the default has to be opt-out.

What about an "I agree" and an "I disagree"?

If they disagree, they can be redirected to another page on your site, which explains why they can't view your content, until they accept.

> There's no way users will opt-in so might as well shut down the whole thing.

They're more likely to opt-in, if they have to, in order to see the content. If they can read the content without opting in, they're less likely, as they don't have to bother.

Also, I'm seeing this mentioned quite a bit on other forums:
[cookiechoices.org...]

The above link shows this image:
[cookiechoices.org...]

Something could also be added to the above, such as: "As we rely on adverts to fund our site, if you disagree, you'll be redirected away from our site".

I don't see the harm in telling people if they don't agree, they can't see the site.
10:23 am on Apr 28, 2018 (gmt 0)

New User

joined:Apr 28, 2018
posts:21
votes: 0


> What about an "I agree" and an "I disagree"?

The problem is not how the choice is presented to the user, it's that by default the user's selection is a No.

Take this as an example:
[cookiechoices.org...]

If the user ignores it, it's as if he said "No". Also, what should we do when someone says "No"?

a) Don't display any ads at all
or
b) Display non-personalised ads

And regardless what the answer is, there is still an issue on how to understand where the user is coming from in order to decide the default opt-in selection (No for EU, Yes for the rest). If such a distinction is not made, even non-EU users will end up in the "No" category.

And it gets even more complicated because apparently if I'm European but using a website during my holiday trip in the US, I should still be considered as European by the website.

> I don't see the harm in telling people if they don't agree, they can't see the site.

That could work for an original-content website but my site has content available elsewhere so such a strategy will definitely not work, the user will simply start using another website.

> To be honest I do not care about EU GDPR at all, but only about following Adsense/Analytics guidelines to implement a mechanism that they are satisfied with.

I received three e-mails from Google and I'm yet to understand exactly how to move forward. Something else I did not understand is whether I have to register with the Information Commissioner's Office (that £35 a year thing) or if it's Google which has to do it.
10:55 am on Apr 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


> The problem is not how the choice is presented to the user, it's that by default the user's selection is a No.
>
> Take this as an example:
> [cookiechoices.org...]
>
> If the user ignores it, it's as if he said "No". Also, what should we do when someone says "No"?
>
> a) Don't display any ads at all
> or
> b) Display non-personalised ads


I would go along with (B)

If they aren't from the EU, no message is shown.
If they are from the EU, they have a yes or a no.

No = non-personalised ads
Yes = personalised ads.

It seems that's the only real route.

A) no message
B) non-personalised ads
C) personalised, default ads.

Has anybody done a report on earnings with vs without personalised ads? To see how much better personalised ads are?
11:08 am on Apr 28, 2018 (gmt 0)

New User

joined:Apr 28, 2018
posts:21
votes: 0


> I would go along with (B)

Fair enough but in that case there are still a couple of issues such as:

1) What about a static website with no server scripting at all? Can Javascript determine the location of the user?
2) What if the user is using some sort of proxy and the IP address is not enough to understand where he is located? I could end up not asking an EU user for consent.
3) What if I'm using an ad service which is not as big as Google and does not provide non-personalised ads?

Besides, don't we need the user's consent to retrieve his IP address? So how would it work, you display two windows, one to ask for consent to determine the location and the second one to ask whether or not he wants personalised ads? :)
11:39 am on Apr 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


All I can say is what I'll be doing at this moment in time...

2) If the user is using a proxy, then that's out of my hands. I certainly won't be worrying about people using a VPN, VPS, proxy.
3) Then I wouldn't bother, myself.

Is somebody seriously going to take the time and money to hunt you down?

As for retrieving an IP address, again, I wouldn't be concerned about it, in that case I wouldn't display any message.

Basically, the only time I plan on displaying the visitor a message is if their IP address is mapped to somebody in the EU - and even then, I might give it a random factor, so it doesn't always check and display.

I really can't see this being so exact and specific that if you fail to show a message for every single person visiting from the EU, your website will blow up. I know many people who use Adsense and don't even have a cookie policy shown.
2:43 pm on Apr 28, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2224
votes: 574


Google is supposed to be coming up with a tool for consent collection. That should relieve a lot of the current angst.
3:02 pm on Apr 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Mar 29, 2018
posts:75
votes: 12




> Google is supposed to be coming up with a tool for consent collection. That should relieve a lot of the current angst.


A technical process and UI to obtain explicit consent will quickly be defined by the big players and I'm sure we'll all be able to implement / follow it. The FAR bigger issue is whether targeted advertising will remain viable in the EU. If it doesn't then what will happen to existing revenue streams? Will contextual pick up the slack? Will a new format come to the fore? Will the advertisers take their money elsewhere?
3:09 pm on Apr 28, 2018 (gmt 0)

New User

joined:Apr 28, 2018
posts:21
votes: 0


> Google is supposed to be coming up with a tool for consent collection. That should relieve a lot of the current angst.


That's nice to hear, hopefully other networks will do the same. May I however add that it's a little too late already, many websites have to go through multiple steps of testing, we're just a month away.
3:33 pm on Apr 28, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2224
votes: 574


No one is clear on exactly what to do. There are webmasters out there that have no idea that this is coming. I seriously doubt that the world is going to end on May 25 if you haven't implemented steps to comply. There will be court challenges, changes and more. The EU is not going to go after mom and pop sites. And if they do, it will be years down the road. They're after the big guys who lose massive amounts of data to hackers and don't bother to tell the public for months.
3:49 pm on Apr 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


I agree with Ember.
5:39 pm on Apr 28, 2018 (gmt 0)

Preferred Member

Top Contributors Of The Month

joined:Aug 6, 2014
posts: 379
votes: 63


I also agree with Ember. Even Google seems to be struggling with how to comply with GDPR requirements. I read above that Google is supposed to release a consent collection tool. Less than a month out and there's no tool. Google said elsewhere they were going to roll out a non-personalized ads option. I don't see those available. There will undoubtedly be court challenges. If anyone is really worried, they can use Wordfence Premium to block access to the individual countries that make up the EU. If you're a U.S. publisher, most of your traffic is probably coming from the U.S.
5:44 pm on Apr 28, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


There will no doubt be many MANY free Wordpress plugins that can decipher EU to Non EU traffic. I remember using Maxmind a few years ago for a site I ran. They're not 100% accurate, but close enough.
5:59 pm on Apr 28, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member ken_b is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Oct 5, 2001
posts:5851
votes: 102


I see a few references to denying access to visitors who say NO.

I can't find that reference again (I lost the link) and maybe I'm wrong, but ...
I seem to recall that the spec says that is not allowed. In other words we can't deny access to a visitor just because they click NO after arriving at our site(s).

Hopefully someone who knows this stuff better than I will know if my memory is accurate or not.
2:20 pm on Apr 29, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Apr 29, 2018
posts:45
votes: 1


I am in the same boat. From my understanding, you can just choose between personalized and non-personalized ads, because even the non-personalized ads put a cookie, and by doing so, you are required to get consent. So this means that the only way to place an Adsense ad is by getting consent for it and then you can place it.

What I think Google might do is to create a solution for publishers with the option to display Ads that do not put a cookie, or a cookie that is of the type that doesn't need consent (it's a 3rd party cookie, so I don't know which type is allowed if any). Without a solution, we need to disable all ads until we get consent.

I've already done it for all my Amazon ads. I deleted all social buttons, deleted all comments on my blog, disabled registration, removed all users, disabled commenting and disabled any other script or service which is not necessary. I also closed two active forums because I cannot comply with them in time. I am using Cookiebot. I did it on the server side, so even if the user consents, the ad doesn't appear, only after page refresh, so it's not a good solution, but right now it was the easiest for me to implement.

I intend to use Cookiebot for all my sites, because it's not just the problem with adsense, but with many other cookies, including those placed by so many other services that are used throughout the site. The cookies might change also, so I need Cookiebot to continue scanning the site for new cookies and update the cookie table. You also need to keep consent approvals for everything, Cookiebot does that for you.

If there won't be any available solution, I will just block all ads until consent is given. The solution for all my sites will cost me about $150 per month, but at least I know that I am good to go. I am still going all over my websites, because I need to manually modify the code for any script, server or client, that puts a cookie and modify it to support Cookiebot.

As a developer it is a lot of work, but I don't know how non-developer people will be able to adjust to it in time, especially if someone starts late and in the case where there aren't so many tools that help you do so.

Also having the Adsense tool might not solve all your cookie problems, because these are not the only cookies you are going to have on your site for which you need to get consent. So I say it's better to search for current solutions and start implementing them, than waiting for the last moment and not being ready.

Another thing that I am not 100% sure about. Even if I use personal ads, many ad networks put dozens of other cookies. I don't know if those cookies will be disabled when I use the new non-personalized ads or not, but that's yet to be seen. If not, this means that I need to monitor which ad networks comply with GDPR and block ones that do not comply. Lots of homework to do on the subject. Hopefully Google clears everything out soon enough.

I don't even do regular work now, for 3 weeks I have been all into GDPR and intend to invest until May 25th until I am sure that all my sites are compliant.

Tough time, but we'll survive eventually, I hope.
3:19 pm on Apr 29, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:May 29, 2007
posts:896
votes: 144


I won't worry about it. All my traffic is from US, Canada, Australia and New Zealand. The rest I don't care about.
3:47 pm on Apr 29, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Apr 29, 2018
posts:45
votes: 1


I also read this post on Google.

[support.google.com...]

So from my understanding, when that section is active, I need to go and choose up to 12 GDPR compliant ad networks, and I need to get consent for every one of them from the user. Explain for each what data is collected as well.

I need to read more about it. I hope there is a report of some sort to see which ad networks perform best, so I know which 12 to pick up.
4:50 pm on Apr 29, 2018 (gmt 0)

New User

joined:Apr 28, 2018
posts:21
votes: 0


> I deleted all social buttons, deleted all comments on my blog, disabled registration, removed all users, disabled commenting and disabled any other script or service which is not necessary

It would be nice to have a FAQ about what is allowed and what is not allowed.

From what I understood, if your website has:

1) A registration system
2) A comment system like Wordpress' native system or Disqus
3) Adverts which show ads according to the user's location
4) A system which identifies the user's location to suggest the localised version of the website

Then you have to ask user consent before the user can do all of the above.

Something else, not sure it's been asked already. What about CDN? Do you have to ask consent before serving your homepage from a server located in Italy to an Italian user? And if yes, where will the page be served from when the Italian user visits your website for the very first time?
5:05 pm on Apr 29, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Apr 29, 2018
posts:45
votes: 1


It's much more in-depth than that. This is why I've decided that it's easier for me just to deal with cookies than all the other requirements for websites that store user data, have forms and other similar functionality. Just by spending a week to go over the document, I've decided that either I pay thousands of dollars to services and developers, or just disable all that functionality and just leave myself dealing with cookie consent, which by itself takes me hours upon hours to implement, working on this 8 hours a day. Even a little script that you put in a single post that leaks cookies that expose private data and you are risking needing to deal with huge fines that can close a small business for good.

It's better for anyone to follow the official online resources. I am not qualified to answer, just sharing what I am doing on my path to comply with GDPR.
5:51 pm on Apr 29, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Mar 29, 2018
posts:75
votes: 12


I would strongly advise people to read the BBC article that quotes the ICO (the body in the UK responsible for enforcing GDPR). I've included the most important section below. To me it sounds perfectly reasonable and should help to allay a lot of the concerns that have been raised in this thread.

> Policing the law
> The watchdog responsible for all this in the UK will be information commissioner Elizabeth Denham.
>
> "We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals," she explained.
>
> "What this new fining power gives us is the ability to go after larger, global and sometimes multi-national companies where the old £500,000 fine would just be pocket change."
>
> She added that she accepted that some companies will need time to become fully compliant.
>
> "The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime," she added.
>
> "Do they have a commitment to the regime?
>
> "We're not going to be looking at perfection, we're going to be looking for commitment."
>
> Large fines will be reserved for the most serious cases, she said, when a company refuses to comply voluntarily.


[bbc.co.uk...]
5:58 pm on Apr 29, 2018 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Apr 26, 2005
posts:2224
votes: 574


Thank you, bgweb. That article should help people relax.
11:12 pm on Apr 29, 2018 (gmt 0)

New User

joined:Feb 27, 2017
posts:16
votes: 3


Does this apply to USA based content websites that run Google Analytics? Most confusing sh*t ever.... May just block EU traffic so I don't have to deal with it... Any advice? Thank you
11:27 pm on Apr 29, 2018 (gmt 0)

Full Member

10+ Year Member Top Contributors Of The Month

joined:Feb 17, 2005
posts:311
votes: 19


I'm sure that Adsense will come up with an easy or moderate solution to prevent confusion, but they are still working on it. Otherwise, imagine how many webmasters there are who do not have any idea what to do and how to implement it.

In the meantime it is always good to follow what Google itself does and how. Youtube has a simple top message: "To be consistent with data protection laws, we’re asking you to take a moment to review key points of our Privacy Policy, which covers all Google services and describes how we use data and what options you have. We'll need you to do this today." 'Remind me later / Review now'

You can still use the website as usual, only the top message does not disappear.

In May 2012, the EU government decided that it was necessary for every website available inside the EU to have to give visitors the option to allow or disable cookies. And how many webmasters implemented it? Adsense started to send warnings a couple of months later regarding the Cookie bar, and on the other side many websites that do not run Adsense but run Analytics, soc. media plugins, forums etc. did not implement it at all.

There is still not any reason to panic.
5:53 am on Apr 30, 2018 (gmt 0)

New User

joined:Apr 28, 2018
posts:21
votes: 0


> To me it sounds perfectly reasonable and should help to allay a lot of the concerns that have been raised in this thread.

I think we all agree that they will not go after the small websites/blogs, at least initially, that's not what many are concerned about.

I believe the concern of many is what actions need to be taken for the website to comply with the rules. Small or big website, if I have to ask my users for permission before even displaying an advert, I know a big percentage of my users will opt-out and will damage my revenue. Same goes for a typical comments section on a blog.
8:46 am on Apr 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Jan 16, 2018
posts: 144
votes: 41


This reminds me of being back at school and not knowing what to do for homework, and so having to ask friends - but they didn't know either. The whole class would go back with only a handful of students completing it, and so the teacher helped make it more clear.
11:15 am on Apr 30, 2018 (gmt 0)

Junior Member

Top Contributors Of The Month

joined:Apr 29, 2018
posts:45
votes: 1


mike1972, from my understanding it's also about Google's Adsense terms of service, I think you need to be GDPR compliant, but I am not sure 100%.
2:46 pm on Apr 30, 2018 (gmt 0)

New User

joined:Apr 30, 2018
posts:1
votes: 0


"Do my users have to opt-in before I'm even allowed to display adverts?

Or they have to opt-in only for personalised adverts, meaning that an opt-out means showing different type of ads? "

That is my question as well. Google should be more clear about this.
3:12 pm on Apr 30, 2018 (gmt 0)

Full Member

5+ Year Member

joined:Aug 16, 2010
posts:252
votes: 20


Google has a faq here:

[google.com...]

Do I need the consent before the tags fire or can the consent come afterwards?

Where consent is required, consent should be obtained before Google’s tags are fired on your pages.
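
An added example (not part of the thread, and not Google's or any consent tool's code) of the FAQ rule quoted above: no ad tag is loaded until an explicit choice is stored, an ignored banner counts as no decision, and the tag is injected as soon as consent is recorded, without the page refresh a server-side check needs. The storage key, tag URL, function names and the `deniedPolicy` switch between the thread's options (a) and (b) are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical, not a real vendor API.
const CONSENT_KEY = 'ad_consent';                 // hypothetical storage key
const AD_TAG_SRC = 'https://ads.example/tag.js';  // placeholder, not a real ad tag URL

// Only an explicit stored choice counts; missing or tampered values mean "unset".
function parseConsent(raw) {
  return raw === 'granted' || raw === 'denied' ? raw : 'unset';
}

// Map a consent state to what may be loaded. deniedPolicy selects between the
// thread's options (a) 'no_ads' and (b) 'non_personalized'.
function adsDecision(state, deniedPolicy = 'no_ads') {
  if (state === 'granted') return 'personalized';
  if (state === 'denied' && deniedPolicy === 'non_personalized') return 'non_personalized';
  return 'none'; // unset (banner ignored) never fires a tag
}

function createConsentGate({ storage, loadTag, deniedPolicy = 'no_ads' }) {
  let loaded = 'none';
  function apply() {
    const decision = adsDecision(parseConsent(storage.getItem(CONSENT_KEY)), deniedPolicy);
    // Fire at most once per page view, and only after a decision permits it.
    // A later change of mind is stored and takes effect on the next page view.
    if (decision !== 'none' && loaded === 'none') {
      loaded = decision;
      loadTag(decision);
    }
    return decision;
  }
  return {
    init: apply,            // call on page load: honours a previously stored choice
    record(choice) {        // call from the banner's two buttons
      if (choice !== 'granted' && choice !== 'denied') {
        throw new Error('choice must be "granted" or "denied"');
      }
      storage.setItem(CONSENT_KEY, choice);
      return apply();       // the tag appears without a page refresh
    },
    loaded: () => loaded,
  };
}

// Browser wiring: the tag is injected dynamically and is never present in the
// static HTML, so nothing is requested from the ad host before a decision.
function injectAdTag(doc, mode) {
  const s = doc.createElement('script');
  s.async = true;
  s.src = AD_TAG_SRC;
  s.setAttribute('data-ads-mode', mode);
  doc.head.appendChild(s);
  return s;
}

// In a page (assumed wiring):
//   const gate = createConsentGate({ storage: localStorage,
//                                    loadTag: m => injectAdTag(document, m) });
//   gate.init();
//   agreeButton.onclick = () => gate.record('granted');
//   disagreeButton.onclick = () => gate.record('denied');
```
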
This 1262 message thread spans 43 pages.