A french friend of mine, pointed this to me, my french is a bit limited so someone might have a better interpretation of the text:

(translation)
Many French media sites found themselves inaccessible to advertisers following the application of the new rules by Google, who felt that these media did not offer enough guarantees in terms of consent.
Advertisers can no longer buy space on sites like lefigaro.fr, and these sites are no longer receiving advertising revenue via the automated purchase of digital advertising.
[francesoir.fr...]

UDA, UDECAM, SRI, GESTE and IAB France wrote a letter to Google on this subject:
[strategies.fr...] (french)

Your translation is accurate..Basically the French media companies are complaining that Google did not consult with them before blocking advertisers access to them because they ( the French media companies and sites ) are not respecting GDPR.

This is true..they ( the French media companies complaining )are not respecting the GDPR law..many French websites are not..including the CNIL ( which is responsible for policing the GDPR ) which uses a pre ticked "accept" box and drops two cookies ( one of which is social media tracking cookie..to see who is "following them on facebook, twitter etc )..I spoke to the CNIL's web department earlier this week to point out that they were breaking the law that they are supposed to police..They told me that their legal advisers had said that the GDPR does not apply to them..It does..The text ( available here [eur-lex.europa.eu...] in all the EU languages..including French at is very clear re "pre ticked" buttons and social media tracking and what applies and does not apply to official bodies such as the CNIL.

So I have informed the relevant EU department directly, and made a formal written complaint to the CNIL..about the CNIL.

Thank you Leosghost,... I mean, merci mon ami

About your comment about the CNIL and cookie from third-parties. See, they are totally wrong, because, even if they are not subject to the GDPR, this would concern only THEIR cookies, and their right to track users THEMSELVES. Here, what they are doing, is that, they are letting a third-party collect information, and of course this is totally different.

Here in Italy, ALL major newspapers' websites have changed almost nothing. Most of them just updated their privacy and cookie policies and added "personalised" or "targeted to your needs" to the ad-cookies line of their (quite short) consent banner text. Many still use the accept on scroll method.

What a mess. It looks like the EU has released a regulation which is substantially impossible to comply with without destroying the ad revenues and financial balance of those who apply it strictly. So many have adopted the approach "We don't really apply it - since if I do that we will be ruined in weeks - and let's see what happens".

Not to mention, they have a gazillion of legal consultants and can manage an infringement procedure better than me...

Again, those who say that the GDPR is clear probably haven't read it. It's wide open to different interpretation. What the heck does it mean "explicit consent". Who'll decide when it's explicit and when it is not?

PS, historically, contextual ads on my sites perform exactly as personalised ones (slightly less CPC but slighly more CTR, so CPM is roughly the same); yet, since I have disabled personalised ads my revenues plummed down dramatically (and most of my ad revenues comes from the US). My idea is that there isn't simply enough demand for contextual ads for my websites; therefore their average value and quality nosedived.

[edited by: riccarbi at 9:30 am (utc) on Jun 11, 2018]

In the UK it seems that a number of big sites have tightened further in the last week or so. However, a number are still doing very little or nothing. Ironic that despite Brexit it sounds like UK sites are doing more to comply than Italian ones.

In the UK it seems that a number of big sites have tightened further in the last week or so. However, a number are still doing very little or nothing. Ironic that despite Brexit it sounds like UK sites are doing more to comply than Italian ones.

Yep, I'm trying do understand what the Guardian is doing and it's still pretty unclear to me.
They've put a rather simple banner saying "We use cookies to improve your experience on our site and to show you relevant advertising. To find out more, read our updated privacy policy and cookie policy. OK / more information"

Which is not too different from that they're using in Italy (but it doesn't accept scrolling on page as consent).
Yet, I didn't realize what happens if you click OK and what if you go on visiting the site without clicking the consent button.

By clicking OK, do you accept also personalised ads? (it seems so)
If you don't click anything they still serve you ads? (it seems they don't neither personalised or contextual, the ad space is empty).

In the cookie and advertising setting page linked from the banner (which is different from the cookie policy linked in the footer) you have the option "to manage relevant advertising" which "will immediately reduce the number of advertising partners who will serve you with relevant adverts, although you may still see some advertising that has been tailored to you". What on Earth does this means? (apparently, this restricts the personalised ads to that coming directly from the Guardian and nothing else).

Is that (rather conservative) approach compliant to GDPR? Yes, no, fully, partially...? Who knows...

PS. I've always found the "scroll consent" a bit tricky; yet, I think a user shouldn't be allowed to visit a site without clicking anything, so without making a choice. Remember that you are still collecting some users' data (at least, their IP and country). At least, the banner should be large enough to impede the user seeing the website's content at all.

[edited by: riccarbi at 10:54 am (utc) on Jun 11, 2018]

What the heck does it mean "explicit consent"

It means it requires an action from the user. For example, clicking on a button saying "I agree/accept/ok"

A message like "by continuing to browse this site you accept..." is in the gray zone. Because, yes, there is an action form the user, continuing to browse the site, but, there is no evidence the user read/saw/understood the text. So legally, continuing, scrolling is NOT an explicit consent.

Ironic that despite Brexit it sounds like UK sites are doing more to comply than Italian ones.

British medias/sites are much bigger than anyother European sites, so they have more to loose, if they are the target of a legal procedure.

By clicking OK, do you accept also personalised ads? (it seems so)

Yes.

(apparently, this restricts the personalised ads to that coming directly from the Guardian and nothing else).

Yes, and also, in a way, contextual ads are also tailored to the user. A user visiting a page about Harry Potter, will be served ads about Harry Potter, AND books which can be related. So in a way, this is also tailoring / guessing what is interesting the user.

but, there is no evidence the user read/saw/understood the text. So legally, continuing, scrolling is NOT an explicit consent.

Yes, this makes sense.
Nevertheless, how can I be sure someone "understood" the text? I have an English / Italian language website. Yet, I am aware that a lot of people landing on an English language page on it probably don't understand a single word of English; they have reached it through Google images, and all they want is to see pictures. So, I can't be sure they've understood what's stated in my banner and I'll never be. Maybe they click on "OK" because they want to get rid of that annoying banner and the only button there is that.

My sincere opinion is that (even more than the Cookie directive) the GDPR deems the average user a complete idiot who can't make a personal choice without you explaining him everyting as he is a 4-year-old boy, and not a very smart one indeed....

[edited by: riccarbi at 11:33 am (utc) on Jun 11, 2018]

how can I be sure someone "understood" the text?

Add a Multi Choice Question form that people have to answer to proceed... joking.

You can't of course, but the fact the button to agree/ok is next to the text, then you use reasonable ways to inform the user. if he didn't understand your text (considering the text is understandable and the design not misleading, of course), this is no longer your fault.

Now, if you really want to be picky, you can put two buttons "accept/okay/yes" and "refuse/no" , this would be adding to the fact that the user made an explicit choice, even if he randomly click on these buttons.

The site xe.com , had a banner, taking 1/4 of the screen , where you had to explicitly click an "agree" radio box, and then validate by clicking on a button before ads show. Which is "very good" from a GDPR compliance point of view. But people certainly totally ignored the banner, in spite of its size, now, they went to a smaller banner (still bigger than the average), and a "Got It" big blue button, the kind that people click by reflex now, without reading what it is about.

Maybe they click on "OK" because they want to get rid of that annoying banner and the only button there is that.

Yes, in 90% of the cases this is like that.

My sincere opinion is that (even more than the Cookie directive) the GDPR deems the average user a complete idiot who can't make a personal choice without you explaining him everyting as it was a 4-year-old boy, and not a very smart one indeed....

Welcome to The Z-generation.

Again, those who say that the GDPR is clear probably haven't read it. It's wide open to different interpretation. What the heck does it mean "explicit consent". Who'll decide when it's explicit and when it is not?

I think the intention is pretty clear. What is not clear is how it can and will be enforced.

I'll be doing as little as possible to maintain my earnings until we have something more draconian forced on us.

PS, historically, contextual ads on my sites perform exactly as personalised ones (slightly less CPC but slighly more CTR, so CPM is roughly the same); yet, since I have disabled personalised ads my revenues plummed down dramatically (and most of my ad revenues comes from the US). My idea is that there isn't simply enough demand for contextual ads for my websites; therefore their average value and quality nosedived.

This is something I was thinking (and kind of hoping) as when I have shown non-personalised CPM has dropped by over 30%. I'm not sure how the supply side of Adsense works, but it would be nice to think Google would take care of this?!

Anyway, if it is the case, if/when at some point we absolutely have to show only NPAs the market will be tighter and CPC should be up...

Again, those who say that the GDPR is clear probably haven't read it. It's wide open to different interpretation. What the heck does it mean "explicit consent". Who'll decide when it's explicit and when it is not?

Completely agree. In fact, this was intentional on the part of the EU commission. It allows them for additional flexibility and to figure things out as they go along.

The ambiguity of the GDPR is even worse when it comes to Article 3 and who the GDPR actually applies to

So has anyone gotten a warning notice from Adsense for not being compliant? Or lost their account? Has any large site been fined yet? In other words, is anything happening?

Everything is fine. No warnings, nothing.

If Adsense bans me for such a #*$!, it means it's time I have to go paywall and start living witou

If Adsense bans me for such a #*$! as GDPR, it means it's time I have to go paywall and start living without this nightmare made of adsense ever-changing policies, adblockers, website speed requirements, and the like. Maybe, I 'll be free at last...

If you think that I am a silly dreamer; well. I am making way more income from paid listing and photographic fees from my websites than I make from adsense, these days. So, withdrawing from all the adsense stuff, won't be a tragedy, at least.

So has anyone gotten a warning notice from Adsense for not being compliant? Or lost their account?

In all events, Google explained they were not going to ban account. They said "our first step is not a 'decision' as such; rather, we contact the customer to indicate an issue, and we will try to work with them to achieve compliance." - [support.google.com...]
As for Google, I don't think that there will be any movement until the end of summer. By that time, Google claimed they'll release "something", to handle all consent and mechanisms around it. So until they release this code, I don't think Google will go after web publishers. However, once their code is ready, it might become mandatory to use it.

Has any large site been fined yet?

This is not the USA here :)

- Complains have already been filled against some companies,
- then it will take time for regulators to study these complains,
- then it will take time to investigate,
- then if there is "really" a problem, the regulator and the company will enter in talks to fix the issues,
- if the company is not applying the recommendation of the regulator, then a fine can bet set up,
- finally, the company has the right to dispute the fine, and make an appeal,

So as you can see, it will take a while, before first fines be really applied.

In other words, is anything happening?

As I reported earlier in this topic, at least in France, many media sites found themselves inaccessible to advertisers following the application of the new rules by Google, who felt that these media did not offer enough guarantees in terms of consent.

Everything is fine. No warnings, nothing.

Based upon what, precisely?

Everything is fine. No warnings, nothing.

I suspect Google are sitting on their hands somewhat waiting for browser-based privacy regulations to come into force.

I suppose on the other hand they could try to make the case that publishers are being responsible so we don't need default browser-based 3rd party cookie blocking...

Google is always playing the clock, and trying to make web publishers and site users to stand up against the GDPR. "If" the GDPR causes a huge wave of anger (web publishers seeing their earnings collapsing, users complaining about being annoyed by cookie banners all over, and being blocked by some non EU sites), then Google and other internet giants might expect the EU to move on and refined the rules, which, if it happens, will take years, but it "might" put the pressure on the talks about the e-Privacy Regulation.

This is what already more or less happened with the "cookie law" (e-Privacy Directive), the EU recognized that it lead to an overflow of consent banners, impacting the user, and this is why in the "regulation", it's supposed to be handled at the browser level. This will be good for web publishers , who will no longer have to worry about anything, but, it's hard to tell if it will be good for our bank account.

This will be good for web publishers , who will no longer have to worry about anything, but, it's hard to tell if it will be good for our bank account.

Hmmm. As a web publisher, anything that is bad for my bank account is bad for me...

Hmmm. As a web publisher, anything that is bad for my bank account is bad for me...

:)

Just noticed that some of the big UK publishers are using different approaches on their amps and normal websites. Laughable really.

Any news from France? As far as I can tell France 24 has done nothing and just shows the pre GDPR cookie banner.

About UK sites, I have the impressions that they are "adjusting" and still experimenting, certainly to find a good compromise, to avoid problems, and still preserve their earnings.

Beside Italy and France, how things are doing in Germany? (EUMember?) and in Spain?

The site of the FIFA is straight "We use 'cookies' to collect information. Click here to read more. [ I accept ]"

It's the same in Germany. The big publishers have changed almost nothing with regards to the GDPR. Most of them simply amended their privacy policy and continue to serve personalized ads without consent, claiming that it's "legitimate interest" under the GDPR to "optimize their ad revenue". Which is ridiculous, of course, since the GDPR prohibits any unnecessary data collection without user consent. A few publishers started to put up cookie banners but opt-out solutions violate the GDPR as well. Cookie banners aren't even required in Germany where the ePrivacy Directive was implemented only in a lax way.

Just to clarify because some people in this thread got it wrong: An EU Regulation like the GDPR is immediately enforceable law in all member states. An EU Directive only requires member states to implement naitnoal laws on their own.

Just to clarify because some people in this thread got it wrong: An EU Regulation like the GDPR is immediately enforceable law in all member states. An EU Directive only requires member states to implement naitnoal laws on their own.

Again, this is true "in theory". Since local authorities are in charge of making people comply with the "regulation" as well as to apply appropriate "punishment" if they do not, and since terms such as "explicit consent" have been interpreted in different ways by local authorities since 2015, there is no such thing as "a regulation implemented throughout the EU coherently".

In Italy acceptance on scroll is accepted by law (and used by all), in UK it is not. Same regulation, different laws, "de facto". Period.

Even if someone claims that a directive is a completely different animal than a regulation, they do not understand how the EU legislative system works, to date. Countries always have the final word. A directive and a regulation are actually the same animal, but one looks tame and the other looks savage and ferocious. Yet, they are both puppies, actually.

What the EU can do if a country doesn't respect a "regulation"? They could start an infringment procedure and maybe eventually giving a fine of some millions of euros that no one will give a damn about, that's all.

Again, this is true "in theory". Since local authorities are in charge of making people comply with the "regulation" as well as to apply appropriate "punishment" if they do not, and since terms such as "explicit consent" have been interpreted in different ways by local authorities since 2015, there is no such thing as "a regulation implemented throughout the EU coherently".

Right, enforcement and penalization is up to member states, except maybe for large multi-national companies.

In Italy acceptance on scroll is accepted by law (and used by all), in UK it is not. Same regulation, different laws, "de facto". Period.

IMO, the GDPR is pretty clear that methods like "acceptance on scroll" are not a legal way to acquire consent. From Article 7 (also see Recital 32):

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. [...] The data subject shall have the right to withdraw his or her consent at any time. [...] It shall be as easy to withdraw as to give consent.

A directive and a regulation are actually the same animal, but one looks tame and the other looks savage and ferocious. Yet, they are both puppies, actually.

The main difference is that the implementation of Directives can differ substantially in each member state, see the ePrivacy Directive, for example. In general, both are not "puppies", they are (or result in) binding law. I agree that the GDPR is mostly harmless though because, as you mentioned in another post, it takes quite some time until a complaint is processed and fines are (apparently) only for repeat offenders. So there's no immediate pressure to fully comply with the GDPR. It will take years to see how it all plays out.

Has anyone come across any stats yet that show the impact of modal window (cookie bot styke) cookie management screens on bounce rate? As a user I find them awful and much prefer to see a banner at the bottom of the screen giving a choice.

Even the less agressive method, for me, acceptance on scroll, causes a drop in CTR. Result 25-30% in revenue lost. A little bit better that just turning off personalized ads in de EEA (around 40% drop) . I coded the script to gather consent and I just pause ads until the user has given consent by scrolling or clicking on "Accept". There shouldn't be that loss. So my guess is that by pausing the ad requests the ads served are less attractive.

There shouldn't be that loss. So my guess is that by pausing the ad requests the ads served are less attractive.

Could also be that until / unless you mentioned "ads", most people would not know that there were ads on page waiting to snag the unwary into clicking them, most people think ads ( especially blended ones ) are site nav of links to articles or other parts of the site that they may be interested in..adsense is based on that "bait and switch"..Tell them that you may serve them ads if they accept, they may accept, but they will be forewarned that "here may be monsters" , and thus be much more careful where they click after hitting the "accept" button.

My guess is that as 50% of my traffic is desktop, some higher resolutions won't need to scroll. Ads requests are not going to be resumed in that case. Also most of the ad types served in this site are contextual. It seems that when you pause the ad requests, the ads are not that contextual anymore.