Yes, so essentially, from my understanding, you can't display ads until a consent is given, even for non-personalized apps.

Yes, so essentially, from my understanding, you can't display ads until a consent is given, even for non-personalized apps.

Yes but only for non-personalized ads they dont give a list of countries where you need to get consent.

Why does the policy require consent for cookies, even if used for purposes other than personalization, such as ads measurement?

Cookies or mobile identifiers are used to support personalized and non-personalized ads served by Google to combat fraud and abuse, frequency capping, and aggregated ad reporting. Our policy also requires consent to the use of cookies or mobile identifiers for users in countries in which the EU ePrivacy Directive’s cookie provisions apply. We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.”

We are also developing a consent solution for DFP and AdSense that will become available more widely soon.

This could solve the entire problem.

We are also developing a consent solution for DFP and AdSense that will become available more widely soon.

I hope they get this ready soon.

I don't understand why waiting until the last minute if this is old news, I just don't get it.

They're waiting until the last minute because the tool doesn't work yet or doesn't meet all GDPR requirements. They also have to know that it will take some sites awhile to implement the thing, especially if it means putting code on every page. We're all in the same boat. There is safety in numbers. Google is not going to disable Adsense in masse on May 25.

I wonder how it will be for people who most of their visitors are from Europe and they have to ask for consent before running Google ads, their revenue will drop significantly I assume.

I wonder how it will be for people who most of their visitors are from Europe and they have to ask for consent before running Google ads, their revenue will drop significantly I assume.

One thing I have learned in this game - never assume. As the proverb says, Never ASSUME, because when you ASSUME, you make an ASS of U and ME.

For all we know, it could make very little difference. When I see a website I accept all cookies without any hesitation.

Figures I've seen in different places suggest "No" is chosen by somewhere between 1% and 4% of users when presented by the cookie choice bar.

This reminds me of being back at school and not knowing what to do for homework... ...and so the teacher helped make it more clear.

I agree but I think in this situation the teacher is just as clueless as the students if not more so.

I wonder how it will be for people who most of their visitors are from Europe and they have to ask for consent before running Google ads, their revenue will drop significantly I assume.

Possibly, possibly not. I've been running since 2003 and over the years there have been many worries about changes. In actual fact what I've seen is a steady improvement in the quality of advertising across the board. Hopefully that will continue to be the case. We could also be reaching the point where people are prepared to pay to access websites that offer good quality content and services.

My top 15 revenue Countries for the last 30 days:

United States
United Kingdom (EU)
Canada
Australia
Germany (EU)
India
Netherlands (EU)
Italy (EU)
France (EU)
Brazil
Singapore
South Africa
Indonesia
Switzerland
Spain (EU)

I've already mechanism to show warning only to EU countries based on their IP Address and not for the rest of the world but if we really need consent from EU visitors to be able to show any kind of Ads to EU visitors then i except that revenue will drop for sure for the visitors from EU.

So if explicit consent is required to show ads, how do any of the consent mechanisms (cookiebot, cookieconsent, cookieassistance, etc.) bring a site into compliance? They still let visitors wander an ad-filled site without giving consent.

@ember, from what everything I know, you do not need consent to show non-personalized, non-tracking ads.

I have a VPN and I've gone under a ton of EU and non-EU based websites in recent days.

Almost all of them had no cookie notice up until the last few days. Now most of them have a cookie notice and none of the notices are explicit. Some of them, even from major giants, were nothing more than "we use cookies" blah blab blah with choices of "ok" or "change settings" - and the majority had the usual, "we use cookies, if you continue to us this website then we assume you're ok with us, or else "change settings" - and all were showing ads on first view.

I'm not making any moves until I see how the major sites like MSN, AOL, major newspapers, etc. handle it.

And I hate to break it to a lot of people, you're not that important to the EU.

I've spoken to quite a few EU based lawyers on this. The GDPR was mostly created for large corporations that have data breaches and there are few consequences. Now if someone like Facebook has a major data breach, the EU investigate and see that they weren't following the GDPR and they can levy the fines of $20 million or more. Before it was $500K, which is nothing to those companies.

This was not created for websites with ads, it was created for companies that collect data - regardless if there is a website involved. Cookies are just a section of the GDPR because they collect data.

Each country will have their own people handling the GDPR.

I read an interview, where someone involved in the GDPR said in most cases they will issue letters if they get complaint that someone is non-compliant.

Their issue is not whether or not ads are showing, but that companies are not advising visitors about the data being collected and for what purposes.

If anyone bothered to read the EU Cookie Directive, which has been in force for years, the law is nearly identical to GDPR with respect to cookies and ads.

And Google did flag websites that did not comply with the EU Cookie Directive, but every site I know that got flagged was based in the EU or the majority of their traffic was EU based. And all they did was add that cookie consent banner and they were suddenly in compliance.

The EU is not going to be out there actively flagging websites, wasting money, time and hiring what would have to be a staff of hundreds to regulate millions upon millions of websites in every country.

For all they know, you might have 25 EU based visitors. They have zero way to determine how much EU traffic you even have.

I get very little EU traffic outside the UK - and the UK is officially leaving the EU - with their break already stamped down for March 2019.

@vegasrick good post, I think you've nailed it there. The only point I would make is that my understanding as a UK citizen is that GDPR will apply in the UK regardless of Brexit.

@bgweb, That's correct. But for me, based in the U.S., I don't have to show any cookie banner at that point to UK traffic. I might roll the dice and not show it now to be honest.

@ember, from what everything I know, you do not need consent to show non-personalized, non-tracking ads.

What about this statement from Google:

"Although these ads don’t use cookies for ad personalisation, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive’s cookie provisions apply."

If, though, you are right, Vegasrick, then turning off personalized ads for EU people should be sufficient.

If the worst comes to the worst and it was a requirement to gain user consent before showing an ad, I'm sure some bright spark will come up with a solution.

For example, tedious though it might be, it would be quite possible to initially display the top five lines of a page first, as a teaser, and then a note asking for consent. After that the full page can be displayed.

Let's be realistic, the last EU requirement for cookie consent has trained users to just press the YES button nowadays. It is a totally meaningless consent. In fact, I bet if you posted a couple of lines at the bottom of a page now asking the reader to do almost anything, they would click YES just out of habit.

The EU have got this totally wrong and turned it into a huge pretence that anyone's data is being protected by this new law. What a joke.

It's the classic case of people-in-power making up laws/rules about a subject they know nothing about (remember Senator Ted Stevens and the internet being "a series of tubes"?).

The EU's becoming that one kid in class that's allergic to peanuts - so now no one gets to bring a peanut butter/jelly sandwich to lunch anymore.

An F.A.Q. article on the subject:
[pubexec.com...]

In the example below, notice how this company requires people to consent to cookies before even browsing their site.

The above part, for me, is pure madness.

In response to a group of large publishers challenging Google's new GDRP terms, Google [techcrunch.com ] said this:

"Guidance about the GDPR is that consent is required for personalised advertising. We have always asked publishers to get consent for the use of our ad tech on their sites, and now we’re simply updating that requirement in line with the GDPR."

So maybe Google is only asking for consent for personalized ads. Still, what kind of consent? The confusion/fear that this is causing is ridiculous.

Although these ads don’t use cookies for ad personalisation, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive’s cookie provisions apply.

Regarding consent for non-personalised ads - I think part of the confusion is that there's both the new GDPR, and also pre-existing EU cookie law. So Google is referring to the latter when it talks about non-personalised cookies - but the Entire Internet has basically come to the consensus that showing a popup with info about cookies is good enough. I'm in the EU, and I see those popups all the time, but I've never seen one require explicit consent.

But the GDPR says that for cookies that are considered personal data, you need explicit consent ( [itgovernance.eu...] has some info). So that's why things change for personalised ads. But I don't see any evidence that anything changes for non-personalised ads.

Google's wording is rather confusing, still talking about consent, though this probably comes down to the original cookie law being unclear.

In the example below, notice how this company requires people to consent to cookies before even browsing their site.

But for all we know, that's a website that implemented that in response to the pre-existing cookie law (in which case, I take it back - I guess there is at least one that requires explicit consent, but this is exceedingly rare!)

And consider - that article has Google adsense ads on it, are they going to be asking me for explicit consent for any ads in a few weeks' time?

Regarding Brexit, EU law won't suddenly disappear on March 2019, one of the many complications is for the Government to decide which bits of EU will or won't still apply. In fact, the Government has already introduced a bill to move the GDPR into UK law.

(I was amused when signing up to this website to see the "Subscribe to Newsletter" being pre-ticked, and even reticks itself if the you need to re-enter data - that's a No under the GDPR as I understand it!)

So maybe Google is only asking for consent for personalized ads

I could be wrong but if I remember correctly, back in the days Google had a checkbox at the top of adverts allowing users to decide something (I completely forgot what). I believe they will adopt something similar where:

a) Either the advert shows some text linking the user to the page where he can opt-in and after opt-in adverts are displayed in the block
b) Non-personalised ads are displayed in the block with a link saying the user can have a "much better experience", linking to the opt-in page

I see those popups all the time, but I've never seen one require explicit consent.

That's the so-called old system, from May that system will no longer be enough.

That's right.

I think people are getting confused about two separate, although related, items. From my research within the EU:

1) You have to tell people if you are using cookies (cookie consent). That didn't change for EU websites and especially Adsense publishers, who should have been doing it already. Most people, including many public bodies and others, like national chambers of commerce, use 'implied consent'. This works like the cookie notice many have seen where you tell the visitor that continuing to use the site involves cookies and, if they don't like it, they can turn off cookies in their browser. This may or may not be the strict legal implementation but if your national chamber of commerce and government entities are using this, imo, it provides cover in the unlikely case that this would be an issue with a smaller-scale web publisher.
(Ironically, some of my sites only have one cookie being used by the site and that is the cookie consent cookie required by Adsense.)

2) You have to comply with the GDPR which involves personal data, in other words, data which can be related to an individual person, whether that is informational, transactional or personal. Thus Adsense can be personal (with the personalised ads) or it can be impersonal (with the non-personalised ads). If you or you acting as a secondary data collector (thus, with Adsense personalised ads) are collecting and storing personal information through actions on your website, you need to have 'express consent' from every individual, where they (for example) move a slider to yes or no. And you need to stop storing information about them (in other words, stop showing personalised Adsense ads) if they say no.

Interestingly, and this obviously varies from country to country, some EU website owners who also offer goods or services are raising the conflict of the GDPR and actions required by the tax authorities in their country. For example, it is a legal duty where I live to store full records of all transactions and related items (such as email correspondence) for at least seven years in case the tax inspector wants to do a deep dive on your records. (This is obviously to stop off-the-book transactions and agreements.)

If you or you acting as a secondary data collector...

See, this is interesting. Let's take a comments system as an example.

a) You use Wordpress' native system
Information goes inside your database which is hosted with, let's say, GoDaddy.

What should happen here? You ask users for their consent because the database is yours and GoDaddy does the same because ultimately the database is on their servers and therefore name and e-mail is stored on their servers? For sure is that you must have a page for the user to opt-out, hence having the option to delete ALL past comments from your database (good luck in creating this page if you're not a developer).

b) You use Disqus
Clever, it's not your database, it's not your server, it's not your hosting platform, you don't have to worry about opt-out because ... it's all on Disqus.

But still, what should happen here? You simple redirect the user to Disqus' website for them to understand how Disqus handles GDPR and you're safe? Or you still have to ask users for their consent, something which surely Disqus has to do as well? For sure is that here you don't have to worry about the deletion of old comments, that's for Disqus to worry about.

As mentioned above (I think), if it's all done at Google's end, where people can opt out of interest-based ads, then Google no longer shows them for that user, it would be simpler. We wouldn't have to do anything then.

@mike1972, I don't think it is quite that simple. I believe that as part of your obligations as a controller (which we are as publishers) you must have a written contract with each processor. So I think if information is stored on (say) GoDaddy servers, we would need a written contract specifying who is responsible for what with GoDaddy.

That in itself is going to be a problem. Whether Disqus would quality as a processor I'm not 100% sure, but I think it would.

This is what the UK's ICO says about these "contracts":

Whenever a controller uses a processor it needs to have a written contract in place.

The contract is important so that both parties understand their responsibilities and liabilities.

The GDPR sets out what needs to be included in the contract.

In the future, standard contract clauses may be provided by the European Commission or the ICO, and may form part of certification schemes. However at the moment no standard clauses have been drafted.

Controllers are liable for their compliance with the GDPR and must only appoint processors who can provide ‘sufficient guarantees’ that the requirements of the GDPR will be met and the rights of data subjects protected. In the future, using a processor which adheres to an approved code of conduct or certification scheme may help controllers to satisfy this requirement – though again, no such schemes are currently available.

Processors must only act on the documented instructions of a controller. They will however have some direct responsibilities under the GDPR and may be subject to fines or other sanctions if they don’t comply.

If information is stored on (say) GoDaddy servers, we would need a written contract specifying who is responsible for what with GoDaddy.

Fair enough, but at the end of the day my responsibility is to make my users aware that:

a) My website is hosted with GoDaddy
b) My comments section is entirely hosted by Disqus

Then it's up to these two companies to safeguard the privacy of the users. I don't think every website using Disqus will be fined if Disqus fails to comply with GDPR even if they are talking about "direct responsibilities".

Having said that, what is still unclear is how we shall proceed as publishers.

Do I inform my users about a) and b) above and then let those two companies do the rest? In other words, is making my users aware enough?

Or my users have to opt-in, hence they can only see the website if they agree on the GoDaddy part and they can only use the comment system if they agree with the Disqus part?

On Adsense I found this in the meantime:

As part of this proposed consent arrangement, Google reportedly wants publishers to maintain records of consent and provide opt-out instructions for users who later change their minds, according to the Wall Street Journal. Much is at stake in how these policies are implemented, because failure to comply with GDPR could bring severe financial penalties of up to 4 percent of annual global turnover (revenues) or €20 million, whichever is greater.

Additionally, Google is developing technology to serve “non-personalized” ads in cases where consent hasn’t been obtained.

- [searchengineland.com...]

In poor words:

1) Ask user to accept personalized ads
1.1) If yes, use <script> A, if no, use <script> B.

2) All opt-in information must be kept somewhere

3) Users must have a page on the website to be able to change their mind, hence changing Yes to No and No to Yes.

That's the so-called old system, from May that system will no longer be enough.

I know, but the quote I was referring to (the one that people brought up for non personalised ads) was also referring to the old system (ePrivacy Directive’s cookie provisions). So either way, I don't see anything in the new GDPR that suggests explicit consent is needed even for non personalised ads.

Personally I'll be disabling personalised ads (and not all ads) for EU visitors once Google make that option actually appear, then later see what other possibilities there are based on tools or information that becomes clear later on, or what I see other sites I visit doing.

It is starting to be a little clearer. All sites should have been running the implicit consent banner (we use cookies; you are okay with this if you continue using the site) for several years now. It was good enough for non-personalized ads and personalized ads. You still need to run that banner but now under GDPR you need to get explicit consent for personalized ads. So if you turn off personalized ads for EU folks, then you do not need to collect explicit consent but you do still need to run the implicit consent banner.