It is starting to be a little clearer. All sites should have been running the implicit consent banner (we use cookies; you are okay with this if you continue using the site) for several years now. It was good enough for non-personalized ads and personalized ads. You still need to run that banner but now under GDPR you need to get explicit consent for personalized ads. So if you turn off personalized ads for EU folks, then you do not need to collect explicit consent but you do still need to run the implicit consent banner.

I think this will be right. The obvious question is will (EU) publishers even bother requesting consent to run personalised ads? As I see it presenting a modal window before the site can be viewed will increase the bounce rate significantly and may hit SEO. It may well mean the additional revenue from personalised ads is more than offset by the higher bounce rate / reduced number of visitors. To my mind it raises questions about the viability of personalised ads in the EU.

Can you imagine having to show people two messages - it would just completely p*ss people off. Common sense (which is certainly not common), makes this obvious. You need a maximum of one message.

Surely Google's non personalised ads would fall under a legitimate interest exempting the need for a consent.
Protecting their network from fraud seems a pretty legit and compelling reason.

Not one person likes seeing stupid popups about cookies and privacy. They have interrupted and become a nuisance to the experience of the web.

4300 opt-outs, 60 opt-in, only 10 opted in for marketing. Just sharing some statistics of mine testing my implementation. I still implemented it because it's needed. Obviously, the impact on revenue is significant if ads are blocked by default until you get consent, which is true for my implementation.

Significant, if a lot of your traffic comes from the EU. Yet, I'm sure it won't be as bad as your stats suggest.

Trying it now, now I show the consent only for EU. I'll update when I get some data.

Trying it now, now I show the consent only for EU. I'll update when I get some data.

I assumed you'd have already done that. Maybe add a random factor in too in a later test - only show it to 50% of EU visitors. I don't imagine you'll have lawyers banging on your door. You could just say it was an error in the code ;-)

I also recommend reading this post, for those who thought that if they have a small site it wouldn't be a problem: [meta.discourse.org...]

Now it's probably going to be an even bigger problem. I am not playing with the law. I do my best to comply, but thanks for the suggestion :)

4300 opt-outs, 60 opt-in, only 10 opted in for marketing

Let's be honest, few will opt-in for adverts knowing that they can browse your website without ads, hence also eliminating the risk of a malware-infected advert.

Those who thought that if they have a small site it wouldn't be a problem

I still believe they will not go after smaller websites but it's also true it takes very little time to understand that a blog is using images/photos found in Google Images without permission.

Here's what i have done to so far:

1. Updated the Privacy Policy to show each and every cookie my site uses.
2. Added a consent push down from top pop-up showing "ticks" for the user to accept or reject.
3. Now, working with the developer to modify javascripts "analytics, etc" to allow the user to opt out.

Am i going in the right direction?

1. Updated the Privacy Policy to show each and every cookie my site uses.

I believe that is something which should have been already in place.

2. Added a consent push down from top pop-up showing "ticks" for the user to accept or reject.

Yes, remember by default it has to be switched off.

3. Now, working with the developer to modify javascripts "analytics, etc" to allow the user to opt out.

Yes, and you can have it in the same page of step 2. In theory, all sections of your website collecting personal information should be available in an opt-in/opt-out format for the user to switch on or off.

Can i show this only to visitors from the EU?

Can i show this only to visitors from the EU?

I'm no expert but apparently no, because a European on holiday in America should still be able to see it from what I understood.

I'm starting to see this a lot more recently. It seems a lot of sites are just going with this:

We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners. See details.

Do you have a sample site doing this that i can also take a look at?

Many.eu website with Adsense di not use any kind of warning.Here are a couple where they say similar to by continuing your browsing, you implicitly consent to our use of cookies on this website
mopar.eu
eurid.eu

Bear in mind that some variation of those kinds of messages have been around for ages, as a result of the pre-existing cookie law. Though the one at [mopar.eu...] looks in depth enough that it almost looks like the sort of thing needed for the GDPR, but the personalised cookies would have to default to disabled. Perhaps they'll change that on 25 May - it's hard to be sure what other websites are doing until that date.

My question is will google help us or we have to hire developer to implement this law for European visitors? What exactly do we publishers have to implement? Thanks!

Ok so I don't make much money from Europe visitors excepting UK. Is it ok if I don't make any changes ie non-personalized ads... then what other changes do I have to make. Meanwhile I'll read the google email carefully. Thanks!

What craziness this is... now EU visitors will get pop-ups galore for every site they visit! Someone will visit the court for sure I guarantee it. The user should be allowed to set his privacy prefs on his browsers.. not the websites! This will drive visitors from EU crazy!

Google help says:
==
If you've met the requirements of our Consent Policy and you want to serve non-personalized ads to all users located in the European Economic Area who visit your site, no changes to your ad tagging are needed.
==

I think I might serve non-personalized ads for eu visitors then..

Also google says:
===
Sign in to your AdSense account.
Click Allow & block ads and then Content and then All my sites and then EU user consent.
The “EU user consent” page appears. Update the settings for the sections on this page as described below.
===

My account doesn't show this section above, so we'll wait for a few more days and see what to do..

'"I think I might serve non-personalized ads for eu visitors then""

I don't think it's an option.

From Google: "Although these ads don’t use cookies for ad personalisation, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the ePrivacy Directive’s cookie provisions apply." (source: [support.google.com...]

So you need to figure out those countries which ePrivacy Directive's cookie provisions apply and make sure you also disable the cookie for the ads as well. In case of Adsense, this means not rendering the ad, blocking the script so it won't present ads until the user consent for placing that cookie. This what I understand.

We'll just have to wait for google to post their page on adsense interface/website.

Suppose to come after May 7 from what I understand:

"The controls will launch on Monday, May 7 for DFP and shortly after for Adsense and Admob"

However, when they mentioned that they offer users to use tags in order to change if serving personalized ads or non-personalized ads and addressed the cookie option, which all that is manual implementation, I can't see why the tool would offer anything different, other than just automating this process, making it easier to implement, add banner and hopefully log user's consent which is also a requirement of GDPR. Time will tell.

My gut feel is that a big publisher (or collective of publishers) will use legitimate interest as the basis to continue serving personalised ads in EU and test that in a court of law. I could be completely wrong of course and have no insider or specialist knowledge.

You should not allow to put a cookie before consent. This what I understand. Even if you put non-personalized ads, it still use cookie, and you need to get consent for that cookie as well, therefore, I just don't show ads until user consent for marketing cookie.

I just finished implementing consent for YouTube embedded videos on my site, those need to get consent as well. I hide the videos with a consent button. When the user enables marketing consent, his response is logged (using cookiebot) and the video is displayed, if he opt-out, the videos are disabled. Some programming needed to be done using php on a non-GDPR compliant video plugin. It was easy to do with cookiebot and now I don't need to worry about YouTube video embeds dropping cookies.

"Even if you put non-personalized ads, it still use cookie, and you need to get consent for that cookie as well, therefore, I just don't show ads until user consent for marketing cookie"

It is only for certain countries from EU and not for all countries from EU.Google did not specific which one.I'm gonna to show implicit consent for non-personalized ads for all EU countries.

I'm edging on doing nothing - and if I get a phone call from a solicitor, I may do something about it. They can take me to court - any Judge with a bit of common will realise how nobody has a clue of what to do regarding this.

So if i understand well i cannot display ads in my website until the user consents (which no user will consent for sure) and i cannot prohibit any further usage of my website (which belongs to me and not to EU) if the user denies cookies. So if i cannot monetise my website then i am losing money. Losing money means i cannot sustain my business and my website so am doomed. So here is an idea! What if we all sue european union for losing profits caused from their insane laws?

You do not have to obtain the explicit consent for non-tracking cookies. As for adsense, when disabling personalized ads for EU visitors, Google mentions that the cookie created is non tracking. So you just have to disable interest based ads for EU visitors (when the function is available), and display a banner to "inform" visitors of the use of cookie and to let them have the choice to refuse. If they refuse, refresh the page, and stop displaying Adsense banners, you can use other ads which are not generating cookies.

If you want to continue displaying interested based ads to EU visitors, that is a more complex story.

Again I think people are confusing the pre existing cookie law with the new GDPR.

There was much debate about whether the cookie law required explicit consent for cookies - but I've never seen a single website actually ask me for explicit consent before using any cookies. Indeed after years of confusion, even the website responsible for cookie law enforcement in the UK switched to using a simple info popup for their own cookies ( [silktide.com...] ).

The GDPR does tighten requirements for cookies (saying consent must be explicit) - but only for "personalised" ones, as far as I've seen.

The reason Google still talk about needing consent for non personalised ads is because that's what the existing law says, even if no one ever asked for explicit consent. Plus if you're worried about the cookie law, it's been around for years, so you should have long done something about it :)