There was much debate about whether the cookie law required explicit consent for cookie

The content was supposed to be explicit, yes. But no one respected it. But yes, it was "supposed" to be explicit. But even governmental sites used implicit consent, BUT, the acceptable compromise is to display the banner, informing users. That is the minimum mandatory.

but I've never seen a single website actually ask me for explicit consent before using any cookies.

[mysql.com...] and [oracle.com...] (same company) I've seen other sites, but I can't remember them right now.

The reason Google still talk about needing consent ...

This is to cover itself. If one day, Google has a problem with this, they'll be able to blame publishers, and claimed they gave all the information, and that this is not their fault if publishers didn't follow the instructions.

There's another issue I can see with this. The cookie pool is going to shrink therefore publishers who continue to display personalised ads will see their revenue increase. In other words they have an incentive to test out legitimate interest as a basis for using targeting. What will be a pain is if those who have tried their best to comply (either through displaying non personal ads or by gaining explicit consent) lose out financially to those who are able (because they have expensive lawyers to argue their corner) to run the gauntlet. Having said that I've heard today that two of the leading UK sites WILL be requesting explicit consent, so it's possible all the big players will follow this route at least initially.

in all events, it's always the small publishers, being penalized at the end. The small publishers are often those who are making the more efforts to do things right, but of course we are not rewarded at the level of our efforts.

Yes this is a mess and Europe is not a priority for my site.. (excepting UK). As far as I've read, I'll be implementing non-personalized ads for EU visitors. But I'll wait for Google to release their webpage for adsense and EU setup.

What most of you probably do not know is that there will be, around next year, an updated e-privacy regulation that comes IN ADDITION to the GDPR regulation. For those who do not know about what I am speaking - it is the regulation that mandats the cookie banner.

This update of the regulation is currently in the legislative process, meaning it can still be changed due to negotiations between the eu member states an the parliament and other EU institutions,

Having said that, here is the current state of affairs of this regulation:

The new regulation has a positive and 2 negative sides:

On the positive side, the acceptance of cookies that are used will be abandonded for CONFIGURATION cookies of a website.

On the negative sides, however, are issues that will certainly have an impact on websites - namely on advertising.

1) All browsers will have to be set per default to privacy mode (when they are delivered to the user = installed) - meaning, for example, that third party cookies will be disabled. If a site wants an user to enable cookies, the browser (not the website) will have to ask the user whether he wants to enable it or not.

2) If a user denies cookies, it is NOT PERMITTED to shut the user out of the contents of the website. In other words - the current "I accept cookies" workaround will no longer be allowed. If a user do not want to accept cookies, then he needs to be allowed to browse the pages of this website without cookies. So, no chance anymore to let only users browse the website that accept cookies.

As a result, publisher organisations fear a loss in advertising of up to 35% - and that comes on top of the loss due to the GDPR.

Like I wrote above, this regulation update is still in the parlamentiary process - but don't bet on that it will become more lenient, many EU states are on a warpath towards the big companies like Facebook or Google. And the new regulations on e-privacy will pertain not only to websites and browsers, but also to apps and webservices - whatsapp, skype, imessage, gmail and so on...

@EU, if that goes into effect - whats going to happen, at least with big companies, is they will began to run their ad servers through a sub-domain (instead of an off-site) to create first party cookies for the browser, which in turn will eliminate that problem.

For the smaller sites, with high EU traffic, it could be brutal.

>>>
they will began to run their ad servers through a sub-domain (instead of an off-site) to create first party cookies for the browser, which in turn will eliminate that problem.
<<<

Yes, that is correct - however, it won't work with Adsense. I think, though. that the other issue (with cookie acceptance) will have an even bigger impact, at least for the small and medium Adsense publishers.

I think there's a lot of scaremongering around forums on GDPR.

I mean lets just take the ICO itself. It has a Commissioner's Blog and several of the head honcho's have posted on it.

Visit their site:

[iconewsblog.org.uk...]

See the cookie banner at the top. "Close and Accept"

They drop analytics cookies and also 3rd party Twitter cookies.

See the Leave a Reply section.

Standard WP reply section - Only a checkbox if you want to be notified by email.

I'd keep an eye on this ICO blog after May 25th to see if anything changes. They might switch to the 'Cookie Control' they are using on the main ICO site itself, but I think it's useful seeing what sites like that are doing and taking the lead.

As a result, publisher organisations fear a loss in advertising of up to 35% - and that comes on top of the loss due to the GDPR.

Another reason for switching to a lower traffic volume subscription model.

Also look at the pricing changes that are being introduced by Google Maps globally. That's a big change for websites that load more than 28K dynamics per month.

Considering how the majority of people on the Internet believe that everything is free, you'll need a really exceptional site to make them pay a subscription.

Broadly agree @Travis. The only thing I would say is that as more and more smaller publishers drop out of the game it may become easier for those who remain. It depends on margins and retained profits to a greater degree. There's also the possibility of selling out as sites coalesce if you have a value proposition.

The only thing I would say is that as more and more smaller publishers drop out of the game it may become easier for those who remain. It depends on margins and retained profits to a greater degree.

Natural Selection.

[mysql.com...] and [oracle.com...] (same company) I've seen other sites, but I can't remember them right now.

The Oracle one just shows the usual cookie popup "By using this site, you accept that Oracle uses cookies to remember your log-in details, collect statistics to optimize site functionality, and deliver marketing based on your interests." The popup does allow me to disable different levels of cookies, but it defaults to allowing all of them. Also note that whilst it allows me to disable some cookies, it doesn't let me disable all of them.

So as far as the pre-existing Cookie law is concerned, it's neither disabling all cookies by default, nor letting me do so.

Fair enough, MySql does at least block before being able to meaningfully browse. My point was not to say that no such sites exist, just that they seem exceedingly rare (such that it's feasible in years of browsing to have never come across it). And if people think they should be blocking all ads in the EU due to the Cookie law - well, that law has been around for years.

For the GDPR, it's interesting that Oracle decide to lump all advertising cookies together (rather than only offering to disable personalised ads) - will be interesting to see if they still default that to On after 25 May. Also curious to note that disabling advertising cookies also disables some functionality (posting comments).

I wonder what the financial effect might be on Google if, on May 25th, a large % of publishers opt out of personalised ads?

Think of it from Google's perspective. If the impact of that might be financially significant, then G might well have an interest in maintaining their revenue by confusing everyone. I'm certainly confused.

But not concerned.

I might be if I was aged below 55 but by the time the EU tie all this up I suspect I will be pushing up daises.

First off, how many companies / individuals have been fined / imprisoned for not complying with Cookie Consent regulations? I haven't heard of anyone.

Second, the EU will go after some big sites first (if indeed they legally can) before they hit any of the small fry, and that will take many years to complete. Google can be kept satisfied by some minimal, non-intrusive attempt to comply.

First off, how many companies / individuals have been fined / imprisoned for not complying with Cookie Consent regulations? I haven't heard of anyone.

[cookielaw.org...]

There are tens of other examples since.

I'm glad we're nearer to know what we have to do...

I'm glad we're nearer to know what we have to do...

hum... I bet that on the 25th it will still not be 100% clear, and Google / Adsense will still use carefully selected sentences to stay unclear.

This reminds me of the Y2K panic when all of the world's computers were supposed to crash at midnight in the year 1999 - didn't happen - or when Trump was elected and the stock market was supposed to crash - didn't happen - or when we were going to be at war with North Korea at any moment - didn't happen. I suggest everyone wait and see what the big guys are going to do come May 25 and then follow their lead. If the EU comes after smaller sites, it won't be for years down the road.

Apples and carrots

Could someone please clarify what Google require us to do to comply with their ToS - just the bare minimum. This is what I will be using as a starting point, then worrying about the EU as things (possibly) become clearer....

Could someone please clarify what Google require us to do to comply with their ToS

No.

Joke apart (in fact, this was not totally a joke), Adsense put a lot of efforts not to make things clear, like that, if they get problems, they can blame "us" the publishers.

Now, form what I "understand/interpret" is that :

- You can (will be able to) disable interested based ads for EU visitors from the Adsense 's dashboard. In that case, you "should" still display a banner, "informing" EU visitors that "non-tracking" cookies are used, with a link to your privacy policy, where you have to explains all what is being done by whom. You "should" also let EU visitors opt out from third part cookies, even if they are not tracking. And if they decide to opt out, then you should stop showing them Adsense ads. This might not be 100% compliant, but I think this is a good compromise, and show your good will and that you are making efforts to do things right.

- If you decide to continue showing interested based ads to your EU visitors, then you have to obtain the "explicit" consent from each visitors to do so. Meaning that , you need to show a message on the screen, and wait for the answer of the visitor before injecting/running the Adsense code on your page. AND, you have to let visitors change their choice at anytime. (And you still need a privacy policy, with all the details of what is done by whom, why and how).

That there were some wild predictions on y2k doesn't mean that there weren't real problems that needed fixing - and were fixed. Vaccinations have the same problem, "Oh look we spent all that money vaccinating everyone, and the epidemic didn't happen!" - it can be hard to assess whether action was needed after the event, when taking that action has an impact.

Trump himself claimed the stock market was a bubble before his election. I don't recall that being the main thing people were worried about anyway, but I think it's better to keep politics out of this thread please.

I agree there's no point scaremongering, or worrying too much, though at the same point that doesn't mean that people should be doing nothing at all on the things that we do know. I agree we'll get a much better idea of what big sites are doing after May 25.

surfgatinho: to add to Travis's answer, a helpful site for code to generate banners for cookie info is at [cookieconsent.insites.com...] . (This is for the already existing cookie law, not the new GDPR; for the GDPR, disabling personalised ads for EU seems the easiest step imo.)

In terms of what Google require, the page [support.google.com...] seems to stress optional tools that Google provides. Meanwhile the new policy at [google.com...] seems somewhat stricter, lumping the cookie law in with the new rules, and implying that consent for all cookies is something we need records for, and something that users can revoke. But that then links to [google.com...] which seems more relaxed, clarifying "The policy requires that end users are told how to revoke consent to ads personalization. At a minimum, end users need to have information sufficient to easily reach their ad controls for your site or app, or the general controls provided by Google or via their device." For the cookie law, it says "We understand that regulatory guidance on ePrivacy laws is not consistent across Europe, which is why our policy calls for consent to cookies or mobile identifiers “where legally required.”" In my opinion, it sounds like Google need a tos that complies with the law but where that doesn't necessarily mean they'll be the ones policing it - and it's therefore vague because they can't say how it's enforced (either for cookies, or the GDPR).

Small update on this one.

It seems some websites are using pages like the below to allow users to opt-out from advertising or whatever:
[youronlinechoices.com...]
[networkadvertising.org...]

In the meantime, I strongly recommend using this website to generate a report of all the cookies of your website:
[cookiebot.com...]

It's free and of course I'm not affiliated with them in any way.

One thing I noticed on one of the websites I ran the test is the cookie "PHPSESSID" used by PHP-based websites. Some websites may not function properly without it, yet users have to give consent?

One thing I noticed on one of the websites I ran the test is the cookie "PHPSESSID" used by PHP-based websites. Some websites may not function properly without it, yet users have to give consent?

As usual, there is no clear answer to such question. All depends of what you (your site) is doing with the session id, and for example, if it's shared among several sites. However, I think I am not taking too much risks saying that, in your case, I don't think such cookie requires an "explicit" consent. But it would still be good to have an informational cookie banner.

nb: In Firefox, you can use the "Storage Inspector" from the Developer Tools [developer.mozilla.org...] . It will show in real time all cookies set, with whom is setting them. This is good to understand what is going on at a site. There is certainly a similar function in Chrome.

Nope, not apples and carrots. My point is that there is a lot of unnecessary panic. Just wait to see what happens on May 25. See what large companies do. Then go from there.

I don't think it's a matter of "panic", I think it's a matter of trying to do things right. Lot of publishers, no matter their size, and especially those taking part to this forum, have a professional approach of their activity. We try our best to do things right and because of it, we like to understand things ahead so we can plan and do what has to be done, for not having to do things at the last minute, which in that case would lead to panic.

Travis:
"You "should" also let EU visitors opt out from third part cookies, even if they are not tracking. And if they decide to opt out, then you should stop showing them Adsense ads"

You said "then you should stop showing them Adsense Ads". But is it really necessary and good understanding what to do when you chose to Turn off personalized ads?

Check out this link: [support.google.com...]

'You can't stop getting ads online, but you can remove some unwanted ads. You can also stop getting ads that are based on your interests and info.'

'Blocking a Google ad or turning off ad personalization can't:
Stop all ads: If you turn off personalization, Google ads will use info like your general location or the content of the website you’re visiting'

What I meant, was that, "ideally", you should allow visitors to refuse ALL cookie (no matter the purpose of the cookie). So if they refuse the cookies, then you can't serve Adsense ads, since they drop a cookie, even if you turned off personalized ads. So in that case, you should set your site to stop using Adsense code if someone refused all cookies at all.

Of course it can sound excessive, that is why I said "ideally".

@docelvita I think that information is not yet updated. The option to turn off personalized ads exists already.
The new option would be: Allow & block ads and then Content and then All my sites and then EU user consent.

What i thought by reading [support.google.com...]

is that by disabling personalized Ads through Adsense Cpanel for EU, simple link to Google own page, within your own Privacy policy, with option to opt-out will.be enough to satisfying Google.And if they chose to opt-out on google page non.personalized cookie then google should take care.of they will still show non.personalized Ad to visitors or not.