AdSense and Cookies. The EU user consent requirement explained
AdSense publishers were notified back in July that they would need to make changes to their websites to comply with the new EU user consent policy. The notification required that changes were in place by September 30th 2015.
Despite the looming deadline, many publishers are yet to implement changes. One of the key reasons cited has been confusion about what is expected. To help, we’ve put together this simple guide to the policy and what our expert team understands to be expected from AdSense publishers.
Background to the EU user consent policy
What products does this policy apply to?
AdSense, DoubleClick for Publishers (both editions) and DoubleClick Ad Exchange (AdX).
Do I need to comply with this policy?
If you serve any of the above products to users in the EU, then yes. Even if you are located outside of the EU but have EU users, you must comply with this policy.
Why is this changing?
The EU has some strange ideas about Cookies and is also giving Google quite a hard time in the European courts. There are a lot of possible reasons for this, but a large part of it is an attempt to bring Cookie usage by Google within what the EU courts now expect.
What do AdSense publishers need to do?
The jury is still very much out on what the European Courts and the national courts within the union expect. Google though is clearer, and arguably more likely to enforce their expectations.
Google’s EU user consent policy states the following:
“You must use commercially reasonable efforts to disclose clearly, and obtain consent to, any data collection, sharing and usage that takes place on any site, app, email publication or other property as a consequence of your use of Google products; and
You must use commercially reasonable efforts to ensure that an end user is provided with clear and comprehensive information about, and consents to, the storing and accessing of cookies or other information on the end user’s device where such activity occurs in connection with a product to which this policy applies.”
If you are using Google Analytics Advertising features then you also need to comply with the policy requirements for that.
OK, but what do AdSense publishers actually need to do?
It’s hard to say for certain until the policy changes start getting enforced at the end of September. Consensus seems to be building that this boils down to three things:
- Add a notice for new users of your site
- Provide a link for more information
- Obtain consent by making them click to remove the notice
Requirement 1 : The disclosure notice
These tend to be alerts that appear at the top or bottom of the page for users who have not previously visited the site and provided consent. Many publishers are assuming that their existing Cookie notice is enough, but the wording of the policy suggests otherwise.
The policy requires that two separate issues are disclosed in relation to use of Google products:
- Collection and sharing of data
- Storage on users’ devices (such as by cookie)
This notice needs to be shown to all users in the European Union. If you don’t have the means to geographically target your message you can display it to all users and accept that other users will be irritated too. One common issue we are seeing is websites implementing a user consent system, but not displaying it to mobile users. The requirements (both from Google and the EU) are the same for desktop and mobile users.
Requirement 2 : Full details
It’s not practical to provide full information in the sort of pop-up notice that most sites are using, so a link for full details is a necessity. Some publishers are having this link load a new page, others have it expand the consent notice to give more details.
The bigger question though is what information to provide. In terms of Google products the simplest solution seems to be to explain which types of product you use then link to this page on Google.
This might not be the best solution for users: not only do they need to follow a link to another site in order to get answers, but the answers don’t reflect the specifics of the publisher’s site. In practical terms publishers are not usually aware of the details of how Google uses that information or when the usage changes, so linking to that page might not be ideal, but it is probably the simplest solution and seems to be enough to satisfy Google.
For many sites just covering the Google products probably isn’t enough. If you use other third party scripts these might also need to be covered. This guide though is about becoming compliant with the Google policy changes, not the EU requirements.
Requirement 3 : Consent button
The EU ruling says that consent “must constitute a real indication of the individual’s wishes”. This and the tone of communication from Google suggest that just informing users that continuing to use the site is acceptance is not enough.
The “click to agree” or “got it” button is the usual implementation of this. This can make the notice disappear and store a cookie to ensure that user doesn’t see the notice again.
Many interpret the EU rules as requiring that consent is gained before a cookie is set. For most website owners this is difficult and could fall outside of what is “reasonable”. At the moment it seems that this isn’t being expected by Google.
Some sites have been implementing the consent button by offering users a choice of “agree” or “decline”. We’d urge caution with this. If a user declines permission to set a cookie and share data you could be expected to honour that. If you have ad units on the page then it is already too late.
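If you do offer “agree” and “decline”, the ad tags have to stay inert until the visitor's choice is known, otherwise a decline cannot be honoured. The sketch below is an added example, not code from this guide or from Google; the cookie name, element id and data attributes are assumptions.

```javascript
// Added example; all names and markup hooks below are hypothetical.
const CONSENT_COOKIE = 'eu_consent';      // assumed cookie name
const MAX_AGE = 60 * 60 * 24 * 365;       // assumed lifetime: one year, in seconds
const valid = (d) => d === 'agree' || d === 'decline';
// Parse a document.cookie-style string; return 'agree', 'decline' or null.
function readConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name === CONSENT_COOKIE && valid(value)) return value;
  }
  return null; // absent or unrecognised value: ask again
}
// Build the cookie that records the choice (Secure assumes an HTTPS site).
function consentCookie(decision) {
  if (!valid(decision)) throw new Error('invalid decision: ' + decision);
  return `${CONSENT_COOKIE}=${decision}; Max-Age=${MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}
// What the page should do on load, identical for desktop and mobile.
function plan(cookieString) {
  const consent = readConsent(cookieString);
  return { showNotice: consent === null, loadAds: consent === 'agree' };
}

// Browser wiring; skipped when there is no DOM.
if (typeof document !== 'undefined') {
  // Ad tags are assumed to be parked as
  // <script type="text/plain" data-needs-consent data-src="..."></script>
  const activateAds = () =>
    document.querySelectorAll('script[data-needs-consent]').forEach((parked) => {
      const live = document.createElement('script');
      live.src = parked.dataset.src;
      parked.replaceWith(live);
    });
  const notice = document.getElementById('consent-notice'); // assumed element id
  const state = plan(document.cookie);
  if (notice) notice.hidden = !state.showNotice;
  if (state.loadAds) activateAds();
  // Buttons are assumed to carry data-consent="agree" or data-consent="decline".
  document.addEventListener('click', (ev) => {
    const decision = ev.target.dataset ? ev.target.dataset.consent : undefined;
    if (!valid(decision)) return;
    document.cookie = consentCookie(decision);
    if (notice) notice.hidden = true;
    if (decision === 'agree') activateAds();
  });
}
```

A returning visitor who declined sees neither the notice nor the ad tags, and an unrecognised cookie value is treated as no decision at all.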
Will this be enough?
This is our best guess based on the messages put out, our team’s understanding of the topic and communications that we have had with the AdSense team. The situation is likely to develop though and we wouldn’t be at all surprised if the EU push for more efforts by publishers. If you want to be kept up to date with the changing advice then we’d suggest joining our monthly mailing list for the insider view.