[someguy2018]

Because I apparently need affirmative check-the-box consent before I can actually use those ad networks.

I'm not doing anything shady: all the information I collect and why I collect it has always been in my privacy policy. But making people have to opt-in to see ads on the site is a big problem.

[donohoe]

Correct. There are a few things to note here:

One single ad unit may try and load several tracking services so that it can re-target you later, track that the ad was served, and also load in extra services (Facebook Like button) that in turn track you for their own reasons.

On any given Page Load you DO not know in advance what ads will be in your page.

In getting User Consent before you load ads you cannot possibly know what the services are that will eb injected into the page ahead of time.

Thats an impossible situation.

Even if, and I stress this is hard, even if you were able to limit your ads from one network to direct-sold campaigns under the control of just a few agencies that agree to use only a subset of trackers and other services, you might still be talking 20 to 80 items you need to provide the user in a Consent Form.

[viraptor]

You can do non-targetted ads without explicit consent as far as I understand. You only need it for the extra personal information use. Sure it's a bit worse for the publishers. (But I'm happy with that)

[someguy2018]

Where would "non-targeted" ads even come from? How can you use an ad network or even run a standard ad server in a way that doesn't share at least the reader's IP Address?

Mom and pop publishers who don't have the resources or ability to staff their own ad sales team are going to be in trouble. The big players who can work around this obstacle are going to be fine. I'm not happy about this.

[Angostura]

IP address is only personally identifable info if it is coupled with other info that links it to a real person.

Storing an IP address by itself and sharing it is not, by itself PII

[someguy2018]

No, I'm pretty sure that is incorrect. The EU believes that an IP itself is personally identifiable and it must be secured and processed like any PII [1]. I think you could make a case that the IP being sent to an ad network is an "acceptable" business practice for which you don't need consent, but IANAL.

[1] https://www.enterprisetimes.co.uk/2016/10/20/ecj-rules-ip-ad...

[donohoe]

That is incorrect.

In the US, legally thats fine. In the EU they classify it as personal information.

[LoSboccacc]

like, have you read the guideline?

[halfjoking]

As a joke I might make a popup for each URL in our ads.txt files (at work) asking for consent. There are over 300 lines which I've always thought was ridiculous but maybe this will drive the point home to my boss.