by notechback 2241 days ago
They are not mandatory, it's a choice by the site owner to include them. They are only mandatory if you include tracking features that track users across the web (= ads and Google analytics).

One can include ads and analytics without consent being granted - they're "just" restricted to a method of delivering ads and performing analytics which don't track the user.

IANAL, mind you - but that's how we implemented it - you're opting-in to the ads that target you and analytics which track you, or you get the non-tracking/non-targeting ads and analytics.

What are some good non-tracking & non-intrusive ad providers? I've wondered about one day being able to put a few "ethical" ads on a blog site.

You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads:

    (adsbygoogle=window.adsbygoogle || []).requestNonPersonalizedAds = true;

If you do this you don't even need to check for consent since you're not tracking the user or storing any PII. In my case this is what I call if the user doesn't accept advertising cookies, but there's no reason you can't disable them completely on your site if that's what you'd like.

You also have pretty tight control over the categories of ad that Adsense can display, and you can even go as far as to review individual adverts. I've booted a couple of ads that I found to be unethical/distasteful from my site using the review feature in Adsense.

The only issue with Adsense is that there are a gazillion ads it might show on your site, so I'd recommend filtering out any categories you don't much like first, and then reviewing ads sorted by popularity/impressions in descending order, otherwise you'll quickly go mad.

[1] Obviously not an option if you absolutely don't want to do business with Google.

> If you do this you don't even need to check for consent since you're not tracking the user or storing any PII.

Google seems to disagree [1]: Non-personalized ads are targeted using contextual information rather than the past behavior of a user. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply.

What's not clear from Google's documentation, but what I assume, is that they also do not use the info about the context & visitor to serve them personalized ads on other websites.

[1] https://support.google.com/adsense/answer/7670013

Hmm, that's interesting because that would suggest that if somebody declines advertising cookies then you can't serve them ads via Adsense at all... which would be an odd decision by Google.

That's not the issue. The issue is that if the user has and sends Google cookies AdSense will use them. (And many people have third party cookies on, and AdSense might be using some tricky bypass there too.) Getting sneaky about tracking is their business model. And then cookie law is in full force.

Well, sure - you can still send some signals to see ads that are relevant to the _content_ as opposed to the _viewer_.

Example: you're seeing an article about devops and you get an ad about AWS instead of an ad that has followed you around from another website you visited previously.

The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

The other types of cookies can be pretty much disabled at the point of calling the google tag, or enabled (along with more tracking/targeting ads) if the user consented to that.

> The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

But the comment you're responding to says it right there: Even Google is telling you it requires consent. It's a cookie, so it requires consent, period. Don't fool yourself.

Could Google serve ads without cookies, and do fraud detection by other means? Yes, perhaps lowering payout due to increased risk. But it's much better to pretend that a cookie-banner is needed, so that you might as well enable ad-tracking cookies.

Since it's a technical cookie that's required for ads/marketing, it very much falls under marketing, I believe. Imho "technical cookies" are e.g. Cloudflare's __cfduid or your framework setting a session cookie because it wants to be stateful.

> > What are some good non-tracking & non-intrusive ad providers?

> You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads

This discussion describes exactly the problem. How long has this tracking consent law been there now??

And it's just an option in Adsense?!!!

So whenever I see a cookie banner, you can assume they are simply too greedy to flip the switch.

Clearly the adtech and adtech-supporting industry hasn't even slightly bothered to look for alternatives, instead opting to annoy the public with banners. It's pure propaganda in the hope that the annoyance will turn into defeat, and somehow they manage to turn people's disgust towards the EU law instead of them, simply continuing to do their useless crap business and pretending the EU got their hands tied ... when there's a literal boolean switch to tell their shit to behave.

Affiliate marketing is the best way to go. You have full control on how you advertise products.

For my website [1], I have built close relationships with local experts. They provide services my readers need, and I know they can be trusted. I get a commission from resulting sales. I like that model because advertisers have zero access to or control over the readers' data. Unfortunately, it's simply not applicable to all websites.

- [1] https://allaboutberlin.com/

I wouldn't say "ethical", but even Google's pubads can do non-tracking.

For pubads, look into "setCookieOptions(1)" and "setRequestNonPersonalizedAds(1)" for a good start on the matter.

It _can_ be done.
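
The AdSense flag and the two pubads calls mentioned in the comments above, wired to a default-deny consent check. This is an added example, not code posted by anyone in the thread; the `ad_consent` cookie name and the function names `readAdConsent` and `applyAdPrivacy` are assumptions.

```javascript
// Added example, not code from the thread. The "ad_consent" cookie name and
// both function names are assumptions made for illustration.

// Returns true only for an explicit opt-in; missing or malformed values mean no consent.
function readAdConsent(cookieString) {
  for (const part of String(cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "ad_consent") return rest.join("=") === "granted";
  }
  return false;
}

// Must run before the first adsbygoogle.push({}) or GPT ad request.
function applyAdPrivacy(win, consented) {
  const npa = consented ? 0 : 1;

  // AdSense flag from the thread (the comment sets true; 1 is equally truthy).
  win.adsbygoogle = win.adsbygoogle || [];
  win.adsbygoogle.requestNonPersonalizedAds = npa;

  // GPT calls named in the thread, queued so they run once the library has loaded.
  win.googletag = win.googletag || {};
  win.googletag.cmd = win.googletag.cmd || [];
  win.googletag.cmd.push(function () {
    const pubads = win.googletag.pubads();
    pubads.setRequestNonPersonalizedAds(npa);
    pubads.setCookieOptions(npa); // 1 asks GPT not to use cookies on ad requests
  });
  return consented ? "personalized" : "non-personalized";
}

// In a browser, call this in the page head, ahead of the ad tags.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyAdPrivacy(window, readAdConsent(document.cookie));
}
```

Whether the non-personalised path still needs a consent prompt of its own is the point the replies above dispute; the sketch only shows how the flags are switched.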

> across the web

That part is not necessary. They are mandatory if you collect any form of personal data without legitimate interest.

Which means any website that does anything useful. That doesn't mean ads, but Google Analytics (or another comparable service) is just about everywhere these days.

The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.

Shopping carts, subscription services etc. will still work, you don't need to consent to that, as long as you're not tracking people or handling their data unnecessarily.

When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.

> When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.

Or the owner of the website has failed to understand the nature of the law. Given the amount of confusion in this comment section this also seems likely.

The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.

As with most law, you're not excused from following it if you fail to understand it.

If the admin of a site thinks they need a cookie banner when they don't, it's really because they haven't really bothered to give much thought to reducing the amount of data collection they do on their users.

But I bet it's not really that common, website admins who think they need a cookie banner when they really do not. What is WAY more common: the website admins that do need a cookie banner, but ONLY because they use Google Analytics, and don't realise this is a choice they get to make.

Or people (right here in this thread) saying "I can't make a useful website otherwise" -- it's not that the law is hard to understand, it's not. It's that they refuse to give the problem any thought. The ones "failing to understand the nature of the law", actually just don't give a crap. It's like a butcher complaining "Why do I have to label my meat with 'made from tortured animals', I have to kill them right? I can't possibly produce any meat without using this rusty spoon that I've used for decades".

> The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.

You can easily not act maliciously, and still be a crucial part of the problem. That's also what laws are for, even if you cross them non-maliciously, you get punished. That's because people "not understanding the nature of the law", when it directly applies to their business, is undesirable, and really a responsibility they should carry.

> Or the owner of the website has failed to understand the nature of the law.

Oh, sure, but if they don't understand it then they probably shouldn't be gathering people's data either.

GDPR is pretty complex, but website operators have proved for years and years that they can't be trusted to do the right thing themselves, so here we are.

I'm still waiting to see the harm this tracking is causing that is requiring the GDPR and its giant cost to society.

Giant cost to society?

Tracking has a giant cost to society, the sole reason it exists is so we can be manipulated by advertisers into spending more than we otherwise would have.

GDPR isn't very hard to understand, it's just that website owners want to have their cake and eat it too. Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting, and all this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

> GDPR isn't very hard to understand

It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...

Totally agree, and this shouldn't be done.

> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

> it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints

The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".

If that wasn't the "constraints" they were operating under, they have no problem now either.

> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

This is indeed where we disagree, except the law also disagrees with you:

It's. Not. About. Cookies.

It's simply about collecting and storing more data on your users than you strictly need to run your business.

There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.

> It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

As a developer, I agree. As an end user, I am OK with this.

If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.

It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.

> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive

My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".

I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.

> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.

For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.

Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.

> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:

"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."

The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations isn't around cookies themselves.

It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.

> The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.

You forgot one more... you're a citizen of an EU member state. I live in a sovereign nation and EU law doesn't apply to me.

It's been quite funny seeing Americans fall over themselves to comply with GDPR requirements. It won't be funny when they also fall in line behind Chinese law.

> Which means any website that does anything useful.

That's a ridiculous over-generalization. My bank's website doesn't have ads on it; is that not useful? Wikipedia doesn't either, can you earnestly say you've never found wikipedia useful?

There is much more to the web than shitty ad-riddled websites.

It doesn't have to be a modal popup either. If your default is truly "off" then you could have a banner on top or bottom or somewhere saying something like "please help us make the site better..." or whatever.

But that isn't intrinsic to useful services. It is possible to run a profitable bookstore or organise an event without tracking individual users.

Google Analytics doesn't do anything useful for the visitor of the website, only for the lazy administrator of the site. But the latter isn't the one giving up consent, are they?

Also it's kind of sad if you believe you can't make a useful website without having to hand over private user tracking data to Google. In fact you are using a website just like that, right now.

Google Analytics being everywhere is at least an order of magnitude worse than the embedded like button spying.

I disagree. Facebook has much more power over advertising to their users (by personalizing the wall).

Facebook personalizes the Facebook wall. Google personalizes almost every other page you visit and mobile applications/games you use. Not sure how Facebook is more dangerous here.

No, it doesn't. I use adblock, as do a lot of other users. The FB wall is organized to my liking without any direct ads needed.

Or if you do A/B testing, or any e-commerce feature like a shopping cart. The Internet is more than ad-supported sites.

You don't have to assume your user wants to be A/B tracked, or wants to purchase anything. You can allow the user to enable them nicely and non-intrusively without a popup. You can ask the user intrusively when they actually initiate a purchasing action.

Most sites choose to do a popup instead because (they think) it is more effective. So be it, but don't say it's "mandatory" or that "they are forced to".

Both false.

A/B testing is allowed and doesn't need opt-in if the A-or-B preference is only recorded in aggregate form and not tied to the user.

Same for the purchasing scenario. In this case, you would be explicitly collecting personal data to fulfill the order.

Crazy how people whose job it is to build this crap, don't even know what the actual rules are.

It's almost as if they just want to collect all the data on all the users forever without any oversight, by continuously rehashing bad and misunderstood versions of the GDPR and pretending it's hard and complex and vague.

You don't have to warn the users for using a cookie for a shopping cart. That is considered basic functionality.

It's a choice so many site owners have made that the web is effectively ruined.

I refuse to include them. I am not a citizen of an EU country and I don't give a rat's arse what the EU thinks of my website. They aren't the boss of me.