New AdSense APIs for gathering user-consent

Google has published some developer documentation on how AdSense publishers can opt for non-personalized ads and comply with European consent laws. The General Data Protection Regulation (GDPR) is just around the corner, so I thought I’d have a look at what Google is providing to publishers.

Google AdSense will require that publishers update their ad serving implementation to be compatible with Europe’s new (and existing) privacy laws. Google will let publishers take AdSense back to its roots and only display contextually targeted advertising based on a page/site’s content rather than visitors’ online behavior.

Publishers also have new tools to prompt their visitors for consent to online profiling so they can continue to rely on personalized ads. However, publishers will be pressed to find a compelling reason to convince their visitors to opt-in to personalized ads and I fully expect that many will opt for contextual-only advertisements instead.

To even have a discussion on this topic I need to get something out of the way first:

The AdSense APIs referenced in this article don’t go live until . Google is giving publishers a window of 0 seconds to update their ad serving implementations before the GDPR comes into effect on the same day. Google also warns publishers against deploying these APIs before that date.

Quick introduction to the European consent requirements

GDPR is probably annoying to implement for engineers, but for consumers of Internet services in the EU it’s the best thing ever.

Christoph Nakazawa, Twitter

Tracking of peoples’ behavior and activities online have been the default way advertising on the web works. The General Data Protection Regulation changes the web’s default of “everything is allowed and maybe give people an opt-out” to “people have rights and companies and websites are required to respect them.” Clear information and opt-ins are the new mode of operation under the GDPR.

AdSense’s new Application Programming Interfaces (API) aren’t just about being compliant with the GDPR. Some are also catching up with the European ePrivacy Directive, better known as the “cookie law”. Notably, an EU directive isn’t EU-wide law unlike a regulation. The adoption of the ePrivacy directive varies quite a bit from country to country. Some countries considers “browser settings” such as the settings for cookies sufficient, while other requite more explicit consent prompts, and others still allow for cookies-by-default but that publishers inform and provide an opt-out method.

AdSense requires the use of cookies for “frequency capping, aggregated ad reporting, and to combat fraud and abuse” even for their new non-personalized ads. Publishers may be required to not let AdSense set any cookies before they’ve obtained consent to do so.

“Super-cookies” or “evercookies”, alternative ways of storing information that bypass the browsers’ normal local storage settings may be tempting workarounds but still doesn’t comply with the law.

The upcoming ePrivacy Regulation (as a Europe-wide regulation and not a directive) will simplify things considerably. The current draft regulation indicate it will get away with the cookie consent banners and rely on browser privacy settings and detailed privacy policies instead. However, for the time being the old directive is still in effect yet websites can improve the user experience by listening to web browser settings today.

Likewise, the publisher is required to obtain consent before allowing AdSense to store and personalize advertisement based on a visitor’s online activities.

Pausing ad-requests until cookie consent have been given

Google AdSense has provided a new pauseAdRequests API method that can be used to load AdSense resources but not load any ads or set any cookies. Setting this to 1 or true pauses ad loading, and 0 or false resumes ad loading.

The following code example demonstrates its use by pausing ads unless a specific consent cookie has been set in the browser:

var google_ads_cookie_lacking_consent =
    (!document.cookie.indexOf('google_ads_cookie_consent=1') >= 0);

(adsbygoogle=window.adsbygoogle||[]).pauseAdRequests =

The above code must be executed before any ad requests are sent to AdSense (before window.adsbygoogle.push() to take effect.

Publishers then need to inform their visitors about the website’s use of cookies and ask for permission to set cookies. Once permission has been granted, the publisher can store that consent in a cookie and resume ad loading:

document.cookie='google_ads_cookie_consent=1; max-age=47304000'; // 18 months

Note that ads won’t display until you get consent and resume the ad request.

Opting out of personalized ads

You separately have to obtain consent for the use of tracking and personalized/behavioral ads. This can be tricky to implement as you’ve to inform visitors in great detail about which of Google’s many ad partners you may or may not share data with. You can look into your AdSense revenue reports and assess the impact of outright disabling personalized ads on your website. It may be easiest just to disable them altogether for all users.

Google AdSense has provided a new requestNonPersonalizedAds API method that can request non-personalized ads instead of personalized ads (the default). Setting this to 1 or true requests non-personalized ads and setting it to 0 or false (the default) requests personalized ads.

It’s up to publishers to explicitly request non-personalized ads! Publishers can opt-out of personalized ads quite easily:

(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds = 1;

The above code must be executed before any ad requests are sent to AdSense (before window.adsbygoogle.push() to take effect.

Handling consent permission for personalized ads

If I haven’t been able to persuade you to abandon personalized ads and you wish to take on additional risk and work with personalized ads, then we’ve reached the section you’ll be the most interested in.

One of the best things about the GDPR is now every time a stakeholder at works asks me to do something I don’t feel like doing, I can go ‘um, I’m not sure if it’s GDPR compliant, do you know?’ and they’ll give up and die before figuring it out.

Zoe Stavri, Twitter

We’ll use the same method as for opting out, but introduce some consent cookie and browser settings checks instead of just banning personalized ads outright. The following example looks for a consent cookie and also checks the Tracking Preference API, a web standard for opting-out of tracking, to make sure the user isn’t signaling that they don’t consent to tracking using another browser preference.

var google_ads_personalized_consent =
  (document.cookie.indexOf('google_ads_personalized_consent=1') >= 0 &&
  (navigator.doNotTrack != 'unspecified' && navigator.doNotTrack != '1'));

(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds =

The above code must be executed before any ad requests are sent to AdSense (before window.adsbygoogle.push() to take effect.

Take special note of the Do Not Track (DNT) implementation as the draft of the ePrivacy Regulation doesn’t specify which browser setting the user must use other than it being in the general privacy settings in their web browser. A standardized setting that’s specifically designed to let users signal that they don’t consent to tracking must be respected under the ePrivacy Regulation.

Note that you should also not prompt users who send the DNT signal. Not only are they more unlikely to grant consent, but you’ll still have to deal with the problem of mixed signals from the same visitor.

Publishers will now need to do a thorough job of informing their visitors about online profiling and how it relates to personalized ads. They also need to inform their visitors about which companies, specifically, are involved in collecting data about their online activities. Google has some resources to help publishers with this, but you’re pretty much left on your to get this right.

Once a visitor agrees to online tracking and personalized ads, then you need to record/document that they gave consent and how you obtained it. I suggest adjusting your web server log format to log the value of the DNT HTTP header as well as the value of the google_ads_personalized_consent cookie along with the users’ IP address and the date of their visit. See also “EU GDPR and personal data in web server logs”. I’m not sure if this is sufficient, however.

Finally, you can let them have personalized ads by setting the cookie we introduced a check for earlier.

document.cookie='google_ads_personalized_consent=1; max-age=23328000'; // 9 months

This wouldn’t take effect until the next pageview, unless ads are also paused (see the section on cookie consent).

Handling consent withdrawals

The GDPR requires that it must be as easy to withdraw consent as its to give it. You can’t say “just delete cookies” when you provided an easy prompt to let people opt-out.

Consent must be easy to withdraw; indeed ‘it must be as easy to withdraw consent as its to give it’. No more retention scams that allow online signups but demand users phone a call centre to delete their accounts.

Cennydd Bowles

I suggest displaying an “opt-out of personalized ads” link either underneath advertisement banners or at least at the bottom of each page.

Here is an example opt-out link mechanism that removes the consent cookie:

<a href="#" onclick="document.cookie='google_ads_personalized_consent=0; path=/; max-age=60';alert('You’ve opted out');">Opt-out</a>

However, you also need to inform people about how they can remove the data that Google has already collected about them. I’m frankly not sure how to go about that and I haven’t found any information from Google regarding this either.

At the close, I’d like to remind everyone of the huge yellow disclaimer you read in the beginning of the article. The information in this article may not be accurate, and publishers must read through their contracts with Google and AdSense in detail as well as all the information Google sends them regarding the GDPR.