
New AdSense APIs for gathering user-consent

Google has published some developer documentation on how AdSense publishers can opt for non-personalized ads and comply with European consent laws. The General Data Protection Regulation (GDPR) is just around the corner, so I thought I’d have a look at what Google is providing to publishers.

Google AdSense will require that publishers update their ad serving implementation to be compatible with Europe’s new (and existing) privacy laws. Google will let publishers take AdSense back to its roots and only display contextually targeted advertising based on a page/site’s content rather than visitors’ online behavior.

Publishers also have new tools to prompt their visitors for consent to online profiling so they can continue to rely on personalized ads. However, publishers will be pressed to find a compelling reason to convince their visitors to opt-in to personalized ads and I fully expect that many will opt for contextual-only advertisements instead.

To even have a discussion on this topic I need to get something out of the way first:

The AdSense APIs referenced in this article don’t go live until . Google is giving publishers a window of 0 seconds to update their ad serving implementations before the GDPR comes into effect on the same day. Google also warns publishers against deploying these APIs before that date.

Quick introduction to the European consent requirements

GDPR is probably annoying to implement for engineers, but for consumers of Internet services in the EU it’s the best thing ever.

Christoph Nakazawa, Twitter

Tracking of people’s behavior and activities online has been the default way advertising on the web works. The General Data Protection Regulation changes the web’s default of “everything is allowed and maybe give people an opt-out” to “people have rights and companies and websites are required to respect them.” Clear information and opt-ins are the new mode of operation under the GDPR.

AdSense’s new Application Programming Interfaces (API) aren’t just about being compliant with the GDPR. Some are also catching up with the European ePrivacy Directive, better known as the “cookie law”. Notably, an EU directive, unlike a regulation, isn’t EU-wide law. The adoption of the ePrivacy Directive varies quite a bit from country to country. Some countries consider “browser settings” such as the settings for cookies sufficient, while others require more explicit consent prompts, and others still allow cookies by default as long as publishers inform visitors and provide an opt-out method.

AdSense requires the use of cookies for “frequency capping, aggregated ad reporting, and to combat fraud and abuse” even for their new non-personalized ads. Publishers may be required to not let AdSense set any cookies before they’ve obtained consent to do so.

“Super-cookies” or “evercookies”, alternative ways of storing information that bypass the browsers’ normal local storage settings, may be tempting workarounds but still don’t comply with the law.

The upcoming ePrivacy Regulation (as a Europe-wide regulation and not a directive) will simplify things considerably. The current draft regulation indicates it will do away with the cookie consent banners and rely on browser privacy settings and detailed privacy policies instead. However, for the time being the old directive is still in effect, yet websites can improve the user experience by listening to web browser settings today.

Likewise, the publisher is required to obtain consent before allowing AdSense to store and personalize advertisements based on a visitor’s online activities.

Pausing ad-requests until cookie consent has been given

Google AdSense has provided a new pauseAdRequests API method that can be used to load AdSense resources but not load any ads or set any cookies. Setting this to 1 or true pauses ad loading, and 0 or false resumes ad loading.

The following code example demonstrates its use by pausing ads unless a specific consent cookie has been set in the browser:

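// True when the cookie-consent cookie is absent. The negation must apply to
// the whole comparison: !indexOf(...) >= 0 would always evaluate to true.
var google_ads_cookie_lacking_consent =
    (document.cookie.indexOf('google_ads_cookie_consent=1') < 0);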

(adsbygoogle=window.adsbygoogle||[]).pauseAdRequests =
  google_ads_cookie_lacking_consent;

The above code must be executed before any ad requests are sent to AdSense (before window.adsbygoogle.push()) to take effect.

Publishers then need to inform their visitors about the website’s use of cookies and ask for permission to set cookies. Once permission has been granted, the publisher can store that consent in a cookie and resume ad loading:

// path=/ makes the consent apply site-wide instead of only to the current directory
document.cookie='google_ads_cookie_consent=1; path=/; max-age=47304000'; // 18 months
(adsbygoogle=window.adsbygoogle||[]).pauseAdRequests=0;

Note that ads won’t display until you get consent and resume the ad request.

Opting out of personalized ads

You separately have to obtain consent for the use of tracking and personalized/behavioral ads. This can be tricky to implement as you have to inform visitors in great detail about which of Google’s many ad partners you may or may not share data with. You can look into your AdSense revenue reports and assess the impact of outright disabling personalized ads on your website. It may be easiest just to disable them altogether for all users.

Google AdSense has provided a new requestNonPersonalizedAds API method that can request non-personalized ads instead of personalized ads (the default). Setting this to 1 or true requests non-personalized ads and setting it to 0 or false (the default) requests personalized ads.

It’s up to publishers to explicitly request non-personalized ads! Publishers can opt-out of personalized ads quite easily:

(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds = 1;

The above code must be executed before any ad requests are sent to AdSense (before window.adsbygoogle.push()) to take effect.

Handling consent permission for personalized ads

If I haven’t been able to persuade you to abandon personalized ads and you wish to take on additional risk and work with personalized ads, then we’ve reached the section you’ll be the most interested in.

One of the best things about the GDPR is now every time a stakeholder at work asks me to do something I don’t feel like doing, I can go ‘um, I’m not sure if it’s GDPR compliant, do you know?’ and they’ll give up and die before figuring it out.

Zoe Stavri, Twitter

We’ll use the same method as for opting out, but introduce some consent cookie and browser settings checks instead of just banning personalized ads outright. The following example looks for a consent cookie and also checks the Tracking Preference API, a web standard for opting-out of tracking, to make sure the user isn’t signaling that they don’t consent to tracking using another browser preference.

var google_ads_personalized_consent =
  (document.cookie.indexOf('google_ads_personalized_consent=1') >= 0 &&
  (navigator.doNotTrack != 'unspecified' && navigator.doNotTrack != '1'));

(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds =
  !google_ads_personalized_consent;

The above code must be executed before any ad requests are sent to AdSense (before window.adsbygoogle.push()) to take effect.

Take special note of the Do Not Track (DNT) implementation as the draft of the ePrivacy Regulation doesn’t specify which browser setting the user must use other than it being in the general privacy settings in their web browser. A standardized setting that’s specifically designed to let users signal that they don’t consent to tracking must be respected under the ePrivacy Regulation.

Note that you should also not prompt users who send the DNT signal. Not only are they less likely to grant consent, but you’ll still have to deal with the problem of mixed signals from the same visitor.

Publishers will now need to do a thorough job of informing their visitors about online profiling and how it relates to personalized ads. They also need to inform their visitors about which companies, specifically, are involved in collecting data about their online activities. Google has some resources to help publishers with this, but you’re pretty much left on your own to get this right.

Once a visitor agrees to online tracking and personalized ads, then you need to record/document that they gave consent and how you obtained it. I suggest adjusting your web server log format to log the value of the DNT HTTP header as well as the value of the google_ads_personalized_consent cookie along with the users’ IP address and the date of their visit. See also “EU GDPR and personal data in web server logs”. I’m not sure if this is sufficient, however.

Finally, you can let them have personalized ads by setting the cookie we introduced a check for earlier.

// path=/ matches the opt-out link's cookie, so a withdrawal overwrites this one
document.cookie='google_ads_personalized_consent=1; path=/; max-age=23328000'; // 9 months
(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds=0;

This wouldn’t take effect until the next pageview, unless ads are also paused (see the section on cookie consent).
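The cookie-consent and personalized-ads checks from the sections above, combined into one decision, as an added example that is not Google's code or part of the original article. The cookie names and the DNT test are the article's; the function names are hypothetical, and it assumes that exact cookie-name matching and treating conflicting copies of a cookie as "no consent" are the behaviors you want.

```javascript
// Added example (not Google's or the article's code). Cookie names come from
// the article; parseCookies, consented and adsenseFlags are hypothetical names.

// Split a document.cookie string into exact names, keeping every value seen
// for a name (the same name can exist under several paths).
function parseCookies(cookieString) {
  var jar = Object.create(null);
  (cookieString || '').split(';').forEach(function (pair) {
    var eq = pair.indexOf('=');
    if (eq < 0) return;
    var name = pair.slice(0, eq).trim();
    (jar[name] = jar[name] || []).push(pair.slice(eq + 1).trim());
  });
  return jar;
}

// Consent counts only if the cookie exists and every copy of it says "1".
function consented(jar, name) {
  var values = jar[name] || [];
  return values.length > 0 && values.every(function (v) { return v === '1'; });
}

// dnt is the value of navigator.doNotTrack; same DNT test as the article.
function adsenseFlags(cookieString, dnt) {
  var jar = parseCookies(cookieString);
  var cookiesOk = consented(jar, 'google_ads_cookie_consent');
  var personalizedOk = cookiesOk &&
    consented(jar, 'google_ads_personalized_consent') &&
    dnt !== 'unspecified' && dnt !== '1';
  return {
    pauseAdRequests: cookiesOk ? 0 : 1,
    requestNonPersonalizedAds: personalizedOk ? 0 : 1
  };
}

// Browser wiring; must run before the first adsbygoogle.push() call.
if (typeof document !== 'undefined') {
  var flags = adsenseFlags(document.cookie, navigator.doNotTrack);
  var ads = (window.adsbygoogle = window.adsbygoogle || []);
  ads.pauseAdRequests = flags.pauseAdRequests;
  ads.requestNonPersonalizedAds = flags.requestNonPersonalizedAds;
}
```

Unlike a plain indexOf() test, this does not mistake a cookie such as google_ads_cookie_consent=10 for consent, and a leftover consent cookie on another path cannot override a withdrawal.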

Handling consent withdrawals

The GDPR requires that it must be as easy to withdraw consent as it is to give it. You can’t say “just delete cookies” when you provided an easy prompt to let people opt-out.

Consent must be easy to withdraw; indeed ‘it must be as easy to withdraw consent as it is to give it’. No more retention scams that allow online signups but demand users phone a call centre to delete their accounts.

Cennydd Bowles

I suggest displaying an “opt-out of personalized ads” link either underneath advertisement banners or at least at the bottom of each page.

Here is an example opt-out link mechanism that removes the consent cookie:

<a href="#" onclick="document.cookie='google_ads_personalized_consent=0; path=/; max-age=60';alert('You’ve opted out');">Opt-out</a>

However, you also need to inform people about how they can remove the data that Google has already collected about them. I’m frankly not sure how to go about that and I haven’t found any information from Google regarding this either.

At the close, I’d like to remind everyone of the huge yellow disclaimer you read in the beginning of the article. The information in this article may not be accurate, and publishers must read through their contracts with Google and AdSense in detail as well as all the information Google sends them regarding the GDPR.