How to Comply with GDPR in Adsense?

Got a email from Google Adsense with title: [Action Required] Compliance with Google’s EU User Consent Policy

Scary? no need to feel worried. It is actually very easy to fix this (to comply with GDPR in Adsense).

On 25 May 2018, we updated Google’s EU user consent policy to coincide with the General Data Protection Regulation (GDPR) coming into force. This Policy outlines your responsibility for making disclosures to, and obtaining consent from, end users of your sites and apps in the European Economic Area (EEA) along with the UK.

It has come to our attention that the site(s) or app(s) listed in the attached file do not comply with our policy, which reflects our understanding of GDPR compliance based on guidance from EU and/or UK data protection authorities (DPAs), because they:

do not seek to obtain consent from users, and/or

do not correctly disclose which third parties (including Google) will also have access to the user data that you collect on your site/app. You can view these controls and the list of ad technology providers in your Ad Manager,AdSense or AdMob account.

Action needed
Please check the site(s) or app(s) listed in the attached file and take action to ensure that they comply with our policy. We will re-review your site(s) or app(s) regularly and monitor your account.

We may take action, including suspension, if the policy violations have not been resolved by XXXXXX.

Policy requirements
The EU user consent policy outlines your responsibility as a user of our ad technology, including to:

Obtain EEA along with UK end users’ consent to:

the use of cookies or other local storage where legally required; and

the collection, sharing and use of personal data for personalisation of ads.

Identify each party that may collect, receive or use end users’ personal data as a consequence of your use of a Google product.

Provide end users with prominent and easily accessible information about those parties’ use of personal data.

Find out more
You can refer to our policy help page for more information on complying with Google’s policy including a checklist for partners to avoid common mistakes when implementing a consent mechanism. We also recommend that you consult with your legal department regarding your compliance with the GDPR and Google’s policies.

Comply with GDPR in Adsense?

The GDPR (In Europe) requires websites to display a message to users so that they are aware of the fact the users’ data such as cookies are recorded to allow personalized ads. We can turn of the personalized ads in Adsense (Privacy & Messaging). However, we still need to show the message. Below is the response from Google Team:

If you do not serve personalized ads to users that visit your site, and visits to your site do not influence the ads served elsewhere, you are still required to obtain consent for the use of cookies or mobile identifiers, where legally required. Consent for cookies or mobile identifiers is still required because non-personalized ads still use cookies or mobile identifiers to combat fraud and abuse, for frequency capping, and for aggregated ad reporting. CookieChoices.org also provides an example of a notice that might be appropriate in this case. Please see our Help with the EU user consent policy for more details.

We can directly turn off the Personalized-Ads, but still we may have to show the GDPR notification form as stated above – as cookied is often used to combat the fraud and abuse.

I’ve tried some Cloudflare App, but it is just a few clicks using Adsense inbuilt GDPR Message. We can safely turn this on at Google’s GDPR Tab (Privacy and Messaging). We can customize the options shown in the GDPR notification message. You can also provide a Decline Option.