The Quest for GDPR Complience With AdSense
To reach compliance with GDPR while using Adense on out sites, we need to disclose our ad providers and obtain consent from users.
By. Jacob
Edited: 2022-02-24 00:25
I have previously written about how I am trying to comply with the GDPR by using maxminds GeoIP databases; I have however not written much about the legal requirements until now. Unfortunately, as bloggers and small website owners, we will be forced to figure this out on our own when building custom consent options.
The following is, as I understand, what an AdSense publisher needs to do to comply with the GDPR. Also, before I dive in, let me just state that I am not against better privacy laws; what I am against is the unnecessarily complicated solutions that are being worked out. I believe a built-in browser feature would be better. This would, in theory, allow users to manage their own consent directly from their favorite browser.
A browser solution could probably also work automatically with known ad providers. The only thing website owners needs to do, would be to maintain their privacy policy—the rest could be handled by the browser itself (and the users). We also should not ignore the fact that this already exists in the form of various privacy and cookie controls—it is just too complex and hard to configure for most users, and it also does not prompt the user for consent.
What needs to be done
1. The first technical obstacle we run into, when making our own GDPR consent mechanism, is that we need to know the location of users; since we probably do not want to annoy users from the US with our consent dialog, we should find a way to only show it to users in relevant countries. For simplicity, some might choose to show the consent dialog to all of their visitors, regardless of which country the visitor is in—as far as I know, this is fine, so do not spend too much of your time implementing GeoIP if this will work for you.
2. We also need to store the consent somewhere. To a web developer, this part can easily be solved with an extra database table. This makes sure that we will be able to prove that we obtained consent, probably in case someone claims otherwise.
3. Users must have the ability to handle their consent from their browser. This means we should also create a way for them to revoke their consent, and this page or popup should be easily accessible to the user.
4. When the consent dialog is displayed, we should also show a list of ad providers, and it should be possible to disable them individually.
5. According to the most extreme interpretations, there should be a way to dismiss the dialog without giving consent. Effectively, this means we will need to implement an alternative way for users to access our website—probably by paying a small fee?
1: Integrating GeoIP to find users location
Maxmind offers GeoIP databases that we can install, but it should be updated occasionally for higher accuracy. The advantage of using Maxmind's databases is that they allow both to tell which country and continent that a user is visiting from.
Using Maxmind
echo $_SERVER['CONTINENT_CODE']
Install and Enable Mod_maxminddb for Geolocation
If using CloudFlare, they provide a header to tell where the user is coming from. They do not offer a continent code, however, which makes it hard to determine if the user is within the EU.
Using CloudFlare:
echo $_SERVER["HTTP_CF_IPCOUNTRY"];
Since CloudFlare only provides the country codes, we will need to maintain our own list of EU countries. This should probably also include Canada in relation with PIPEDA, and other non-eu countries with similar data protection laws. A list like that might look like the below (only with EU countries included):
$europe = array('AD', 'AL', 'AT', 'AX', 'BA', 'BE', 'BG', 'BY', 'CH', 'CZ', 'DE', 'DK', 'EE', 'ES', 'FI', 'FO', 'FR', 'GB', 'GG', 'GI', 'GR', 'HR', 'HU', 'IE', 'IM', 'IS', 'IT', 'JE', 'LI', 'LT', 'LU', 'LV', 'MC', 'MD', 'ME', 'MK', 'MT', 'NL', 'NO', 'PL', 'PT', 'RO', 'RS', 'RU', 'SE', 'SI', 'SJ', 'SK', 'SM', 'UA', 'VA');
So, as you can see, this is certainly doable; and since local privacy laws might also change, we would probably need to maintain a list anyway.
It might simply be easier to show the consent dialog to everyone, regardless of where they are located. Micromanaging this stuff is certainly no fun.
2: Storing the consent
To store the consent that we obtain from users, we can use a MySQL database table. The table should contain a field for the IP address of the user at the time, as well as a field to keep the consent id—it might look like this:
CREATE TABLE user_consent (
consent_id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
ip_address VARCHAR(45) NOT NULL,
time_of_consent TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
Note. The ip_address field should be large enough to store an IPv6 address.
3: Allow users to handle their consent
You should create a modal, or ideally, a separate page where the user can handle their consent.
Modal overlays has a tendency to cause usability problems, so I would personally go with a separate page.
The idea is to make it easy for the user to revoke their consent. A visible link to the page should be placed somewhere, probably in a header or a footer element on our pages.
4: Custom set of ad technology providers
To live up to point 4 with AdSense, we should go to our AdSense controlpanel and select the ad providers that are most often used. AdSense has provided a list in a .csv (comma seperated values) file that can be opened in Excel or Libreofice calc.
You should note the ones with the highest revenue, and then manually select them on the "Custom set of ad technology providers" within AdSense. This ensures that your providers does not change without you actively changing them.
Then, to include them in your consent dialog, make a simple .json list, and load it with JavaScript or PHP.
In order to allow the user to deselect individual ad providers, we probably need to use some sort of AdSense API - I have not been able to find out exactly how yet.
5: Avoid take-it-or-leave-it terms
Obviously, this is not always possible, since we are legally required to obtain consent if we use AdSense.
We can not just ignore the law if a user dismisses the consent dialog, and then include our ads anyway; and we also can not remove the ads entirely, since we need to make money.
Luckily, with AdSense, we can also show non-personalized ads to users who does not give their consent; note that consent to cookies might still be required, as cookies might still be used to serve non-personalized ads (this might fall under legitimate interest?).
To show non-personalized ads when a consent is not given, we can call the following piece of JavaScript:
function requestNonPersonalizedAds () {
(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds=1
}
As you can see, this would be easy to invoke by the click of a button. If a user changes their mind, and gives their consent, we can call this one instead:
function requestPersonalizedAds () {
(adsbygoogle=window.adsbygoogle||[]).requestNonPersonalizedAds=0
}
A big thank you to Google for making their documentation easier to understand!
Ads personalization settings in Google’s publisher ad tags - google.com
Note. Disabling personalized ads might cause a drop in revenue of 52% on average. Google ran a test where they disabled personalized ads for some publishers, and found that it could cause a drop in earnings for as much as 75% in the worst cases; you can find the test here: https://services.google.com/fh/files/misc/disabling_third-party_cookies_publisher_revenue.pdf
An alternative to to doing this might be to ask the user to pay a small fee to access the site, but that might also exclude search engines from crawling the site properly.
Whatever we do, there seems to be no easy solutions.
Tell us what you think: