Sally, thanks for calling attention to GDPR, an important topic that isn't getting sufficient attention, particularly not in the US. I've taken the liberty, as a mod in Google SEO News, of broadening your title, originally focused on anticipated trouble for Google Ads, making several edits and additions, and also of moving this thread to a more general forum. For reference...

Your original title and description...
More Ad Trouble Ahead For Google
- GDPR to limit data collection

The Huffington Post article you've cited is an excellent introduction to the data collection and privacy concerns that have motivated the current situation and EU's new regulations.

Here are several additional references to get into some of the details of the Regulations, which will affect webmasters and web marketing in significant ways.

For one, we currently have an excellent discussion here in our Analytics forum. The thread title should be self-explanatory....

EU GDPR (General Data Protection Regulation) and Analytics cookies
How will this affect webmasters?
https://www.webmasterworld.com/analytics/4877103.htm [webmasterworld.com]

The discussion goes into a lot of the concerns about operational questions raised by the law and how they might affect webmasters.

Also, here's a Business Insider article interviewing a privacy expert, which I've felt was particularly good in explaining what marketers need to know about the law and discussing some strategies. I'd call the article a "must read"...

Marketers need to comply with coming European data law or risk fines
Business Insider - Oct. 4, 2017
[businessinsider.com...]

A web privacy expert lays out everything you need to know about the new rule that could upend the marketing business....

- European regulators will start cracking down on the use of data for web ad targeting starting next May.
- Any digital media company or ad tech firm doing business globally will need to make adjustments or risk major fines, says web privacy expert and Evidon CEO Scott Meyer.
- "Somebody is going to get strung up really fast."

To give an idea of the language of the law, here's a quoted section from the GDPR language on consumer data consent:

Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

The article points out how unprepared many marketers are for these new regulations. Not all US businesses need to be concerned, but some doing business internationally should be. As I've said, I think the article is worth a careful read.

I can't resist mentioning that one of the other articles I chanced to read today was a fairly long overview in a major online marketing publication about the importance of personalization in 2018... but with absolutely no mention of GDPR on the horizon, which could have a significant effect on those predictions.

Here's a link to the UK's ICO. It appears there is no US equivalent to compare it to, but they are responsible for policy in regards to data handling (a wider remit than GDPR):
Guide to the General Data Protection Regulation (GDPR) [ico.org.uk]

Key Terms
Data Subject - The visitor
Data Controller - The entity the visitor intends to interact with
Data Processor - Any entity doing anything useful with the data
Personal Data - Anything that can be conceivably used to identify a person. Includes email addresses, IP addresses and the obvious stuff like names, street address, unique official references (Social Security number, National Insurance number, passport number, etc)

While Facebook and Google might be facing problems (and analytics and re-marketing for all EU-serving sites will be affected), consent is by far the weakest reason for justifying data-processing. Try these:

Grounds For Collecting Data
Consent [ico.org.uk]
You ask, they give. Be explicit. Also, Avoid.

Contract [ico.org.uk]
Data processing essential to a contract. This is a good one for ecom - but excludes remarketing or analytics.

Legal Obligation [ico.org.uk]
Possibly applicable to ecom, especially for Export and tax reasons. I would also argue that some Consumer Law requires evidencing of comms to consumers. You would need to keep the contact info to prove you sent it to an appropriate place.

Vital Interests [ico.org.uk]
Not my remit, but only for life and health. And only then when "Consent" is not possible.

Public Task [ico.org.uk]
Generally, you are part of the State, or a contractor for same.

Legitimate Interests [ico.org.uk]
IANAL. But this one is for you. Certainly it is for Big Data. Look what it covers:

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Obligations under GDPR
So you have collected data for a legitimate reason, probably without needing consent (either explicit or unambiguous, depending on how sensitive). Easy right? Wrong!

Now you have obligations. Some of these are onerous. Be afraid, very afraid...

Right to be informed [ico.org.uk]
Easy. This is a privacy notice. No problem.

Right of access [ico.org.uk]
Without delay, and no more than a month after request, you must present all data, free of change, and without breaching anyone else's privacy. Across your organisation, and within any partner organisations. I suggest mining your own data automatically, and having a utility that displays it to a customer behind a login, on request.

Right to rectification [ico.org.uk]
If you have done the above, then rectifying should be easy.

Right to erase [ico.org.uk]
Be aware this is not a universal right. But it is for anything gained under "consent" - think of the nightmare of IPs and analytics.

Right to restrict processing [ico.org.uk]
Basically like Erasure, but when you are not obliged to erase. You can't touch it. Pseudonymisation is the way forward, IMHO.

Right to data portability [ico.org.uk]
"It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability."

Right to object [ico.org.uk]
As far as I can tell, this is effectively the same as Right to restrict Processing, but includes making use of data.

Rights in relation to automated decision making and profiling [ico.org.uk]
This apparently requires consent. Good luck to airports. Or indeed concert organisers.

Grounds Vs Obligations
Some grounds for data processing mean you do not have to undertake all obligations. For example, on the "Legal Obligation" grounds, you are not obliged to Erase or Port data.

For a Pro Vs Con breakdown, see this table. [ico.org.uk]

It appears that Google <and Facebook> will be required to change their TOS.

OR...

It appears that residents of the EU may be required to use something other than google <and Facebook> in the near future.


Also, likely coming soon from the EU: Residents of the EU will no longer be required to buy one in order to get one free...

This whole thing confuses me a lot. I've tried to read whatever I could, but I'm still confused. I have 2, ok maybe 3 basic questions, I fear the answer to both is "maybe".

Does this apply to websites outside the EU?

Does this apply only to ecom sites?

Does it apply to an ad supported info site?

Does this apply to websites outside the EU?
Yes- it affects any website that captures personal data, if that site is served in the EU.

Does this apply only to ecom sites?
No. Any site that captures an IP, or drops a cookie will be covered. IANAL, but I would be relatively relaxed* until you start collecting explicit data, such as email addresses.

Does it apply to an ad supported info site?
Yes, if you drop a cookie. You might not need consent for this any more- see my above post (3rd in thread) about "legitimate interests" which covers commercial interests.

As I've said elsewhere, it's not the collecting that is the problem- it's the obligations you then have. Especially the Right to Access, and the Right to Erase.
________
ETA
*Relaxed, because you are likely to receive very few demands on your obligations. And if you did receive a request, you could almost certainly interrogate your own system to present the data. 3rd Party analytics, or remarketing widgets, may present a problem with Right to Erase.

We will be making some changes to our website as a result of this, mainly around cookies the retention of IP addresses and specific privacy policies and others.

Thanks Shaddows

When it comes to EU "stuff" I always go and see what "they" have done to conform since if it's good enough for them then a slight modification, if necessary, is good enough for me:

Cookies, note that they do not use a pop-up check box:

[europa.eu...]

Legal notice, note they do not have Privacy but Personal Data Protection:

[europa.eu...]

On this page there is also a submittal form for enquiries which states The collection of only email as a means to communicate with the European Commission does not fall under Regulation 45/2001 on processing of personal data. and contains a link to this Regulation which is a 22 page.pdf.

Regulation 45/2001 is an internal regulation for the EU, and how it handles it's own data processing. Unless you are an EU Institution, it has zero bearing on you.

As I say, the cookie popup is deprecated as it is covered by "Legitimate Interests". You just need to talk about it somewhere.

Besides the "legal notice" link, they have a separate link about Analytics [europa.eu]. That is probably more the info you are required to disclose.

Staying Off Grid
Rather than comply with DP rules I much prefer to not fall foul of them in the first place. This was the case with existing rules and I would like to do the same with GDPR.

This time it seems a bit more difficult, as there is much FUD, and there there are many holes with GDPR. Contact I have had with ICO and other organisations does give vague and conflicting views. The following is my interpretation of it.

Skateboard Scenario
Assume fictional skateboard fan site

"Eudemonic Boarders"

(side note: It's taken me about 5 minutes to invent an "acme" example site. There are just too many sites out there!)

At it's basic level the site is just a forum and runs a monthly newsletter. There are no sales, no reason to collect names, addresses or telephone numbers. The only PI could be IP and email addresses. The task is to try and avoid GDPR ...

The site's first two visitors are "Gnarly Dude" and "George North 275". Both signup for the forum. They enter their email addresses:

gnarlydude1885 at somefreeemailsite dot com
georgenorth275 at wernaham-hogg dot co dot uk

When they visit the site they do so to read the forum. There is no sales or marketing. There are no analytics.

What PI?
Forum Database Email Field:
If gnarlydude joined first then there is no email PI. gnarlydude1885 can not identify anyone at all so there is no PI in the email part of the DB.

Only when George North joined did this then become PI because the EU rules state that a business or work email that has your first and last name in it makes it PI.

Presumably this would be the same for any forum username. If gnarlydude registered his forum name as Gnarly Dude and not something like "Travis D Garrett" (I gave up trying to find a fictional real name :-) so apolgies to any existing Travis D Garrett") then presumably that then makes the database PI, whereas it previously was not.

So if you wanted your forum database being GDPR exempt you have to ensure that no-one enters an email address like:

firstname.lastname at companyname dot com

which is stupid because something like

firstname.lastname at freeemailhoster dot com

does not constitute PI !

Now when george north registers he uses

georgenorth275 at wernaham-hogg dot co dot uk

But does that really identify him? Could it be that wernham hogg has 275 george north's working there?

IP Address:
The site does not do analytics. The IP address is used purely for administration purposes such as:

Site bandwidth monitoring / speed optimisation
Site security (using RBLs to detect and block spammers)
Site security (checking one user does not share his / her forum password with other users)

Does that make it GDPR exempt? It surely can not after George North registers. Prior to that all IPs were from anonymous users or bots. Even when Gnarly Dude joined his IP was for a non PI email address.

Now that George North has registered we know that his IP is being used for this account

georgenorth275 at wernaham-hogg dot co dot uk

and thus the WHOLE IP list would be identified as PI.

What if George North wants his "site visit data". What would he be required to receive? What if there are many employees of Werhnam Hogg who were skateboard fans and they all accessed the website from the same Werhnam Hogg IP address? How would you determine, which lines of the log file were generated by George North, and which by other employees?

What about data retention? What if you only kept the logfiles for 30 days, or 7 days. or just 1 day? Would you only have to comply for days in which George North accessed the website? What if George North does not visit the site for a month? Can the log file become PI for one month but not another?

Other Contact Conundrum
This is one that that ICO stated earlier today. I asked them about Gnarly Dude and they accepted that his details as is would not be PI because there is no name associated with it.

BUT. If Gnarly Dude ever emailed you and said something like:

>>>>>>>>>>>>>>
Hi Eudemonic Boarders

I love the site to the max!.

Keep up the good work
Travis D Garrett.
<<<<<<<<<<<<<<

then he has mentioned his name and the whole email database now becomes PI because you can personally identify:

gnarlydude1885 at somefreeemailsite dot com is Travis D Garrett

The task therefore is to make NO connection at all with the name and the email. If you used a contact us form for gnarly to contact you, and that contact form stores the senders email and message body (which in this case contained his name) then you have just tripped PI.

But how would this work with the contact form sending an email to the admins inbox? It is still an electronic listing stating gnarley's email and name. If this now makes it PI what happens if you delete the email immediately, after a week, after 30 days?

End Note
Just as with the EUVAT debacle this is a sledgehammer to crack a walnut. Whilst the intention is mostly to keep the techgiants inline and protect the consumer (which I am in total agreeance with), and it is to stop smaller business being cavalier with user data (again: I am in total agreeance), this does seem heavy handed for the much smaller sites, who have no intention to use or store PI and just need some mechanism to do so to make basic forums "work".

Hi,

Good post Frank_Rizzo.

I also have unanswered questions about GDPR.

- When someone post a message at a site, it's common to record the IP address from where the message was posted. In my case, I do not need this IP, so according to the European documentation, an information which is not necessarily, shouldn't be recorded. I don't need the IP, so I shouldn't record it. But, what if one day, a legal action is opened against the poster of a message. I guess that the justice might ask me to reveal the IP address of the poster. So what happens if I don't have this IP ? I don't want to be in trouble. See what I mean?

- I am considering encrypting the IP address (a reversible encryption). So if someone asks to obtain all reference to his IP, then it means that to do so, I need to run a script which will decode ALL lines of the database, in order to find which one match this IP. Which can be very long.

- About people asking you to give them the list of data you have about them. In case, of a registered user, okay, it's easy to present the information. But what if this is a non registered member. For example, someone who wants to know when I recorded their IP. I don't mind giving the information, but,how to know if it's legitimate request? And if we ask the national organism in charge of all of this , it can take days or weeks, before getting an answer on what to to do.

- Like Frank_Rizzo said, there is also the problem if someone send an email. Emails are coming to my personal computer, in my mail software. So can I keep these emails ? Do I have to delete them? What if I print them?

Another worry, about the GDPR is that , I think there will be abuses from individuals. People will start accusing any web sites of not respecting the GDPR to try to hurt them. you dont' like a site, or a site banned you, and you'll start reporting it, it's easy to claim a site is not respecting the GDPR. Without talking about reporting concurrent.

Thankfully I don't live or do significant business in the EU. Unfortunately for the very few people from/in the EU that need our services/information we will be denying them access to the site. We will be sure to let them know that EU regulation is the reason they will not have access to our services/information. Will this cause an avalanche of complaints to the EU governing bodies, no. But if a big player did this it might.

What are the odds a Travis D Garrett turns up! I chose that name purely at random based on a singer and a film character, with a D added for fun.

Agreed IP retention causes a big conflict. It would be possible to run some admin tasks without the IP, or it can be deleted after the admin task is done. e.g. If you use an IDS to block certain traffic you do not need that IP again and thus do not need to log it. This can all be done in realtime so nothing is retained.

But then the Snooper's Charter hinted that site owners were responsible for keeping IP logs, and the EUVAT scheme also requires that you definitely keep IP logs.

Another point. Let's say your site sends an email (user creating an account, resting a password, a contact form, etc ...).. It's going to leave a trace at the level of the mail server. Each mail server logs activity. and the recipient server too. So what about it? even if the message itself is not save, the e-mail addresses will be logged.

I guess that the justice might ask me to reveal the IP address of the poster. So what happens if I don't have this IP ? I don't want to be in trouble.

I think they can only ask for information you have recorded.

On the other hand, there are exemptions for legitimate interests, so you could argue that you need to record posters IP addresses to provide you with a chance of tracing them if required (for example if you get sued over a post, or want to sue a poster in turn).

Thank you graeme_p.

Another point not to neglect is that you are not supposed to store or process personal identifiable information, outside of the European Union.

And a point that no one is seeing is that, processing also means exposing. So for example, let's say you have a PHPBB forum, or other message board. And you have moderators, all across the world. These moderators have access to the profile of members, including their IP address and e-mail. So this is considered exposing the personal identifiable information to third parties , and to third parties who are outside of the European Union, without controlling these third parties.

(This was pointed at the Security Cloud Forum during the Cloud World Expo)