
Upcoming EU ePrivacy Regulation

Travis

6:45 pm on May 11, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Initially scheduled to be enforced at the same time as the EU GDPR, the EU ePrivacy Regulation is an evolution of the ePrivacy "directive".

[ec.europa.eu...]

One of the recurring concerns of web publishers being cookies, here is the proposal:
Simpler rules on cookies: the cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The new rule will be more user-friendly as browser settings will provide for an easy way to accept or refuse tracking cookies and other identifiers. The proposal also clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g. to remember shopping cart history) or cookies used by a website to count the number of visitors.


So, if I understand correctly, we will no longer have to bother about cookie consent banners; this will be addressed by the web browser itself... at least it seems to be the idea. I am sure that when it comes live, this will not be that clear :)

No idea when it turns final, and when it will apply. Since it was initially scheduled to be released at the same time as the GDPR, I would guess that it can come live in the upcoming months; on the other hand, if it's like the GDPR, it took 2 years before the final text and the enforcement.

I wonder if Adsense will come with a cookie-free ad system, being the proof they can do without it ...

Travis

9:32 pm on May 11, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month




- browser settings should disable cookies by default.
- both the European Parliament and the Council agree on the necessity to implement by default “Do-Not-Track” mechanisms in browser settings.
[lexology.com...]


About the Do-Not-Track, the funny thing is that Chrome has DNT by default, if I'm not mistaken, but this is not preventing Google from tracking users through Adsense or Analytics :)

keyplyr

9:43 pm on May 11, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Been compliant with the EU ePrivacy Regulation along its several updates.

Even though I don't track users (neither on my site nor after they leave) I support the DNT headers and display my Do Not Track Compliance Policy linked from my Privacy Policy.

I see at least three bots request the DNT file every single day. Two from large EU ISPs, one from a security company, presumably for their corporate firewall clients, and a couple times per month from Googlebot.

Travis

1:11 pm on May 15, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



The proposal also clarifies that no consent is needed for non-privacy-intrusive cookies improving internet experience

The cookie set by Adsense for non-personalized ads should be in this category.

RainMeetsSun

9:33 pm on May 15, 2018 (gmt 0)

5+ Year Member



Waiting for this does not seem like an acceptable solution, when GDPR day is fast approaching and Google's new contract terms specifically say Google product users (Analytics, Adsense, DFP, etc.) must gain consent, allow consent rejection/acceptance, and manage a list of consent for using cookies.

So what should people do? The third party solutions are technically complex and do not have cookie consent, cookie rejection, or a consent list, without diving into a bunch of software engineering, JSON, database calls, geolocation, etc.

Travis

9:51 pm on May 15, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



Waiting for this does not seem like an acceptable solution,

If you disable interest-based ads for EU visitors from your Adsense dashboard, the cookie dropped by Adsense is a non-tracking cookie, with no personal information being recorded (claims by Google). As a result, it's no longer covered by the GDPR. However, it's covered by the ePrivacy "directive". The ePrivacy "directive" has existed since 2002, was refined in 2009, and concerns only EU businesses. So if you are an EU business, you have already had your cookie consent procedure set up for 9 years; if you are not an EU business you are not (yet) concerned (in the case of non-personalized ads).

Things will change with the "upcoming" ePrivacy "Regulation", which will replace the "directive", and this time it will concern all businesses, inside and outside the EU, but cookie consent should be handled by web browsers themselves.

This is my reading and understanding of all this.

The best thing is to write to your national regulator, if you are an EU business, or to the UK ICO: [ico.org.uk...]

Shaddows

3:42 pm on May 16, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For those not familiar with EU arcana:

A Directive is an instruction to National Governments to pass a consistent law, which will then be enforced at a National level. National courts refer to the national law. The CJEU rules on whether the National law is consistent with the Directive, not on whether the case is in direct breach of EU law.

A Regulation has direct effect in the EU. National courts refer to the EU Regulation directly, and it supersedes national law where there is a conflict. CJEU judgements are on the case itself.

I'm quite interested in how the Google situation works out in practice. The website definitely has the "relationship"* and Google is clearly a controller. But my reading is that you can't collect consent on behalf of the third party (Google)- any consent is just to provide PII to the third party. But then, I suppose, Google can do what they like under "legitimate interests" and subject to Art 14 [gdpr-info.eu]. I note that Art 14(5) contains exemptions that are missing from Art 13 [gdpr-info.eu] (the equivalent rule if the data is collected directly).

*The word "relationship" crops up a lot in the law, as written. See for example Art 6(4)(b):
    the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller;

Travis

9:59 am on May 17, 2018 (gmt 0)

5+ Year Member Top Contributors Of The Month



how the Google situation works out in practice.

I forget her name, but a representative of the EU went to meet Internet Giants of Silicon Valley, regarding the questions of the GDPR, and she was impressed (negatively) seeing how these companies had battalions of lawyers tracking everything in order to bypass the state of the mind of the regulation.

QuaterPan

8:51 am on May 24, 2018 (gmt 0)



This ePrivacy Regulation will be the end of Adsense, and more generally of ad networks (unless they change the way they work).


The draft stipulates that when the browser (or a new update) is installed for the first time, users must "set" whether they accept cookies and, if so, what kind of cookies. Since 90 % of users will choose a restrictive setting, thus in particular not allow third party cookies, "the regulation effectively shuts off the device" (according to VPRT, the German Association of Private Broadcasters and Telemedia). The regulation does not provide for an automatic mechanism which, with the user's subsequent consent, releases the browser. In fact, this means that cross-domain tracking and the storage of information about the end device by third parties are prohibited. Retargeting models are virtually impossible to implement.
[eprivacy.eu...]

QuaterPan

10:58 am on May 24, 2018 (gmt 0)



Thinking about it, I realized that this ePrivacy Regulation will also end affiliate programs. If nearly everybody blocks cookies at the level of the web browser, then it will no longer be possible to know where users are coming from, and so affiliates will no longer be credited for sales/leads!

Shaddows

9:45 am on May 25, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Session cookies are necessary to make baskets work.

No reason not to tie the affiliate referral to the session cookie- at least if they complete on their first visit.
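Putting keyplyr's DNT support (above) and Shaddows' suggestion of tying the affiliate referral to the session cookie together, here is an added Python example; it is not code from any poster, from Google or from any cookie-consent product. One first-party session cookie is always set (the basket needs it, and it carries the affiliate referral), while an ad-preference cookie is set only when the session records consent and the request does not carry `DNT: 1`. The cookie names, the in-memory session store and the `ref`/`consent` query parameters are constructed for the example.

```python
from http import cookies
from urllib.parse import parse_qs
import secrets

# Hypothetical in-memory session store: session id -> session attributes.
SESSIONS = {}

def plan_cookies(headers, query_string):
    """Return (list of Set-Cookie header values, session record)."""
    h = {k.lower(): v for k, v in headers.items()}
    dnt = h.get("dnt", "").strip() == "1"
    jar = cookies.SimpleCookie(h.get("cookie", ""))
    params = parse_qs(query_string)

    # Essential session cookie: the basket needs it, so it falls under the
    # "no consent needed" category; it also carries the affiliate referral so
    # the affiliate is credited without any third-party cookie.
    sid = jar["sid"].value if "sid" in jar else None
    if sid not in SESSIONS:
        sid = secrets.token_urlsafe(24)
        SESSIONS[sid] = {"affiliate": None, "consent": False}
    session = SESSIONS[sid]
    if "ref" in params and session["affiliate"] is None:
        session["affiliate"] = params["ref"][0]   # first-touch attribution
    if "consent" in params:
        session["consent"] = params["consent"][0] == "yes"

    out = cookies.SimpleCookie()
    out["sid"] = sid
    out["sid"]["path"] = "/"
    out["sid"]["httponly"] = True    # not readable by page scripts
    out["sid"]["secure"] = True      # HTTPS only
    out["sid"]["samesite"] = "Lax"   # still sent on the top-level click from the affiliate link

    # Tracking cookie: only with recorded consent AND no DNT: 1 header.
    # A DNT signal overrides consent given earlier and expires the cookie.
    if session["consent"] and not dnt:
        out["adpref"] = "personalised"
        out["adpref"]["path"] = "/"
        out["adpref"]["secure"] = True
        out["adpref"]["samesite"] = "Lax"
        out["adpref"]["max-age"] = 30 * 24 * 3600
    elif "adpref" in jar:
        out["adpref"] = ""
        out["adpref"]["path"] = "/"
        out["adpref"]["max-age"] = 0  # tell the browser to delete it

    return [m.OutputString() for m in out.values()], session
```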

QuaterPan

11:05 am on May 25, 2018 (gmt 0)



No reason not to ...

Agreed, but there is also no reason to set a cookie, for just displaying an Adsense ad, and still Google does it... So you know ...

QuaterPan

11:38 am on May 27, 2018 (gmt 0)



Additional reading - [script-ed.org...]

QuaterPan

9:00 am on Jun 14, 2018 (gmt 0)



I was thinking, if the ePrivacy regulation really delegates the cookie consent procedure to the web browsers, will we really be free of this? Because it will be only for "new" versions of web browsers; what about old browsers, which are not updated? (There are all kinds of reasons to continue to see old browsers.)
Does it mean that web publishers will have to identify the browser version, in order to continue to display a cookie consent to old browsers?

Shaddows

9:09 am on Jun 14, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Depends on the law, whether it is permissive or restrictive.

Given the GDPR, it seems likely to be restrictive- probably to the effect

"You must not serve cookies unless you have permission. Permission may be granted by explicit consent at the site or browser level"

In which case, yes. But User-Agent detection is trivial- especially in the age of RWD.

keyplyr

9:38 am on Jun 14, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There's still the issue of secure data storage and the user's right to request all PII collected... none of which are changed if the browser handles cookie consent or not.

QuaterPan

10:23 am on Jun 14, 2018 (gmt 0)



There's still the issue of secure data storage and the user's right to request all PII collected... none of which are changed if the browser handles cookie consent or not.

Of course, since it's two different regulations...

Shaddows

10:38 am on Jun 14, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Indeed.

Collecting PII is easily the least onerous part of the GDPR, though the most visible. The hardest parts are
  • Right to Access (Art 15) [gdpr-info.eu] - Including, for example, any emails you have exchanged with the Subject, or internally about the Subject, or Instant Messages of same
  • Right to Erasure (Art 17) [gdpr-info.eu], including when not to comply, and encompassing backups
  • Right to Portability (Art 19) [gdpr-info.eu] Drafted without exemptions. We have no idea how we will comply with the spirit of this. To the letter, we are just sending everything in html, .pdf, and various Office formats
  • Security by Design and Default (Art 25) [gdpr-info.eu] - which I would read as requiring encryption everywhere
  • Record-keeping (Art 30) [gdpr-info.eu] - The most onerous part of all
  • Security of processing (Art 32) [gdpr-info.eu] - Explicitly including encryption and pseudonymisation, plus resilience (the needs of which sit oddly with "minimisation" and non-retention provisions)
  • Impact Assessments (DPIA or PIA) (Art 35) [gdpr-info.eu] - Oh look, something the Big Business lobby inserted to screw over Small Business

keyplyr

10:40 am on Jun 14, 2018 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just reiterating the data storage issue again since so many just see privacy as having to do with cookies.