GP - EU user consent policy

edited July 2015 in General Discussion
Hi guys,

I received an email:

Dear Publisher,


We want to let you know about a new policy about obtaining EU end-users’
consent that reflects regulatory and best practice guidance. It
clarifies your duty to obtain end-user consent when you use products
like Google AdSense, DoubleClick for Publishers, and DoubleClick Ad
Exchange.


Please review our new EU user consent policy
as soon as possible. This requires that you obtain EU end users’
consent to the storing and accessing of cookies and other information,
and to the data collection, sharing, and usage that takes place when you
use Google products. It does not affect any provisions on data
ownership in your contract.


Please ensure that you comply with this policy as soon as possible, and not later than 30th September 2015.


If your site or app does not have a compliant consent mechanism, you
should implement one now. To make this process easier for you, we have
compiled some helpful resources at cookiechoices.org.


This policy change is being made in response to best practice and
regulatory requirements issued by the European data protection
authorities. These requirements are reflected in changes recently made
on Google’s own websites.


Thank you in advance for your understanding and cooperation.





Regards,

The Google Policy Team



How exactly are we supposed to implement a mechanism for user consent?
«1

Comments

  • There is sample consent text for apps at https://www.cookiechoices.org/. You can use the existing EULA for this, although there is no provision in Andromo to limit that geographically. You will either need to ask consent from all users, or you may prefer to make separate apps, and only make the version that asks for consent available in EU countries.

    I've created a ticket so we might look at adding a geographically restricted option for EU consent in the future, however we have no immediate plans to do so at this time.
  • edited July 2015
    This might be a bit more serious issue than it looks like on the first glimpse (btw, I was just about to open a ticket about this EU nonsense).

    While the EU users will get accustomed to this idiocy, the rest of the world won't know what the hell is happening, and they'll think that it's some kind of a spying thing (trust me, you can not believe how 'funny' some of the users are). The recommended message for us to include is:

    "We use device identifiers to personalise content and ads, to provide social media
    features and to analyse our traffic. We also share such identifiers and other
    information from your device with our social media, advertising and analytics
    partners."

    This would drive me away instantly. So, what we are looking at here is another "GET ACCOUNTS" saga, where (when & while introduced) the earnings plummeted by 50% in a couple of days.

    I think it's critical, that somehow this consent is limited to the holy folk of EU only. Otherwise, I'm sure, without a slightest doubt, that our earnings will fall badly (I predicted the fall with GET ACCOUNTS and I was not wrong, we predicted the fall in earnings when "Require several interactions before showing an interstitial ad" was temporarily removed, and it happened).

    I kindly ask you to research this issue and see if there is a way to identify EU devices so only they see them. If there's anything I can do to help you, I will, whether you need man hours or anything else.

    @lorne, please give this a bit more thought. Thanks.
  • By the way, what about Google Analytics, do we also need to disclose that if we are using it? Link: http://www.google.com/analytics/terms/us.html (7. Privacy). This looks like a worldwide requirement, or? What do you guys think?
  • and what did I have to do If I use no ads and no anayltics?
  • edited July 2015
    @stephyap: I think that you don't need any consents from the users in this case.

    Btw, I'll ask my account manager at Google what is her recommendation about this "EU user consent policy" and if it's anything useful, I'll report back.
  • thxs Hendrixs
  • This new 'EU user consent policy' nonsense sucks! We need a solution. Users will be put off by the stupid message and won't install the App let alone use it.
  • We better keep our eyes open. Maybe worth checking how top publishers implement this.
  • @anteos: Yeah, that could be a good idea, let's just hope, that they implement this quickly. :)

    I'm on a vacation, but I'll try to message my account manager tomorrow. The internet connections here are terrible and I'm away for most of the day anyway.
  • I've sent the email and I'm waiting for a reply. However, let's keep monitoring how the top publishers will implement this "user consent" and see what would be the least intruding way to do this. I already see people talking about limiting the message to EU only because of various concerns.
  • I got an email saying that yes, if we use Admob / Analytics / other similar Google products, we need to obtain a consent from the user (only in EU region). We need to make clear that the identifiers are shared with third parties and explain why. She then directed me to cookiechoices.org.

    @lorne: On cookiechoices.org there is a sample code for the consent. Maybe we'd need it in Andromo as well? I guess that when Google will scan for this piece of code in apps they'll want to see it or else they'll think that the consent is not present.

    Also, it's probably critical, that the consent is shown to EU users only. Otherwise we risk driving our other users away and a large increase in bad ratings. That will hurt our earnings and our business.
  • edited August 2015
    @hendrixs: the sample code listed there doesn't actually limit it to EU countries, it just does what our existing license text option does. It says this in the text after the code:
    Note that it does not distinguish EU visitors from non-EU visitors, so all your visitors will see the
    notices unless you add your own geographic restrictions.
    We're currently discussing an option to show the license text only in the EU. The question is what method we will use to detect the location or origin of the user's device, and whether additional permissions will be required. Adding location permissions to an app globally just so it can show a license agreement in the EU might also be detrimental to install rates.
  • @lorne: Sure, I'm aware of that, I just wondered if that code actually has to be implemented? We already have a "License Agreement" option in Andromo, but would that alone be enough? I'm sure that Google won't check manually if we comply, but they'll use some kind of code scans and probably they'll search for that piece of code to determine if apps have the user consent message or not.

    OK, I'll keep asking as well about the EU limit option and if I find anything useful, I'll let you guys know.

    Thanks.
  • @anteos: no, they would not just scan for that code, as it isn't even complete code. It's just a very basic example, not intended for use in a real app without modification.
  • edited August 2015
    Just a quick note to let you guys know we're publishing an update (right this minute!) with a new feature to address this.

    We managed to get it implemented without needing any additional location permissions -- just the regular Internet permission is required.

    Unfortunately there still isn't a lot of information out there about what text to show on the notice when you're only using the basic Google services, however we've provided links to the information that Google has made available so far. If anyone finds some better examples, please let us know and we will do what we can to improve the documentation.

  • @lorne
    Your team managed it at ultra high speed, while many seasoned developers I follow still try to find out how.
    Well done for it!
    Personally, I will not use it until I get some notification a little bit more formal. Maybe a GP developer warning message or something.
  • Thank you very much Lorne & Andromo Team!!!
    Awesome as always! =D>

    I just wrote to my admob account mgr and asked, if they could provide me with an example text for the basic google services. I will post, when I hear back from them.
  • @lorne: Respect! You guys are unbelievable! Thank you.

    @sylviathewitch: Nice to see you around. :) Please let us know. I wrote to mine, and while I did get useful info, I didn't ask for a specific text examples. Good idea.
  • Unfortunately my account mgr is on a leave, so I was only able to contact another representative.
    The answers to got:

    1/ I asked if the way of how we determine location and when to show the msg is ok:
    " It looks good to me, the important point is that the message is being shown per session/user."

    Per session? #confused

    2/ I asked if, when using admob, disclosure only is good enough or if we need "disclosure and consent".
    "Unfortunately we cannot advise on the message content and explicit Vs implicit consent for legal reasons: you can find everything on the official online material: http://www.cookiechoices.org/

    Ok, not really helpful ...

    Lorne, are you a 100% certain, that the use of admob does only requires "disclosure" = Implied?

    Here
    https://www.google.com/about/company/user-consent-policy.html
    google always talks about "... and obtain consent to ..."

    I only would like to make really sure, before starting to update any apps.

    Just in case, that we need "disclosure and consent" for admob and/or other settings in the app, can you please add the feature "European Union countries only (uncheck for Worldwide)" also to the License Agreement?

    @hendrixs: maybe you can check with your admob contact once again? As I said, my "real" contact isnt in the office until the end of August. My main concern is Does the use of admob requires "disclosure only" or "disclosure and consent"? Thank you :-)
  • @sylviathewitch

    Lorne's away at the moment, so he can't respond, but we've discussed the feature and I'm aware of all of the implementation details. At this point the only information we have to go on is the information in the links you've pointed to, and feedback that everyone's provided.

    Our code is based on the Android sample shown on cookiechoices.org (with the addition of location detection). Their example is not session-based, nor does it show an accept/decline style of a dialog. It reads a flag as to whether or not the dialog has been shown already, and sets that flag when they close the message.

    If anyone has any further information that says otherwise, your feedback is always welcomed.
  • Sorry, I was a bit busy for the last few days.

    @sylviathewitch: Now that you mention it, I'm starting to think, that I too won't get any specific text examples, because they all point us to cookiechoices.org website and to the "What do I put in my consent message?" part. I think they want to avoid giving "legal" advice.

    However, I can ask her about the "Does the use of admob requires "disclosure only" or "disclosure and
    consent" part.

    Anything else, maybe, before I write the email? @lorne? @darryl?
  • @darryl,

    Ok, I asked the admob rep again if admob requires disclosure only or disclosure and consent and here is the reply:

    "For
    the disclosure & consent piece, we recommend that all of Google’s
    advertising partners get consent to cookies from EU visitors - so yes, I
    would add both to be safe."

    Can you simply please add the "European Union countries only (uncheck for Worldwide)" functions to the License Agreement as well?

    This way we can choose to either obtain the consent or not.

    Thank you!!

    @hendrixs
    Would be great to hear a second opinion from the admob team. Looking at the wording in the reply (be safe of WHAT? google? the EU? user complaint?), I don't have the feeling, that the admob rep is dead certain about this issue.

  • @hendrix, @sylviathewitch

    The information at http://www.cookiechoices.org/ uses the term "consent" everywhere however their code example is just a disclosure type, and is not an "Accept/Decline" style of a dialog.

    We specifically made it a separate dialog based on that example code (instead of using our current license dialog). If they're saying that the example code is wrong, then we'll make the appropriate changes, but we really need to be sure about that before making any additional changes. So my suggestion when speaking to them would be for them to explicitly state whether or not that the example is incorrect or not.
  • @darryl
    I am pretty sure, that we will never hear an explicit "Yes" or "No" from google.
    You saw, the first answer I received (for legal reasons ... bla bla)

    Would it be so much additional work on your end to add the "EU check function" to the license agreement?
    With this in place, we would cover every possible scenario.

    Thank you very much for considering this!

  • Just as some additional information regarding consent, see the following kb section that was written for the feature:

    http://support.andromo.com/kb/common-questions/eu-user-consent#implied-consent-vs-explicit-consent

    @sylviathewitch
    In the end we want what's available to be correct and follow their rules. Once a feature's added, it's difficult to remove/change in Andromo, and does throw a wrench into what has been already implemented. While I understand them not wanting to provide legal advise as far as the message goes, they should be able state whether the dialog is incorrect or not. I have to say, I'm not very confident given the hesitation in the rep's responses. Any type of update to Andromo is time consuming, so it's not something we like to do without good reason.
  • I'll read everything again and send an email tomorrow to my AdMob rep. However, based on @darryl's reasoning, I'm pretty sure that we are covered. :) (the consent is based on Google's example code)
  • This is from another forum - member asked his rep for a suggestion:

    Q: Can you suggest how to phrase the consent message within an app?

    A: Just like with the desktop and mobile web consent messages, it will
    largely depend on your own uses of cookies and other information, and
    the third party services you work with. However, we can give you some
    pointers. Here is a sample message for an app:



    “We use device identifiers to personalise content and ads, to provide
    social media features and to analyse our traffic. We also share such
    identifiers and other information from your device with our social
    media, advertising and analytics partners. [See details] [OK]”
  • Did anyone start implementing the Cookie consent message? If yes, will you use the default texts?

    I'm thinking about using a "softer" versions of the recommended text, something like "We use Google AdMob and Google Analytics which use device identifiers to personalize ads and analyse the traffic. These identifiers and other information is shared with advertising and analytics partners."

    What do you think? @anteos, @sylviathewitch? Anyone else?
  • There may be a small problem with the Cookie consent.

    1) I'm in the EU and if I check the "European Union countries only (uncheck for Worldwide)" option, I don't see the message. If I uncheck it, then I do.

    2) Google recommends to add "See details" for further information (http://prntscr.com/8f3ps7). I did that via HTML link and when I click it, the app crashes. It crashes on my physical device and it crashes on Genymotion as well.

    @lorne @darryl - what if you guys could add a URL form to Launch Notice (http://prntscr.com/8f3qjy) where we could add our Privacy Policy link? Or just make the HTML code work in the notice?

    Thanks!
  • I have not done anything about the cookie law. Some developers never received the email, something is weird with it. I will wait a little more.
    However, I plan to add a softer version as you did, when I implement it. After all, it is not us who collected the data.
Sign In or Register to comment.