Google’s AMP Project announces new consent component ahead of GDPR compliance deadline
Development of a new Accelerated Mobile Pages (AMP) component enabling publishers to acquire user consent is underway and accepting comments.
With the deadline for the General Data Protection Regulation (GDPR) fast approaching, Google’s AMP team has announced a component to enable publishers to surface a user consent notification for sites using the mobile-friendly framework.
From the announcement:
The features to be launched include the ability to show choices in user interface notices via “accept” and “reject” semantics, and configuration of AMP element behaviors in response to users’ choices.
The GitHub issue page details the component’s format and configuration options, along with future feature suggestions. The issues surrounding GDPR consent and compliance are complicated, including the need to acquire per-usage consent (e.g., publishers need to acquire separate consent for users being tracked for both first-party and third-party purposes). For that reason, the project team is encouraging publishers and vendors to participate in the component’s development so that support will be available for as many integrations as possible. They particularly note existing support within AMP for these types of features and state that user consent may need to be obtained before loading them:
AMP supports over 100 vendor-provided capabilities ranging from analytics to ad tech to video players and other kinds of content embeds. As a publisher, if you want to ensure your vendors integrate with AMP’s user control features, please encourage the vendor to engage with the AMP Project.
The proposed format is relatively straightforward, as shown in the sample code image below, but it may become a bit messy for publishers needing to acquire many different types of consent for analytics, tracking and ad tech that may be present on their sites:
It’s important to note that for now, GDPR compliance applies only to EU citizens visiting a publisher’s site. However, you’ll want to understand how that goes beyond mere country detection, as EU citizens not physically within the EU are protected by GDPR wherever they are.
In a conversation at IAB’s annual leadership conference earlier this year, Matthias Matthiesen, IAB Senior Manager, Privacy and Public Policy, noted that because of the intricacies of compliance, many publishers and organizations coming into compliance are taking a “GDPR everywhere” approach because parsing out consent for users “of unknown citizenship” is actually the more complicated path.