
Study: Google is the biggest beneficiary of the GDPR - kkm
https://cliqz.com/en/magazine/study-google-is-the-biggest-beneficiary-of-the-gdpr
======
tpush
Yeah, I wouldn't trust this source on anything privacy related.

They present themselves as user privacy champions but primarily make money
via, you guessed it, advertisements.

They are owned by Burda, a large German media organization who, again, make
money by advertisement and processing of their users' data.

"We’re breaking new grounds when it comes to developing our business model.
Bringing together targeting and privacy, we are currently testing a technology
which allows companies and brands to show you relevant offers directly in the
browser."[0]

[0] [https://cliqz.com/en/about](https://cliqz.com/en/about)

~~~
rbinv
This is also the company that acquired Ghostery.

~~~
hddherman
And also the company that caused quite a stir when they partnered with Firefox
to carry out a study, which included collecting and sending browser data to
Cliqz servers.

------
davidhyde
The author of this article didn't bother to read even a summary of the GDPR
law. It doesn't matter what the user consents to, you cannot use their
personal data ad hoc. You need to justify its collection, storage and transfer
to the regulator, not the user. This is in contrast to the ill thought out
cookie law where websites could get away with it by irritating consent
banners.

Sort of like, but not exactly the same as, those consent forms you sign when
you go river rafting. They do not legally protect the rafting company from
negligence. In fact, they're almost a waste of paper.

~~~
nwellnhof
> It doesn't matter what the user consents to

That's not entirely true. If a user really consents to being tracked for
advertising purposes, the GDPR allows tracking. Whether the consent banners
inform users honestly about the extent of tracking is another question. I
think they don't.

What's worse is that Google still tracks users by default, even if they never
visited an actual Google property, let alone have a Google account. That's an
obvious violation of the GDPR but Google will probably try to shift the blame
on publishers.

~~~
kruczek
> If a user really consents to being tracked for advertising purposes, the
> GDPR allows tracking.

That's not exactly true either. For the consent to be valid, it must be freely
given - that is:

1\. The user must have a choice to give consent or not give it

2\. The service provided should be the same regardless of #1, unless the
consent is necessary for the service (e.g. consent to store address for
delivery of goods - although in such case this shouldn't really be based on
consent)

Unfortunately many sites either do not give opt out at all, or make it hard to
find it - in such cases consent can't really be considered to be freely given.

~~~
dogma1138
That is not true; you are confusing single purpose with a “valid” purpose from
the user's point of view, which isn’t actually the case. Your business needs can
be just as valid a reason under the GDPR as anything; you do not have to
provide service to users who decline if, say, it affects your ad revenue. The
GDPR cannot force you to provide a “free” service to users.

Consent is just one lawful basis for data collection, business justification
is another one and ad revenue is a perfectly valid reason in which case you
don’t even need consent but just to inform the user.

[https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/)

You can do whatever you want under “vital interests” as long as you feel
comfortable explaining those to the regulator, not the user.

Consent is used often because the current interpretation of most legal experts
is that it shifts the liability to the user; however, this has never been
tested.

~~~
detaro
The parent was responding to a claim that consent works as a base of
processing, and only talking about that base. That other bases can work is
true (I'm personally really curious how this is going to play out for ad-
financed services), but just because they didn't mention it they aren't
"confused" about anything.

~~~
dogma1138
The parent is not correct however you can use consent as your lawful basis and
deny services to users who do not consent under any business justification as
long as you have one.

If targeted ads give you more revenue and you choose to use solely targeted
ads because that's your business model, GDPR does not force you to provide a
free service or a service that generates less revenue.

So no #2 doesn’t have to be as #1 this is confusing things with the single
purpose clause in which case you can’t make X and Y being co dependent.

E.G. while I can perfectly refuse service if you do not accept ads I can’t
refuse to sell you something for not wanting to join my mailing list.

Also, not only is nothing stopping you from having multiple bases for
consent, it’s actually the recommended approach.

~~~
kruczek
Please see GDPR Article 7, §4:

"When assessing whether consent is freely given, utmost account shall be taken
of whether, inter alia, the performance of a contract, including the provision
of a service, is conditional on consent to the processing of personal data
that is not necessary for the performance of that contract."

And then Recital 43:

"Consent is presumed not to be freely given if it does not allow separate
consent to be given to different personal data processing operations despite
it being appropriate in the individual case, or if the performance of a
contract, including the provision of a service, is dependent on the consent
despite such consent not being necessary for such performance."

If:

1\. You ask users for consent

2\. The consent is not strictly necessary to provide the service

3\. You deny the service to users who decline to give consent

Then the consent isn't freely given and therefore invalid.

> GDPR does not force you to provide a free service or a service that
> generates less revenue.

True, but then consent isn't the right basis for processing of data. As you
mentioned, business justification, or "legitimate interests" as GDPR puts it,
is what you should be using.

~~~
dogma1138
Article 7 does not violate what I said; this is a single purpose clause.

Meaning I can't force you to sign up to my mailing list or refuse to sell you
items on my store; the current interpretation of most DPAs is that it doesn't
apply to single purpose processing.

Also again as stated below people confuse the "I agree" button to a GDPR
consent, the fact that there is ok/opt-out UI for GDPR does not mean that they
are seeking consent as their lawful bases but they still need to inform the
user and allow them to opt-out (even if opt-out means that they opt-out of the
service).

Only about half the GDPR popups I've seen were actually worded solely for
seeking consent. Even though they had the agree/opt-out buttons below, the text
itself stated the legitimate interests of both them and their partners in why
they need the data for most things, with maybe a handful of purposes relying on
consent alone.

------
tveita
Oh no, not the smaller advertising trackers.

This is interesting data but I'm not sure it supports the title - It shows
Google's market share in the EU going up a tiny bit, but total tracking goes
down in the same period, while the baseline is probably runaway growth like
the US. Google may be hurt the least, but I doubt they're a "beneficiary" in
economic terms.

It's a shame Project Wonderful just shut down - it felt like the kind of
project that the GDPR should help. There must be a market for content-based,
non-tracking ads that you can put up on any website without GDPR concerns.
Google can and will fill that market, but since they can't lean on their
global panopticon other ad providers can compete on fair terms.

From Project Wonderful's shutdown notice:

> Some advertising networks have held on by adopting more and more invasive
> user tracking, forcing their publishers to sign binding contracts, or by
> trying to train publishers (and readers!) to expect that "sometimes a bad ad
> will sneak through", but that's something we always refused to do. We
> believed - and still believe - that you deserve better. We believed - and
> still believe - in a world where an ad blocker wouldn't be an obvious thing
> to install, because advertising would be good, interesting, and non-
> invasive.

~~~
ucaetano
> Google may be hurt the least, but I doubt they're a "beneficiary" in
> economic terms.

Quite the opposite, if you pass a 20% tax on every company, except for Google,
who gets a 10% tax, it is a beneficiary.

Everything is relative.

~~~
kerng
Yeah, beneficiaries are the end users and their privacy being worth something
now. Which is something that wasn't the case before.

~~~
ucaetano
Probably not, having a few large companies benefiting from it compared to the
rest of the market reduces competition, resulting in a loss to consumers.

------
mattlondon
Is Google the biggest _"beneficiary"_ here, or is it more that a lot of shady
operations were totally shafting people on their data/privacy and so they've
finally had to close down or expose themselves to massive legal risks?

The significant drop in trackers on EU sites reported here (and not a huge
surge in Google trackers on EU sites) suggests to me that it is other
adtech/tracker companies that have lost, rather than google gaining.

Either way, it is good to see some hard figures on tracking being rolled-back
a bit. Now we just need some enforcement to fix the badly-implemented consent-
walls (e.g. slate.com).

~~~
wastedhours
You're not looking for a _surge_ from Google though - they're already the
1000lb gorilla, what you're looking for is the limitation in competition,
which is what's occurring.

As with a lot of EU digital regulations, they're essentially centralising
power to organisations who have the legal resources to either go through the
process (and find loopholes), or the cash to fight it.

A lack of competition in the tracking space won't really mean the practice
will disappear, but that the organisation who has the biggest consent database
will take all the money by default.

I might be biased as a marketer, but I'd prefer to have multiple small
companies who're tracking limited pieces of info about me across different
parts of my web experience (and who may fuck up occasionally), than one huge
company knowing 100% of my information.

(Edit: as a side note, the linked article is doing something shitty with the
scrolling on the site, which is more annoying than semi-targeted advertising
to me...)

~~~
blub
The multiple small companies tracking limited pieces of info about you would
anyway be happy to sell and share that for money, this is partly how those
huge DMP databases are built.

~~~
wastedhours
You can limit that with _different_ legislation though - the data-sharing and
processing parts would do this, without the additional level of explicit
consent which is the stumbling block (requiring scale).

I'm not advocating in favour of tracking, but the effects of enforcing
collecting explicit opt-in consent appears to be centralising power, rather
than getting rid of the industry. I'd rather have implicit consent across
multiple providers (with processing safeguards and data sharing agreements
stating they're only pooling the data amongst their advertisers), than
explicit consent with only one behemoth.

------
virgilp
> Although the number of trackers is decreasing overall, a few large tracking
> operators such as Google receive even more user data.

This won't be a popular opinion here, but... it's actually good news/ what you
observe is GDPR protecting user privacy. You think that Google is bad? Then,
you probably haven't seen the smaller players. With e.g. Mouseflow, you can
literally watch users enter their personal email in your "register account"
field, then change their mind and use a disposable account. Or glean other
kind of sensitive details (passwords too, I think).

------
Angostura
From the final paragraph of the article

> In the end, users should never only rely on laws and regulations such as the
> GDPR to protect their privacy. Instead, they should be aware of who they are
> providing which data to.

Ignoring the fact that GDPR is primarily a regulation ensuring that they know
who they are providing which data to, and ensuring they have a choice about
providing it.

------
ericdykstra
Is there any evidence of GDPR having the desired effect for which it was put
in place? Is citizens' data being protected more than before?

The second-order effects that everyone predicted are already happening (big
tech companies change nothing significant, many small companies shutting
down).

The long-term and unforeseen second-order effects have yet to bear fruit, as
far as I know (please let me know if you've seen anything).

~~~
yardstick
One nasty side effect is some large organisations are shutting out Europe. I
can no longer access several popular US-based sites and instead get messages
about the content not being available in your region. (Most recently:
latimes.com and fox8.com)

~~~
Cthulhu_
That's also fine - was their content worth your privacy? If they can't be GDPR
compliant we don't want them.

~~~
rdlecler1
Maybe you don’t but can you speak for everyone? The poster seemed to think
that was undesirable.

~~~
anoncake
We, the people of the EU, have democratically decided that we don't want them.

~~~
_nosaj
How did that democracy work with articles 11 and 13?

The European Union is the antithesis of democracy. If it wasn't, those
directives would never have passed.

~~~
anoncake
Democracy does not mean that every decision is good.

~~~
oytis
Democracy can also undermine itself. If people "democratically" decide they
don't want free speech or private property, it's not a democracy any more. I
don't assert it's exactly what articles 11 and 13 are doing, but it's a step
in this direction.

------
raziel414
I'm not surprised. I used to work on a team at Google that had to deal with
GDPR (I still work at Google, but on a different team), and we had to get
legal review for a lot of use-cases. For example, we had a backup system that
took snapshots of our user-provided data. If a user requested their data be
purged, should we purge all the backups as well?

Since we had legal counsel in house, it wasn't too terrible. For a smaller
company that doesn't have those resources though, GDPR compliance must have
been a huge burden.

~~~
Angostura
You know what? It's only a huge burden for organisations that process a _lot_
of personal data in a variety of interesting ways.

~~~
Matticus_Rex
As someone leading the privacy program at an organization that doesn't have
that much personal data (relative to most businesses in our industry at least,
and probably overall) and doesn't process it in particularly "interesting
ways," I strongly disagree. The GDPR was and is a huge burden. You can believe
that it's worth it without engaging in the fantasy that it's not burdensome,
but don't deny the reality of the burden.

~~~
Angostura
As someone who was involved in the GDPR work for an organisation that holds
some fairly critical information about people and needs to share it with other
organisations both as Data Controller and Data Processor, it really wasn’t too
bad, mainly because we had already thought quite carefully about privacy and
data security.

As a committee member on a local swimming club, it took about 2 hours.

~~~
Matticus_Rex
There's a huge variance depending on the complexity of the business and how
many different things you do. Most of the variance has little to do with the
shadiness/lack thereof of what you were doing with the data or even how well
it had been thought through. Most of the variance is in how many different
types of things you're doing and how many different data inputs you have.

I've talked to colleagues who do a wide variety of processing for their
controllers in a business with just a few employees, which is paralyzing. The
company I work in is somewhere in the middle. I've also talked to colleagues
at companies who only have a few inputs, and regardless of the volume of input
that seems to be pretty easy.

------
pmontra
Offtopic: am I the only one to see the optical illusion of the 0% line bending
upwards to the left in the "change in the number of trackers per page, by
category, EU vs US"? [1]

[1] deep link: [https://static.cliqz.com/wp-content/uploads/2018/10/trackers...](https://static.cliqz.com/wp-content/uploads/2018/10/trackers-per-page-by-category-eu-vs-us-uai-1032x575.png)

~~~
pantulis
No, you're not.

------
jansan
What I am still missing from Google is a clear instruction that explains how
to adjust the Analytics settings to be 100% compliant with GDPR. The fact that
this is missing made me decide to drop Google Analytics in the foreseeable
future.

------
anoncake
Saying Google is the biggest beneficiary is grossly misleading. Their reach
increased by a whopping 0.9% while everyone else's declined. Even if reach is
the only relevant metric, that's hardly worth talking about.

The actual biggest beneficiaries are the citizens whose data is protected.

------
maltalex
Market share is only part of the picture. What happened to the size of the
market in the EU after GDPR?

------
TekMol
Plus it knocked a lot of potential competitors off the internet.

I know multiple young startups and entrepreneurs in Europe that killed their
projects/ideas because the additional burden of coping with GDPR was too much
for them.

~~~
Cthulhu_
It's not that big a burden - just have an officer and don't collect certain
types of data without the user's consent. If you can't do that minimal amount
of effort and either ensure the user's privacy, or get the user's consent,
then you shouldn't be in the business.

It's like complaining about how new credit card businesses or banks can't just
start up but need a load of compliancy. That was tried with cryptocurrencies
and billions of users' monies was lost due to poor security and scummy
companies.

~~~
pmiller2
You really don’t think having a data protection officer (even if not a
dedicated one) isn’t a significant burden to a tiny business?

------
vbsteven
If I read that graph correctly the number of trackers per page has gone UP 20%
since April in some categories for US visitors.

~~~
akerro
But it went down in the EU, so I guess they need to make more money on
tracking and profiling somewhere else now.

------
lucian1900
Not terribly surprising.

The purpose of GDPR wasn't to hurt large companies, but to protect citizens.

------
stanislavb
Anyone surprised? It was clear since the beginning that that’s going to
happen...

------
kristianc
This was always going to be the case. Google benefits from having a direct
relationship with the customer, meaning that consent is relatively trivial to
get. None of these third party tracker companies have that relationship, so
rely on securing opt ins on a piecemeal basis. This is why a large number of
the third party tracker companies all shut up shop in Europe in the months
before GDPR.

~~~
Drakim
If I go to a random website and they serve third party google ads, I don't
have a direct relationship with Google in that scenario. It's not enough to
say that because I have a gmail account I consent to being tracked all over
the web on every website.

~~~
kristianc
You don’t have a GMail account, though, as there’s no such thing as a GMail
account. You have a Google account, and GMail is bundled in as a service.

FWIW - ‘tracked all over the world on every website’ also comes with some
significant caveats.

~~~
Drakim
Nothing about what you are saying here is related to my point though.

If I use one product of google, it does not mean they have a "business
relationship" that entitles them to tracking me as a third party on random
websites.

And even if it somehow did, I could merely opt to not be part of that, and
neither the website nor google can deny me service for opting out. That's one
of the main aspects of GDPR, you can't make a service conditional on clicking
"I agree" and signing away all your rights.

~~~
kristianc
If you’re using a signed in Google Account or a signed in Chrome Browser,
Google will argue that the tracking is compatible with the services that you
have agreed to as it helps provide a more personalized experience.

~~~
Drakim
But that's not how GDPR works, if I agree to use a service it does not mean I
agree to be tracked for a "more personalized experience".

Facebook is even worse, they track me without me even having any interaction
with them prior.

~~~
kristianc
That’s exactly how GDPR works - Google will say that they are protected under
the legitimate interest exemption.

~~~
Drakim
Really, Google tracks me while I'm visiting a non-Google website (!!!), and
they expect to be protected as having a "legitimate interest exception"?

Unless Google can successfully argue that every action, every step, every
breath I take, is now a business transaction with them because I made a google
account, then they don't have a "legitimate interest exception" for jack shit.

~~~
kristianc
Google is an advertising company and uses legitimate interests as a legal
basis for collection when using personal data for activities such as serving
contextual ads, ads reporting and to combat fraud and abuse. As for the third
party website using third cookies etc to transact with Google, you have a
choice whether to consent to that with the publisher.

~~~
Drakim
By that logic GDPR actually doesn't affect a single company in the world,
because by having an effect on the company, it will impact their legitimate
business interests, and thus they will be exempt from GDPR.

I'm a company that forwards your postbox content to your house, and I also
sell your nighttime movement data that I've harvested from GPS through my
delivery app. Totally exempt from the GDPR since it's part of my core business
to silently sell your data.

------
awkward
I'm surprised at the US number of trackers count - I would have expected some
degree of free rider benefit for US based consumers. Otherwise, the numbers
seem to bear out some consolidation, with web pages giving up trackers but
more likely to hold onto boutique solutions (the ranked <150 group) for
specialized needs.

------
PunchTornado
> The average number of trackers per page has dropped by almost 4% from April
> to July. The opposite is true in the US: there, the average number of trackers
> per page has increased by 8 percent over the same period.

Since when is this a bad thing? I want my page less bloated with 100
trackers...

------
sleepyhead
"WhoTracks.me is a joint initiative of Cliqz and Ghostery. It provides
structured information on tracking technologies, market structure and data-
sharing on the web and thus creates more transparency. On the WhoTracks.me
website, interested parties will find visualized monthly tracker statistics.
They are based on the evaluation of around 300 million-page loads and more
than half a million websites."

Considering IP-address is considered personal information it sounds like this
study is based on data that was illegally collected according to GDPR.

~~~
Vinnl
I'm assuming the data was collected through the Ghostery browser extensions,
which require explicit opt-in to share that data.

------
oh_hello
Outside of the specifics of this article, I've wondered what effect GDPR has
had on smaller companies and even individual developers. My company spent a
lot of time and money to become compliant. Not only was this expensive, but we
relied on lawyers to advise on where we could draw the line for compliance. If
the company were a bit smaller I imagine it would be impossible to tackle this
project.

------
blub
From what I've heard from people with Google and FB accounts, both basically
ignored the law and presented their users with take it or leave it pop-ups on
their online properties. That's why they're getting sued...

~~~
mattlondon
Are they getting sued? I'm not aware of any GDPR-related cases against
Facebook or Google so far?

~~~
icebraining
[https://www.irishtimes.com/business/technology/max-schrems-f...](https://www.irishtimes.com/business/technology/max-schrems-files-first-cases-under-gdpr-against-facebook-and-google-1.3508177)

------
oytis
Über-fucking-raschung. Regulation is beneficial to big companies.

~~~
anoncake
Meanwhile, little players like _looks at diagram_ Facebook lose.

~~~
oytis
Too much has happened to Facebook recently to really assert connection of
decline with GDPR.

------
rectang
The biggest beneficiaries of the GDPR are individual citizens.

But that doesn't even enter into the tech industry zeitgeist, where
commentators are enthralled by the bloodsport between corporate champions and
the lives lived by actual humans are incidental and inconsequential.

------
yuhong
There was another HN thread with BrendanEich in it talking about this:
[https://news.ycombinator.com/item?id=18119367](https://news.ycombinator.com/item?id=18119367)

------
VMG
But who could have known?

------
arountheworld
I was looking at a couple of non technical friends browsing the Internet. Not
one took time to read consent prompts, they just mindlessly click whatever
takes the notice out of the way. GDPR is dangerous and doesn't fix anything.

