
Some frustrated publishers are sitting out Google’s GDPR meetings - ilamont
https://digiday.com/media/no-one-thinks-good-idea-frustrated-publishers-sitting-googles-gdpr-meetings/
======
Iv
Judging by the ripples it causes, it feels like GDPR is a well done piece of
legislation that will actually destroy some of the most invasive business
models.

Google should tread carefully there. It is the future of their cash cow that
is at hand.

It is somehow comforting to see an elected body being able and willing to
cause such a stir.

~~~
piokoch
Hmm, I thought that too. I assumed that all banks, cell phone operators, etc.
that I use would have to ask me for consent to sell my data, track me.

But that did not happen, they just send a note with all those GDPR information
what they do with my data and that they have a good news for me: I don't have
to do anything, as all my "agreements" are still valid without any action from
my side. They haven't given me an option to give consent for, say, calling me,
but don't give consent for tracking and profiling. Looks like this is ok,
unless Orange got GDPR wrongly and wants to risk fines but I don't believe
that.

One of the biggest Polish news portal (wp dot pl) has figure out the fantastic
idea - they show a banner with a long, long text, that says at the end that if
I close that banner, clicking on X button, I am automatically give them
permission to track me and do virtually whatever they want with my data. If I
don't agree for their terms and I don't close the banner (which is agreement
as well) I am taken to "advanced settings" page that at the end gives me only
one option - to agree for tracking and all the shady stuff they want to do
with my data. It is impossible to enter their portal without agreeing for
everything they want.

WP dot PL is a big business owned by a big German media company, so I guess
they figured out everything correctly, apparently the regulation has a lot of
loopholes and anyone with smart lawyers can overcome GDPR easily.

~~~
Doxin
The "agree by closing this popup" tactic is, as far as I can tell, not allowed
under GDPR. Here's hoping all the companies that do that get slapped with a
fine.

~~~
Brotkrumen
This forever popup unless you accept should run afoul of the language in GDPR
that forbids the degradation of a service if a user does not opt in.

------
nwellnhof
FWIW, Google blatantly ignores the GDPR and continues to track all users from
the European Economic Area unless they opt out. If you log out of Google,
clear all Google cookies, and visit
[https://adssettings.google.com/anonymous](https://adssettings.google.com/anonymous)
from the EEA, you'll find that "Ads Personalization on Google Search" is
enabled by default and that the default state of "Ads Personalization Across
the Web" is indiscernible.

~~~
beberlei
It is not illegal to track users only if they opt out, by citing legitimate
interest as the ground for processing not consent. That is how all privacy
policy generators and lawyers handle google analytics, facebook pixel, even
self hosted solutions like piwik/matomo. We will need to sit out what
legimitate interests really mean, but at least in germany there are some state
privacy agencies that put forth this approach where you allow to opt out.

~~~
BlackFly
While I think it may be easy to argue that use of Matomo is legitimate for the
purposes of improving your service (and as a corollary, this can legitimately
be outsourced), I think it is a stretch to conclude that it is legitimate for
the third party to assemble a dossier of an individual by tracking them across
multiple sites for which analytics are outsourced to the third party.

This seems obvious since the third party is not going to expose details about
the data subjects use of the other sites so it cannot be of legitimate
interest to the primary controller. If they did share such data with the
primary controller, the privacy violation is so egregious it cannot hope to
pass a balancing test to be considered legitimate.

So while something like piwik may be allowed to be opt out, I think google may
be treading on thin ice.

~~~
beberlei
I agree, and Google is probably well aware that they tread on thin ice and
they will probably fight their version of legimitate interst up to the
European Court of Justice.

------
ysleepy
And here I entertained the thought that for Google the legislation was a form
of regulatory capture.

~~~
gcp
It would seem that having to be GDPR compliant would dis-proportionally favor
large companies with a lot of lawyers and engineers to implement the needed
features company-wide.

If this is not working out for Google, perhaps it's because the business is
fundamentally incompatible? But I have problems believing that. The outcome
would be too good :-)

~~~
Maarten88
> perhaps it's because the business is fundamentally incompatible?

After having read most of the GDPR, that's my conclusion: all advertising
other than 1990's style bannering now needs per publisher, per user, opt-in
for anything that does tracking or is personalized, where the default should
be set to 'no', denying should be as easy as consenting, and refusing access
is not a valid publisher response.

That means i.m.o. that using any form of modern advertising has become illegal
under GDPR, unless you get users to consent in a compliant way, and I have
seen just a few sites even try. I think Google is scrambling to understand
that their business is now mostly illegal in EU.

~~~
Vinnl
I don't think that would mean that Google's business is fundamentally
incompatible. If 90's-style bannering is the only thing that is
allowed/feasible now, of all companies Google is in the best position to do
that profitably.

~~~
chopin
I think the GP means ads need to be served 1st party. For this, Google would
be out, imho.

If Google hosted the ads, how would they not collecting your browsing habits?
It's the same as with the embedded Facebook Like, which is in the same
ballpark.

~~~
Maarten88
I didn't mean ads need to be served 1st party. I think GDPR does not prevent
Google or anyone from hosting ads for their customers. Maybe it's hard to
imagine, but it is really simple to host ads without tracking users... Google
simply has to NOT DO it. And guarantee that in writing to the publisher.

Counting impressions and clicks are no problem, as long as no personal data is
collected. But storing personally identifiable data for the click/impression
(such as the full ip address, or advertising id in a cookie) needs consent.
Unless you need (and only use it) to prevent fraud, which is a valid
legitimate interest. Using it for (Re)marketing is not.

------
yuhong
It is unfortunate that my essay didn't get much attention:
[http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-
mozi...](http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozilla-
essay-final.html)

~~~
ryanobjc
I'm sorry but your essay didn't get much attention because it is not
particularly written well. I'm not really sure what you are arguing here,
except that Google is bad maybe? You aren't clearly arguing an specific
thesis, and there are many non sequitur paragraphs that don't flow. Why are
you talking about OpenJDK in an essay about Google Adsense? Or is the essay
about Doubleclick BMP?

If the point of this essay is to provide an overview of the area, I am not
sure you are well educated in this area. For example, most of doubleclick
publishers dont do retargeted ads. They tend to do BMP only. You didn't
mention programmatic at all. You don't talk about ad networks. Also you don't
mention that Google has done a lot in the area of malware both on the web in
general, and specifically has spent a lot of resources in getting malware off
the ad network. This makes you seem disingenuous, because while Google isn't a
fully "neutral" actor, they are overall a good citizen in the ad space. Ad
targeting isn't inherently evil, a lot of ad targeting is geographically based
-- in fact many people would probably argue that showing geographically
inappropriate ads is even worse -- others are consumer segment (eg:
women/men/age).

I would like to have a non-advertisement internet, but it appears that people
are just unwilling to do so. Also we may be facing very real cognitive limits,
studies on microtransaction fatigue have demonstrated that is not likely to be
a successful mechanism for funding webpages -- people just can't make that
many monetary decisions every day.

~~~
yuhong
There are other known problems with the essay as well. For example, I
mentioned storage costs but it turned out to be more complex than that. The
point is not only to provide an overview though but more importantly to trace
back the problems to Larry/Sergey, which is why it is so important. And yes I
focus on ad tracking using cookies and nothing else. When I was writing the
essay BTW, even tracing back when they began sharing the retargeting data took
some time.

~~~
ryanobjc
You're making an argument, but I think you take it for granted that everyone
knows what "the problems" are. I'm still not sure what that is!

Also, why is it important to trace the problems back to Larry/Sergey? What
about the early engineers who worked on adsense? The early PMs? Surely they
are just as culpable for "the problems" (which ones again?) as anyone else? I
guess they aren't household names?

Also, adsense/doubleclick revenue accounts for 14.9% of total company revenue
as per the last 10-Q filed. So it's a misrepresentation to discuss
adsense/doubleclick as anything other than an important, but not critical,
part of Google. Google could, in theory, lose all that revenue and still
remain in the black.

~~~
yuhong
There are also Google Analytics/Urchin though. Part of the point of the essay
(and one of the hardest parts for me to write) is to figure out when they
merged the tracking data after the acquisition. I would consider the
DoubleClick one worse than AdSense BTW, which is part of the point of the
essay.

~~~
ryanobjc
Except, you’re wrong. Ga data is never joined with other data sets.

~~~
yuhong
What I was referring to is the sharing of remarketing lists. One example:
[https://analytics.googleblog.com/2015/06/remarketing-
lists-f...](https://analytics.googleblog.com/2015/06/remarketing-lists-for-
search-ads.html) [https://analytics.googleblog.com/2015/11/share-google-
analyt...](https://analytics.googleblog.com/2015/11/share-google-analytics-
data-and.html)

~~~
ryanobjc
Well later in the essay you write that google analytics is merged with ad data
in an unqualified statement. That’s what I was reacting to.

Remarketing lists is a feature that would be google neutral. I could imagine
such a feature working for self hosted analytics.

~~~
yuhong
And I mentioned in the essay that "In many cases, advertisers managed
“remarketing” lists of “anonymous” visitors that was being tracked by cookies
from a central console without thinking of the privacy problems, treating
visitors almost as numbers." I wonder if such a use would comply with the GDPR
BTW.

