
A small French privacy ruling could remake adtech - gbugniot
https://techcrunch.com/2018/11/20/how-a-small-french-privacy-ruling-could-remake-adtech-for-good/
======
fyfy18
Good. I always saw the intention of the GDPR as legislation to fundamentally
change the way personal data is processed, to prevent the freely spreading of
it, with blatant disregard to the consequences, by basically any company that
handles personal data. Instead most companies have just opted for clickwrap
consent, and continued as they always have.

The more rulings we have like this, the better. Yes it may cause some business
models to disappear, but I feel it's worth it to take back control of our
privacy.

~~~
isostatic
> Yes it may cause some business models to disappear, but I feel it's worth it
> to take back control of our privacy.

Good, hopefully we'll see some real innovation, with wide spread
micropayments, rather than brainwashing which costs the viewer of the site far
more than the recipient of the site gets.

~~~
apatters
I think micropayments are a classic example of a solution that seems sensible
to engineering under the assumption that humans are rational beings, but in
the real world it falls apart because they aren't.

The hardest part of making a sale isn't the price--it's getting the customer
to say yes. With micropayments you ask the customer to say yes _every time
they click a link._ This imposes a cognitive/mood/whatever penalty every time
they consider viewing your content. No wonder it hasn't taken off.

A better solution from a market psychology standpoint would be to sell an all
access pass to the content on 10, 100, or 1000 websites. Monthly auto rebill.
Just one purchase decision for life and with enough sites the perceived value
is high. Not sure why we aren't seeing more of this -- if anyone works at a
media conglomerate feel free to reply :)

~~~
Mefis
Just make it an all you can eat plafond.

I know I am worth ~50$ a year to the Ad business. I'll gladly pay $60 a year
for access to content. That $60 gets redistributed to content providers based
on the share of my viewership they get.

Basically, cut the middle man (ad companies in this case).

~~~
tonyedgecombe
The thing is someone in our community is probably worth $500 a year to the ad
business whereas 90% of people are worth nothing. Would you be willing to pay
$600 a year to access content, what happens to the other 90% who couldn't
afford that. What media would they be condemned to consume.

~~~
isostatic
$2 a day?

If you really want to be socially inclusive, raise taxes on those that can
afford to pay (wealthy pensioners are massively undertaxed in the UK for
instance), and distribute it as "consumer tokens", or cash, that people can
spend on consuming crap.

~~~
ghaff
Yeah, taxing other people is a simple answer to just about everything.

~~~
isostatic
That's what advertising does. You're taxing me to pay for low income people to
get free adverts

If you want to subsidise low income people, then be honest about it.

------
gnud
> In plainer English, this is being interpreted by data experts as the
> regulator stating that consent to processing personal data cannot be gained
> through a framework arrangement which bundles a number of uses behind a
> single “I agree” button that, when clicked, passes consent to partners via a
> contractual relationship.

Now, I guess it's obvious to complain about the idiotic, user-hostile and
down-right evil Oath consent pop-over that I got when I visited TC. I'm gonna
do it anyway.

Here's hoping this ruling stands.

~~~
peteri
I haven't read techcrunch or any site with that oauth pop-over since GDPR came
in. It's super obnoxious.

~~~
gnud
Pretty sure it's not OAuth, but Oath.

Also pretty sure they named the company Oath so that people would think "oh
this is another OAuth permission box, OK".

~~~
jefftk
It looks like the "Oath" brand is going away, and they're going to use
"Verizon Media Group": [https://www.theverge.com/2018/11/5/18064172/verizon-
oath-med...](https://www.theverge.com/2018/11/5/18064172/verizon-oath-media-
group-rebrand)

~~~
gpvos
Good. It was a truly horrible name.

------
hyperman1
I like the way they are punished:

    
    
      no fine, but CNIL ordered the firm to delete all data it had 
      not already deleted (having judged collection illegal given 
      consent was not valid); and to stop processing data without 
      consent.
    

So this is a warning shot to them and the ad industry: If they change the way
they do business, they were almost not hurt (There is probably the court costs
to pay, plus their defence, plus opportunity costs).

For now, the maximum fines seem to be just that, at least in France: Maxima,
only for those who really do not want to mend their ways

~~~
remify
There's no need for punishment but pedagogy.

Since there is still a lot of moving part regarding RGPD, the CNIL is just
laying the foundation for futur cases.

~~~
hyperman1
Exactly. And the fact that CNIL takes this approach, deserves some applause.
They could take out bigger guns if they wanted.

------
Reason077
The interminable pile of pop-ups on the EU web has become extremely annoying,
and I don't blame ad firms and publishers for seeking to minimise the
disruption to the user experience.

At the same time, the protections that the GDPR seeks to provide are very
important and it's absolutely right to protect them in law.

But what value is there in constant boxes that users become accustomed to
clicking through like trained monkeys? It devalues the whole point of the GDPR
because no sane person would actually read the policies for every single
website to see if their data is being used reasonably or not.

I personally think that there should be a limited, well-defined set of data
that can be transmitted to ad exchanges under an assumed consent. Fully
anonymised and broad demographic data (eg: age range, sex, city, etc) for
example. Anything beyond that should require an explicit consent.

This should encourage most publishers to do the right thing, because if you're
doing something that requires a consent pop-up, it probably means you're up to
no good.

~~~
jeroenhd
The constant boxes are actually against the spirit of the GDPR and it's only a
matter of time until they are banned as well.

The GDPR requires all tracking to be opt-in and to be completely optional.
Blocking access to a page by requiring the users to tick one or more
permission boxes is not opt-in. The same is true for many other GDPR
permission forms (like Tumblr's) where all uses and parties were/are enabled
by default and one needs to disable each one individually.

It's a matter of time before one of these big firms gets investigated for
these practices and a fine is dropped. Publishers will learn to stick to the
rules soon enough.

~~~
hartator
How can you be opt-in and be optional at the same time?

~~~
merijnv
Consent-based personal data processing _must_ be optional. That's pretty
explicit in the GDPR. You _cannot_ predicate service on a user opting-in
(consenting). That's not consent. That's coercion, and the GDPR pretty
explicitly bans it.

"But how can we monetise our service if we can't get paid via exploitation of
personal data of our users?"

Don't know, don't care, not my problem. The ad industry has proven itself
incapable of self-regulation, so the GDPR explicitly destroys this entire
business model. Figuring out a new that works is the industry's problem.

~~~
exergy
Precisely.

What everyone forgets is that one of the biggest debacles with adtech was
their inability to even guarantee that no _malware_ was being fed with the
ads. That's how bad it had gotten. It will take a long, _long_ time before I
have any sympathy for digital advertising.

------
fraserharris
The stronger GDPR is interpreted by the courts, the stronger Google &
Facebook's oligopoly is. To compete as an ad network you will first need to
have consented first-party data at scale - in other words, a (or network of)
website/application that a majority of European's visit daily.

~~~
shakna
That doesn't seem to be the case here. In fact, Google asking other's to
collect consent, and then performing auditing, may well not be considered
compliant after this ruling.'

> The requirement based on the article 7 above-mentioned isn’t fulfilled with
> a contractual clause that guarantees validly collected initial consent. The
> company VECTAURY should be able to show, for all data that it is processing,
> the validity of the expressed consent.

Google hasn't first-party consented through each of the publishing contracts.
They may be able to turn it around.

However, the industry would now favour someone who had no need to collect
consent, if we're just talking about the base ability. The ad-world's
dependency on personalised data is a problem, and may continue having issues
with the GDPR.

~~~
candybar
I think you're confusing Google's ad-tech platform (DFP and such) with
Google's actual primary business as a publisher. Google's ad-tech business
competes with other ad-tech platforms and provides services for other
publishers to monetize their inventory. This is a relatively small part of
their overall business that they could live without and Google the publisher
doesn't need any of that to stay massively profitable. Google's own inventory
would certainly be more valuable in a world where Google's ad-tech platform
could not effectively help monetize other publishers' inventory.

------
buboard
The solution is to replace the cookie consents with an explicit form where
users select their interests, so that the publisher can request ads tailored
to the user. It's a lot more transparent and it can save a lot of publishers
in the EU which are now at a dead end. (People who think that
donations/subscriptions will save websites are deluded. Tracking is bad , but
targeted advertising is not. Advertising is a perfectly valid model but
context-based advertising is horrible - i know because i ve been seeing and
serving those "russian bride" and "click here to get iphone" ads since May).

~~~
reitanqild
> context-based advertising is horrible - i know because i ve been seeing and
> serving those "russian bride" and "click here to get iphone" ads since May).

Doesn't exactly seem like you got context-based ads but rather completely
pointless ads?

~~~
buboard
thats what you will get if you have anything other than a blog, though. I bet
news websites have the same problem. Reporting about a death doesnt mean you
want to advertise coffins.

~~~
reitanqild
And there is the problem:

It seems Russian bride distributors and few others pay best.

And media houses seems to don't care that this is intellectually and
emotionally insulting to their readers.

Had they put slightly more effort into this they might have had a nice income
from non-spammy ads like they have in print.

------
Tsubasachan
Anything that makes it more difficult for the advertising industry is good in
my book. Reminds me of how our ancestors built cathedrals instead of
hospitals.

------
rhacker
I've always felt that one way to change the way internet companies do business
with a loose-style relationship with our data is to pass laws in small towns
or even just one large city. Imagine if Portland OR made severe legal
consequences for specific kinds of privacy breeches for people in its own
town. The giants would have to decide to block people in that city or change
general data processing rules internally. But I think it acts more of a
starting point of an avalanche as more and more places see the good that comes
from that.

It's also NOT just the big corps. Companies that use public records (and
public records in and of themselves needs a LOT of additional laws in the
digital age) so you can find your ex-girlfriends, etc... Can you imagine these
ASSHAT websites being sued for 100k by people in Portland? Then New York,
etc.. I would love to see that happen.

------
Fiahil
Maybe, at some point, ad companies would prefer asking a visitor which topic
he is interested in, instead of trying to collect some giant amount of shitty
data to feed their profiling engine and then being GDPRed for failure to
register consent. Sometimes the best solution is also the simplest.

------
hyperman1
I'm wondering if we can't start micropayments today: Create an ad provider
which bids together with all the others, but in your name (and you give them
some money).

If you pay enough via that ad provider, it will claim the ad space on that
page for you and leave it empty or puts some todolist or whatever you want
there. Ask a monthly fee of a euro for computer costs.

As this is the raison d'aitre of this pseudo ad company, all its GDPR troubles
are resolved at once. If it gains traction, publishers can use it as a
preferred ad provider and resolve their GDPR troubles too.

Only question: Who would want to pay for this. It might prove people prefer
ads to micropayments.

~~~
denisvlr
To my knowledge that's basically what Google Contributor does:
[https://contributor.google.com/v/beta](https://contributor.google.com/v/beta)

I don't think it ever caught on.

------
pmontra
This is not only about advertising, it's about any service that trasfers
consent to another one. There is a full thread about micro payments here, but
they could solve only some cases. There are plenty of legitimate third-party
services added to web sites (example: customer service) that according to this
ruling (if I understood it well) should verify consent on their own. This
could be possible or not, it depends on the nature of the service.

------
throw2016
There seems to be a significant ethical problem of dehumanization and
predation in the tech community that must be analyzed and understood.

Here are people living in a civilized world with rules and regulations and
posture as civilized human beings who function in an ethical society.

But at work they seem to be operating in neolitic wild lands engaging in
increasingly invasive predatory behavior that systematically reduces the
entirety of the human population going about their daily lives into objects of
profit lacking agency, merely tools to be stalked and analyzed for revenue, to
be prodded for value in any way possible. There is a dehumanization here with
no respect of personal space, privacy and basic human dignity.

This would not be as bad if there was explicit consent and self declared
transparency of the all processes in play, and commitments to ethical
frameworks of operation. It's the surreptitious, misleading and often
deceptive communication and behavior that betrays their willful complicity
that is troubling.

------
emiliobumachar
> consent [...] cannot be gained through a framework arrangement which bundles
> a number of uses behind a single “I agree” button [...]

I'm a bit worried that the interface of old Windows installers might make a
comeback in the internet, but with "I agree" instead of "Next" written on that
button that you have to click a dozen times.

------
cm2012
This decision would be super good for Facebook and Google by the way. If you
can't share/pool cookie data, then the smaller ad players will die out even
faster than they are now.

------
Nursie
Perhaps ironically, I can't access this article because I'm unwilling to just
click "OK" and allow TechCrunch to pass my data to all and sundry, and their
'controls' links lead to a warren of pages at their parent company's site, and
eventually to some sort of login page, with no controls in sight.

In apparent contravention of the GDPR, various parts of the page say that I
must agree to their use of my data for third party advertising or I cannot
access the site.

~~~
downandout
_In apparent contravention of the GDPR, various parts of the page say that I
must agree to their use of my data for third party advertising or I cannot
access the site._

They can say that they have a legitimate interest exemption - and they do.
Sites must be able to earn money from their content, or they cannot operate.
Therefore, they have a "legitimate interest" exemption for this practice
(allowed under GDPR) - they cannot provide you with the service you requested
because you are unwilling to help pay for it by allowing third party ads.

Edit: By the way, none of this addresses the other elephant in the room.
TechCrunch is US based, and to my knowledge they do not offer foreign language
translations of their site, at least on the .com version of the site. This
meets the test under Recital 23, which says that if it doesn’t “envisage”
serving EU users, it isn’t even subject to the GDPR. Any privacy notices on
TechCrunch.com are essentially a courtesy.

~~~
Nursie
> They can say that they have a legitimate interest exemption - and they do

They don't. That's not a legitimate interest. Making money from the data is
not covered and if it was then the entire law would be moot.

> they cannot provide you with the service you requested because you are
> unwilling to help pay for it by allowing ads.

You missed the word _targeted_ there. And the massive background dissemination
of data that accompanies them. That's the issue.

~~~
downandout
_They don 't. That's not a legitimate interest._

While I live in the US, I used an EU VPN for a few weeks just to see what
would actually happen under GDPR as an EU user. I couldn't stand the popups
after a while - GDPR has ruined the user experience of the web for 500 million
people. But through that experience I saw that most sites based in the EU are
either a) ignoring GDPR entirely, or b) taking the position that showing ads
from third party ad networks without specific consent is a "legitimate
interest" \- whether you agree with that position or not. I also witnessed
countless sites that _required_ user consent in order to view content.

~~~
tremon
It doesn't really matter whether you or I agree with that position. The point
is that the GDPR doesn't agree with that position -- and that has been made
explicitly in the regulation: [https://www.gdpreu.org/the-regulation/key-
concepts/legitimat...](https://www.gdpreu.org/the-regulation/key-
concepts/legitimate-interest/)

 _Even when data processing is necessary to the controller, such legitimate
interests must be weighed against “the interests or fundamental rights and
freedoms of the data subject”. Should data controllers justify processing
without consent based on this subparagraph, they will need to be prepared to
prove legitimate interests (a higher burden) relative to the implied general
interests of data subjects._

So businesses will need to argue that their interest (income) outweighs the
interests of their users (not to be sold out).

Specifically, when it comes to advertising itself as a legimate interest:

 _Where personal data are processed for the purposes of direct marketing, the
data subject should have the right to object to such processing, including
profiling to the extent that it is related to such direct marketing, whether
with regard to initial or further processing, at any time and free of charge.
That right should be explicitly brought to the attention of the data subject
and presented clearly and separately from any other information._

