
GDPR adtech complaints keep stacking up in Europe - jacquesm
https://techcrunch.com/2019/05/20/gdpr-adtech-complaints-keep-stacking-up-in-europe/
======
brylie
I just leave any site with adtech 'consent' overlays like Techcrunch.

Hopefully, if enough people abandon sites that use dark patterns and invasive
tracking tech, the industry will get the message that these technologies are
unethical and even illegal.

~~~
idlewords
This is like saying in 1950 that companies will take the lead out of gasoline
if we all stop driving.

~~~
wnevets
It's a little easier to stop visiting a website than it is to stop driving a
car in US.

~~~
kcorbitt
I wonder though! If you were to give every American today an ultimatum that
they had to either (1) never drive a car again or (2) never use the internet
again, what percentage would take each side of the deal?

~~~
kgwxd
But websites are _on_ the internet, they're not _the_ internet.

~~~
earthboundkid
Yes, thank you for using your Gopher client to post this highly relevant and
on-topic comment that none of us had already known since forever.

------
judge2020
What is a reliable way to make money from free articles (other than NY times -
style limited articles)? As in, what ad networks can you set up that only use
the content of the page to target ads? At this point, if you don't use Google
Ads (adsense), your advertiser pool drops significantly and you'll likely be
making less money overall.

~~~
Veen
The same way publications made money for two centuries without tracking and
“personalization”, by displaying advertising relevant to the content and the
publication’s target audience.

~~~
mochomocha
This does not work as well. If you take any machine learning model for ads,
"content" related features are way less predictive than "user" related
features. ie who you are matters more than what you're currently reading.

[Disclosure: I've built a lot of these models in the past]

~~~
Jach
It seems to have worked better than well for New York Times:
[https://digiday.com/media/gumgumtest-new-york-times-gdpr-
cut...](https://digiday.com/media/gumgumtest-new-york-times-gdpr-cut-off-ad-
exchanges-europe-ad-revenue/)

Do you think it's not repeatable?

~~~
LaGrange
> except for privacy-minded users

...that's like saying "high standards of medicine are bad except for hygiene-
minded users." The fact that the user has other concerns in their life doesn't
change the fact that it's still bad for them.

------
IshKebab
Sadly the article doesn't mention any complaints against TechCrunch/Oath's
non-compliant consent request.

I've looked into how you file a complaint with the UK information commissioner
about that sort of think but there doesn't seem to be a way unfortunately.

~~~
Nursie
Might be worth shooting an email to casework@ico.org.uk ?

Tempted to do this myself, the Oath GDPR notices are the worst, with no
visible controls and a warren of useless links.

~~~
maccard
I emailed ico about an issue, they told me to get in touch with the company,
who ignored me. I followed up with ICO again, and didn't hear anything after.
Was really disappointed.

~~~
adrianratnapala
Try letters on paper?

------
mochomocha
Ok, given the ads hate on HN this will be a pretty unpopular opinion here
but... RTB is a good thing. It ensures that Google and FB don't become even
_more_ monopolies. Open ad exchanges ensure better efficiency of offer and
demand and a somewhat middle ground between publishers and advertisers. In
theory, it also ensures an alignment of incentives: higher quality ads
(because advertisers want ads that perform better whereas publishers don't
care as much on average, as long as they get paid)... Which of course comes at
a privacy cost. Remove or erode RTB (as it has been the case over the years
with FB closing its ad exchange, Youtube not even offering an exchange etc)
and you'll see the nightmarish closed web we all dread: all the long tail of
websites won't be able to monetize anymore, and everyone will be at the mercy
of Google and FB for any content to be published (AMP etc.). I'm sure Google
and FB lawyers are super happy about GDPR: EU is helping them entrench their
monopolies.

I guess what I'm trying to say is that in the current state of things, you
cannot complain about "ads are evil and don't work", "Google and FB are
monopolies" and "I want privacy" at the same time. The three are linked. If
you push for privacy, you'll hurt open web (because you'll consolidate
advertising to Google and Facebook which are on the publishers side so have
less incentives to make ads work because they fully control inventory).

Patreon, Brave BAT and crypto etc. are good ideas to change the fundamental
economics of the web. But in the status quo, we cannot have everything:
privacy AND free services like Google and Facebook AND these companies not
being monopolies interested in data collection.

[Disclosure: I've built a lot of ads targeting models in the past for a
living]

~~~
zrk
I also had something to do with the RTB ecosystem. You have a point, but I was
also impressed at how low the standards were, how cheaply you could target an
immense amount of people, and how nothing is enforced.

A total nobody could easily spend O($1000) and serve malware to millions of
people, served out of his own ad server. If he was going through a DSP there
would be some sort of approval of ads but no enforcement that the same ad was
the one actually being served. This was when Flash was still around and
unsandboxed on most browsers and buggy as hell.

Oh, and the industry-standard self-hosted ad server was a PHP thing which
carried a backdoor for months/years before anyone noticed. Someone just
replaced the tarball on the developer's site and went unnoticed.

And the people selling data... do most people know that this is possible: you
buy a car, offline, at company X. They have your phone number. You visit
website Y, type your phone number. You visit site Z, they can buy your phone
number from website Y, and match that to your phone from the car company which
sold your data to third-party W, and know for a fact which car you bought. No
profiling, statistics, guessing, inference. They have the actual data. Costs
O($0.25).

This was years ago, frankly I doubt things improved and I doubt they are as
cash-rich now.

~~~
tjoff
> This was years ago, frankly I doubt things improved

It has improved immensely wherever GDPR is in place.

------
SCHiM
I was thinking, maybe it's a great thing the web cannot be monetized on a
gigantic scale? Maybe it's not too late to turn the tide against tracking,
censorship and thought-policing going on on the internet if the giant tech
corps cannot earn money on it anymore.

That leaves just the governments, but hey, it seems like a step in the right
direction...

Naive I know.

------
tschellenbach
It would be great if there was a comprehensive analysis about how much money
was spend complying with GDPR and what the resulting benefits to privacy are.

~~~
Sir_Substance
That's not actually how the law works though.

Restaurants lose a lot of money throwing out food that's probably good enough
by the standards that most of us use in our kitchens at home but because there
was an excursion in the fridge temperature of 2c or whatever the law says they
have to throw it out.

They could make a lot more money if they didn't have to do that, especially if
chefs were allowed some discretion in when things are "out of date" like they
used to have prior to food safety laws.

However, as a society we actually don't want chefs to have that discretion
because although we might trust an individual chef we sure don't trust every
chef. So we set rules for restaurants because we would rather have some
restaurants go bankrupt and there be fewer restaurants around than have
everyone risk eating food that might be below standard every time they go out.
Instead, we set an objective baseline criteria for food standards.

Same thing with privacy. Your personal standard of privacy may or may not be
higher than my personal standard of privacy, but society-wide we don't want
privacy to be a roulette wheel or a tragedy of the commons, so we set an
objective standard for it.

That may or may not bankrupt some ad-tech companies who are reliant on the
dodgy-chef techniques, but that's not a loss to society as a whole any more
than losing dodgy restaurants would be.

------
thrower123
Has anyone actually been fined in a significant way as a result of GDPR?

~~~
icebraining
An hospital in Portugal was fined €400k for allowing its staff to access
patient records without proper safeguards. I think that's the highest so far,
but many cases are still being analyzed.

~~~
SilasX
Wasn't that kind of thing prohibited long before the GDPR based on medical
privacy laws?

~~~
icebraining
Most things in the GDPR were already prohibited by the Data Protection
Directive, but not the amounts of the fines and such.

~~~
NeedMoreTea
Which is the reason most Europeans were talking of GDPR as though it was a
non-event in the many HN discussions. Every European business had been doing
it for decades under data protection. GDPR cleaned up a few definitions,
expanded a few new uses and abuses of personal data, and the headline maximum
possible fine. The fine that was almost the only thing people wanted to fixate
on.

In the run-up, the best guide to GDPR was UK ICO's guide to 1998 data
protection with a few GDPR annotations.

~~~
Mirioron
> _Which is the reason most Europeans were talking of GDPR as though it was a
> non-event in the many HN discussions. Every European business had been doing
> it for decades under data protection._

You must live in a different Europe than I do, because I'm pretty sure that
most companies that don't deal with the internet, don't even know what privacy
they're required to provide. People still regularly use gmail for some
business tasks, they openly list data that shouldn't be shared etc. I don't
think what you said is true at all. I think most companies simply don't know
that they're in violation in some way or another.

~~~
NeedMoreTea
Not every company I've dealt with, or worked for has been net based. All have
had some sort of awareness of Data Protection. Obviously, there were also
exemptions for the smallest businesses. Sometimes awareness was simply a
weekend going through DPA and deciding they were small enough to be exempt.

The biggest problem with Data Protection was the maximum penalty, and that it
had no teeth for data that moved out of area. It simply wasn't enough for the
larger corporations to care that much - unless they were purely national.
Hence some companies being fined multiple times for the same failings. I don't
believe there's a Shell, Philips, Siemens or Glaxo that didn't have awareness,
data protection officer and so on.

------
founderling
From a user perspective, GDPR has no impact so far. I am still being tracked
to death wherever I go.

Neither do companies offer me a way to get the data they have about me.

This guy has been trying to get his Facebook data for 4 months now:

[https://ruben.verborgh.org/facebook/](https://ruben.verborgh.org/facebook/)

Will be interesting to see if he keeps at it and how it turns out in the end.

~~~
thejohnconway
It's very early days, legally speaking, right? I imagine they are still mostly
sending out warning notices, and collecting evidence of violations for the
most part. In a few years, if a few stonking fines are handed out (which I
think there will be) we'll see what's what.

------
punnerud
If most of some companies revenue come from selling analytics of user data, is
the maximum 4% GDPR fine enough to force all these companies to be compliant?

~~~
icebraining
The process doesn't stop with the fine, they're still required to become
compliant, and further violations can lead to more fines.

~~~
kevin_thibedeau
Seems like a valid business model would be to sue yourself, plead guilty, and
pay the 4% tax every year. Legal fees would be minimized by playing both
sides.

~~~
asdff
I love armchair legal advice

------
anonymousDan
So basically I can't use techcrunch unless I consent to letting them use my
data for advertising? Doesn't this violate GDPR?

~~~
Nasrudith
Well the thing about jurisdiction is that it is utterly toothless if they
aren't in reach - hence the lack of arrest of Wikipedia editors for Tiananmen
Square contributions. It is kind of embarrassing really.

Even if "advertising to EU citizens" put them in reach it wouldn't give the
outcome they want - that would likely turn into a full block if they see no
benefit to it and compliance costs.

~~~
HenryBemis
And this is why _we are forced_ (speaking for myself and a few more) to use
PrivacyBadger (on which I keep adding domains), NoScript, AdblockPlus, ublock,
and others.

It is a democracy. The many will win if they want to. I understand the
unethical part of 'consuming content for free' which costs them $. But there
they picked to go to the extreme end of loading a simple piece of news with
10+ trackers.

On TC I get 14 hits on my PrivacyBadger, 9 hits on NoScript, and 2 hits on
ABP. If one day that '25 violations' go down to 2-3, I will consider letting
them go with it.

~~~
skybrian
There is no "forced" here. For most news sites, you can just not read them,
and it's fine, really.

------
a_imho
What is the point of the GDPR if it is not enforced?

~~~
HenryBemis
Wait until it starts raining penalties.. Adtech that gets busted will either
comply (shrink evil profits), die (won't be able to handle the profit loss),
or move to greener pastures (keep their practices away from us).

~~~
Mirioron
But those penalties will also screw over most of the sites people are using in
the EU.

------
lone_haxx0r
Step 1: Give my data to someone.

Step 2: That someone uses it to their benefit.

Step 3: Complain to the authorities.

~~~
judge2020
You don't go to websites in order to give your data to them, you go to
websites to consume the content they're displaying. The role is more similar
to this:

1\. go to a restaurant, eat, give wait(ress|er) credit card to pay for food

2\. wait(ress|er) uses it to pay for the food, but also takes a picture of
credit card front and back, then later uses it to buy an expensive TV

3\. complain to the authorities (or your bank) about the fraud

~~~
Mirioron
But your browser _does_ give out your data. A website doesn't know anything
about you until your browser sends them some data. That's not the case in your
restaurant example, because the waiter has eyes. He gets information from you
by your mere presence whether you want it or not. That's not the case on the
internet.

To be clear, I think some privacy regulation is necessary, but there seems to
be some kind of dissonance. People want a service, but are unwilling to pay
for it nor give their data. Then they complain to the government that they
should be able to get the service without payment anyway.

~~~
clarry
Uh the browser runs code that comes from the website.

The website decides what the browser sends more than the user does.

~~~
lone_haxx0r
The website doesn't decide, the browser does. The website merely suggests what
could be sent by the browser.

~~~
clarry
That's a pointless technicality and irrelevant to the discussion. Largely as
irrelevant as claiming that it's not my software that's spying on you, it's
your CPU and my software is just suggesting your CPU what to do.

For the past two decades browsers have been extended year after year to better
run arbitrary applications delivered via the website. New tracking techniques
crop up all the time and anti-tracking won't keep up, and often can't do much
without breaking compatibility with the existing sites, not something browser
vendors are willing to do, except when it serves Google's ends.

~~~
lone_haxx0r
> That's a pointless technicality and irrelevant to the discussion. Largely as
> irrelevant as claiming that it's not my software that's spying on you, it's
> your CPU and my software is just suggesting your CPU what to do.

It would be irrelevant if we weren't talking about laws, but we are (GDPR).

If I tell someone to kill themselves, should I be punished as if I had
actually killed that person with my own hands? Obviously no. In fact, I
shouldn't be punished at all for saying that. Some people might disagree, but
those people either applying their moral values inconsistently or they want to
live in a totalitarian regime.

Technicalities are life or death when talking about law.

~~~
clarry
> Technicalities are life or death when talking about law.

Yeah right. It's not that I killed you, but you reacted to a bullet in such a
way. It's not that I stole passwords and files from your server, it was your
server that happily gave me all that data after I sent it some bytes.

The spirit of the law takes precedence over technicalities.

