Facebook’s tracking of non-users ruled illegal again in Europe (techcrunch.com)
1034 points by pdcerb 4 months ago | 379 comments



>“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” said Facebook’s VP of public policy for EMEA

If it is "industry standard", does that make it ethical?


I think the implication is more, "why are you only paying attention to us? If you think this is a bad practice, then you should be going after our competitors, too."

Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time. If you only take it away from one corporation, that corporation will be temporarily outcompeted by the corporations you haven't yet taken the business strategy away from, so they heavily resist that.


Funny. If your site drops dramatically on Google's search results, or if YouTube/Facebook bans your account for reasons, tough luck. They are a corporation and can do whatever they want without resorting to any sort of internal consistency.

But heaven forbid governments hold a dominant corporation accountable in the public interest.


>Funny. If your site drops dramatically on Google's search results, or if YouTube/Facebook bans your account for reasons, tough luck. They are a corporation and can do whatever they want without resorting to any sort of internal consistency.

That's not really relevant to the parent's observation that Facebook is likely arguing that they're being singled out in an environment where their practices are so rampant as to be standard.

>But heaven forbid governments hold a dominant corporation accountable in the public interest.

"accountable to the public interest" is an incredibly disingenuous way to say "enforce their laws". The difference matters in this context because the counter argument would be "why is the law being enforced predominantly against a handful of American companies instead of the industry at large?"


This law has to be enforced somewhere first.

Either it is enforced against Facebook first, and Facebook complains "Why don't all of the small fries have to do it yet?", or it is enforced against the small fries, and they will say, "Why doesn't Facebook have to do it yet?"

And the answer is, the justice department will probably enforce the law in the way that they expect to have the best effect for themselves. It is not necessary to wait until you are sued before you become legally compliant?


That’s not typically how things usually work.

When a government agency (think IRS or FAA) decides on a specific interpretation of a law, rule or regulation, they don’t go after a random guy to prosecute. They publish an opinion, a guideline, or interpretation and a compliance deadline. The industry is given a choice to comply or present an alternative interpretation (through courts, lobbyists or legislative representatives).

It’s one thing if one company out of a hundred doesn’t comply, and somewhat different when the standard industry practice goes against new interpretation.

Selective enforcement is more typical of countries with weak judicial systems and endemic corruption, where “friends” of the current government get compassionate understanding, but everybody else is subject to the strict rule of the law.


Europe hews to somewhat different legal and administrative philosophies from the US, and I don't think the EU is any more corrupt than the US, arguably less so. This subject is discussed very well in a favorite little book, Adversarial Legalism by Robert Kagan.


I don't think corruption is the worry so much here, it's the erosion of the rule of law when regulators and courts are seen to bask in the popularity of enforcing the law against certain high-profile targets, especially when the perception is that this target has been particularly zealously pursued, instead of dryly and boringly applying the law equally to everybody without passion.

That erosion is not corruption on its own, but can lead to it.


Facebook, being huge and hugely invasive, is among those doing the most damage to EU citizen privacy with their collection, so it makes plenty of sense to focus on them.


It's quite normal in my opinion for the police to invest more resources in pursuing a kidnapping case than a bicycle theft.


It'd be more like vigorously investigating a kidnapping case in a wealthy, high-profile neighborhood while ignoring kidnappings in other places.

Which, granted, is something that happens but people largely regard this kind of unequal protection of the law to be a bad thing.


> It'd be more like vigorously investigating a kidnapping case in a wealthy, high-profile neighborhood while ignoring kidnappings in other places.

I don't see the point of this sort of "but Johnny did it too" line of argument. So authorities are looking into a report of widespread abuse. Where's the relevance of not advertising how they may or may not look into other small-scale and lower-profile cases? In fact, aren't resources better spent by going after the single largest and most egregious source of abuse that has a global reach and has been continuously abusing its position for over a decade?


By all means name all the social media sites that are breaking the law on this scale and the EU is ignoring. I'll be sure to contact my local ombudsman.


I don't know what you mean by EU, but most EU countries except for the west are more corrupt than the US.

EDIT: Downvotes? I'm stating facts. How can you downvote facts?


"facts" with zero sources and an argument which could easily be dismissed/interpreted as stereotypical US centric argument.


You can simply use Google and check the facts out for yourself, it's common knowledge (children even learn this data in school in the EU). There were no sources in the comment I replied to either. Someone also replied with one of these sources. How can my argument be US centric when I'm European and have never even visited the US?


I was explaining why your comment was likely downvoted; it's clearly not common knowledge (hence the downvotes) and the fact someone else provided sources for you doesn't absolve your comment from lacking them.

> How can my argument be US centric when I'm European and have never even visited the US?

You don't have to be from the US for your post to sound US centric. It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems." argument which is found everywhere online, especially on sites with a large proportion of US users (like HN).


> the fact someone else provided sources for you doen't absolve your comment from lacking them

The comment I replied to had no sources as well and yet it isn't downvoted.

> It sounds exactly like every other "USA is da best! The east is inferior in every way. We have zero problems."

Actually my comment says the exact opposite, it says that at least the western part of the EU is less corrupt than the US. Do you realize that I said the west [of EU], not the west as in the US? You're the one who is thinking US-centric after all, thinking that when someone says "the west" they mean the US even though it's in a sentence that talks about parts of EU, this possibility didn't even occur to me - that's how foreign it is to me.


> The comment I replied to had no sources as well and yet it isn't downvoted.

Read it again. It stated much less confidence in those baseless claims, inviting sourced rebuttal. You claimed to be "obviously" right without any sources, and apparently you were not.

Edit: also, complaining about downvotes, especially without even trying to admit a mistake, is considered bad behavior here.


"You can simply use Google"

That kind of hand-wavy stuff doesn't fly here. If you're going to make a claim like "EU Countries are more corrupt than the US", YOU have to provide a credible source for that claim.


If you make a claim, you provide source to back it up.

Telling people to go and verify for themselves a claim that you made is just lazy and disingenuous.


I replied with common knowledge to a comment that had no sources as well. Why is the comment I replied to not being downvoted?


Your comment has been flagged by American political correctness.


Correct. On average, EU and US have about the same corruption, at least according to the Corruption Index 2017 [0]

[0] https://www.transparency.org/news/feature/corruption_percept...


I wonder if the index treats lobbying and donation millions to support elections as corruption.

Such activities are illegal and considered corruption in most countries.


From their technical methodology note[1], they require their data sources to account for "state capture" and the usage of "public office for private gain". Take that as you wish, and feel free to look further at their sources[2]; however, I'd assume from that statement that they do account for lobbying and donations.

The US is not unique. If you see something happening here, it is almost always happening in other western countries, and acting like we are the only ones to have a problem does a disservice to worldwide development.

[1] http://files.transparency.org/content/download/2183/13748/fi...

[2] http://files.transparency.org/content/download/2183/13748/fi...


> I wonder if the index treats lobbying and donation millions to support elections as corruption. Such activities are illegal and considered corruption in most countries.

Lobbying has nothing to do with donating money, and lobbying elected representatives is definitely not illegal in most democracies.


I explicitly wrote "lobbying AND donation".

Please don't twist conversation into debates about semantics: it's not helpful.


> I explicitly wrote "lobbying AND donation". Please don't twist conversation into debates about semantics: it's not helpful.

Yes, and you said that both are illegal in most "other" countries. Except lobbying isn't illegal in any healthy democracy, including in Europe. Donating "millions of dollars" isn't really legal in the US either.


Lobbying as a term in the US is pretty synonymous with donating money. If there was a lobbying group that did not donate money you would have to specify that in conversation


> Lobbying as a term in the US is pretty synonymous with donating money.

This is flat-out untrue, and repeating this incorrect meme ad nauseam simply makes it harder to address actual problems when they arise. Lobbying is simply the process of petitioning elected officials. It's a necessary part of any functioning democracy, or else there's no fundamental feedback loop connecting elected officials to their constituents in between elections.

> If there was a lobbying group that did not donate money you would have to specify that in conversation

Corporate entities are prohibited from donating money to campaigns, whether or not a quid pro quo is implied.


What you've stated is true by the technical definition of the term, but lobbying in the _common vernacular_ of the United States is synonymous with paying money. You can throw dictionary definitions around all you want but it doesn't change how it's commonly used.

The same issue comes up with the word "theory" to scientists vs its meaning in the common vernacular.

As to your second part about corporate entities being prohibited from donating money to campaigns, excuse me while I set up a PAC to donate funds to a senator who is aware that I donate to the PAC and that I would really appreciate it if I got a tax break.

What the law intends != what is actually happening


> The same issue comes up with the word theory to scientists vs it's meaning in the common vernacular.

Yes, and just as we ignore people who dismiss evolution because "it's just a theory", we should take the same attitude towards people who conflate lobbying and campaign contributions, because they clearly don't understand how the democratic process works, and acting on their demands is actively harmful.

> What you've stated is true by the technical definition of the term, but lobbying in the _common vernacular_ of the United States is synonymous with paying money.

Yes, and the "common vernacular" is wrong and actively harmful. The two things are completely unrelated, and perpetuating the conflation makes it harder to understand what's actually going on.

If you think something is broken, you actually have to understand how it's broken in order to fix it. There's no virtue in going out of your way to make it more difficult for people to understand how things work. That's how you end up with people wasting time advocating "reforms" that span the range from "well-intentioned but redundant and/or ineffective" to "completely self-contradictory and nonsensical".


Lobbying in the US is just legalised bribery.


Good question. I have to admit that I haven't read their methodology yet.


My guess is that you've been downvoted, because you've claimed that you don't know what the original poster meant by "EU".


In the US corruption is partially legalized as lobbying.


EU stands for European Union.


Yeah, but in context, is the claim of being less corrupt being made about pan-EU institutions, or does it extend to the countries making up the union? The relevance of individual country statistics depends on that distinction.


Yeah but the great-GP's statement is incorrect if he means the European Union as it is now, so he logically must mean something else, e.g. EU before the 2004/2007 enlargement (he might not know that it happened, the most corrupt countries joined during those and thus moved the average) etc. He also might've meant the EU as in the organization itself which is a completely different meaning with completely different results.


> the great-GP's statement is incorrect if he means the European Union as it is now, so he logically must mean something else

E.g. your assumptions being incorrect. You could have avoided a lot of downvotes by showing some humility. Assuming someone does not know about large shifts in EU membership seems like an argument in bad faith.


This has nothing to do with different legal systems or administrative philosophies but is all about politics.

Europe, Germany and France in particular, has a strong history of state involvement in large corporations.

I suppose you could call that an administrative philosophy. To me it sounds like another form of corruption.


While there's nothing wrong with opining that state interventionism is a form of corruption, be warned that people will not infer your custom definition if you drop the word "corruption" in a conversation. I'm in favor of sticking to popular word definitions for the sake of clarity.


Well, it's not that they haven't been talking publicly for years that they are going to do something.

And I guess Facebook and others have been trying to lobby it away for years already.


Do you even know your checks and balances? This is not about government, it's about court. Facebook only has to pay because individuals (or in that case, a privacy organisation) decided to sue Facebook


Policing is always about setting an example.

The entire tech industry can now consider themselves warned. Not even giant American corporations with direct links to the White House are above the law.


The problem is the example being made is that if you are a big American corporation then European regulators will go after you, otherwise ¯\_(ツ)_/¯


Well I personally despise all tech companies selling out their users, whether they are from the US, France or Peru. It's a fact on the ground that many are from the US though.


> "This law has to be enforced somewhere first."

Still, the lawsuits should be simultaneously served to all companies. Preferably with a courtesy heads up.


The DPR has been implemented since 1998.

GDPR was announced in 2012 and implemented fully in 2016. Active enforcement will start in May 2018, again with a temporary period to allow companies to correct. Refusal to comply after that can result in penalties up to a maximum of 4% of the company's global revenue.

How much courtesy lead time does a company actually need to comply?


Especially when such a company is pushing legions of developers to reduce their "time to market".

"You have 20 seconds to comply" says the robocop :-)


Exactly, someone has to be Kinney, and it better be someone already too big for our own good.


Courtesy heads up that they will actually enforce the law. Lawbooks are full of laws that are never enforced.


That's not how the law works in most European countries. Class actions don't exist, so the usual strategy is to sue the biggest company or greatest offender, since that results most likely in the best defence or the best case.

The summary of the court of the case, if ruled in favor of the one suing or in favor of the public interest, will be used to prosecute all other offenders if they do not comply. If the defense wins, it can be used by others as a defense.

While not 'fair' it works as the smaller fish will probably go bottoms up trying to mount a proper defense against larger governmental or lobbying groups which results in a no-win scenario for all: The company is dead and there is still no ruling, or a ruling lacking proper defense.


What, if you get screwed by Google do you sue all the companies or only Google?

Or say Intel users that are now suing over the Meltdown bug: should they get involved with AMD too from some feeling of solidarity?

In this case someone did something illegal and someone else complained to the justice, should they first find all (I hope you understand what all means, aka don't forget anybody) and try to do what? start 1000 processes in justice? It makes sense to start with the bigger criminals, if the court decides favorably then you continue to the next ones.


1. Why should there be a "courtesy heads up"? Most of these defendants know they're breaking the law. The regulatory agencies have made their interpretations of the statutes known.

2. Do you realize how much manpower it would take to require that all separate cases be tried at once? You might as well just come out and say you don't want any cases to be tried at all, as that would be the outcome.


Weren't these civil actions taken by private citizens/rights group?

The courts are just agreeing with these citizens/rights group. It's not like an EU agency is targeting Facebook unfairly.

Personally I can only see this as a good thing. As a non-user I don't want Facebook tracking me. Same as I don't want tracked by any other company.


> why is the law being enforced predominantly against a handful of American companies instead of the industry at large?

Because the largest companies that European citizens are using and that are breaking the law are American. There is no point in first targeting the Chinese and Russian companies doing the same tracking, as few European citizens are affected. And as far as I know, there is no European company doing the same thing on such a level.


> The difference matters in this context because the counter argument would be "why is the law being enforced predominantly against a handful of American companies instead of the industry at large?"

That's not a counter argument but dissatisfaction. Are you saying that EU companies also don't follow their laws?


>That's not a counter argument but dissatisfaction.

You're correct but mainly because I wasn't paying attention and phrased it as a question. Written instead as a statement, it's a valid counter argument because it's criticizing the parent comment's ridicule of a different instance of criticism.

> Are you saying that EU companies also don't follow their laws?

I'm insinuating that if someone wanted to defend Facebook's position one avenue would be to argue that the law is being selectively enforced. Obviously this isn't a comprehensive argument but it's an easy platform to jump in other directions from.


> You're correct but mainly because I wasn't paying attention and phrased it as a question. Written instead as a statement, it's a valid counter argument because it's criticizing the parent comment's ridicule of a different instance of criticism.

I doubt a statement expressing dissatisfaction is a valid legal argument responding to a legal ruling. Clearly the term argument in this context is for a legal argument not a colloquial use of the term, since a legal appeal is what is being discussed.

When people get traffic tickets, the judge won't let them off for saying, "But, your honor, the police officer didn't pull over any of the other speeders around me."


I was using the term "argument" in the more broadly applicable but also literal sense of the word. Your explanation is correct but you've either misunderstood what I was saying or I've misread your reply.


No worries. That explains things, either way.


Because Facebook is doing it at scale.


Maybe it's because one of those organizations has a monopoly on violence and the other doesn't.


There is a rule in Germany called "Im Unrecht gibt es keine Gleichberechtigung". Meaning when you are breaking the law you cannot point to others also breaking the law as defense.


As far as I know, isn't this basically global? At least in civil law systems, I have yet to find a country where this isn't the case.


> Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time.

Not so if it is the only way for the business model to be profitable. More generally, this argument assumes that there is a fixed profit to the business, and the only thing to compete for is a bigger share of that fixed profit. The reality is that corporations are amenable to increasing the profit all around so long as they get part of it, and don't particularly care who gets exploited in the process. Conversely, they do tend to protest when the pool is reduced, even if it affects their competitors similarly.


"The privacy lawsuit dates back to 2015 when the Belgium privacy watchdog brought a civil suit against Facebook for its near invisible tracking of non-users via social plug-ins and the like. […] The same year, after failing to obtain adequate responses to its concerns, the Belgian Privacy Commission decided to take Facebook to court over one of them: How it deploys tracking cookies and social plug-ins on third-party websites to track the internet activity of users and non-users."

If I go to the police to complain that my neighbour is spying on me, it's only natural that the police only investigates that neighbour.


> I think the implication is more, "why are you only paying attention to us? If you think this is a bad practice, then you should be going after our competitors, too."

"But, officer, everybody else was speeding, too!"


s/speeding/downloading ;)


To be pedantic, I can attest that in California drivers ed they teach you that it's safest to keep with the flow of traffic. The difficulty is in proving that traffic was going as fast as you.


Is this rule above the other rules like speed limits, stopping at a red light? It seems to me that this kind of fuzzy rule can undermine the others.


They both can apply. The flow of traffic laws, such as the one in California, are to prevent people from going significantly below the speed limit. It's a better approach, in my opinion, than a minimum speed limit law that many states use.

That said, you'll end up driving white-knuckled and fearful of your life if you dare go the speed limit on the Mass Pike. You'd have to drive 70-75 minimum here just to feel safe.


Yes, it makes sense for the minimum speed. Here in Europe the max speed can't be exceeded and on top of that you have to adapt your speed to the actual conditions: if there is ice or the road is wet, or there is fog, the law says you have to reduce your speed until you are safe, and if you did not reduce it enough and had an accident you are guilty.

I hate when someone drives respecting the limit and you get jerks with big cars or trucks behind you who force you to go faster (by force I mean getting close behind you, using the horn and other bad behavior that can intimidate a new driver).


At least they are not firing missiles.


They were the ones being denounced. It is like a drug kingpin being caught and saying “why am I the only one”, we all do the same?

Well, you are just the first one and the biggest one.


Yeah. How many times this line saved you?

"Officer, The guy in front of me was driving fast too, so why not him?"


nobody likes to be made an example of.

However, regulators like to make examples of bigger corporations since the publicity is more effective with them, and also they are able to both pay up and/or change.


Fair application of regulations is essential to rule of law. Going after one company for a common practice but not others is simply the more tyrannical rule by law.


It's a matter of priorities as well. There's hardly funding to prosecute everyone that breaks any sort of law. So you aim for the big fish. Many more are "hurt" by FB's practices than some random other small player. In that sense, FB is committing the larger crime.


Picking the large foreign company is always an easy target; it can easily lead to protectionism: enforce laws on the outsiders but not the insiders. China is an extreme case of this: foreign companies must walk on eggshells while domestic companies are able to easily break laws now and ask for forgiveness later if the party decides to crack down.


You are suggesting that the EU is picking on the outsiders. However, do you have any proof of that? For example, if you look at fines handed out by the EU, some of the largest ones concern companies from the EU:

https://www.cnbc.com/2017/06/27/the-largest-fines-dished-out...

If you look at EU court decisions concerning privacy, you see that they mostly concern European companies and government bodies (e.g. people's fingerprints being stored for passport applications). Those cases just don't get as much exposure in the US:

https://ec.europa.eu/anti-fraud/sites/antifraud/files/casela...

Another factor here may be that EU companies generally stick more to privacy rules, because it is easier to get sued directly by their citizens. E.g. in Germany many institutions and companies are paranoid when it comes to privacy and go out of their way to avoid lawsuits.


You add in the word "foreign" for no apparent reason. What makes you think the EU is targeting FB for being American? I see no proof of this. Size, sure, but the EU also has many regulations for the internal market. For example, we actually have net neutrality, and there's now regulations to limit roaming charges.


The argument they’ve made is that they are targeting FB and not their competitors. If true, it has many possible abusive implications, one of the common ones being protectionism. It might not be that, but it is a huge red flag that it could be that.


It's easy to level accusations and then back off justifying by saying it's just a possibility.


I did not edit my original comments where I clearly said “leads to”. If you think that meant an accusation, then that’s your right of course, but it isn’t correct to then say I was using similar language to back out of it.


If you are going to accuse, you ought to be able to back up the argument, or don't bother to waste other readers' time.


They are targeting companies from personal data protection-weak jurisdictions who want EU customers.

To use your example, US has targeted companies from IP-protection-weak countries. Was it directly targeting China? I'd say not necessarily.


If they are targeting all companies in their jurisdiction, I have no problem with that.


The only people suggesting anything else were anti-EU commentators. Just like the £350m a week the UK supposedly sends to the EU.


But is it in this case an EU institution selecting FB, or a civil rights organization selecting the biggest offender? If the citizens complain about FB and go after justice, why are you asking the citizens to first find other smaller, non-US companies that maybe did much less damage and start with them? Citizens should have the right to demand justice for the illegal behavior of a US company that does business in the EU without having the other camp calling it protectionism.

It is like saying the Microsoft anti-competition case should not take place until we find some small non-US OS vendor to punish first so the Americans won't get upset.


If the law is no cookies or no tracking, then they can literally pick a random internet company within their borders who is offending. In practice, such broad laws can only be selectively enforced.


And how many people are actually going to pay attention to that? Further, how is that not any different than the "selective enforcement" that you claim is happening against FB?


> they can literally pick a random internet company

In this case they are the citizens; the citizens would not pick at random but the company that affects them.


This business strategy is only viable if your market penetration is huge. No wonder the biggest infringer is tackled first. Also, this probably is a precedent-setting decision with more to follow.


That leads to writing a law for every little technological innovation, which is an arms race legislators can't possibly win. Prosecuting a corporate body for violating a general principle sends a clear signal to other market players using an unethical tactic: comply or you're next.


> I think the implication is more, "why are you only paying attention to us?"

I read that as: why are you only paying attention now? (i.e. after allowing the industry to reach its current, pathological state)


The EU has been working for years on laws to protect citizens' rights from these internet companies; the laws take years to be created and, when done, are announced, and it also takes a long period of time before the laws start to apply.

Do you prefer that we create laws for fixing problems that do not exist yet?


You misunderstand. Facebook probably knew that the new law was in the making, but they probably thought: by the time this law passes, everybody is doing it!


That is true, and FB will try to appeal and move the final decision for 10 years like Intel is doing.


I don't think many of their competitors have the same reach as Facebook. Nowadays sites have social plugins to allow their customers to "share" content. This in turn adds the problematic cookie/pixel.
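The mechanism behind the comment above is worth seeing concretely. Any `<img>`, `<script>` or `<iframe>` on a publisher's page that points at another host makes the visitor's browser fetch that resource from that host, sending along whatever cookies it already holds for that host and, depending on the page's referrer policy, the URL or origin of the embedding page. A plug-in or pixel provider therefore learns which sites a browser visits whether or not the person has an account with it. Below is a small added example, written for this page and not code from the thread, from Facebook or from TechCrunch, that scans a page's HTML and lists its third-party embeds, flagging the ones shaped like tracking pixels (1x1 or hidden images) and social plug-ins (cross-site iframes). The sample page and every hostname in it are constructed placeholders; only the first-party versus third-party logic is the point.

```python
"""Added example: list third-party embeds (pixels, plug-ins, scripts) in a page.

Every hostname and the sample page below are constructed for illustration;
they do not refer to any real site or tracker.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute makes the visitor's browser issue a request.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


def _is_hidden_or_tiny(attrs):
    """Tracking-pixel heuristic: 1x1 (or 0x0) image, or display:none."""
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return tiny or "display:none" in style


class ThirdPartyEmbedFinder(HTMLParser):
    """Collect resources fetched from hosts other than the page's own."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.embeds = []

    def _is_first_party(self, host):
        # The publisher's own subdomains (e.g. its CDN) count as first party.
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        attr_name = FETCH_ATTRS.get(tag)
        if attr_name is None:
            return
        a = {k: (v or "") for k, v in attrs}
        url = a.get(attr_name, "")
        host = urlparse(url).hostname  # None for relative URLs, i.e. first party
        if not url or host is None or self._is_first_party(host):
            return
        if tag == "img":
            kind = "pixel" if _is_hidden_or_tiny(a) else "image"
        elif tag == "iframe":
            kind = "plugin"
        elif tag == "script":
            kind = "script"
        else:
            kind = "link"
        self.embeds.append({"tag": tag, "kind": kind, "host": host, "url": url})


def find_third_party_embeds(html, page_url):
    """Return the third-party embeds in `html`, treating the host of
    `page_url` and its subdomains as first party."""
    first_party = urlparse(page_url).hostname
    if first_party is None:
        raise ValueError("page_url must be absolute")
    finder = ThirdPartyEmbedFinder(first_party)
    finder.feed(html)
    finder.close()
    return finder.embeds


# Constructed sample page for a hypothetical publisher; not a real site.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://connect.social.example/sdk.js"></script>
</head><body>
<img src="/static/logo.png" alt="logo">
<img src="https://pixel.social.example/tr?id=123" width="1" height="1" style="display:none">
<iframe src="https://plugins.social.example/like?href=https%3A%2F%2Fpublisher.example%2Farticle"
        width="100" height="30"></iframe>
<img src="//cdn.publisher.example/hero.jpg" alt="hero">
</body></html>
"""

if __name__ == "__main__":
    for e in find_third_party_embeds(SAMPLE_HTML, "https://publisher.example/article"):
        print(f"{e['kind']:<7} {e['host']:<28} {e['url']}")
```

On the sample page the scanner reports the SDK script, the hidden 1x1 image and the "like" iframe, and ignores the publisher's own stylesheet, logo and CDN image. Running it over a real page is a quick way to see how many hosts receive a request, with their cookies, the moment the page loads; the usual mitigation on the publisher side is to load the plug-in only after the visitor clicks a local placeholder, so no request leaves the site for people who never use the button.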


I think this is an odd defence to follow if indeed this is a defence. It's as if a convicted criminal demands to overturn the conviction because some other (alleged) criminals haven't been on trial yet.


...and one obvious answer is: as one of the largest companies doing this, they benefit more than all of those other corporations.

Also: from the jurisdiction's point of view, this is perhaps the only efficient way to allocate legal / judicial resources. You go after a small handful of big-name "make an example" cases, and hope that this deters use of the business strategy by the long tail of smaller companies you can't afford to go after.


>Corporations tend not to mind if you take away a business strategy of theirs, as long as you take it away from everybody else at the same time.

That's not true in this case. As the large incumbent in social media and advertising, Facebook are the company most impacted by this, whether or not their competitors are impacted.


I'm sure other companies do this, but I'm way more familiar with Facebook's indiscretions. If they're made an example of what's going to be a standard, I wouldn't be surprised if it happens to other companies soon.


Actually it sounds more like an excuse.

"Why have you singled us out for dumping 1000 tonnes of ash into environment each day? Look, this guy is dumping his ashtray on the grass right now!"


There is this thing called legal precedent. You set it once and it can be applied over, and over, and over, and over....


Legal Java!


Why don't they point out others and cooperate with EU to stop this practice altogether then?


This is the reason regulation and fair competition should exist.


Whataboutism isn't an argument... if you're going to start somewhere, you have to start with someone, especially in civil court. Setting precedents will open up other websites to lawsuits


> if it is "industry standard", does that make it ethical

Nope, not at all. Standard practice does not override ethics. Tobacco companies would consider advertising and promoting smoking as industry practice, but we cracked down on that because encouraging people to do something that is demonstrably bad for their health was something we decided wasn't ethical and would be cracked down on.


Besides being a weak argument in such a context, it's disingenuous. FB set the industry standard. Maybe half the standard along with Google.

FB's system is much more reliant on tracking though. Google's can at least work anonymously, eg searched 'dentists' in some area. FB's is almost useless without tracking.


>enable hundreds of thousands of businesses to grow their businesses

Seems innocuous enough until you really think about what they're saying. "But, tracking these people without their consent allows companies, including us, to make money off of them".

That's actually a pretty brazen thing to say; as if the fact that people can be monetized should trump their right to privacy.


This kind of corporate doublespeak never fails to raise my blood pressure.


If it is "industry standard", does that make it ethical?

Industry here is essentially Google and Facebook. The other "players" fight for the crumbs. Ethical? They need growth, every quarter.


It doesn't matter, since it doesn't even make it legal.


Stuff like this makes me so mad.

1. I don't have an account on Facebook.

2. Blocked Facebook domains via /etc/hosts.

3. Use Ghostery.

And despite all of these steps it feels like we are wasting our brightest minds to always be a step ahead in surveilling what the humans of this world are doing to exploit it for targeted advertising.


Rest assured, many of the brightest minds are aware of Facebook's business models and incentives, and many of them predicted the current situation and rejected the company many years ago.


...and promptly took a job at a Google? Sorry, but someone is working for these companies, and they’re clearly bright enough to make the necessary tools. I’m sure some extremely bright and principled people refuse to work with anything like an Orwellian nightmare, but enough do to make up the difference.


Do you think that the code that tracks logged-in and not logged-in users differs much? I assume it is the same tracking code, but if you are not logged in FB and Google will give you a unique ID and after that they collect the same data; they will need to add some code for merging data if they find that 2 different IDs are the same person.

I am not defending FB, my point is that you do not need an army of geniuses to extend the tracking to everyone.


If you apply your mind to doing something evil you're evil and no amount of brilliance can justify it. The visceral example I like to use is: I admire efficiency and leaders, Hitler was efficient and a leader, yet I don't admire Hitler.


Perhaps there should be a central clearinghouse for people who don't want to be tracked by certain sites. How can you tell facebook to not track you without a facebook account? The best you can do is block various known IPs or other patterns which are bound to change over time.


Yes, how to tell Facebook?

Someone should invent a http header that lets you signal that you don't want to be tracked. It could be named something like DNT, for do-not-track. People could then set DNT=1 and websites such as Facebook would know not to track you...


That could work if:

- it was on by default. You shouldn't have to 'opt-out' of invasive surveillance.

- it was enforceable and backed by a vigilant regulator and credibly enforced legal deterrents. We're far beyond a 'pinky-promise' being enough.


>- it was on by default. You shouldn't have to 'opt-out' of invasive surveillance.

Companies did not like it when IE did this, but I think the solution would be simple: when you start the browser for the first time you are asked if you want to be tracked or not, with 2 big buttons to choose from.

Then FB, Google and others should ask the users to switch this because they want to track you on a different website and explain to the users why.


Yeah, I found it very disingenuous back then for Google to push against this. It could be a widely accepted standard by now, and it makes a lot of sense. Unfortunately, as long as big players like Facebook and Google ignore it, it won't succeed.


>How can you tell facebook to not track you without a facebook account?

That's the wrong question to ask. You shouldn't have to tell it not to track you. They shouldn't be able to do it, unless you explicitly tell them "hey you can track me."


Precisely. The Overton window for this topic seems to have shifted pretty far. The default position should be one of positive consent and assumed privacy. But then again, I think it’s all moot considering that Facebook’s existence is predicated on them collecting data. Asking them to do less of it is like asking a plant to stop photosynthesizing. That is to say: it’s their whole raison d’être, which means they won’t change it without a little encouragement from third parties.


If only. That battle seems to have been lost long ago, at least in the U.S.

Google, Criteo and others have long had a default opt-in policy for their retargeting products, etc.


You're the one in control of your browser. You know its side effects when you load pages.


The internet has become an integral part of everyday life. This is like saying air pollution is not a problem, just don't breathe all the time.

Or is my sarcasm sensor not working this morning?


Your metaphor is incorrect.


Most people do not know these things.


How to tell Facebook that I don't want to be tracked?

By not having a fucking Facebook account! it seems to me that's actually the crux of that court decision.


A typical scenario: Your friends and acquaintances have your contact info stored on their mobile phones. Your phone number, an email address or two, maybe a photo and a birth-date so they don't forget to wish you happy birthday. They install Facebook/WhatsApp/Twitter, etc, all of which upload your personal data from the phones to their own servers without your knowledge or consent.

It's more complicated than deciding not to have a Facebook account, though that's a great first step.


Complicated? Remove this “feature” to start:

>all of which upload your personal data from the phones to their own servers without your knowledge or consent.

Our default legal position shouldn’t be one of accommodating a corporation’s existing market-acquisition practices over people’s privacy.


Are you seriously proposing to ban uploading pictures that contain other people to third parties computers without consent? That would go way beyond Facebook. Would I need to track down everyone in a picture before annexing it to a Yahoo e-mail?

I'd think the most pro-privacy reasonable approach would be to stop companies from identifying them beyond "someone who did not consent to being tracked".


How about not maintaining shadow profiles, not allow tagging nor allow facial recognition to be applied to third parties on uploaded photos?

Facebook has such incredible smart engineers that they can file patents to identify you based on the dust of your camera lens [1]. It should be a cinch to them not to track such third parties in any way, shape or form.

The problem was that they gave zero fucks about the privacy implications for third parties, which have nothing to do with, and no business relationship with, Facebook. It seems quite the opposite: that they go through great lengths to maintain shadow profiles and track everybody.

I really hope that the GDPR forces them to clean up their act.

https://gizmodo.com/facebook-knows-how-to-track-you-using-th...


I think he's really proposing regulations that limit how such data can be used once uploaded.

For instance, it could still be legal for Facebook to slurp your friend's address book (and your profile, indirectly), but the regulation could require them to discard and purge that information if they can't immediately match it to an account.


Yes, I'm aware of this (and thankfully have never been stupid enough to entrust my address book to any such service), but what I'm really looking forward to is how Facebook and their ilk will be dealing with shadow profiles in relation with the GDPR.

Since I'm not a member of their service there's no valid reason for them to maintain personally identifiable data about me. Let alone that they never asked for my permission and that I never, ever consented to their gobbling up of my data and that of other non-members.

At least according to my understanding this is a very clear violation of the GDPR, which - if the courts agree - could cost them dearly.

I wonder how Facebook intends to deal with that. If I interpret the directive correctly they are obliged to delete all such data since storing, maintaining and processing it clearly violates the law.

Interesting times...


All of the things listed aren't your personal data. It is data about you, but it is not your data.


It knows a lot about you without you having an account though. I’d suggest getting an EU passport might be a good first step.


To put it simply: tracking has to be opt-in only. GDPR actually sees about


They'll still track you without an account.


>Perhaps there should be a central clearinghouse for people who don't want to be tracked by certain sites. How can you tell facebook to not track you without a facebook account?

There should also be a central place for us to put our emails so spammers won't spam us? If this seems a horrible idea then your suggestion is exactly the same.


The US Do Not Call registry for phones seems to be completely ineffective these days. An internet one is unlikely to work as well.


This is exactly the wrong approach. FB should not need to be told not to track people who aren't their users.


>Perhaps there should be a central clearinghouse for people who don't want to be tracked by certain sites.

This the most G. K. Chesterton-esque comment I have ever read on this site.

Poe's law may apply, but if you're actually being serious, "Let's build a list tracking all the people who want to avoid tracking" first, probably wouldn't work, and second, is the surveillance equivalent of a "standards problem" [1]

[1]: https://xkcd.com/927/


This comment suggests Facebook's ability to "grow their business" via third-party hosted beacons, etc. relies on users not editing their /etc/hosts files (or on not changing the DNS settings on their mobile device to use a nameserver that blocks Facebook domains).

How much "brightness" is required to carry out such a strategy? If millions of users followed step 2 (or blocked Facebook domains through another means), what would happen? How would the "brightest minds" respond?
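The comments above treat "block Facebook domains via /etc/hosts" as a single step. The following is an added example, not code from the thread or from any real blocklist: it parses a constructed hosts file and reports which hostnames it actually sinkholes. It makes the main caveat visible: a hosts file has no wildcards, so blocking `facebook.com` says nothing about `m.facebook.com` or `connect.facebook.net` unless each name is listed. The hostnames, addresses and file contents are all constructed for illustration.

```python
"""
Added example (not from the thread): parse a hosts-file blocklist and check
which tracker hostnames it really covers. All names and addresses below are
constructed samples, not copied from any real blocklist.
"""

# Addresses that sink a name instead of pointing it at a real host.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Standard loopback names that legitimately map to 127.0.0.1 / ::1.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file: comments, blank lines, several hostnames on
# one line, and one real (non-sinkhole) mapping.
SAMPLE_HOSTS = """\
# /etc/hosts (constructed sample)
127.0.0.1   localhost
0.0.0.0     facebook.com www.facebook.com   # main site
0.0.0.0     connect.facebook.net            # social plugin / pixel loader
0.0.0.0     pixel.example-tracker.test
192.0.2.10  intranet.example   # real mapping, not a block
"""


def parse_hosts(text):
    """Return {hostname: address} for every name mapped in a hosts file.

    Lines are 'address name [name ...]' with optional '#' comments.
    Hostnames are case-insensitive, so they are stored lower-cased.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping[name.lower()] = address
    return mapping


def is_blocked(hostname, mapping):
    """True only on an exact name match: hosts files have no wildcards."""
    name = hostname.lower()
    if name in LOOPBACK_NAMES:
        return False
    return mapping.get(name) in SINKHOLE_ADDRESSES


def blocked_names(mapping):
    """All hostnames the file sinkholes (loopback aliases excluded)."""
    return {name for name in mapping if is_blocked(name, mapping)}


def coverage_report(mapping, hostnames):
    """{hostname: bool} telling which of the given names are sinkholed."""
    return {h: is_blocked(h, mapping) for h in hostnames}


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    to_check = ["www.facebook.com", "connect.facebook.net",
                "m.facebook.com", "intranet.example"]
    for name, blocked in coverage_report(hosts, to_check).items():
        print(f"{name:24s} {'blocked' if blocked else 'NOT blocked'}")
```

Run against the sample, `m.facebook.com` comes back as not blocked even though `facebook.com` is: every subdomain a page might load from has to be listed separately, which is why hosts-file blocklists are long and go stale. The same check also shows the hosts file is only consulted by resolvers that read it; a mobile app or a browser using DNS-over-HTTPS bypasses it entirely.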


As the unethical nature of the practice is an important argument for it being illegal, it is important that this self-serving nonsense is challenged wherever it shows up, and especially where it is not illegal.


> to grow their businesses

Very much not an excuse. It's up to the business to work out how to do this within the law.

> and reach customers

If I am not a Facebook user I am not your customer.


It bears repeating that Facebook users aren’t their customers either. They are the product.

It is even worse to be made into a product that FB sells when you aren’t even a FB user.


Tell that to credit agencies


It doesn't. And it is a mistake to take ethics for granted and think of it as a norm because the majority of people, including those who govern and implement businesses make unethical things every day. I hope this might change once but for today the only constructive strategy is to accept this fact and defend yourselves.


It's totally okay when somebody else is doing it too.

A bit like when you wait for the green light to walk over the street; if you see someone walking the red light, you walk it too.

Of course you still get flattened by a semi-truck doing 50 kph.


Standards, ethics and legality are unconnected.


of course not

I also don't see any advantage for the user, getting ads is not in their interest.


It is, if having access to the site is in their interest. The site needs ads to survive, they are a form of payment.


The internet existed before ads, people created content and hosted websites without invasive tracking.

And let's be honest, most ads are total garbage.


I remember the 90s internet. It was a neat place but I wouldn't call it very useful by modern standards.


usefulness today is not because of ads.


A lot of the usefulness today is bankrolled by ads.


I don't get why you are being downvoted; so many huge things are literally funded by ads. Google Maps is funded by ads, so is all of Google X. The money that started the development of self-driving cars and made people believe it was something that could be done soon was funded by ads. Where did Facebook get 2 billion dollars to buy Oculus to provide funding for VR? Ads. Perhaps in the future we will have a good model for micropayments and you can pay .1 cents for every webpage you visit, but in the meantime ads provide the revenue streams that make this work.


Even if, what does that have to do with the parent posting about "modern standards"?


...or the site dies if ads are non-compliant. If there is some vacuum, it'd be filled by other monetization schemes.


What other monetization schemes? No one is going to pay for access to a page with funny pictures, the site will cease to exist. Everything else will be behind a paywall and you call that an improvement? Up to this point in time, everyone had access to news, videos, science articles etc - for free. Those who didn't like being tracked had numerous options to avoid it. They also had the option to stop using these tracking sites. How is a 13 year old poor kid going to read the news after everything is behind a paywall? How about a poor adult?


Well then the site dies. Sites die all the time, why should Facebook be any different (on the long run of course)?

If users want your service, they will pay for it. If they don't, well then your services is not needed.


Because that destroys a whole industry of sites that are not good enough for people to pay for them, but thanks to the economy of scale, they can create quality content (and a living out of it) anyways. Your claim that it is not needed is proven not true by the very existence of these sites. There are many blogs that are sole income of many people, this will now cease to exist. How is that a good thing? This argument works on a free market; the free market that we had no longer exists and your argument is thus invalid, the state of market no longer represents the needs of people, it represents the will of the government and nothing else.


A free market only ideally represents the needs of people if people in fact express their needs. Aggregating user data and using it without consent does not fit that model. There is no obvious reason to believe tracking users "represents the needs of people".


Thanks to data collection and aggregation, the ads are targeted better, and thanks to that, the sites are earning more, and thanks to that, small scale content creation is a viable career. Now that ad revenue will be most definitely cut down to almost zero, a whole sector of small content creators will be destroyed and move to centralized platforms such as Facebook will be encouraged (because only on centralized platforms enough data can be collected in order to properly target ads, because that is the only remaining way how to have at least some audience and because it's free).


What is your reason to believe ad revenue would drop to almost zero?

Revenue might be lower. That is not in itself proof of a worse outcome. Maximising numbers like revenue or GDP is not good per se. Neither is maximising the amount of content created. If you want to know the trade-off is worth it you also have to look at the costs. The impact of tracking on privacy is not zero. The impact of ever more attention grabbing ads is not zero. The impact of persuading us to buy ever more stuff is not zero.

Also, the vast majority of small scale content creators are hobbyists.


This assumes that because it was viable in the past, it must be viable today. Maybe ads had more revenue then, but times and people change, and now ads aren't that lucrative anymore. One needs to factor this into the decision to continue hosting a blog or whatever else. This trend was foreseeable. On a personal note, this is good. Ads are either annoying or outright dangerous. So the less, the better.

If you want to host your blog, then just pay for it. I do the same. Not because I want to earn money with it, but because I want to. I can see why this is a problem for commercial entities, but not for personal stuff.


> Noone is going to pay for access to a page with funny pictures

So the site will die, because nobody thought it had any value.

What's the problem?


Eh, what's the problem? That a business (someone's living) was pointlessly destroyed, maybe? How do you know that people thought it had no value? It had enough value that they didn't care about all the ads, at least.


Nobody owes you a living.

Nobody owes artists a living, a vocation that traditionally was engaged in alongside traditional paying work.

Nobody owes advertisers living, or their eyes and attention.

Nobody owes a living to the person who makes their money from ads all over their blog.

I'm sorry, but if your business model boils down to using your unknown blog and barely visited web site as a vehicle to bombard people with ads for money then you don't have a business model at all.


Nobody said that anybody owes anything. Please read properly.


Many businesses were destroyed by abolishing slavery as well. Just because a business exists currently doesn’t mean it should always deserve to continue existing.


>Up to this point in time, everyone had access to news, videos, science articles etc - for free.

I really don't like your definition of 'free'. wikipedia has been relying on donations for quite some time. guardian.co.uk is one of the recent examples asking for donations and working out for them.

>science articles

Ok that has to be a joke, the paywall journals subscriptions are nothing like ads.

Please, don't conflate any pay method with pay wall (which is a pretty good one). If business cannot retain itself w/o breaking the law and has to shove unwanted images/videos/etc. straight in the face, it may as well not exist. The ads have degraded user experience in so bad ways that having a page with little content and 'next' button just to show more ads is pretty much the norm now.


You overgeneralize. There are many sites with normal ads that don't disturb the users much. And again - no user experience (on a non-existent site) is better than a degraded user experience? Why don't you just stop visiting the site when it doesn't matter to you if the site ceases to exist and let the rest of us do what we want to do?

> breaking the law

No one is breaking the law yet. The law has been changed, and has been changed in a way that destroys businesses and people.


So be it. Either make proper ads or don't. Nobody needs that tracking stuff, except shady advertisers.

Or: just make it opt-in.


You don't need to track users up and down the internet to be able to serve a damn ad.


Yes, on their site. Not on any other site.

A somewhat related note: Relying solely on ads is a bad idea. Personally, I'll install an adblocker on every PC I get access to (family and friends stuff).


" thousands of businesses to grow their businesses and reach customers across the EU"

EU doesn't care about this. Like this argument works only in the US.


> ethical?

Yes, tracking cookies are ethical. If some internet users do not want to get tracked - they can run their browser in Incognito Mode.


Opt out crap used to be physically mailed to people until it was made illegal. It’s a new version for the same gross behaviour.


This is inconvenient and disables other functionality.


Looking forward to May (when GDPR officially comes into force). Provided that it doesn't end up like the cookie law (and there are explicit provisions in GDPR and ePrivacy to avoid that) this might shake up the ad industry:

* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service

* Opt-in/out separately for every activity (no more "research purposes")

* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)


What we are seeing is that the ad providers are considering themselves "controllers" under the GDPR and the tracking of device ad identifiers as critical to their business. Hence, their plan is to inform of the collection via a privacy policy but not to offer users the opportunity to affirmatively consent to allowing their advertising ID to be tracked. It's dispiriting.


I'm pretty sure that this kind of behavior will be shot down by EU or local courts. The GDPR contains parts where it explains what kind of reasons might lead to the overriding of legitimate or critical interests.


If this is the case, I imagine a lot of profitable sites will be geo-banning EU users who don't subscribe to a payment plan as a non-profitable drain on resources.


Sounds like a good business model. Look at what US tech companies don't want to abide by EU law. Copy their app, but without all the privacy issues, make it free for all, incl EU. You already know what to copy, you don't need to do any research. Development and business risk is much less.


> business risk is much less

Minus the part where you're giving away your product for free with legally mandated nothing in return.


That's a possibility.

The GDPR does forbid hinging service quality/availability on consent but I don't think it forbids putting it behind a paywall as alternative.


The GDPR does forbid hinging service quality/availability on consent

Although this is one of the areas where it seems some sort of challenge is inevitable. Requiring businesses to give people more control over data about them is one thing. Requiring businesses to do things that make no business sense, like providing services to people despite getting nothing in return, is something else entirely.


It doesn't forbid you to provide free service, to my understanding, you can charge for the service but you can't provide a worse free experience when a user opts out.

Additionally, this does not affect data that is necessary to operate the service. When you run a GPS tracker app then it is entirely okay to ask for the right to process someone's position as part of that contract (as long as you don't share it with a third party).


There doesn't seem to be any problem with either totally free or paid services. The potential problem is with business models that are free in financial terms but instead rely on some form of data or advertising for their source of revenue.


Those services will have to obtain an opt-in for users and can't deny services based on opt-in, yes.

Essentially the GDPR makes such a business model almost unsustainable. IMO rightfully so.


I have very mixed feelings on this one.

Personally, I value my privacy. I don't tend to use services like Facebook, mostly because I don't want to encourage that sort of perpetual surveillance or volunteer that much data about myself (or encourage my friends/family/colleagues to do so for me) to be used for purposes I don't fully understand.

On the other hand, apparently there are literally billions of people in the world who disagree with me. Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.

Requiring such a business to allow users more control over how data about them is being processed is one thing, and there are pros and cons that reasonable people can debate in that area. But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.


>But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.

I would say that being popular does not correlate with being good and moral. Being successful does not correlate with being good and moral either.

>Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.

The patient is not always right. A lot of people would give up privacy for facebook because in the faustian bargain, the short-term benefit outweighs the long-term consequences.


Hopefully it specifies opt in instead of opt out. I can't tell you how many things I've forgotten to do while being conscientious because it was just so out of the way.


GDPR wants absolutely undeniable consent including that if you give consent, the corporation involved has to keep proof that you consented. It is very much opt-in.


Yes it's opt-in, and consent also has to be as easy to withdraw (at any time) as it is to give.


Their interpretation isn't necessarily going to hold up.


Can you elaborate on what you mean by "doesn't end up like the cookie law"? I'm an American and don't have much awareness of this other than I've noticed that sites in the EU like the Guardian tend to have annoying banners saying they use cookies at the bottom of their splash screens.


You can read more about the cookie law here: https://www.cookielaw.org/the-cookie-law/

Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.

This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).

With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as is. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).


But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.


If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).

Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.

So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:

a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes

b) stop tracking users unnecessarily in general

As it is written, the options are:

a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong

b) slap an annoying banner on your web site

One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
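The DNT signal mentioned earlier in the thread and the "click no and get a single `optout=true` cookie" scheme described just above are both decisions a server makes before it sets cookies. The block below is an added example, not code from the thread or from any site it discusses: a framework-free policy function over request headers that treats absence of any signal as no consent, honours `DNT: 1`, honours the opt-out marker, and still sets the cookies the site needs to function. The cookie names, the necessary/tracking classification and the header layout are assumptions made for this example.

```python
"""
Added example (not from the thread): a consent-gated cookie policy.
Signals, in priority order:
  1. DNT: 1              -> user asked not to be tracked; no tracking cookies
  2. cookie optout=true  -> user clicked "no" on the consent prompt
  3. cookie consent=yes  -> user clicked "yes"
Strictly necessary cookies are set regardless; tracking cookies only on
affirmative consent. No signal at all means no consent (opt-in model).
Cookie names below are assumptions for this example.
"""
from http.cookies import SimpleCookie

# Constructed classification of the cookies this hypothetical site sets.
STRICTLY_NECESSARY = {"sessionid", "csrftoken", "optout", "consent"}
TRACKING = {"_tracker_uid", "_ad_attribution"}


def parse_cookie_header(value):
    """Parse a Cookie: request header into {name: value}."""
    jar = SimpleCookie()
    if value:
        jar.load(value)
    return {name: morsel.value for name, morsel in jar.items()}


def tracking_allowed(headers):
    """True only if the request carries affirmative consent to tracking.

    `headers` is a dict of request headers; names are matched case-insensitively.
    """
    norm = {k.lower(): v for k, v in headers.items()}
    if norm.get("dnt", "").strip() == "1":
        return False
    cookies = parse_cookie_header(norm.get("cookie", ""))
    if cookies.get("optout") == "true":
        return False
    return cookies.get("consent") == "yes"


def cookies_to_set(headers, wanted):
    """Reduce the cookies a handler wants to set to those policy permits."""
    allow_tracking = tracking_allowed(headers)
    permitted = {}
    for name, value in wanted.items():
        if name in STRICTLY_NECESSARY:
            permitted[name] = value
        elif name in TRACKING and allow_tracking:
            permitted[name] = value
        # Unclassified cookies are dropped: every cookie must be enumerated.
    return permitted


def record_consent_choice(choice):
    """Cookie to set when the user answers the prompt. 'no' yields one
    non-identifying marker and nothing else, as described in the thread."""
    if choice == "yes":
        return {"consent": "yes"}
    return {"optout": "true"}


if __name__ == "__main__":
    wanted = {"sessionid": "abc123", "_tracker_uid": "u-42"}
    for hdrs in [{}, {"DNT": "1", "Cookie": "consent=yes"}, {"Cookie": "consent=yes"}]:
        print(hdrs, "->", sorted(cookies_to_set(hdrs, wanted)))
```

Note the ordering: a `DNT: 1` header wins over a stored `consent=yes` cookie, on the reasoning that the browser-level signal is the user's most recent statement. A site that wanted the opposite precedence would swap the first two checks; what must not change is the default branch, which returns no consent when nothing is present.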


Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.


Unless you are charging for the content, I suppose.


Not tracking users.

From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.


Websites in the Netherlands (and German public broadcasters) already follow the original ideal:

Before accessing the website, you get a choice between yes and no.

If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.

If you select yes, you get the tracking.


Honestly asking... Does anyone ever click yes?


Probably, because many other sites implement it as "yes means you get to go to the site, the no button is a link to google.com"


No, you could outlaw degrading functionality, which is what they are doing in the new law.


How do you do this for services where functionality is reliant on tracking etc? E.g. some of Google's services.


You can only degrade when the user's denial exactly relates to the function of the service.

I have history turned off in google maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.


I may have understood wrong, but it seems to me that for your maps degrade, the tracking may relate very much to the function of the service. How is the server supposed to remember the name you gave to each point without tracking you? Remember, there are many round-trips to the server when you're scrolling and resizing a map. They could always move point-naming override client side, but that's a pretty big change.


You don't do these services without obtaining the user consent first. Simple as that.


IMO the cookie law was good and (ianal) but a banner in your face is not consent, not in an opt-in way at least.


If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]

[0]: https://en.m.wikipedia.org/wiki/Standard_form_contract


EU consumer rights specify many (types of) terms that are considered unfair in various common contracts, so if they're included in a standard form contract offered to consumers, they're automatically considered null and void. I.e. it's a general legal principle that because such contracts aren't negotiated, there's one-sided leverage, and certain classes of terms are inherently abusive to consumers, therefore even if a consumer "agrees" to them and signs a contract including these terms, they shall not be considered binding.

GDPR extends this concept also to consent for processing private data - there are some ways in which that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes into force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and cannot give you any rights to use that data, no matter what is written there.


The cookie banner does not put me in a "take it or leave it" position. By the time I get to learn of the terms—by any reasonable definition a prerequisite for consent—the other party has already set a bunch of cookies.


Contracts of adhesion are almost universally derided as being quite one sided and shitty to people.


How is GDPR different in this regard?


But opt-in for what? For being tracked? Using your data? Just showing you an ad?


You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.


Defend it? What happened with "innocent until proven guilty"?


This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.


> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws

Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.

> This is a corporate regulation, not a criminal case.

That doesn't matter in most EU countries.


The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.


This isn't a criminal case.


Most European constitutions don't limit this principle to criminal cases - actually, most of the time they specifically say that it especially applies to interaction with the government, on top of criminal cases.


The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.


TL;DR: sites were obliged to provide information and ask for consent when using marketing cookies. That is, cookies required for the site to work (e.g. session) were fine, but tracking/analytics were not. Everyone started to show banners saying "we use cookies [OK] [what cookies?]", users just got used to clicking OK on them, and almost nobody has any clue what this was all about.

You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.


> I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit

Hello. I have moral objections to excessive tracking, and none of my businesses use things like retargeting based on tracking pixels, even though this would almost certainly improve the conversion rates for our online ads significantly.

There, now you've seen a case where a business self-regulated out of potential extra profit in exactly this area. :-)


Thanks!

Sad that you don't link to your businesses in your profile, now that you've made me want to check them out and maybe reward them with money.


Ah, the perils of pseudonymity! Thank you for the nice thought all the same. :-)


Explicit consent is the principle I'm most curious (and pessimistic) about. It's one of those things that are very easy to describe in everyday terms, but almost impossible for legal enforcement to work with.

There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed."

When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.


It's pretty easy: the law says that you always have to take a willing action to opt in. There can be check-boxes, but they need to be unchecked by default ("privacy by default"). Simple. I have already received multiple communications from banks and credit card companies, and they are all very explicit about it; it was very easy to see the choices and the effect of the law.
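As an added illustration of the design the comments above converge on (the Dutch-style "yes/no before any tracking" gate, the per-purpose enumeration of data uses with a separate opt-in for each, and check-boxes that are unchecked by default), here is a small purpose-based consent gate. This is example code written for this page, not code from any commenter or from any real consent library; the purpose names, tracker names and the `consent` storage key are all made up for the demonstration, and the in-memory storage stands in for `window.localStorage`, which has the same `getItem`/`setItem`/`removeItem` shape.

```javascript
// Added example: a privacy-by-default consent gate. Purposes, tracker names and the
// storage key are hypothetical; MemoryStorage is a stand-in for window.localStorage.

// Every data use is enumerated. Only "functional" is essential (the site cannot work
// without it); everything else is off until the visitor explicitly turns it on.
const PURPOSES = Object.freeze({
  functional: { essential: true, label: 'Session and login cookies (required)' },
  analytics: { essential: false, label: 'Usage analytics' },
  ads: { essential: false, label: 'Targeted advertising' },
});

const CONSENT_KEY = 'consent'; // hypothetical storage key

// Constructed sample of the third-party tags a page might carry, each tied to one purpose.
const SAMPLE_TRACKERS = [
  { name: 'session-cookie', purpose: 'functional' },
  { name: 'analytics-tag', purpose: 'analytics' },
  { name: 'ad-pixel', purpose: 'ads' },
];

// Minimal localStorage look-alike so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// "Privacy by default": non-essential purposes start unchecked, i.e. denied.
function defaultChoices() {
  const choices = {};
  for (const [name, purpose] of Object.entries(PURPOSES)) choices[name] = purpose.essential;
  return choices;
}

class ConsentManager {
  constructor(storage) { this.storage = storage; }

  // Nothing is written before the visitor has actually made a choice.
  hasDecided() { return this.storage.getItem(CONSENT_KEY) !== null; }

  choices() {
    if (!this.hasDecided()) return defaultChoices();
    return { ...defaultChoices(), ...JSON.parse(this.storage.getItem(CONSENT_KEY)) };
  }

  // Called when the visitor submits the form. Only an explicit `true` on a known,
  // non-essential purpose counts; unknown keys are ignored and essential purposes stay on.
  record(selected) {
    const choices = defaultChoices();
    for (const name of Object.keys(PURPOSES)) {
      if (!PURPOSES[name].essential && selected[name] === true) choices[name] = true;
    }
    this.storage.setItem(CONSENT_KEY, JSON.stringify(choices));
    return choices;
  }

  // Withdrawing is one action, the same as granting: back to the default (denied) state.
  withdrawAll() {
    this.storage.setItem(CONSENT_KEY, JSON.stringify(defaultChoices()));
  }

  allowed(purpose) { return this.choices()[purpose] === true; }

  // The single place that decides which tags may run. A real page would inject
  // the <script> elements here and nowhere else, so nothing loads ahead of consent.
  trackersToLoad(trackers) {
    return trackers.filter((t) => this.allowed(t.purpose)).map((t) => t.name);
  }
}

// What the page does on each request: content is always served (opting out does not
// degrade the service), the prompt is shown until a choice exists, and only the
// consented tags are loaded.
function renderPlan(manager, trackers) {
  return {
    serveContent: true,
    showConsentPrompt: !manager.hasDecided(),
    trackers: manager.trackersToLoad(trackers),
  };
}
```

The point of routing every tag through `trackersToLoad` is the one raised in the thread about cookies being set before the terms are even shown: if no other code path can start a tracker, a first visit yields the content plus the prompt and nothing else, and a later withdrawal takes effect on the next render without any content being withheld.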


I guess I can't go forward without reiterating the argument, so I guess I'll stop. But, I think considering it easy is naive, considering the mountain of experience to the contrary.

Some things are hard to solve with laws.


At least in Italy, this has been the way it works for years. When I sign something privacy-related I get at least two boxes: one for the treatment of my information for functional purpose (that is, "we can't even take this paper back if you don't give us permission"), the other for research and marketing purposes (that is stuff not essential to the performance of the service). It's working quite well, in my case at least.


It's even harder to solve without laws. And it needs solving.


And, are Italians now enjoying better privacy than the rest of us?


Note: the following questions are not because I'm trying to figure out how to work around GDPR. They are to help figure out just what the meaning of it is. Imagining hypotheticals that try to work around a law is a common method in legal circles for clarifying the law. My employer does not keep any data that would be problematic, and compliance looks like it will be pretty easy for us [1].

> Explicit consent for non-essential data use, [...]

This raises a bunch of questions. Anyone know the answer to any of these?

1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

> [...] you always need to provide opt-out without degrading the service

2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.

On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?

3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.

If they say that they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.

If they say they are, I just send them to a page that says EU people are not allowed to use my site.

What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.


>1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

If you use the data for bank transactions or PayPal subscriptions it's essential.

If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.

>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.

Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.

>3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.

>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.

If they say no, I would say that is okay to believe, considering the GDPR also requires an "Are you 16?" question. Ask a lawyer.


> EU citizens outside the EU.

Where is this specified? It's not what I understood from Recital 23†; as far as I can tell, it applies if the business is established in the EU or if the user is in the EU, but not to EU citizens outside the EU (if the business is foreign).

https://gdpr-info.eu/recitals/no-23/


I read your link, and I think it depends on what "being in" means in the phrase "data subjects who are in the [European] Union". It could refer either to physical location (as in "I am in Germany") or to membership (as in "Germany is in the EU"), or possibly to both. I would also expect it to refer to physical location after reading this, but I'm most definitely not a lawyer.


Germany is not a data subject, so I don't think it can be read that way. Others agree: https://www.linkedin.com/pulse/gdpr-does-apply-eu-citizens-g...


> What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.


> 1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

IANAL, but intuitively, I'd say no.

In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)

Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.

In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".
