I am reminded of this, from Paul Graham, about his time at Yahoo: http://www.paulgraham.com/yahoo.html
"...The reason Yahoo didn't care about a technique that extracted the full value of traffic was that advertisers were already overpaying for it. If Yahoo merely extracted the actual value, they'd have made less."
I'm pretty sure that, the more we learn about how well advertising works, the less money people will be willing to pay for it. What's happening to billboards and newspapers right now is probably coming to several other industries soon.
I know Twitter isn't known for being the best at advertising, but it was made exceptionally clear to me that online advertising is a massive bunch of lies when I did my GDPR Twitter data export and it included me in a bunch of incorrect, non-sensical and contradictory ad targeting groups.
Twitter claims I:
* Own a cat, dog and other animal (I don't)
* Have between $100k-$999k liquid investible assets (I don't)
* Have a net worth between $1 and $1m (cool - I own *something*)
* Am highly affluent (/shrug)
* Am a high spender (okay...)
* Am a frugal spender (...but how can I be both a high spender AND frugal)
* Own a house (I don't)
* Have multiple families (I don't)
This is expected. It's not desirable, but it is expected.
The problem is you're comparing it to an absolute. I.e. to perfect.
If advertisers had that choice, they would love it. They generally don't. Remarketing is kinda close, but limits the scale.
Rather, the only other scalable options are far worse. Think about it. What are the marketers' other choices?
The one that should come to mind, and the one they spend most of their money on: TV.
With TV you pick up a huge amount of waste. Say you buy a spot on Big Bang because you want people thinking of buying a new iPhone. Not a big stretch, right? At the same time, think of all the other people they have to buy, who watch the ad and aren't buying an iPhone. It's waste.
And that waste is huge relative to what you're talking about above.
So you're asking the wrong question here. It's not how good is the targeting in terms of precision/recall. The question is what's better?
The waste here is generally known & it's priced accordingly.
> I was very disappointed that the Google and Facebook data exports don't contain this data.
It's in my Facebook export. Under "Information About You" did you uncheck "Ads"?
That's where the information is contained & it's checked by default.
You can also view it here for both FB & Google, as well as opt out of both:
Is it really worse than "this article is about X, Y is related, let's show some ads for Y"?
I bet from the point of view of the advertisement middlemen it is not. Because they capitalize mostly on showing ads of products that people already decided to buy or are very near deciding. But that is yet another racket that only decreases the value of the industry. My question is, from the point of view of the real advertisers (the ones selling something), is it really worse?
So you'll end up having to try to monetize something that has little to no related things that are profitable to advertise.
Advertise on a tech site, 80+% will be interested in tech.
Advertise on a dog community site is probably pretty spot on if you want to target dog owners...
Far better than what, 5%? This isn't rocket science, we sold everyone's integrity for pennies.
> who watch the ad, and aren't buying an iPhone. It's waste.
No, advertisements like that are more about selling the brand than selling iPhones. Something TV is probably pretty good for.
That would probably target dog enthusiasts or dog hobbyists or dog fanatics, which are all subsets of dog owners.
I think that one of the things that makes social media ad targeting so attractive to advertisers is that they can target the dog owners, instead of just the enthusiasts/hobbyists/fanatics.
Big brands struggle with UGC. Witness the events of YouTube & brand safety.
But even without that, what you're saying just isn't scalable. What community site can reach even 50% of dog owners -- let alone what a primetime sitcom or YouTube can reach?
> No, advertisements like that are more about selling the brand than selling iphones. Something TV is probably pretty good for.
What? Sure, they have campaigns running for awareness, recall, perception.
But you're really saying Apple doesn't dramatically increase its spend when a new phone is released? That's poppycock.
> But you're really saying Apple doesn't dramatically increase its spend when a new phone is released? That's poppycock.
When is the best time to sell the brand? When your flagship is a year old and still costs as much as on launch day and when the competition has surpassed you? Hardly.
If you buy ads, you want them displayed to the non-fanatics who are not influenced by experience and are vulnerable to brand exposure.
But the only one who cares is the middleman. They are the only ones that benefit from the scale.
Give me a list of dog community sites to target 1 million dog owners.
Now tell me how expensive it would be to show ads on these websites.
Plenty of dog owners are on Facebook, much easier to target 1 million dog owners there instead.
Did I forget to mention that it's for a dog shop in Montreal? Good luck!
Again, I guess this is because Twitter sucks at advertising.
All the things FB has done to extract things like restaurant data etc. are product development they undertook. Twitter spent 10 years moving from 140 characters to 280 instead.
There is no reason why Twitter couldn't have done the same 5 years ago. And no reason that they can't do it now.
(Also people are just as likely to follow and talk about things like tv shows and music and politics on Twitter as FB)
IOW, Twitter followers may be total strangers to many IRL, unlike Facebook followers.
I think advertisers have been chasing a chimera via targeting, because not only doesn't it work well, but there is a trade-off to maintaining a brand.
I try to buy quality goods because cheap stuff doesn't last. That means spending more up front to spend less in the long run. So frugal, but also maybe high spender?
My mom always says: if you're poor, you can't afford to buy cheap.
I don't think they pay off long term, at least it seems heavily dependent on the product type. That's because we are playing a lottery game: even if this product breaks in 0.1% of cases vs 5% of cases for a much cheaper product, we're not buying large numbers of them, we're buying just one, and while the probability of it breaking on me is smaller, it can still happen and the monetary loss would be much larger than if I were to buy the cheaper product. That is, the warranty doesn't scale with the price (the expensive top quality TV is $2000 and the cheaper one is $500 and both have 1 year of warranty); for the same money I can buy 4 of those $500 TVs and they would last at least 4 years (but I'm very likely to find at least one that will work much longer, since I'm buying up to 4 of them).
* Your age bracket;
* The fact that your net worth is positive (not deep in debt);
* Whether you live in a city / suburb / countryside;
* Which part of country is that;
* Your gender;
* Your race / ethnicity, broadly?
* Yes, but the age bracket for me is _very_ wide (it says "alive and not in need of new knees yet probably", but not much more)
* They didn't have this info
* This was wrong
* No, they didn't have this (although the country itself was correct)
* They did not have this
It's a bubble!
I think it is intentional stretching of the interests way too far to look better for advertisers.
In more detail:
Maybe it was all the clicking on CafeMom.com (mommy blog with tons of trackers and ads) while I was testing the Pi-Hole set up. :-)
Facebook has it available, if not in their Download Your Information tool. Go to Settings -> Ads -> Your Information -> Categories.
But interesting page. Looking at the "advertisers who have added your details to their targeting list" it again shows how bullshit this industry is:
* Playstation in 19 countries
* Musicians which I definitely don't listen to, like Keith Urban, Post Malone, Jack White, YBN Nahmir, and Ziggy Marley, whoever these people are.
* Pages like "Top Kickstarter Watches" and "Top Kickstarter Inventions"
* A bunch of restaurants that I've never been to, but are in the same complex that I used to live in (thanks whoever sold/'shared' my email, literally probably my former real estate agent)
I also see a lot of PlayStation related ads on my news feed... I haven't used a PlayStation since I got an Xbox one!
Also, one can be a high spender and frugal. A person who buys one pair of very expensive shoes and wears them for 10 years rather than buying 10 pairs of inexpensive ones would be such a person.
Facebook does have demographics and targeting data. Go to Settings -> Ads -> Your Information -> Your Categories. I haven't found a way to export it.
On the categorization side, Facebook does a half decent job considering I don't upload anything on FB or any other sister sites.
Twitter on the other hand might be running an algorithm which tries to extrapolate too much from the available data.
Twitter is just entirely incompetent at everything, so no surprise they get their advertising product wrong too.
The fact that you choose to purchase certain items over other equally suitable items is largely because of advertising.
If that's true, it's not because ad tech doesn't work, it's that most advertisers don't use it properly. A large percentage of my company's revenue comes from performance marketing (running paid traffic to affiliate offers) and it works very well for us. You just have to know what you're doing, make sure you're not getting too much bot/junk traffic, and bid the appropriate amounts. We've written software that handles all of this automatically, and our paid traffic campaigns do amazingly well. Show me another investment in which you can reliably and consistently achieve 30%+ ROI weekly with a fair amount of scalability.
Ironically, native ad networks like Taboola and Revcontent will flourish in the new GDPR world. Since they target ads based mostly on nothing more than the topic of the content that the user is viewing, these ads are effective enough for smart performance marketers to make money with, and GDPR doesn't fundamentally change anything about their model. EU advertisers will flock to native and abandon other forms of advertising that were based on more invasive targeting.
I can't believe nobody is making a profit. I just suspect most of the trick is in generating demand, not finding it. That or diversifying offerings.
I’m not sure what you mean by that. But generally we get about a 30-50% ROI on our native ad campaigns once they are optimized, and most affiliate networks pay weekly if you produce significant revenue. We do better than most because I wrote some clever stuff to identify sites that were sending us mostly bots/bad traffic and automatically blacklist them from showing our ads. There are a ton of these in the native ad space.
I just suspect most of the trick is in generating demand, not finding it.
There are evergreen affiliate niches such as weight loss, hair loss, erectile dysfunction, etc. Aging, bad genetics, and poor lifestyle choices generate the demand for us. Making money in these niches is generally as simple as placing ads on sites where people that belong to certain known demographic groups visit, and reducing fraudulent traffic by as much as possible.
That said, the niches you describe sound like snake oil markets. :(
EDIT: reminds me of that one story about A/B testing, which pretty much directly told us how adtech companies are bullshitting their own customers.
I highlighted the more interesting parts back then: https://news.ycombinator.com/item?id=10873226.
In it E. Ann Hollier and Tim Ambler make a strong case for what has been known from the start about branding: that mass media do it best, without performing at the personal level. One corollary for their case might be, "Not everything you value can be measured, and not everything you can measure has value."
Because digital advertising can be both targeted and measured, the whole advertising business decided that ads perform only when they are targeted and measured. But that's not advertising, really. That's direct marketing, which -- as I say in that post -- is descended from junk mail and a cousin of spam.
It's no accident that the $trillion or more spent on adtech hasn't produced a single brand known to the world.
The unanswered question is the one raised in The Problem With Targeting (https://www.dotcoma.it/2015/06/22/the-problem-with-targeting...), and pretty much everything Don Marti and Bob Hoffman (look them up) have been writing as well: is it possible for online advertising to brand products the way offline print and broadcast media could, and still do?
I suspect the answer is no. But my mind is open on the matter.
Compared to what?
It may be easy to provide evidence for:
* Time and resource intensive prebiased word of mouth has a higher conversion rate.
* Conversion rates for mass advertising are very low numbers.
It is also easy to provide numbers for:
* Conversion rates for targeted advertising are significantly higher than non-targeted advertising.
* Having a non-existent marketing strategy for scale markets has a high probability of failure.
What is your position exactly?
Consider also some of what is implied throughout the article, that changes implied may price smaller companies out of the market. This doesn't bode well for competition, particularly for less funded competition. Small p&l organizations typically need to market to drive revenue, they're rarely in a position to push brand marketing strategies alone. Indeed this is a common huge difference between fine and coarse targeted platforms - when did you last see a small p&l trying to advertise on cable? What about on fine target platforms such as Facebook? Do you want such companies to become competitors to brand giants?
I test drove a car and after I got almost a dozen follow up calls while I was busy with other stuff, I blocked the dealership number. They kept calling me from other numbers, which I also blocked (with the new Android spam filter on my phone). But the amusing thing was that I started seeing ads for the dealership online promoting their "low pressure" sales team!
I made fun of a company called Salsify for naming their business after oyster plant, a root vegetable I can't stand, and now I see ads for them all the time.
That sounds like a statement from someone not very familiar with advertising.
Minimally it's contrary to the agency model & its incentives. A lot of spend (the majority?) goes through that model, and it's not likely to change any time soon. And if anything, GDPR will increase it.
That said, even as measurement & attribution improve, the reality is that the effect will be to shift spend around. The better an advertiser can identify waste, the better they can redeploy that spend. Because that improves the ROI, the less it hurts the margin, and the more it makes sense for them to spend.
If that was true, Coca-Cola and McDonald's wouldn't exist.
McDonald's is a funny one. They really don't seem any worse than most other fast food to me. I suspect they saw more expansion from their franchise methods than anything else, though.
Which is not to say the marketing isn't important. I just don't think it deserves the full victory.
- Coke: their branding, market research, and consumer strategy got them where they are today. All are marketing functions.
- McDonald's: franchise go-to-market strategy, branding, consistency of product. All are marketing functions.
Whether or not paid advertising helped them is a whole different argument (and one I'd argue, as when 'tis the season, it's always the real thing...)
Might as well debate that "business" is responsible.
Especially if the success is not repeatable. Which, most early practices of large companies today are not repeatable by smaller companies.
The "business" defines the problem-space and strategic direction (in these cases, food/drink), marketing defines how you address the space (specifics of the products from research and evaluation, market positioning, promotion to audiences), operations executes on the above (supply chain, training, maintenance), and then customer support feeds into all three of the above.
This GCSE Bitesize piece (revision material for UK exams students take at 16) outlines why marketing is more than simply advertising and promotion: http://www.bbc.co.uk/schools/gcsebitesize/business/marketing...
Advertising is a subset of marketing, but marketing is a broad term, and is often mistakenly limited in how it's used in arguments (usually to belittle the role of it).
Consider, as well, that the engineering department is also responsible for the Product. In large, they are also influential in the Price. Yet, I think it would also be unfair to give engineering full credit for a successful product. Even if it was well engineered or poorly marketed.
Which is to further my point that I was not trying to dismiss marketing as a valid area that a company should invest in. I just don't think it should deserve full credit for Coke and McDonald's existing. :)
There is no reason to expect that ad spending will drop in total, because ads never worked very well in any medium, but they worked well enough that it's worth investing in them. The portion of ad spending in TV has not changed significantly in the past decades; what has happened is spending has shifted from newspapers to online. But overall the volume keeps increasing in all media.
I saw a similar up-ending of an ad-dependent industry 15 years ago with newspapers. Advertisers for years assumed a certain value based on the circulation numbers as reported by ABC. There was no real way to directly measure that value other than inferred activity within a geographic region that could arguably be tied to newspaper advertising. With the internet, advertisers began to be able to track specific value for ad campaigns based on click-thrus, cost-per-action, etc. Those values were lower than the assumed value of newspaper advertising, which began a shift in where money was spent. Combine that with the fact that ABC numbers started to show that they were far less accurate than originally assumed, due in part to gaming by the papers themselves, and revenue started seriously shrinking. The last firewall that newspapers had was classifieds, which quickly folded in the face of job and real estate sites and of course craigslist.
Internet advertising has been suffering the same game-playing by sites that newspapers pulled with ABC circ numbers, and as advertisers gather more and better performance data about the value of ads and campaigns they're realizing that value is less than they thought and seems to be trending down.
Regardless of whether there's more or less privacy for users/consumers, the indications are that advertising is becoming less and less valuable.
I don't see any evidence to support that. Total spending on advertising is increasing every year. Newspaper spending is down, Google & Facebook are way up. Overall it's up.
The math is 100 x 100, or one sale for every 10,000 eyes that see your ad.
In a vacuum, those numbers are awful. If your entire marketing strategy is buying ads to convert to sales, then of course, advertising doesn't work, and really, you probably shouldn't be advertising in the first place.
Also about half the market is branding, which is all about exposure rather than direct clicks or conversions.
(It's a virtual-goods product. Not subscription, but usually multiple-return customers. Around 70% gross margin since we have some high upfront provisioning cost.)
I just don't understand the anti-social media agenda. The same people who for 2 years have been saying that social media advertising is so effective that it got Trump elected are now saying it is ineffective. They demand that political advertising on social media be monitored because it is so effective that it gets presidents elected. Now, social media ad spending is so ineffective that these companies won't be around.
> What's happening to billboards and newspapers right now is probably coming to several other industries soon.
What's happening to billboards and newspapers is that ad money is flooding into digital space (where the young kids are).
Why speak so authoritatively about something you obviously know nothing about?
1) US election went “wrong”.
2) The same is happening to them
3) They’re mostly not hitting their own companies
Obviously it’s a lie. The “right” is gaining in Europe like crazy, not because of Facebook, but because the existing governments have seriously underperformed.
But politicians faced with the choice of admitting mistakes that they don’t even know how to fix, or to wildly and randomly strike at whoever got blamed ...
Is it really the same people? Do you have any examples of this?
So does that mean you think that social media advertising is effective as people claim and Russian use of it got Trump elected?
Regardless of whether your "same people" is a straw man, the opposite of a set of inconsistent claims tends to also be inconsistent, so I'm not sure what you are trying to say here.
People think that adtech has some incredible insights but 99% of data is terrible. If you check your profile at any major site, you'll quickly find that you're probably in several conflicting segments that have nothing to do with you. Context is still king for any marketer who knows what they're doing, but unfortunately the industry is overwhelmed with subpar talent and politics through layers of agencies that buy buzzwords like "AI" and "data". Barely any adtech companies have a direct link to a person, and any links that did exist are even harder now with adblocking, 3rd party cookie deletion, ephemeral mobile device ids, IP renewals, and other noisy and loose signals.
Interestingly, big companies like Facebook and Google that have user logins and 1st party data connections will actually benefit from the higher industry regulation and are not going to lose any of the data that users willingly give to them. ISPs are another major source of data, along with credit agencies and banks, and now giant ecommerce companies like Walmart and Amazon, all of which have very accurate and exhaustive histories and will see little change from GDPR. Overall it's well-intentioned, and good progress, but what it will do is vastly overstated.
However, financial firms are usually pretty against open academic research that would allow publication of papers. Many researchers truly value the ability to contribute to this field openly. Perhaps you are right and they will move to health.
We can see the next most lucrative fields where ML can be applied to by Alphabet's portfolio:
* Calico, Verily - healthcare
* Waymo - self driving cars
Another field which comes to mind is robotics, but Google liquidated their holdings related to this (Boston Dynamics) for some reason.
I wish I knew more about this subject.
EDIT: those two links might give you a quick overview:
- https://spaceindividuals.com/space-jobs?country=Germany (over 50% of all listed, but not surprising, since the site's owner is in Germany as well)
Right now, I'm trying to map the industry myself.
Also you can definitely apply ML techniques to data without PII, it's just harder, which actually makes the job more in-demand for high-quality talent.
Not to mention, no amount of AI-powered results can beat a slick sales team. $1M spent on a quality salesperson is much higher ROI than $1M on fancy AI engineering when it comes to relationship-powered media spend.
This should be printed in large letters on the wall of anybody claiming to do data science.
I would not at all be surprised if this is enough for the machine learning and data science people to be effective, especially at very high traffic sites like Facebook and Twitter.
Even the most sophisticated ad modeling pales in comparison to fintech and bioscience/pharma where the real money is.
At my particular company in logistics, I can see many places where it can be applied- especially in the dispatching of deliveries and helping to set up a call with customer support.
My guess would be similar learning systems that aren't subject to GDPR, such as government, external to EU (US), the ludicrous information of things (smart sensors, cloud, etc) where information doesn't leave the user's control, AI driven products, etc.
Then you'll have quite a few who will just continue regardless, sometimes it's easier to apologize (and pay a small fine) than it is to ask for permission.
Don't get me wrong, I would love for all of these people to end up in the (Scientific) health industry. (It's worth mentioning Scientific, as there is a lot of useless crap that uses some form of learning and offers no real gain - would be disappointing to see them all end up applying deep learning to homeopathy for example.)
Requiring them to check an "I agree to be tracked" checkbox and sign an agreement (which has just happened to me yesterday in an EU country in accordance with GDPR) before they can use a product/service is hardly much better. This reminds me of the Android app permission system which requires you to allow an app to do everything it wants (including ridiculous requirements like when a game requires access to your contacts list) or just give up the idea of installing it (as for me, I just grant the permissions at installation time and then block everything redundant with XPrivacy). So I doubt it is going to do much good, the same way the cookie law doesn't really do anything but just introduces useless cookie warning banners.
That's specifically not allowed under the GDPR. Either the information is needed to provide the service (and needed means actually needed, not "my business model depends on it"), in which case they don't need to ask, or the use of the service can't depend on that consent.
(By the way, even if the information is needed, they still need consent to use it in other ways, and the same applies)
See the ICO guidelines on the issue: "If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis."
I'm extremely skeptical of regulation that interferes with consensual deals between economic actors. You want transparency? Fine. But you don't get to randomly outlaw certain entire classes of business.
Business models are arbitrary and orthogonal to services provided.
> But you don't get to randomly outlaw certain entire classes of business.
Why not? Some business models are clearly antisocial and don't deserve to exist. GDPR is only outlawing business models based on large-scale abuse of people's private and identifying information. If you can obtain proper consent from a large enough percentage of your users, then your business model will be fine. If that's a problem for you, then ask yourself why.
I find it funny to see people complaining that their business model will be in trouble under GDPR. GDPR literally only outlaws being a huge asshole (in context of users' data).
That doesn't change the fact that the business model depends on that orthogonal action. Is it unlawful for gyms to charge by subscription instead of per-use knowing that most people don't use them? Should the NYTimes be forced to go pay-per-article instead of subscription? Should nightclubs not be allowed to overcharge for the bottle?
> GDPR literally only outlaws being a huge asshole (in context of users' data).
It goes beyond that, by forcing you to serve people that don't agree to your business model.
It isn't, and it shouldn't. Either can choose whatever works for them best. GDPR only outlaws a few particular antisocial behaviours, which makes a particular class of business models illegal or much less profitable.
The "but business model!" whining sounds a bit like complaining that you can't make money mugging people, because the government disallows theft and assault. Cry me a river.
That's a very interesting claim. So you're saying it'd be possible to organize fighter jet production as a co-op vegan collective?
Either way, you don't have an inherent right to specific business models and the EU is simply not allowing a business model anymore that has been widely abused. Of course it'll hurt some but I think overall the industry will adapt and change for the better.
This has become the default business model of the B2C Internet, as distinct from offering a service in exchange for payment.
Maybe "orthogonal" was a bit much. But almost always there's plenty of wiggle room to choose alternative business models.
People want more control over how information about them is used.
For the web, most people don't understand the scope of tracking and privacy. None of the people I know understand what these web companies are doing, how they are being tracked and what data companies have about them. Nobody reads the privacy notice on those websites. Even after someone tells them Facebook is tracking everything, they don't understand and just ignore it. There are no consensual deals on the web. So GDPR is for all of them (and for people who understand and want protection).
Also in America a company is more important than people. That's why there are so much negativity towards GDPR.
Of course if it's essential medication which people can't afford without the discount then that's another matter, but otherwise it seems kind of fair to me. And it gets a bit more complicated if you're in America where that data is going to be used by health insurance to adjust your premiums.
If revoking consent causes a detriment, then it's not freely given, and so that "consent" isn't sufficient to grant the data controller a legal permission to use that data.
Quoting recital 42 from https://gdpr-info.eu/recitals/no-42/ "[...] Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.", so it's quite explicit.
Bigger discounts would be a problem since that would be more of a detriment.
I wonder why not? Personal information is useless for most people, they give it away for free to the state institutions and the police won't even ask your consent. Some websites and services have found a way to make money off it, in exchange for free services etc. Why is this an ethically unacceptable proposition?
It's a bit ironic that you brought up mass surveillance because GDPR explicitly exempts the police and security services from its reach.
Edit (I can't post a reply):
- consent should always be required, but if you don't consent I shouldn't be legally required to service you. GDPR is more than just consent, hence the overreach
- The NSA has more data than any single actor on the internet, we can't possibly claim that private surveillance is worse. The NSA may have a better profile of me than any private actor even though (and especially because) I'm not American. And their profiling can harm something that businesses generally don't care to harm: my freedom
I didn't consent to shit. GDPR is the response to rampant abuse of personal data without obtaining proper consent. You're still allowed to use my data if I consent, you only have to obtain an actual, informed consent.
> The same way that when you go to a club, a strip club, or a casino you know you'll be exploited.
What kind of clubs are you visiting? :o. Are you sure they're legal?
> It's a bit ironic that you brought up mass surveillance because GDPR explicitly exempts the police and security services from its reach.
It isn't, because adtech surveillance dwarfs government surveillance. Also, the police and security services are doing something valuable for me, even though they do it imperfectly. Advertising industry exists only to fuck me over. It's a cancer on society.
That's a big point in GDPR, I think -- there never was consent. It's the same as why terms and conditions aren't legally binding: nobody actually considers there to be a valid agreement when they click next. In a sense GDPR is just enforcement of people's expectations, and ending predatory practices that were misusing them.
> consent should always be required, but if you don't consent i shouldn't be legally required to service you. GDPR is more than just consent hence the overreach
Yeah, and in a world where companies were not abusive, it would work that way. As it is, we both know perfectly well what happens - companies have leverage over users, and they'll use it. They'll make you consent to every kind of data abuse and sharing to use the service, exploiting the fact that giving up privacy doesn't feel like it's hurting at the point the data is being taken. GDPR is designed to remove that leverage - to make it impossible for companies to extract arbitrary consents on the threat of refusal of service.
This only really affects you if your business model was baiting users with "free" services, spying on them, and selling that data to adtech industry.
> The NSA has more data than any single actor on the internet, we can't possibly claim that private surveillance is worse. The NSA may have a better profile of me than any private actor even though (and especially because) I'm not American. And their profiling can harm something that businesses generally don't care to harm: my freedom
Sure, so NSA may have pulled in your e-mail history at some point in time. But it's mostly sitting there. NSA doesn't care about you unless you make yourself important to US national security. Adtech surveillance, on the other hand, tracks you constantly, through pretty much every device you have, every site you visit, and makes use of your data all the time. And all in all, this data might at some point find its way to NSA too, already nicely packaged. NSA vs. adtech is kind of like choosing high potential loss but very rarely, vs. low loss all the time. I'd say the expected loss is worse with adtech, but I'm still happy GDPR will make life difficult for both.
I understand you probably move in tech/libertarian circles so it doesn't seem like this, but the majority of the world population is in favor of laws protecting people from themselves and keeping them away from harm.
Now what is overreaching or not is a matter of opinion, and hence politics.
Also, under GDPR, you can always request export and removal of all your profile data from their data stores.
Sounds like something I'd opt-out, request all past data and have it deleted afterwards.
The whole strategy seems to be in bad faith. I wish more sites would react by minimizing usage of cookies instead of just adopting that dumb overlay.
If a company has no official office in Europe, how does this affect them? All advertisement and business focus is say only in the US, is it business as usual? What if an EU citizen decides to sign up?
Are US companies forced to deny customers not part of say an IP block (half assed method I know, but just speaking in general)?
With regard to enforceability outside the EU, that is anyone's guess. If you're in the US, there are already mechanisms that allow for the domestication of EU judgments in the US. Once domesticated, the judgment would have the same force and effect as if it had been issued by a US judge. However, the treaties that allow this are very complex, and allow for a large number of exceptions. So it would be up to a US judge in each specific case to decide whether or not a judgment for a fine issued under the GDPR can be domesticated. There are currently no treaties specifically relating to GDPR in the US, and I'd imagine there would be (very welcome) strong opposition to such a thing.
French in Canada, English and Spanish in the US, German among German expats (of which there are millions.)
Targeting a business for extortion because of the languages offered? Ridiculous. GDPR should only apply to businesses with a physical nexus in Europe, anything else is an attempt to assert extraterritorial jurisdiction.
Europeans don’t have to visit US/Canadian/Chinese websites. If they want to “protect” themselves, they simply stop using services they find objectionable. GDPR is nonsense — individuals should be allowed to do what they feel is right for them.
Why not ban all junk food from Europe? Tobacco? Alcohol? Those harm people far more than targeted advertising. If we actually “cared,” we’d be banning those industries.
GDPR is nothing more than a trade barrier.
Unfortunately, I must use words such as "likely" here because there is a large amount of ambiguity in these tests, along with a major conflict of interest - it will essentially be up to the would-be beneficiaries of these fines to determine whether or not you are subject to them. The EU HN crowd seems to believe that their various governments will only fine "bad" companies "reasonable" amounts under this law, and that it will not be abused to extract government revenue from foreign companies and/or hobble foreign competitors of companies in their countries. I certainly hope they are correct, but this would be the first time in the history of the world that such a broadly worded statute was not abused. The only safeguard we have is that the world is watching. If/when the EU gets too out of control in their abuse of GDPR, hopefully countries like the US will implement legislation that makes it impossible to enforce GDPR fines within their borders.
Pakistan was once considering issuing an arrest warrant for Mark Zuckerberg because someone created a Facebook contest that offended some Pakistanis. The case would have carried a sentence of death by stoning. Even if charges had been filed, it is doubtful that the US would have extradited him to be stoned to death under the laws of another country. While GDPR fines are civil in nature, this case underscores the importance of not necessarily allowing the enforcement of other countries' laws in your own. If GDPR enforcement becomes abusive, one would hope that similar protections would apply in our home countries.
Also I am sure half of the world will have similar laws in the next few years. Private data invasion just went too far, this has to be stopped.
It would be the first time in history that such a law has not been abused. The fear is real and fully warranted.
I am sure a warning will come first
There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.
See the Smartphone Charger regulation. It requires all smartphone vendors to come up with a standard for charging, everyone picked microUSB (though moving to USB C now). The EU is fine with that and the smartphone vendors know that if they start pulling the "everyone has their own port" shit again that the EU will get out the stick.
Nobody wants the stick. Neither the EU nor the vendors. The carrot was the EU Cookie law, which was largely ignored and the consent dialogs poorly implemented (not even asking for consent the majority of the time). So this is them getting out the stick. Now you can pick which one you want.
>There is no mandate written into the GDPR requiring warnings before fines, nor is there anything preventing multimillion-dollar fines for first-time, minor violations.
Art. 83 of the GDPR details this. Art. 78 details what rights you have against them imposing a fine.
I don’t have to pick either. My company is not subject to the GDPR, and we will never put ourselves in a position to be subject to it. I will not be dictated to or threatened by a foreign government.
People keep saying things like this, and yet neither article a) requires that a warning be issued before they seek a fine or b) limits fines in any way, except for a top cap of $10 million/$20 million (or percentages of revenue, but the caps are more than 100% of the revenue of most companies).
I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.
Canada, Japan and some other countries and even the US have indicated they will copy the GDPR if not in letter at least in spirit, though the US response is a lot weaker.
>I will not be dictated to or threatened by a foreign government.
The US is a foreign government and does it all the time to me, why is it a problem now?
>I would love for someone to just say “yes, technically there are no required warnings or limits other than the $10/$20 million”. Because that’s the only true statement that there is about GDPR fines.
You won't have that. The GDPR has a strict guideline on how to impose fines, it's not a law and won't be enforced as such. The regulatory bodies have bite because large players like Facebook or Equifax that leak large amounts of user data require more than an angry letter in their mailbox.
As these articles mention, the agency imposing a fine should seriously think about the level of fine and ensure it's appropriate. If you get hacked by a 0-day, you followed the advice of your regulatory body, your shit gets leaked and you inform your users immediately, it's very unlikely anything will happen.
If you get hacked because you didn't update your MySQL server in 5 years, you ignored what your regulatory agency said and you don't tell your users, don't expect them to go easy on you.
Easy as that. If you don't like it you can sue back and get the fine reduced or rescinded.
You cannot tell me that there is anything limiting the fines (other than the cap) because it isn’t written. You’re saying that you hope and think that each of the 28 governments involved here will be reasonable, but in truth you have no way of knowing, and they have every incentive to not be reasonable.
Again, if you think the fine you got is too heavy you can escalate this to the courts (even EU courts).
There is also no incentive for the regulatory agency to impose such fines if the business cannot pay them. In that case they would get less or even nothing as the business collapses and it has not been the modus operandi in any EU regulatory body I know or experienced.
If they aren't reasonable then the EU courts will make them reasonable or the EU will add additional paragraphs to the GDPR to prevent excessive fines. Simple as that.
Much like the cookie law or CAN-SPAM?
It covers the personal data of EU citizens. Similar laws exist going the other way. Betfair can't (or couldn't) give accounts to US citizens. IIRC, various poker sites had to close US citizens' accounts. The US even arrested a CEO of a UK company who was only changing planes on his way home to Costa Rica: https://en.wikipedia.org/wiki/David_Carruthers#Arrest_during...
>anything else is an attempt to assert extraterritorial jurisdiction.
Good. The EU should grasp the nettle and fulfil its role as the leading global hegemony.
You're both correct and incorrect. It covers the personal data of EU citizens. However, not all sites are actually subject to the GDPR at all. EU traffic to these sites is considered incidental and no GDPR protections apply, even to EU residents, on those sites that are outside of GDPR jurisdiction. There are legal tests built into the GDPR (which I detailed in my original comment above) that determine this.
We have had European and African citizens who've signed up. And that was more than enough for us to discuss "How do we make our stuff comply with the GDPR?". If we ever considered starting up in Europe, us ignoring the GDPR is tantamount to writing them off before even thinking of them.
We also do things the right way. Deletion requests aren't treated as "ignore kthxbai", but all data is zeroed out then nightly purged from the DB. And I really think, with how current society is slowly turning against orgs like facebook, the way we're approaching this is one avenue of right ways.
There is always the chance that your own government will enforce EU rulings against you, but at that point either your own government thinks GDPR should be enforced or you're in a very weak country and are going to have to capitulate to the EU's power anyway, much like small Latin American countries were forced to follow US policies.
If a noncompliant company is going through due diligence prior to being acquired, would they be legally obligated to disclose that judgement? Even if they didn't, how hard would it be for an associate at a law firm to check public records about the company?
The other side of that is that you can tell foreign governments to fuck off if you aren't dealing with them at all. The only time the foreign governments matter is if they are a superpower able to bend your own country to its will, and at that point you are basically a colony anyway so there's not much you can do.
Alibaba for example likely has no plans to concern itself with GDPR compliance in its domestic Chinese operations. They obviously will segment and comply with GDPR as it pertains to the EU operations / EU customers.
This is just like most laws, when you're a tourist in a foreign country you have to follow the local laws, not the ones from your passport country.
Would help me out! I'm trying to put together a one-pager for my team.
Your company is a service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.
The standard should be: “do you have a physical nexus in the EU.” That’s it.
I use Piwik (https://github.com/matomo-org/matomo) and track visitors without their knowledge or consent, because I need analytics. Piwik is also configured to respect the "Do not track" header, so opting out is as easy as indicating that you don't wish to be tracked.
Is that wrong?
And I use Piwik precisely because it's self-hosted. I know for a fact your data doesn't get sold, because the data never hits any server except mine.
If this seems acceptable, it's also why legislation seems worrisome. There are a lot of corner cases that law tends to overlook. But hopefully the requirements won't be too onerous.
It's hard if visitor numbers would directly translate into revenue or similar. The trouble you're running into then is discerning organic hits from clickfarming.
If all you care about is when, where and what content is popular on your website, there's a pretty simple method: Tally 200 and 304 responses. 200 tells you how many visits you get. 304 tells you how often people hit refresh, or re-visit your page within the expiration time of the URL that 304s.
Also there's little value in identifying individual visitors. Getting a coarse idea where visitors are located in the world might be nice (for a regional news outlet for example). So just slap some coarse-grained GeoIP on it.
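The 200/304 tally described in the comment above, as an added example (not code from any commenter): it parses combined-format access log lines, counts fresh visits (200) and cache re-validations (304) per path, and uses the client address only to derive a coarse region before dropping it, so nothing per-visitor (IP, User-Agent, cookie) ends up in the result. The log lines and the prefix-to-region table are constructed stand-ins for real logs and a real GeoIP database.

```python
"""Privacy-preserving page-view tally from web server access logs.

Added example: count 200 (fresh visit) and 304 (re-visit within cache
lifetime) responses per path, keep only a coarse region per hit, and never
retain the client IP, User-Agent or cookies.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only ip, path and status are consumed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed stand-in for a coarse GeoIP lookup (hypothetical data, not real).
REGION_BY_PREFIX = {"192.0.2.": "EU", "198.51.100.": "NA", "203.0.113.": "APAC"}


def coarse_region(ip: str) -> str:
    """Map an address to a coarse region; the address itself is not kept."""
    for prefix, region in REGION_BY_PREFIX.items():
        if ip.startswith(prefix):
            return region
    return "unknown"


def tally(lines):
    """Return {path: {"200": n, "304": m, "regions": {region: k}}}.

    Lines that do not parse, or whose status is neither 200 nor 304, are
    skipped silently so that malformed input is never copied anywhere.
    """
    stats = defaultdict(lambda: {"200": 0, "304": 0, "regions": defaultdict(int)})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        status = m.group("status")
        if status not in ("200", "304"):
            continue
        entry = stats[m.group("path")]
        entry[status] += 1
        entry["regions"][coarse_region(m.group("ip"))] += 1
    # Plain dicts in the result; no raw log fields survive past this point.
    return {
        p: {"200": e["200"], "304": e["304"], "regions": dict(e["regions"])}
        for p, e in stats.items()
    }


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2018:10:00:01 +0000] "GET /about HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/May/2018:10:00:05 +0000] "GET /about HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2018:10:01:00 +0000] "GET /about HTTP/1.1" 200 1234 "-" "curl/7.58"',
    '203.0.113.9 - - [10/May/2018:10:02:00 +0000] "GET /missing HTTP/1.1" 404 10 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for path, entry in tally(SAMPLE_LOG).items():
        print(path, entry)
```

Feed it `tail -f`-style from the log rotation job and you get popularity per path plus a region histogram without ever writing a visitor-level record, which is the minimization the later comments about IP addresses as personal data are asking for.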
Why do you think you can control what I do with data you send to me? Don't send me data if you don't want me to have it.
Are you really interested in rehashing this conversation? You got plenty of answers last time¹, I doubt you'll get new ones
Don’t reflect light in my direction if you don’t want me having pictures of you!
Legal protections, like the GDPR.
Not sure what is so difficult to understand about this.
> Shouldn't it be Walmart's right to do what they want on their property, and my right to decide not to visit Walmart if I don't agree with that. Isn't the converse an infringement of Walmart's rights?
No. Property "rights" are secondary to human rights. Like, Walmart can't knowingly sell poison as food just because it's their property...
In your example, Walmart is free to record you on security cameras for security / theft purposes. However, they can't record what you're looking at and reuse that information for targeted advertising without consent - profiling is simply not required to do business, so your right not to be profiled wins.
What law prevents them from doing this?
There's an asymmetry between what a company can do politically/legally given its resources and what an individual can do. This is why countries generally have some kind of laws protecting consumers.
Security cameras recording footage and it not being used in 99.999% of the time when no crime occurs is fine. The tapes aren't kept forever. Just as having server logs to identify malicious actors i.e. hackers or scammers is fine. What's not fine is e.g. running facial recognition on the security camera footage, or figuring out who bought what (cough Amazon Go).
"Tesco is set to install hi-tech screens that scan customers' faces in petrol stations so that advertisements can be tailored to suit them, it has been reported.
The retailer will introduce the OptimEyes screen, developed by Lord Sugar's Amscreen, to all 450 of its UK petrol stations, in a five-year deal, according to The Grocer.
The screen, positioned at the till, scans the eyes of customers to determine age and gender, and then runs tailored advertisements."
I'm not sticking up for all the big data perverts, but what about an individual's right to speak freely and disclose information they have observed/recorded? The 'right to be forgotten' seems at odds with everyone else's right to remember and disclose occurrences.
Go read GDPR article 17.3, it's easy to read. A few things for which the right to be forgotten does not apply:
- exercising the right of freedom of expression and information
- for compliance with a legal obligation (e.g. keeping records for tax reporting)
- for public interest reasons related to health, science, historical research
Seriously, there is too much FUD about the GDPR.
The only bad thing that I've noticed about GDPR is that some niche sites that rely on ad revenue are getting fucked over by Google (if you turn off personalized tracking for your visitors you still need the consent to track, there is no difference) so their income might break down.
That's quite sad but on the other hand they're exploring alternative methods of income and I'm certain adtech will adapt.
This time it bites back tho.
Also, what PII is tracked (by default) by Piwik or GA or access logs? I certainly cannot think of anything.
Cookies and other artifacts in the request headers or query parameters that can identify a unique user.
How careful are you with tacking cookies to requests? Be mindful, and keep documentation.
PII or not PII it is still covered by GDPR.
You can disable the tracking parts in Piwik, or you can assume a legal stance under one of the 6 exceptions like "Legitimate interests" (https://matomo.org/blog/2018/04/lawful-basis-for-processing-...).
My first thought is that you could impersonate a person by spoofing their IP address. PII identifies a person but I don't think anyone is advocating for (solely) IP-address based bank logins.
Even though in many cases this won't help you identify a specific natural person (ie, you don't know whether you're dealing with a specific person or multiple people on a shared connection, and an IP address on its own usually isn't enough for you to de-anonymize a person), they're still considered a personal identifier, are often coupled to a general physical location, and are now explicitly legally protected.
Couple an IP address with a browser user-agent, and you've got the basis for a strong unique fingerprint for a specific person.
You might not like that, but the regulators are pretty clear on this point.
That's actually the most frightening thing I've heard in a long time. Does the GDPR actually make that connection? If so, it literally links people to an IP address, rather than simply a connection.
If that line is accurate, I'm surprised it hasn't been mentioned before, associating an IP address to an specific person. I have to believe you are wrong, otherwise the legal implications are scary.
For those that don't understand: my concern is that in the US, for a long time, the practice in copyright claims by the RIAA or MPAA, for example, was to go after someone because of an IP address, and a common defense was basically: An IP Address is not a person. The above commenter made the claim that an IP address alone can be associated with a specific person. So, I'm wondering if 1) that's accurate and 2) what are the ramifications of an IP address being a person in the world of law enforcement?
The ICO (furthermore) has given guidance that they don't think an IP address is uniquely identifying an individual, and have confirmed this to me on the phone.
Where you get into trouble is in transmitting your browser logs/activity to a third party who wants to keep them for their own purposes (e.g. Google). In this circumstance, you have to let people know that you've done this, and to transmit their preferences that you receive onward.
Again, it's not always saying an IP address is a personal identifier. It just is often enough.
Well, that's not what you said or implied. I'm just thinking of all the cases in the US where the defense is you can't assume that an IP address ties to a specific person. Anyone could use the computer, or someone could attach to an open wifi.
Basically, if the legal argument is the IP address can be associated with a person, that raises legal concerns.
Can it always identify an individual? No. Is the standard of identification good enough for a criminal case? Certainly not. But why are you comparing these? The GDPR is a standard about privacy and data protection; a UK postcode (like a zip code in the US) is considered personal data for exactly the same reason.
Under GDPR, an IP address must explicitly be considered as personal data, and any processing of them must be written in the documentation of the data processing activities:
As another commenter has mentioned, this is included in the legislation. There isn't much interpretation to apply here.
The GDPR requires informing of use, transmitting preference, and protecting rights, of things that can potentially identify an individual, but this is easy to accommodate by simply not being an asshole. You're not under any requirement to actually identify an individual with your IP log.
"online media services provider may collect and use personal data relating to a user of those services, without his consent, only in so far as that [..] that data are necessary to facilitate and charge for the specific use of those services by that user"
This is related to the DPA; but the GDPR doesn't change anything here, only strengthens it (i.e. making IP addresses explicitly personal data).
So if you're arguing collecting IP addresses is absolutely necessary for you to facilitate the service, no, you don't need consent. But I would not want to have to defend that, since disabling collection is as simple as a webserver reconfig.
I have not read any legal opinion that agrees with yours. I have also been to ICO events where they have stated they expect to treat it as personal data. That's reflected in their site (I gave you a specific example).
I understand that's not the outcome you're looking for.
> if you're arguing collecting IP addresses is absolutely necessary for you to facilitate the service, no, you don't need consent. But I would not want to have to defend that, since disabling collection is as simple as a webserver reconfig.
Using IP addresses for audit and security is best practice; I can use the IP address to make sure that a user isn't logging in from two countries at the same time (and then require a call e.g. to whitelist).
Thinking of an IP address in binary, as you're suggesting is extremely dangerous: The GDPR is not supposed to prevent you from thinking about what you're doing.
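The audit use the comment above describes, as an added example that is not any commenter's code: a check over login events that flags a user whose logins come from two different countries within a short window, so the session can be held pending an out-of-band step. It generalizes "at the same time" to a configurable window (one hour here, an assumption), and the IP-to-country table and the login events are constructed stand-ins for a GeoIP lookup and a real audit log.

```python
"""Impossible-travel check over login events (security use of IP addresses).

Added example. Each event is (user, ISO-8601 timestamp, client ip). The ip is
mapped to a country and the country is all that the comparison retains.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: logins from two countries within this window are "at the same time".
WINDOW = timedelta(hours=1)

# Constructed stand-in for a GeoIP country lookup (hypothetical data).
COUNTRY_BY_IP = {
    "192.0.2.10": "DE",
    "192.0.2.11": "DE",
    "198.51.100.7": "US",
    "203.0.113.9": "JP",
}


def find_impossible_travel(events, window=WINDOW):
    """Return {user: [(t1, country1, t2, country2), ...]} for flagged pairs.

    Events whose address has no known country are ignored rather than
    compared, so an unresolvable address never produces a false alarm.
    """
    logins = defaultdict(list)
    for user, ts, ip in events:
        country = COUNTRY_BY_IP.get(ip)
        if country is None:
            continue
        logins[user].append((datetime.fromisoformat(ts), country))

    flagged = defaultdict(list)
    for user, seq in logins.items():
        seq.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (t1, c1) in enumerate(seq):
            for t2, c2 in seq[i + 1:]:
                if t2 - t1 > window:
                    break
                if c1 != c2:
                    flagged[user].append((t1.isoformat(), c1, t2.isoformat(), c2))
    return dict(flagged)


# Constructed sample events.
SAMPLE_EVENTS = [
    ("alice", "2018-05-10T09:00:00", "192.0.2.10"),    # DE
    ("alice", "2018-05-10T09:20:00", "198.51.100.7"),  # US, 20 min later -> flag
    ("bob", "2018-05-10T09:00:00", "192.0.2.10"),      # DE
    ("bob", "2018-05-10T09:30:00", "192.0.2.11"),      # DE again -> fine
    ("carol", "2018-05-10T08:00:00", "203.0.113.9"),   # JP
    ("carol", "2018-05-10T15:00:00", "192.0.2.10"),    # DE, 7 h later -> outside window
    ("dave", "2018-05-10T10:00:00", "10.0.0.1"),       # unknown address -> skipped
]

if __name__ == "__main__":
    for user, hits in find_impossible_travel(SAMPLE_EVENTS).items():
        print(user, hits)
```

Note that the check never needs the address after the lookup; what you would keep for the audit trail is the (user, time, country) tuple and the fact that a step-up was required, which is a far smaller retention footprint than raw IP logs.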
> That's reflected in their site (I gave you a specific example).
Your example doesn't come out and say IP Addresses are always personal data. Try again.
They've previously said the opposite:
Second, I've said before IP addresses might not always be personal data. But the issue is they sometimes are, and if you record them without discrimination then you're recording personal data. The old guidance says "An IP address is only likely to be personal data if it relates to a PC or other device that has a single user" - ok, so are you able to not record IP addresses that do relate to a single-user device? No?
Third, the ICO do think IP addresses count. I've given you a GDPR reference already, even their DPA tool treats them as such:
It genuinely doesn't matter what the ICO might have said in the past. Right now, they say IP addresses are personal data. The courts say that. The law says that. I've given you multiple references for all of this.
a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
if you're not the Internet Service Provider, or more broadly, that you don't have "legal means which enable [you] to identify the data subject with additional data" then the ruling doesn't mean what you claim it says.
You're being intellectually dishonest by trying to tie in irrelevant sources of information. That the German high court took a broader look than the European court is irrelevant.
> their DPA tool treats them as such
It says, as I've agreed, that an IP Address could be personal information. You've also agreed this position. The ICO does not consider IP addresses [by themselves] personal information.
What exactly are you still responding to?
Direct identifiers are pieces of data that allow you to target a person, or a very small group of persons, from a single data point. Indirect identifiers are anything that you could use to build a marketing cohort.
Combining a few indirect identifiers allows you to target very specific groups of people. Or, using the very examples you quoted:
- The tuple (bank account number, country) is enough to target an individual.
- The tuple (full name, zip code) is enough to target a very small group of individuals. By adding just one more element you can identify individuals.[ß]
Each one of the four data points counts as user information under GDPR. Doesn't matter whether they are direct or indirect.
Disclosure: I wear the DPO hat at Smarkets. As a gambling company we are legally required to know quite a lot about our customers.
ß: For the nitpicking armchair lawyers: unless you happen to have a gated community for John Smiths.
https://ico.org.uk/media/for-organisations/data-protection-r... (20th Oct 2017):
> Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data
The ICO. I've called them up, and they've confirmed their 2011 interpretation of personal data:
An IP address is "personal data" in the same way that "lifestyle information" or a "location" is. That someone can combine an IP address with other information to personally identify someone is important, but it doesn't prevent me from logging personal data.
The clause in the regulation is quite clearly worded:
"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
The sensitivity of data can change based on context. My name isn't sensitive until it's attached to something like browser history or medical files.
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
Since the concepts mentioned in the comment, IP and browser information, are already being used to single people out for tracking, those particular types of information can definitely be viewed as the equivalent concept under GDPR, as defined in Recital 26.
Megacorps comply because of mega fines.
Small business comply because their owners or future buyers are a larger Corp who fears that their sub-subsidiary might be in violation, causing a future mega fine.
So small businesses who care about the value of their company follow these rules. It’s almost exactly the same reason small business buy software licenses. It’s not of fear of fines but because otherwise they don’t look like a serious company.
A question I have been wondering about is how many companies will leave some violations such as data in backups - simply because removing it is too expensive so it's a risk worth taking. I honestly haven't understood how backup of data fits into the requirement to delete data of a certain age?
I'll pick an example from my work. Data can be deleted from the active set, at which point it takes extra effort to retrieve it. (If you can't SELECT it anymore from the warm slaves, it's gone.) But as long as you can make a point-in-time-recovery from your backups, the data is still present in the inactive set. Using the inactive set requires, by definition, extra effort.
So you need to state that fact in the data protection/retention policy, AND put reasonable technical enforcement mechanisms ("controls") in place to ensure that backups are expired and fully deleted after a given retention period. The older your unexpired backups get, the less valuable they should become.
The maximum fine is defined as €20,000,000 or 4% of your global annual turnover, whichever is larger.
> Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher
Plenty of ordinary people will be actively looking for opportunities to file GDPR complaints. I know I will. This is a crusade. Taking the Internet back from adtech.
I think it's fine if you just count the browser, OS, and country the user is from but I don't think it's OK to keep more details than that
Now that I think about it I've never used analytics for anything ad related.
Everyone's been sucking up all the data they can just in case they need it, and actual people are being harmed by it through data breaches. I get why people are upset about these changes happening to their businesses, but what did everyone expect when the industry has failed to self regulate against their worst excesses? The rest of society isn't just going to let you hurt them so you can make more money
Using that data as well to improve learning so we do a better job of detecting fraud and not flagging legitimate customers appropriately.
Also, using analytics to determine if a user is having issues on the site. For example, are users having a difficult time filling out forms, or becoming confused, and being able to provide help in an appropriate manner.
These are just two things I immediately thought of. Security, and customer support. I'm sure there are many other users of analytics aside from ads and ad-tech.
So, everyone whose IP address ends in 0, 1, 2, 3 or 4 gets the new version, everyone else gets the old version.
You don't need to store the IP address for that, you just need a rule that decides which version to serve as the user requests it.
Then, store only the flow data, discard everything else. Or if you need to keep some data around for the test duration, delete all of it once your A/B test has concluded.
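The bucketing-without-storing-the-IP approach from the comment above, as an added example that is not any commenter's code. The comment splits on the last digit of the address; this version splits on a keyed hash (HMAC-SHA256) of the address under a per-experiment secret, which gives the same stable per-visitor assignment but, unlike the last-digit rule, cannot be reversed to an address once the key is thrown away at the end of the test. Only the variant and the outcome (the "flow data") are ever written down. The experiment key and the request list are constructed for the example.

```python
"""Stable A/B assignment from the client address without retaining it.

Added example. assign_variant() decides which version to serve for this
request; FlowLog stores only (variant, event) rows, never an address or a
per-visitor identifier.
"""
import hashlib
import hmac
from collections import Counter


def assign_variant(ip: str, experiment_key: bytes, share_new: float = 0.5) -> str:
    """Deterministic bucket for one visitor; nothing is persisted here.

    HMAC under an ephemeral per-experiment key: the same ip always lands in
    the same bucket while the key exists, and the mapping is unrecoverable
    after the key is destroyed at the end of the test.
    """
    digest = hmac.new(experiment_key, ip.encode(), hashlib.sha256).digest()
    bucket = int.from_bytes(digest[:4], "big") / 2**32  # uniform in [0, 1)
    return "new" if bucket < share_new else "old"


class FlowLog:
    """Append-only store of (variant, event) pairs: the only data retained."""

    def __init__(self):
        self.rows = []

    def record(self, variant: str, event: str) -> None:
        if variant not in ("new", "old") or event not in ("view", "convert"):
            raise ValueError("only variant/outcome pairs may be stored")
        self.rows.append((variant, event))

    def summarize(self) -> dict:
        c = Counter(self.rows)
        return {
            v: {"views": c[(v, "view")], "conversions": c[(v, "convert")]}
            for v in ("new", "old")
        }


def handle_request(ip: str, converted: bool, experiment_key: bytes, log: FlowLog) -> str:
    """Serve one request: pick the variant, log the flow, forget the address."""
    variant = assign_variant(ip, experiment_key)
    log.record(variant, "view")
    if converted:
        log.record(variant, "convert")
    return variant  # ip goes out of scope here and is never written anywhere


# Constructed sample traffic (RFC 5737 addresses) and a constructed key.
EXPERIMENT_KEY = b"constructed-experiment-key-discard-after-test"
SAMPLE_REQUESTS = [
    ("192.0.2.10", True), ("192.0.2.10", False), ("192.0.2.11", False),
    ("198.51.100.7", True), ("203.0.113.9", False), ("203.0.113.10", True),
]


def run_experiment(requests=SAMPLE_REQUESTS, key=EXPERIMENT_KEY) -> dict:
    log = FlowLog()
    for ip, converted in requests:
        handle_request(ip, converted, key, log)
    return log.summarize()


if __name__ == "__main__":
    print(run_experiment())
```

Keep the key in memory (or a secret store) for the duration of the experiment only; deleting it is the "delete all of it once your A/B test has concluded" step, after which the retained rows are just two counters per variant.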