They present themselves as user privacy champions but primarily make money via, you guessed it, advertisements.
They are owned by Burda, a large German media organization who, again, make money by advertisement and processing of their users' data.
"We’re breaking new grounds when it comes to developing our business model. Bringing together targeting and privacy, we are currently testing a technology which allows companies and brands to show you relevant offers directly in the browser."
Cliqz never has collected any personal data on its users, and never will. Over the course of the last 4 years, we started building a private search engine, to only realize that if we are to truly offer a usable alternative to navigate the web privately - we had to do much more. So we quickly found ourselves building an anti-tracking technology, anti-phishing, and anonymous rate limiting using Direct Anonymous Attestation. This research has been published / presented in the WWW Conference, Crypto and Privacy Village at DEF CON and CCC's Privacy Week.
We have packed all these technologies in desktop and mobile browsers. This is what we do and it's what got Mozilla interested in Cliqz, and why they are an investor, just like Burda Media. All the technologies we have built share 2 attributes:
1. None collect personal data
2. Rely on client-side logic (computers are powerful enough these days to be used for more than display interfaces)
Offers is part of how we monetize (we're exploring paid products too). Like any other technology at Cliqz, they share the same 2 attributes (No personal data, all triggering logic resides in the client). The code is open sourced here. You can read a high-level description here.
We believe our approach is a healthy alternative to monetizing products on the web. At all times we allow the user to control what features from Cliqz they want to use; including offers. We understand there are plenty of reasons to be frustrated with the state of the web (we are too) - but blatantly rejecting any business model that brings privacy-preserving products to the market is not healthy.
Sort of like, but not exactly the same as, those consent forms you sign when you go river rafting. They do not legally protect the rafting company from negligence. In fact, they're almost a waste of paper.
That's not entirely true. If a user really consents to being tracked for advertising purposes, the GDPR allows tracking. Whether the consent banners inform users honestly about the extent of tracking is another question. I think they don't.
What's worse is that Google still tracks users by default, even if they never visited an actual Google property, let alone have a Google account. That's an obvious violation of the GDPR but Google will probably try to shift the blame on publishers.
That's not exactly true either. For the consent to be valid, it must be freely given - that is:
1. The user must have a choice to give consent or not give
2. The service provided should be the same regardless of #1, unless the consent is necessary for the service (e.g. consent to store address for delivery of goods - although in such case this shouldn't really be based on consent)
Unfortunately many sites either do not give opt out at all, or make it hard to find it - in such cases consent can't really be considered to be freely given.
Consent is just one lawful basis for data collection, business justification is another one and ad revenue is a perfectly valid reason in which case you don’t even need consent but just to inform the user.
You can do whatever you want under “vital interests” as long as you feel comfortable explaining those to the regulator, not the user.
Consent is used often because the current interpretation of most legal experts is that it shifts the liability to the user; however, this has never been tested.
If targeted ads give you more revenue and you choose to use solely targeted ads because that's your business model, GDPR does not force you to provide a free service or a service that generates less revenue.
So no, #2 doesn’t have to be as #1; this is confusing things with the single purpose clause, in which case you can’t make X and Y co-dependent.
E.g., while I can perfectly refuse service if you do not accept ads, I can’t refuse to sell you something for not wanting to join my mailing list.
Also, not only is nothing stopping you from having multiple bases for consent, it’s actually the recommended approach.
"When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
And then Recital 43:
"Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
1. You ask users for consent
2. The consent is not strictly necessary to provide the service
3. You deny the service to users who decline to give consent
Then the consent isn't freely given and therefore invalid.
> GDPR does not force you to provide a free service or a service that generates less revenue.
True, but then consent isn't the right basis for processing of data. As you mentioned, business justification, or "legitimate interests" as GDPR puts it, is what you should be using.
Meaning I can't force you to sign up to my mailing list or refuse to sell you items on my store; the current interpretation of most DPAs is that it doesn't apply to single purpose processing.
Also again, as stated below, people confuse the "I agree" button with a GDPR consent; the fact that there is an ok/opt-out UI for GDPR does not mean that they are seeking consent as their lawful basis, but they still need to inform the user and allow them to opt out (even if opt-out means that they opt out of the service).
Only about half the GDPR popups I've seen were actually worded solely for seeking consent even though they had the agree/opt-out buttons below, the text itself stated the legitimate interests of both them and their partners in why they need the data for most things, with maybe a handful of purposes relying on consent alone.
If Google can generate the same ad revenue or close enough to it without having you to force your users to agree or opt-out into oblivion in which case you lose the revenue stream from all users that opt-out.
It's also important to note that Google's non-targeted ads serve two functions, as they both allow you to display ads to users who did not consent to data collection as well as potentially protect you as an advertiser from ensuring that your ads are delivered in a GDPR compliant manner.
Under the broader interpretation of the GDPR you as an advertiser might be liable if you buy spaces for targeted ads that are displayed unlawfully and this is because GDPR essentially mandates that you must ensure the compliance of your partners.
"This is what we do do you agree: yes/no" is much easier than to develop a valid vital 1st and 3rd party interest for each case and most online services don't require a contract.
However the idea that somehow you have to provide services to people who do not consent is simply false.
What you can't do is tie completely unrelated interests to a single consent, for example:
I have a website that shows you local events and allows you to sign up for them, my business model is to sell your contact details to promoters.
If you do not consent, there is no reason under the GDPR to compel me to provide you with a service that costs me money to run while you refuse to participate in my revenue stream.
What I can't do, say if I run a ticket website, is refuse to sell you a ticket if you do not consent to me using the details you've put in in order to purchase them to be sold to promoters; or in other words, under the GDPR the information collected for the purpose of selling you a ticket cannot be used for another purpose, selling your info to promoters.
It's also important to note that in some cases the "I agree" isn't actually used for consent; it's just a UX quirk. You can still allow people to opt out even if you don't use consent as the lawful basis. For example, I can display the following message to you:
"I collect the following information: XYZ, and issue the following tracking cookies: ZYX the lawful basis for this is the vital interest of my company and my business partners"
I still technically need to give you a way to opt out, so the window that says opt-out or agree isn't necessarily a consent window from a GDPR point of view.
And as previously mentioned, I can deny a service to you if you opt out because I can't monetize you, in which case I can legally redirect you to a page that says you can't access my website until you agree to my terms; in this case again consent is not necessarily a lawful basis rather than you acknowledging the lawful basis I presented under my terms of service.
So will the counter position that sending reader info to countless third parties isn't actually necessary to monetize, as plenty segmentation value comes from the readers' selection of the site itself.
It will be argued the marginal value of each additional exposure of the reader's private data does not outweigh the individual's right to privacy.
In the meantime, here is a reasonably neutral but in depth overview for site owners interested in learning more to better navigate GDPR:
I suggest you read the "legitimate Interests" part of the document you provided.
> It will be argued the marginal value of each additional exposure of the reader's private data does not outweigh the individual's right to privacy.
There is nothing in the GDPR that puts one legitimate interest over another, including your so called right to privacy.
In fact there is one exception which thankfully limits legitimate interests of data controllers:
"processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."
It remains to be seen in practice how much data controllers' interests can be overridden by "interests or fundamental rights and freedoms of the data subject".
It's still early days, but many companies don't even follow GDPR as they're supposed to, including Google and Facebook. That will only be settled after an enforcement wave against both large and average-sized companies (GDPR is more lenient towards small companies).
Doubleclick cookie notice: "Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user."
Facebook cookie notice: "Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers."
These descriptions fail to mention that the collected data will be combined with information from thousands of other websites you visit, which allows the creation of sophisticated user profiles. From these profiles, you can infer things like gender, age, socio-economic status, interests, or hobbies with relatively high accuracy. Even if you asked them, Google and Facebook couldn't tell which hidden categories their machine learning models can discover.
Edit: and yes, I just checked and it looks like Cookiebot.
I think one of the points is that there are very few companies that have the financial resources to do that, one of those companies that can afford it being Google. The next retort is "but then those companies should stop using trackers altogether", which leaves most of those companies that don't have Google's financial resources without ad money, meaning they're most likely to go out of business, practically creating an oligopoly where a handful of companies control most of what's published on the Internet. Granted, we would have gotten there regardless, only that legislation like GDPR is accelerating this process.
Yes, why do they have to track their users? Why not use real targeted advertisement instead? If I go to a car forum, car related ads would be relevant for me. Using ML, tracking and profiling to give me ads for the fridge I did buy last week is not relevant.
Come on, that's not what they are trying to do and you know it. There's so many valid arguments you could make, why use a strawman?
But the answer to your first question, is because ads targeted to users pay more, get more clicks, and overall perform better than those that are targeted to the page.
Say the average person buys a fridge once every 10-20 years, the probability you're looking for a fridge this month is something like 1/120-1/240, call it .75 percent.
Some percentage of fridge purchases end up being returned. Let's say 2 percent of them. If you return a fridge, you pretty much are guaranteed to need a new one, so around 2 percent of people that just purchased a fridge are very likely to buy a new one.
That's over double the likelihood of someone that didn't just buy a fridge!
Only in the context of the disastrous relevance of tracking.
Does tracking earn companies more than it costs users in added electricity? I doubt it.
And most of the tracking happens on the server, the client really only keeping some tokens for state and sending them with the requests.
Cents per user is still a lot of money if you have a billion users.
Maybe the real value of tracking is the perceived value of tracking?
It's a good way to combat competition as tracking requires that you already have a large presence.
Now companies might do dumb stuff, but they don't just continue to grow and dominate by making exclusively bad decisions. Google is built on targeted advertising, and it's paid off for them very well, so it can't be a complete boondoggle.
The Wikipedia article on targeted advertising says that targeted ads make about 2.7 more money than the alternative.
I don't have any numbers on material costs, but I can't imagine it costing users that much in electricity. Still, it is just a guess so if you have anything that shows otherwise I'd love to read it!
On the other hand, I've also been told by lawyers that the usual scrawl your signature at the bottom of a paper after a quick glance probably doesn't make much of a difference.
This is interesting data but I'm not sure it supports the title - It shows Google's market share in the EU going up a tiny bit, but total tracking goes down in the same period, while the baseline is probably runaway growth like the US. Google may be hurt the least, but I doubt they're a "beneficiary" in economic terms.
It's a shame Project Wonderful just shut down - it felt like the kind of project that the GDPR should help. There must be a market for content-based, non-tracking ads that you can put up on any website without GDPR concerns. Google can and will fill that market, but since they can't lean on their global panopticon other ad providers can compete on fair terms.
From Project Wonderful's shutdown notice:
> Some advertising networks have held on by adopting more and more invasive user tracking, forcing their publishers to sign binding contracts, or by trying to train publishers (and readers!) to expect that "sometimes a bad ad will sneak through", but that's something we always refused to do. We believed - and still believe - that you deserve better. We believed - and still believe - in a world where an ad blocker wouldn't be an obvious thing to install, because advertising would be good, interesting, and non-invasive.
So, relatively Google is the biggest beneficiary.
Quite the opposite, if you pass a 20% tax on every company, except for Google, who gets a 10% tax, it is a beneficiary.
Everything is relative.
The significant drop in trackers on EU sites reported here (and not a huge surge in Google trackers on EU sites) suggests to me that it is other adtech/tracker companies that have lost, rather than google gaining.
Either way, it is good to see some hard figures on tracking being rolled-back a bit. Now we just need some enforcement to fix the badly-implemented consent-walls (e.g. slate.com).
As with a lot of EU digital regulations, they're essentially centralising power to organisations who have the legal resources to either go through the process (and find loopholes), or the cash to fight it.
A lack of competition in the tracking space won't really mean the practice will disappear, but that the organisation who has the biggest consent database will take all the money by default.
I might be biased as a marketer, but I'd prefer to have multiple small companies who're tracking limited pieces of info about me across different parts of my web experience (and who may fuck up occasionally), than one huge company knowing 100% of my information.
(Edit: as a side note, the linked article is doing something shitty with the scrolling on the site, which is more annoying than semi-targeted advertising to me...)
I'm not advocating in favour of tracking, but the effects of enforcing collecting explicit opt-in consent appears to be centralising power, rather than getting rid of the industry. I'd rather have implicit consent across multiple providers (with processing safeguards and data sharing agreements stating they're only pooling the data amongst their advertisers), than explicit consent with only one behemoth.
This won't be a popular opinion here, but... it's actually good news/ what you observe is GDPR protecting user privacy. You think that Google is bad? Then, you probably haven't seen the smaller players. With e.g. Mouseflow, you can literally watch users enter their personal email in your "register account" field, then change their mind and use a disposable account. Or glean other kinds of sensitive details (passwords too, I think).
> In the end, users should never only rely on laws and regulations such as the GDPR to protect their privacy. Instead, they should be aware of who they are providing which data to.
Ignoring the fact that GDPR is primarily a regulation ensuring that they know who they are providing which data to, and ensuring they have a choice about providing it.
The second-order effects that everyone predicted are already happening (big tech companies change nothing significant, many small companies shutting down).
The long-term and unforeseen second-order effects have yet to bear fruit, as far as I know (please let me know if you've seen anything).
The shutting down of companies is a desired effect, because those are the companies that won't get consent. Data resellers for example that don't provide any advantage to the user.
We haven't even seen the actual effects yet because Google, Facebook et al. are probably in violation and are waiting to be sued to fight it out in courts.
For real improvements, we will have to wait a few years to find out what and who regulators will pursue for violations, and how the courts interpret the GDPR. If regulators never look at small companies, the second order effects on small companies will vanish. If regulators fail to successfully prosecute the obvious violations by tech giants, no meaningful effects will stay at all. It all comes down to what regulators will do, and it's way too early to tell.
The European Union is the antithesis of democracy. If it wasn't, those directives would never have passed.
Besides, if they didn’t block me, I can always ensure my privacy to a reasonable degree by using private browsing mode on my browser. That requires very little effort, unlike what I would have to do now — use some VPN provider who quite likely would be monitoring ALL my data not just to that site.
I suggest: https://outline.com/
What privacy was I losing?
Anyway, I'm also blocked on those sites but the same news on LA Times and Fox appear on countless other sites. I'm not losing anything, they're not wasting power and bandwidth for a freeloader. Win/win.
When more and more people block ads, there will only be a few large sites remaining on the internet because the rest will not be able to survive in the most likely scenario. You could cry all about your freedom then.
> To reduce the amount of personal data we process for you, we have stopped asking for address, city, state and zip code in our shop (we do not ship physical goods anyway). Also, we are in the process of removing all existing address information from our customer database.
Since we had legal counsel in house, it wasn't too terrible. For a smaller company that doesn't have those resources though, GDPR compliance must have been a huge burden.
As a committee member on a local swimming club, it took about 2 hours.
I've talked to colleagues who do a wide variety of processing for their controllers in a business with just a few employees, which is paralyzing. The company I work in is somewhere in the middle. I've also talked to colleagues at companies who only have a few inputs, and regardless of the volume of input that seems to be pretty easy.
Are there any resources for small businesses in the US that want to protect themselves from onerous fines the data regulators can impose? How can they even begin to assess the risks of noncompliance?
 deep link: https://static.cliqz.com/wp-content/uploads/2018/10/trackers...
The actual biggest beneficiaries are the citizens whose data is protected.
I know multiple young startups and entrepreneurs in Europe that killed their projects/ideas because the additional burden of coping with GDPR was too much for them.
It's like complaining about how new credit card businesses or banks can't just start up but need a load of compliance. That was tried with cryptocurrencies and billions of users' money was lost due to poor security and scummy companies.
Seriously. Besides that one blogger who was screaming because he didn't even want to bother with the help wordpress provided, I did not hear of a single person/company that quit because of that.
It would also be quite embarrassing considering the time you had to prepare, the help that is all over now or the fact that nobody seems to enforce it. Especially for businesses.
First hit from a Google search for “GDPR shut down”.
Dodged a bullet here.
- history.com forwards to their German page history.de as it always did
- Ragnarok Online is working: https://www.ragnarokeurope.com/?lang=de
- Klout sounds just as dirty as unroll
- Super Monday Night Combat is working https://www.uberent.com/smnc/
Sooo what's the problem again?
I get downvotes for FACTS? Seriously people?
Maybe you mostly have relations with startups that work in the ad industry?
The only way GDPR could kill a business in the conception stage is if the business model was to secretly collect user data and sell it for profit. A business that can't get started due to GDPR is a business that never deserved to exist.
The purpose of GDPR wasn't to hurt large companies, but to protect citizens.
FWIW - ‘tracked all over the world on every website’ also comes with some significant caveats.
If I use one product of Google, it does not mean they have a "business relationship" that entitles them to tracking me as a third party on random websites.
And even if it somehow did, I could merely opt to not be part of that, and neither the website nor Google can deny me service for opting out. That's one of the main aspects of GDPR, you can't make a service conditional on clicking "I agree" and signing away all your rights.
Facebook is even worse, they track me without me even having any interaction with them prior.
Unless Google can successfully argue that every action, every step, every breath I take, is now a business transaction with them because I made a Google account, then they don't have a "legitimate interest exception" for jack shit.
I'm a company that forwards your postbox content to your house, and I also sell your nighttime movement data that I've harvested from GPS through my delivery app. Totally exempt from the GDPR since it's part of my core business to silently sell your data.
Since when is this a bad thing? I want my page less bloated with 100 trackers...
Considering IP-address is considered personal information it sounds like this study is based on data that was illegally collected according to GDPR.
But that doesn't even enter into the tech industry zeitgeist, where commentators are enthralled by the bloodsport between corporate champions and the lives lived by actual humans are incidental and inconsequential.