This is effectively a) putting everyone’s approximate search histories on the internet, or b) outlawing google search’s buisiness model.
The consequences of trying option a and failing even once are so great, I argue if that’s your goal you should ban logged out personalization before anyone deludes themselves into thinking they can do it without leaking everyone’s info publically. I also think that’s going to harm consumers more than it actually helps them but I am obviously biased as an ex google search engineer.
What about the legal risk for Google if you opted out of the tracking a month ago but now google thinks you are a different person and is tracking you?
They're also googles problems to solve, not societies. We're not required to provide solutions for them.
If google can't solve them, maybe that means google's business model is illegal.
In practice, legislation goes into effect globally by being in a large enough market that companies would rather comply than lock themselves out. Several companies have rolled out their GDPR compliance updates globally rather than just to the EU. It's the same reason that lots of products in the US comply with standards that only exist in California.
The data subjects of ad networks however are completely different entities from their customers, which makes it a very different compliance problem. It might not be possible at all to conduct that kind of business in a compliant way.
This is not personal, it's the contextual targeting everyone wants. These blog posts never understand adtech.
There's also no personal identity, it's just a cookie if available, used mostly to frequency cap.
Cookies are also not an identity and refreshed very often. Their main use is to cap ad frequency and track conversions over the short-term (hours to days).
Google and Facebook do not provide any personal identifiers. That would be a massive breach of their core 1st party dataset. What little data they did provide is now gone with GDPR.
I don't know what you mean to say about the cookie either, the whole point of this kind of advertisement is to persist associatable data about a person for the lifetime of the cookie.
Cookies are an anonymous identifier, they are specifically not a person. As I said, it's a short-term stable ID used to control the amount of ads shown and track any conversions for campaigns. Adtech companies do not know who you are, only Google and Facebook do.
The fact that cookies are pseudonymous has 0 effect here -- literally their entire purpose is to be able to associate third party data with a person's browser.
Your contention that all they're used for is frequency capping isn't true either, but even if it was, it's not relevant -- "I'm just using it for frequency capping" isn't acceptable under the GDPR, just as much as "I need the data to do advertising" isn't a reason acceptable under the GDPR for keeping a piece of data in the first place.
Here's the text of the GDPR on cookies: https://gdpr-info.eu/recitals/no-30/
Most ironical thing here -- IAB categories applied not to user profiles but to URL's.
So, their goal is to facilitate ads targeting not to user profile, but to page content. This is the use case which is often discussed on HN as ethical and "right" way of showing ads -- you get the bid request with "Nature, travel" IAB categories and you show ad about outdoor gear. You don't need to crunch user data to make this simple decision.
However, I have to admit this complaint has it's own merit. Bid request usually contains not just page URL and IAB categories, but user cookie as well. So, by data-mining bidstream, you can theoretically find people (well, at least their unique cookies) who are looking for a cure for impotence, and this is against GDPR, for sure.
> Lack of transparency makes it impossible for users to exercise their rights under GDPR. There is no way to verify, correct or delete marketing categories that have been assigned to us, even though we are talking about our personal data.
> Under GDPR, processing special category [medical information; political affiliation; religious or philosophical views; sexuality; and information revealing racial or ethnic origin] data generally requires explicit consent from users — with only very narrow exceptions, such as for protecting the vital interests of the data subjects
The last quote is particularly troublesome, as Article 9 GDPR  is explicit about this: processing this data is prohibited by default, and none of the exemptions seem to apply even by a stretch of imagination.
Assigning such labels may be the norm from the Ad industry's point of view, but that is simply no longer possible under the GDPR.
Looking at the data selection to export, I am not even sure this is included somewhere.
More explicitly, the UK's regulator says: "You should however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request."
if (dob.month == december) $birthstone = quartz
select advert from adverts where stone = $birthstone
You would also need explicit concent to use the date of birth for advertising purposes.
However I am sure I got an interest profile, at least being used with the Discover feed on Android.
The discover feed on android is mostly powered by web search history, chrome browsing history, and location history. You can see all that here:
The problem with that being, of course, that any company participating in the bidding process can decide to store that information and build a profile that does have this information.
That correlation tends to take weeks worth of data to do with any accuracy, and by that time, all the opportunity to actually use the knowledge to place bids has gone.
The bidders can re-correlate if they actually make a bid, and use a creative to inspect their own cookies, and then resell that ad-spot, but typically that isn't worth it for small bidders (there's just too many devices on the internet - you'd need a huge ad budget), and large bidders are bound by privacy laws that stop them doing it (no investor wants the company the wrong side of an EU fine).
A few bidders used to do that on iOS devices, since the ads there are sufficiently valuable to make it worth it, but I haven't seen it for a few years.
Advertising atheism and I wouldn't be entirely surprised if in the future people will be prosecuted for it.
I'm jealous that at least Europeans can complain legally.
In the U.S., we believe that the free market knows best and that's freedom and such. Meanwhile, we're being profiled by these vile companies (FB, Google) and our data resold. Aside from individual rights being violated (hint, individual rights aren't just rights against government intervention), there's a huge societal threat here: what happens when this data is used to pit us against one another? Are we still free, then?
In the U.S. it will take a cataclysmic event to reach a GDPR-like desire by the population. The sad reality is that the EU has its citizens' interests generally in mind (consumer protections, GDPR), while in the U.S. Big Brother has the interests of large corporations at heart (namely by allowing them to run roughshod over our rights).
Note that this doesn't disallow websites with first party data and user consent to add user related information to the bid requests to increase their value, it just doesn't allow to correlate the information with a person after the RTB process ends. Of course it totally changes the role of data providers in the current ecosystem, but that wouldn't necessarily be a bad thing.
I believe this is intentional on part of the EU.
The American companies are simply bigger target and have the attention of more people, so their reported more quickly.
Name and shame. List the EU companies that are shitting on user privacy the way Google, Twitter, and Facebook currently are.
If a page on some website is about cars, then you sell that page as being about cars to the advertisers. At no point would you care about the user, just the assumption that a person reading about the latest Toyota might be in the marked for a new car.
Why would users actually provide meaningful consent to having a tracking profile? You need to actually offer something to users. The law essentially says you cannot just start profiling them without their permission.
You could offer users a subscription based ad free browsing experience. User pays 50 euro a year, you take a 10% margin, leaving 45 euro behind to provide the ad free experience. At 164 impressions per day (stretched inference from the article) you bid 0.075 cents per ad space. If an ordinary advertiser bids less then this to show you an ad, then no ad would be shown instead and the content publisher would still get paid. At any time you could cancel your subscription and demand that the profile be deleted. This is just one idea on how you could collect meaningful consent for an ad profile.
More evidence there is zero moral compass in SV and given enough money people are willing to do whatever away from public view and posture and pretend to care about niceties like ethics in public. And these are educated folks who are not starving and desperate.
Discussions should move from a default human base ethical position to any discussion about ethics is posturing and empty, its only by actions that any sense of ethics can be gleaned.
But people who behave unethically cannot then expect an ethical society or ethical behavior from others. These others too have a right to exchange their values for money and attempt to normalize, redefine or hand wave away their actions.