
I am curious, if you ask for a dump of your data from Google, where do you have to look to find your ad category? As far as I know, this is not directly accessible from your profile or privacy settings.

Looking at the data selection to export, I am not even sure this is included somewhere.

Yes, it seems that service providers confuse the "provide a dump of my data" with just being the information a user actively uploaded and stored. The point of this is to get access to any information the service provider might have about the individual requesting the data. And have it all deleted upon request also!

I'm pretty sure GDPR is meant to force disclosure of derived data too.

Are you sure? I didn't find a clear sentence on this last time I looked. It seems hard to define what is derived data (if they guess that a 20-year-old is a student, is that derived data? or just a guess) and I can imagine it leaking information about other people if it involved aggregating together pieces of data from multiple people.

The GDPR says "‘personal data’ means any information relating to an identified or identifiable natural person". So as long as this derived data is directly related to a person, the GDPR applies.

More explicitly, the UK's regulator says: "You should however note that if this ‘inferred’ or ‘derived’ data is personal data, you still need to provide it to an individual if they make a subject access request."

Huh, thanks for that. So e.g. LinkedIn not providing any information on (say) emails they've scraped seems blatantly illegal too?

In that case, if I stored your date of birth then I'd also have to "disclose" your age and star-sign.

Only if you actively stored or processed their age or star sign. It's not 'disclose every possible inference you could make given the data you hold'.

What if you don't store the inference, but instead process it when needed internally in a function?

  if (dob.month == december) $birthstone = quartz
  select advert from adverts where stone = $birthstone
Or whatever

For ads, you probably don't need to tell people about the "birthstone". But if that automatic processing "produces legal effects concerning him or her or similarly significantly affects him or her" (such as denying a credit card or job offer), then you have to give the person "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for [them]."

GDPR requires that you log when you use information from a user in models, reports etc so this would probably have to be logged and disclosed.

You would also need explicit consent to use the date of birth for advertising purposes.

I have ad personalization turned off, but you should be able to view and edit your interests from your settings page.


It is mostly empty, just my age and sex.

However I am sure I got an interest profile, at least being used with the Discover feed on Android.

Google ad data isn't really linked to data for other non-ad services for privacy reasons.

The discover feed on android is mostly powered by web search history, chrome browsing history, and location history. You can see all that here:


Maybe Google doesn't store it, and just uses these categories in the process of auctioning advertisements, sending them as context?

The problem with that being, of course, that any company participating in the bidding process can decide to store that information and build a profile that does have this information.

Bidders don't get as much info as Google's internal models get. For example, bidders get to 'track' users by a unique id for up to 30 days, but then the id gets reset, so they can never persist any data beyond that unless they can correlate the new id with the old.

That correlation tends to take weeks' worth of data to do with any accuracy, and by that time, all the opportunity to actually use the knowledge to place bids has gone.

The bidders can re-correlate if they actually make a bid, and use a creative to inspect their own cookies, and then resell that ad-spot, but typically that isn't worth it for small bidders (there's just too many devices on the internet - you'd need a huge ad budget), and large bidders are bound by privacy laws that stop them doing it (no investor wants the company the wrong side of an EU fine).

A few bidders used to do that on iOS devices, since the ads there are sufficiently valuable to make it worth it, but I haven't seen it for a few years.

I think you mean "participating"

tnx, updated
