Hacker News new | past | comments | ask | show | jobs | submit login

Setting aside penalties for a moment, what is the minimum set of changes to programmatic advertising practices that would bring it into compliance with GDPR? Would removing the targeting categories that relate to intimate data be sufficient? Or is something deeper, more structural in the crosshairs?

Remove userid / cookie sync / whatever you name it from bid requests, and make them only context based. Also, forbid cookies from ads providers to be stored on the end user machine.

Note that this doesn't disallow websites with first party data and user consent to add user related information to the bid requests to increase their value, it just doesn't allow to correlate the information with a person after the RTB process ends. Of course it totally changes the role of data providers in the current ecosystem, but that wouldn't necessarily be a bad thing.

I by no means and expert on the subject, but I believe that the "simplest" change would be to target based on content, rather than the individual user.

Yes, but that's also a torpedo to the way programmatic ads are currently bought and sold. (FWIW I am in favor of such a change, but there are a lot of very large tech companies selling data management platforms whose core value prop is being able to stitch together audiences from this sort of data and precisely target them everywhere their browser cookie or device ID goes.)

Agree. GDPR and programmatic ads are totally incompatible.

I believe this is intentional on part of the EU.

Basically anything that hurts American tech companies is intentional on the part of the EU. That's why they're keeping both eyes shut on the plethora of violations many European companies are doing.

You have to report the violating companies. There are no government organizations actively looking for violations.

The American companies are simply bigger target and have the attention of more people, so their reported more quickly.

> That's why they're keeping both eyes shut on the plethora of violations many European companies are doing.

Name and shame. List the EU companies that are shitting on user privacy the way Google, Twitter, and Facebook currently are.

The first fines were leveraged against EU companies [1], your whining falls flat on it's face and has no basis in reality.

[1] https://iapp.org/news/a/germanys-first-fine-under-the-gdpr-o...

The ad categories mentioned in this complaint are the content categories.

I don't mean the "content categories" of the user.

If a page on some website is about cars, then you sell that page as being about cars to the advertisers. At no point would you care about the user, just the assumption that a person reading about the latest Toyota might be in the marked for a new car.

That’s literally what this amendment is about. They are talking about the content categories.

Offer users a meaningful reason to actually consent to such targeting. Current "consent" forms are not meaningful in that most users are probably clicking "ok" just to get rid of the pop up and not because they actually agree.

Why would users actually provide meaningful consent to having a tracking profile? You need to actually offer something to users. The law essentially says you cannot just start profiling them without their permission.

You could offer users a subscription based ad free browsing experience. User pays 50 euro a year, you take a 10% margin, leaving 45 euro behind to provide the ad free experience. At 164 impressions per day (stretched inference from the article) you bid 0.075 cents per ad space. If an ordinary advertiser bids less then this to show you an ad, then no ad would be shown instead and the content publisher would still get paid. At any time you could cancel your subscription and demand that the profile be deleted. This is just one idea on how you could collect meaningful consent for an ad profile.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact