Hacker News

The point is that bid requests may (do) contain both an identifier and data about that person. "Is reading a financial news article" being an attribute of the content, sure, but broadcast such that it can be associated with the person.

That's just how context works. If you visit another site then there would be different categories involved, and it has nothing to do with the user.

There's also no personal identity, it's just a cookie if available, used mostly to frequency cap.

Can't adtech companies associate that cookie with the category and build a profile over multiple pages? Then they can correlate the data and identifiers Google provides to any that they collect on their own (e.g. their own pixels served in the ads that actually get shown). If they connect their own pixel identifiers to data that they buy, then they are building up a decent profile.

Those profiles would quickly become so broad as to be useless. Context in the moment is the most important thing, which is why even Google shows ads targeted to your actual search query.

Cookies are also not an identity and are refreshed very often. Their main use is to cap ad frequency and track conversions over the short-term (hours to days).

Google and Facebook do not provide any personal identifiers. That would be a massive breach of their core 1st party dataset. What little data they did provide is now gone with GDPR.

I'm not sure what you mean by "that's just how context works", but perhaps to illustrate the disconnect, it is just as incompatible with GDPR to share the page URL itself, let alone data derived from it like the page category. Doing so is sharing user data in a way that is not consented to.

I don't know what you mean to say about the cookie either; the whole point of this kind of advertisement is to persist associatable data about a person for the lifetime of the cookie.

Page URL is not personal information, that's a ridiculous overreach and misinterpretation of GDPR.

Cookies are an anonymous identifier, they are specifically not a person. As I said, it's a short-term stable ID used to control the amount of ads shown and track any conversions for campaigns. Adtech companies do not know who you are, only Google and Facebook do.

You're incorrect, or at least that's what this complaint claims, and I personally have been expecting it for a while.

The fact that cookies are pseudonymous has 0 effect here -- literally their entire purpose is to be able to associate third party data with a person's browser.

Your contention that all they're used for is frequency capping isn't true either, but even if it was, it's not relevant -- "I'm just using it for frequency capping" isn't acceptable under the GDPR, just as much as "I need the data to do advertising" isn't a reason acceptable under the GDPR for keeping a piece of data in the first place.

Here's the text of the GDPR on cookies: https://gdpr-info.eu/recitals/no-30/
