Hopefully, if enough people abandon sites that use dark patterns and invasive tracking tech, the industry will get the message that these technologies are unethical and even illegal.
Without these overlays, they violate the GDPR.
With these overlays, they violate the GDPR and annoy their users.
If I can't reject this nonsense within 3 clicks I'll leave the site.
I still frequent it for work, there's lots of great stories, but it's almost insufferable.
They don't mind that you feel that way; they still want to make it official.
All my finances, banks, retirement, taxes, budgeting etc. is online. Most of my work (email, googling, tools) is only possible online, 90+ percent of my entertainment and social media is online. My maps, calendar, appointments, education, finding things out such as a courthouse address or the phone number of a restaurant is online. Much of my medical (prescriptions, appointment scheduling, doctor/nurse correspondence) is online. Most of my shopping is online.
I think not using a few websites who use scummy ad practices (of which there are sometimes ethically reasonable alternatives, like this site) is a lot easier than never driving again, though.
If there were a real change in driving habits that the providers could trace to the presence of lead in gasoline, don't you think they would have taken it out?
The context seems consistent with that being the intended thrust of the argument, but its literal wording (https://news.ycombinator.com/item?id=19962410):
> This is like saying in 1950 that companies will take the lead out of gasoline if we all stop driving.
seems to claim, not just that enforced regulations rather than consumer-led boycotts were the right way to address the issue of leaded gasoline, but that boycotts wouldn't have worked.
If your gloss is the correct one, then I find the argument much more plausible than a literal reading suggests.
You will have the option to accept or configure what "partners" you want to track you when you're on Oath sites. There is a list of hundreds of these partners with links to each of their privacy policies and a switch to turn them on or off.
The problem is partly that they are defaulting to tracking you and sharing information with partners; under GDPR it is supposed to be the default to not track and share data. It is also supposed to be equally easy to choose tracking vs not-tracking; with the Oath dialogue the option to turn it all off is not as easy or prominent as the option to accept tracking.
Sorry about the image not being in English, but the language is automatically set based on location.
Interestingly, Tumblr respects the Accept-language header.
English screenshot: https://i.imgur.com/7yZLAir.png
Visit, say, TechCrunch. You get an overlay saying "TechCrunch is part of Oath; please let us do all the things" with a big "OK" button and a "Manage Options" button-made-to-look-not-like-a-button.
So, you click on "Manage Options". Now you have a new page with a big "OK" button (which obviously will, again, give them permission to do all the things), a "Learn more" link, and a "Manage" link. The "learn more" link takes you to a page saying how wonderful it is that Oath wants all your data; that page doesn't appear to give you any options to configure or control anything.
So, you click on "Manage". This takes you, of course, to yet another page on which you cannot yet manage anything. "Oath works with partners ...". Three links. "You can change your choices at any time by visiting the 'Partners' tab in our _Privacy dashboard_"; "See how partners use your data. _Show_"; "See and customize which partners can use your data. _Show_". (And of course a big "Done" button which gives them permission to do all the things.)
It sounds as if the first is for changing things once you've set them, and the second only lets you look but not touch. So, follow the third link.
This doesn't take you to a new page. Instead, it replaces the paragraph the link was in with a two-tabbed thing. One tab is called "Foundational partners" and has a list of 11 partners (people like Amazon, Google, Facebook, as well as some less well-known names). You have no ability here to change anything, but there are links to these people's privacy policies. The first three I looked at (Amazon, Google, eBay) link to pages that give information but _still_ no ability to change anything.
The other tab here is called "IAB partners". This has a list of _238_ separate partners and a little on/off switch for each. There is -- I'm sure there used not to be, so they've actually improved this -- an option that says either "Select all" or "Deselect all". ... But then, at the bottom, you see: "Visit the following industry links to opt out of personalised advertising from those third parties who are members of the _European Interactive Digital Advertising Alliance_ (EDAA), _Digital Advertising Alliance_ (DAA) or _Network Advertising Initiative_ (NAI)."
So. You need to go three levels in before you get any ability to change anything. At that point, you can opt out of personalized ads from their "IAB partners". (Can you opt out of _being tracked_ by them? It doesn't exactly say you can, but one can hope that that's the effect.) But if you want to opt out of anything involving their "Foundational partners" you need to go to their 11 individual websites and go poking around (good luck!). And then there are some unspecified _other_ partners in the EDAA, the DAA, and the NAI. For each of those there's a link taking you to the relevant organization's site, with its own clumsy and typically-dysfunctional mechanism for opting out. And, again, all they actually say will be achieved by opting out is that you won't get personalized ads; you might hope this will also stop them tracking you, and who knows? you might be right.
None of this is anything remotely like GDPR-compliant, so far as I can make out.
I'd attempted to opt out of Oath's tracking a few days back and noted the same. Eventually gave up and blocked all cookies (including 1st party) in uMatrix, which addresses desktop but not mobile privacy.
I've also finally got OpenWRT adblock configured on my router, offering LAN-wide coverage, which helps.
But yes, the experience is utterly hostile and violates the GDPR in both letter and spirit.
I'm coming to think that domain-boxed containers as a default cannot come soon enough. Firefox's tools are useful but nowhere near complete.
 At least until 2020, see https://github.com/mozilla-mobile/fenix/issues/574#issuecomm... and https://www.zdnet.com/article/mozilla-end-of-firefox-for-and...
A while ago Android got slammed in (I think France) for hiding a privacy-related option behind a single button. If that's the cutoff they'll probably be found to be in violation.
It won't come quickly of course, Google got fined in 2018 for things they did in 2008/2009 ish? But at least people are documenting and reporting them. We can hope that in 10 years they'll get fined out of business.
Most people heard about GDPR because companies panicked and sent out mails to everyone, with GDPR in the title. But in the end, most people have no clue about what GDPR actually is.
Please don't say we need to educate people on this, because not only do they not know, but they also don't care. They just want to search, read and watch stuff on the internet, and the less technology and knowledge the better.
For me, I know what it all is, and I simply don't care. Some ad tech knows which websites I saw and what product I searched... I seriously don't give a shit.
If you want to fix this issue, I think micro-transactions is the only way possible. Because content creators will always try (and need) to make money, which means the content reader will always pay. Whether it is with their attention (ads), data, or actual money. Subscriptions don't always work, because most of the time, I just want to read an article and not the whole website.
People like ads.
You know "brand Twitter" and how people like talking about the cheeky thing that Burger King said? That's an ad.
The Super Bowl? People watch for the ads.
Magazines: people collect pretty ad series, like the old Absolut Vodka ones.
Podcasts? We all loved saying "mail kimp" like idiots for a couple months because of a popular ad.
People like ads! …Except on the web.
No one has ever liked a banner ad. Search ads people sometimes like, but no one has ever liked a banner ad. So, they kept adding more banner ads to try to make it up in volume and then they added a shit ton of tracking because they could, but guess what, banner ads still suck and no one likes them.
So, maybe stop trying to make fetch happen? If banner ads haven't been successful for 20 years, maybe they aren't going to suddenly become successful and it's time to stop trying.
Agree. And I guess they have reason to be happy for now.
> The shareholders of companies spending ad money do not care about metrics, they care about revenue.
Agree. And they have reason to be sceptical: a lot of Facebook's growth in ad sales seems to have come from companies who suddenly had to pay to reach their fan base.
> People who buy those ads care about metrics, but while they cannot see inside the FB machine and need to trust them somewhat regarding views and reach they have absolute visibility on the results of that ad spend and where those visitors are coming from.
Another explanation: pay per view ads are massively overvalued but for some reason or another management isn't aware of it or doesn't care yet.
Also there are companies that will track your FB ads and tell you if FB is lying.
Also classifieds were a major source of revenue for many publications and it was destroyed by listing sites like Craigslist. Nobody talks about it but that was the first big blow to the old model.
Ad-only publications were always very low quality.
[Disclosure: I've built a lot of these models in the past]
But I can verify that I think Google gets my interests wrong more than 9 out of 10 times to the point of repeatedly insulting me and my family, and they are supposed to be very smart so I guess they too have equally smart models.
If they had just stuck to something relevant to the pages I visit they'd probably hit more than 50% of the time. If I visit a video about fixing stuff I might be interested in tools, paint or parts. If I visit a local news source around lunch I'd probably enjoy ideas for dinner from local shops.
That said I probably wouldn't buy much more but at least they wouldn't insult me and my family.
But in the absence of data, I'm leaning towards trusting that a market-leading company incentivized and dedicated to optimizing targeting models has a stronger research on targeting the majority of users than vague internet claims of bad targeting. But what do I know.
Do you think it's not repeatable?
...that's like saying "high standards of medicine are bad except for hygiene-minded users." The fact that the user has other concerns in their life doesn't change the fact that it's still bad for them.
Now the game has been turned. Advertisers don't need to target Sports Illustrated to sell Gatorade. They can see you checked into LA Fitness and most of the people who checked into this particular LA Fitness also happened to spend 30s longer looking at a tester Gatorade ad, so there is a slim possibility that you too will look at a Gatorade ad for 30s and maybe subliminally engage with it next time you are presented with a Gatorade in a cooler at the grocery store. The classic is you looking at a product on Amazon and seeing it appear all over the web. It only gets more insidious the deeper your digital footprint goes, the more data they have on you, the more correlations they are free to make which would have been impossible back when advertisers were catering to audiences, not individuals. Sprinkle in exploiting modern psychology for profit, and it's disturbing.
The clearest example of this is the collapse of local news.
Realistically, I wouldn't expect targeting more granular than a zip code. But that's still pretty decent as far as advertisement targeting goes. Definitely better than broadcast radio, as one example.
I can imagine, say, readers of Golf Digest are probably interested in golf. That's about the extent of the research that can be done by a traditional magazine. But there's an entire ad industry (for better or worse) to minimize 'wasted' impressions, and there's a large chasm between "male 25-35" and "specifically John Doe who looked at #9 clubs yesterday but hesitated to buy them, maybe we can win him over". Clearly the latter example is prohibited in the spirit of the GDPR, but it's broad enough that it kills the former as well (and puts the extent of information available to the industry back to "Golf Digest readers play golf").
Not that I am particularly sympathetic to advertising agencies and the machinations of what online ad-tech has become, but I am sensitive to legislation that puts entire industries (i.e. real people's jobs) under a coal fire of "maybe we as a company literally have no viable path forward".
You really don't have to play devil's advocate, one of them is illegal.
If a company has no viable way forward, and has to resort to what the rest of us deemed illegal, it should stop existing. Not all companies should survive at any cost, that's not utilitarian or desirable.
I'm going to be purposefully obtuse and set up a contrived hypothetical, but to me it's really more like: you came to my store today, but I saw you at the golf shop yesterday. Maybe I watched you closely to learn exactly what you were thinking about buying. I happen to also sell golf things and maybe I want to peddle them to you. So I really go all in on my sales pitch and single you out while you're shopping. That's legal in meatspace. What makes "the same thing, but do it on a computer" illegal and unethical? I think it's a real important question for legislators to answer. Is it the scale? The fact that it can be automated? That we're really not actually comfortable with the meatspace example but didn't have a good way to ban it before?
Just food for thought. I'm mostly neutral on the GDPR, I appreciate the intention but I think we as a society need to define consistent expectations about privacy.
Imagine almost every store in your city installed something facial recognition (a la Amazon Go). This system, given to owners literally for free, was created by one company - Google - and allowed them to automatically see what products most people were looking at, what time they were doing so, and their demographic. As payment, Google also gets this data and is able to use it for their means.
Note: I'm just making this analogy. Google Analytics (probably) isn't being used for ad targeting.
What actually happens is that your behavior (in store or not) is permanently observed all the time and ads are served whether you want it or not.
Imagine if, in all shops, you'd always get jumped on by an attendant trying to sell you things. And sometimes a shop attendant would appear out of the blue.
What you're describing you can have today - just convince the user to make an account in your shop and give you permission to send offers. You can chase him any time you want.
As opposed to the half of them where it currently happens?
If creepy shopkeepers following you round was a thing I suspect it would be illegal already.
You could even hire someone to wander around your competing stores and take lots of notes about the people they saw. "Red shirt guy shopping around for slim fit pants". Unlikely scenario, but legal to do and to use that information.
My whole thing is - what makes the scenarios different enough that one is prohibited and one is allowed? Certainly if we told folks they must forget their observations about others upon request, that would face some baseline rebuttal about their own autonomy.
Good that you're sensitive, but some jobs simply deserve to die. It happened in the past; behind leaded gasoline, or CFCs, or poisons sold as miracle drugs, were real people with real jobs. Advertising as an industry proved itself to have cancerous nature and grew to do incredible damage to people; it deserves to be burned down to the ground.
I know I'm talking hypotheticals, not anything that helps people make money off actual work done online, right now. But I'd be ready to pay for a fairly done flat rate service that gives me access to quality content on a variety of sites for a reasonable price a month. If you do that, companies would not have to track anything after confirming my login, it would no longer be the main revenue stream.
Are there any good estimates how much money the internet makes from the ad data of an average person, per month? Like, spread among multiple websites? Is that too crazy an amount to ever expect people to pay?
This is a human behavior issue. You would need to change the behavior of billions of people before the ads model gets affected.
Music and movies are highly repeatable and have production costs that users recognize and value. News and general content is not valued the same so nobody wants to pay for it. The severe dropoff in any paywalled site shows the effect of charging for news.
First, there was the web, and there weren't any ads, and that was just the way things were. Then there were ads on the web, and it got to be unpleasant. Then there were adblockers, and things were good again. Then there were adblocker-blockers, and I stopped visiting sites that used them.
I honestly don't know how you're going to make money out there, but it's not my problem.
With AdSense you can use non-personalized ads: https://support.google.com/admanager/answer/9005435?hl=en
(Disclosure: I work for Google)
At least then I’m actually choosing to receive ads. In return it would be nice to have a say in the sheer amount of attention grabbing advertising we’re subjected to in the physical realm. There is no consent there, and this advertising only serves the purpose of businesses selling stuff. Why can’t I charge a cost per view for everything shoved in my face on the way to work, or at the cinema, or on the train, or in any other situation where I’ve already handed over cash? My attention is a scarce resource that holds a lot of value to my friends, family, colleagues, and any other human being in my life. I’d love to paywall access to that.
In short though I believe there has to be a fundamental shift from the belief that ads, tracking, and shadow profiles are the path to profit in an increasingly connected world. Something about the relationship needs to change, maybe towards business-2-citizen instead of business-2-consumer.
Because you don't own whatever is being used to advertise. It's not your decision to make. They can charge you and then show you ads.
>In short though I believe there has to be a fundamental shift from the belief that ads, tracking, and shadow profiles are the path to profit in an increasingly connected world.
Belief doesn't mean anything. What matters is what pays the bills. If alternatives worked well, then I'm sure we'd have plenty of sites that would already be doing this. You could argue that crowdfunding is one such route, but I don't think that will ever work on a large scale. The amount of money required just isn't there.
The reason ad-tech is so common is because people are unwilling to pay any amount of money.
And I agree that pay-as-you-go would put a high mental overhead on sites. That's why we have ads instead.
So, maybe ads are not the answer after all.
Users are still paying for the content just indirectly.
It would be FAR better for everyone if people started paying for content again.
Also, haven't looked at every company they list, but maybe they're covering their bases by listing every company part of adchoices? https://youradchoices.com/participating
Source: I know a guy who runs a blog who wrote Google+ posts about doing it.
If the NYT or whatever started advertising for its audience, I wouldn't have shoes ads all over the place as soon as I buy a pair of shoes on amazon.
The big lie of adtech is that it can advertise better than conventional methods. Yet I've yet to see a relevant ad online - when I see them in paper magazines and metro stations that don't aggressively target me individually.
I'm not against advertising online, I don't like ads because I think they're too good and leverage our vices too much, yet I understand their necessity in the "econo-societal" context we live in. Therefore I am for ads in the metro, TV, magazines, billboards and websites. But I sure as fuck am against individually targeted ads, because even if they worked better I think that'd be going too far, but mostly because they don't work whatsoever? In my circle of friends I've never heard someone going "yo, I saw this sick ad for [whatever], I'm sold, I'm gonna order one of those". I have however heard some (and myself) say "I saw this concert ad in the metro on my way here, wanna go?" (The malade imaginaire with Daniel Auteuil ad in the Parisian metro worked on me for instance.)
I could go on and on about this, but I've recently switched to Dvorak and I'm pretty slow at typing. My thesis is as follows though: use ads on me, but don't follow me everywhere and try to find out what I might buy again. Use conventional pre ad tech means, they work better anyway.
P.S. Google sponsored links are such a dark pattern. I didn't realize it until I saw a very good friend of mine use Google (peer googling if you will). He wouldn't even notice the sponsored links and click on them as if they were the first non-paid Google link - only to click the back button and the second sponsored link again and again, until finally hitting the first non-paid link and being satisfied with its content. He's an architect and therefore very attentive to details and yet, he'd automatically click on them as we were googling after I repeatedly explained to him what was going on. I bet you most non techies are this way.
P.S.S I haven't even had the time to discuss the GDPR popups that show iPhone style toggles but that are so evilly designed that you cannot tell if they are "on" or "off". Or all the sites that check them all by default when they should be off. And all those sites that you just cannot even find where the hell to set these things even after navigating on all the nested links in the popup.
How often do you see ads online that are in one of the hundreds of languages that you don't speak? How often are these ads for a particular business in a location that's in another country?
Without some targeting, many of the ads I get are in languages I do not understand. Sometimes they advertise services that are in another country entirely.
Who even clicks on internet ads? Grandma? Kids? People who weren't on the internet when clicking a banner ad gave you malware? My family has been blocking ads since 2005, I wonder if advertisers even know if their ads are being blocked? If I were Zuckerberg, I'd lie all day about my engagement numbers, because why wouldn't you? Hire a Russian click farm to get your numbers, your board of trustees probably isn't tech literate enough to tell the difference and that's good enough to keep the stock afloat.
However, doesn't Facebook already optionally ask me where I live, birth date etc.? Come on, those are enough info to classify me as student/working/revenue/ etc, and these I give with my consent. You don't need to analyze my location history, throw NLP at my comments, track my hyperlink activity or whatever the hell they do.
That is very kind of you. Thank you!
>However, doesn't Facebook already optionally ask me where I live, birth date etc.? Come on, those are enough info to classify me as student/working/revenue/ etc, and these I give with my consent.
I agree with you, but not every service asks you for that information. I don't really want them to ask it either, because I would probably have to register on every website I try to visit to get access to the content. On the other hand, I completely agree that the whole thing has gone overboard. They try to track way too much stuff.
Curious...that's not a problem I see much, if at all. If sites simply display ads that are in the same language as their primary content, surely that shouldn't be much of an issue? Or are you in the habit of visiting sites you don't understand?
The only websites I use that are in my native language are the government websites and banks. This would mean that I would not be the target audience of many (most?) of the ads I see.
Just as an aside, I don't get how that works. I buy a thing on Amazon... then I get ads for the thing I just bought.
This happens often. Guys... I already gave you my money, I'm not buying two TVs now...
Great bold statement out of a personal anecdote! Yet Google and FB joint market cap is 1.3 trillion dollars and they employ thousands of people paid a fortune to build personalized ads models. Everyone must be stupid, right?
And sorry for the bold statement as it is indeed based solely on the tiny view of the world my senses allow me to have. I would however love some of you to tell me some "personal" anecdotes about the effectiveness of adtech on them, I'm curious honestly.
I'd be Google and Facebook, I'd sure as hell continue diversifying away from adtech as much as possible because you are right, no one is stupid here, hence GDPR.
I've looked into how you file a complaint with the UK information commissioner about that sort of thing but there doesn't seem to be a way unfortunately.
Tempted to do this myself, the Oath GDPR notices are the worst, with no visible controls and a warren of useless links.
I came across a particularly scummy site making it look like the ICO endorsed them by abusing their logo.
The logo was removed the next afternoon. All it took was an email to that address.
I guess what I'm trying to say is that in the current state of things, you cannot complain about "ads are evil and don't work", "Google and FB are monopolies" and "I want privacy" at the same time. The three are linked. If you push for privacy, you'll hurt the open web (because you'll consolidate advertising to Google and Facebook which are on the publishers' side so have less incentives to make ads work because they fully control inventory).
Patreon, Brave BAT and crypto etc. are good ideas to change the fundamental economics of the web. But in the status quo, we cannot have everything: privacy AND free services like Google and Facebook AND these companies not being monopolies interested in data collection.
[Disclosure: I've built a lot of ads targeting models in the past for a living]
A total nobody could easily spend O($1000) and serve malware to millions of people, served out of his own ad server. If he was going through a DSP there would be some sort of approval of ads but no enforcement that the same ad was the one actually being served. This was when Flash was still around and unsandboxed on most browsers and buggy as hell.
Oh, and the industry-standard self-hosted ad server was a PHP thing which carried a backdoor for months/years before anyone noticed. Someone just replaced the tarball on the developer's site and went unnoticed.
And the people selling data... do most people know that this is possible: you buy a car, offline, at company X. They have your phone number. You visit website Y, type your phone number. You visit site Z, they can buy your phone number from website Y, and match that to your phone from the car company which sold your data to third-party W, and know for a fact which car you bought. No profiling, statistics, guessing, inference. They have the actual data. Costs O($0.25).
This was years ago, frankly I doubt things improved and I doubt they are as cash-rich now.
It has improved immensely wherever GDPR is in place.
Great. Fuck free services, let me pay for the service and retain my privacy.
We saw some information about this rather soon after GDPR went into effect. I wonder if there's some more recent data like this.
That leaves just the governments, but hey, it seems like a step in the right direction...
Naive I know.
Restaurants lose a lot of money throwing out food that's probably good enough by the standards that most of us use in our kitchens at home but because there was an excursion in the fridge temperature of 2c or whatever the law says they have to throw it out.
They could make a lot more money if they didn't have to do that, especially if chefs were allowed some discretion in when things are "out of date" like they used to have prior to food safety laws.
However, as a society we actually don't want chefs to have that discretion because although we might trust an individual chef we sure don't trust every chef. So we set rules for restaurants because we would rather have some restaurants go bankrupt and there be fewer restaurants around than have everyone risk eating food that might be below standard every time they go out. Instead, we set an objective baseline criteria for food standards.
Same thing with privacy. Your personal standard of privacy may or may not be higher than my personal standard of privacy, but society-wide we don't want privacy to be a roulette wheel or a tragedy of the commons, so we set an objective standard for it.
That may or may not bankrupt some ad-tech companies who are reliant on the dodgy-chef techniques, but that's not a loss to society as a whole any more than losing dodgy restaurants would be.
>The tracking landscape post GDPR, adverse effects on competition and a market for compliance technologies
By September, stats showed that Google and Facebook managed to stay relatively the same in the EU, while all the other ad companies lost reach.
>The Short-Run Effects of GDPR on Technology Venture Investment
https://www.nber.org/papers/w25248 (there's a link to the pdf)
A paper by NBER finds that, in the short term, EU ventures relative to US ventures, raised less money, did fewer deals, and the deals raised less money.
I think it'll take a lot more time to get an answer to your question directly though. It's also possible that any answers we do get are politically motivated (both for and against).
In the run-up, the best guide to GDPR was UK ICO's guide to 1998 data protection with a few GDPR annotations.
You must live in a different Europe than I do, because I'm pretty sure that most companies that don't deal with the internet, don't even know what privacy they're required to provide. People still regularly use gmail for some business tasks, they openly list data that shouldn't be shared etc. I don't think what you said is true at all. I think most companies simply don't know that they're in violation in some way or another.
The biggest problem with Data Protection was the maximum penalty, and that it had no teeth for data that moved out of area. It simply wasn't enough for the larger corporations to care that much - unless they were purely national. Hence some companies being fined multiple times for the same failings. I don't believe there's a Shell, Philips, Siemens or Glaxo that didn't have awareness, data protection officer and so on.
Neither do companies offer me a way to get the data they have about me.
This guy has been trying to get his Facebook data for 4 months now:
Will be interesting to see if he keeps at it and how it turns out in the end.
It was always a transparent ploy to make it more expensive for small-time ad network operators and give Google and Facebook yet another monopoly advantage.
And ironically, it is Google and Facebook who are the huge privacy violators, not the small ad tech companies; GDPR only serves to erode your privacy in the end.
Even if "advertising to EU citizens" put them in reach it wouldn't give the outcome they want - that would likely turn into a full block if they see no benefit to it and compliance costs.
It is a democracy. The many will win if they want to. I understand the unethical part of 'consuming content for free' which costs them $. But there they picked to go to the extreme end of loading a simple piece of news with 10+ trackers.
On TC I get 14 hits on my PrivacyBadger, 9 hits on NoScript, and 2 hits on ABP. If one day those '25 violations' go down to 2-3, I will consider letting them go with it.
GDPR is vague principle-based legislation and this part is not what people think it means.
Making a profit is not necessary to operate a service in the same way. It's necessary for the company to be profitable but that is irrelevant to the GDPR.
All things laws have forced makers not to do. This is just the same, except it concerns misuse of personal data.
A company that requires ads and data to pay for the service cannot be forced to provide that service without those ads and data at no cost to a user. The choice is freely given as a user by not giving consent to data, which means the site doesn't offer the service.
AIUI the GDPR means you can't exclude users on the basis of their willingness to give up PII. So you're going to need to charge everyone. You can probably refund those who do give your PII, or pay them for it in a more direct way. But you can't offer a service where the only differentiator between access and denial of service is "give us your PII"?
GDPR can prevent extraneous data capture but it can't force companies to provide services without compensation.
A business is free to choose their compensation model. Your choice is to not engage if you don't want it, not to demand it for free regardless.
Continue to do so and face the possible consequences, close doors or leave the market, or find an alternative way. Just as happens with other laws.
Businesses are not completely free to choose their compensation model - many places have long standing laws against unreasonable rates of interest or other illegal terms, discrimination etc. This is just another more recent limit.
But they are not. Your compensation model generally cannot include such things as slavery, child labour, prostitution... Many places place limits on the amount of interest that may be charged on a loan.
A business is free to choose their compensation model within the confines of what the law allows. In case of the GDPR it disallows paying through PII. Thus a business is not free to choose this model.
However it can't force a company that requires data to be processed for a service to still provide that service when the data is not consented to. That is impossible without breaking the very law that prevents it.
This whole thread is just people refusing that data can be necessary for the service, which is fine if that's your interpretation, but not what major law firms actually agree on and it's certainly not going to hold up in court.
I'm failing to understand how TechCrunch's provision of articles is impossible without my provision of PII, they seem to manage to display those articles to other people even when I don't give them _my_ PII.
It sounds like someone is confused as to what essential means; it doesn't mean "carry on using the same privacy infringing business model regardless".
HN users should contact a law firm instead of being self appointed lawyers downvoting everything they misunderstand.
Do I need your insurance renewal dates before I can serve you a pint of beer? No. But if I had them I might be able to give you slightly cheaper beer (and feed back to the insurance company that you drink beer; a fact they might use to increase your insurance). So, under GDPR, can I refuse to serve beer to people who won't give up PII? No, I have to come up with another way to ensure payment, like asking for money, or advertising to you without PII, or ...
Universal service obligations worldwide. Anti-discrimination laws. Mandatory customer warranties. Regulatory standards. The whole world is replete with examples where regulation places restrictions on goods and services, and the conditions under which they can be offered. It is absolutely feasible to disallow mandatory data collection for services. I am honestly struggling to see what problem you can possibly be seeing with this.
If you're not paying then the company is, and that's a cost. You can't demand that a service be provided to you for free without some greater provisions that subsidize that service. There's nothing illogical about this.
Your examples aren't the same thing. Regulations on how something is offered while being compensated is different from claiming that a service must be offered even if it can't be compensated. We've already discussed this with some of the biggest law firms in the world and I suggest you talk to counsel if you want further clarity.
1. Companies can offer services which exploit personal data as part of their commercial business plan.
2. That collection must be reasonably described as a "legitimate interest" for the purposes of establishing a lawful basis for processing under the GDPR.
3. The "legitimate interest" in this case must be such that the site could not reasonably operate without targeted advertising, in order for explicit consent (and the associated option to opt-out) to not be required.
If I understand you correctly, then I agree that if you can construct a valid "legitimate interest" in this vein then you could reasonably require visitors to accept targeted advertising, without it being a GDPR violation. It wasn't clear from your argument that this was what you were saying – statements like "you can't force companies to provide a service at cost to them" are simply not accurate, because it is entirely reasonable and common that regulations require companies to provide services with certain conditions attached (indeed, the GDPR is one of these when you are operating on the "lawful basis" of consent). And further, it is entirely feasible for a regulation to be incompatible with an existing business model, such that a company would no longer be able to offer a service at all (if, for example, TechCrunch were unable to make enough income through non-customised advertising).
However, this position is _far_ from being as clear as you seem to suggest. It is heavily disputed whether or not "online behavioural advertising" constitutes a "legitimate interest" under the GDPR. There are several outstanding complaints on this matter and the question of whether or not OBA can constitute a "legitimate interest" is not at all settled.
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
I don't think 'we want to sell your information for money' would be considered a necessary part of whatever webservice/website you offer, given that you could choose a different way to monetize it. Thus you need consent, but clearly the situation you present does not meet the definition of 'freely given'. But I hope we will soon see this issue being decided in court.
If data processing is necessary to provide the service then the service cannot be provided without consent. This is perfectly allowed in GDPR. Ask a law firm for further details.
If I can't profit off serving you content without you consenting to the targeting (so that the ads will pay out more money), I should not be legally required to provide you content at a loss. I'm sure it wouldn't fly in the U.S., though I'm not sure what protections businesses have in the EU.
First, ethics are not irrelevant. You may argue that ethics has been satisfied in a case, but that doesn't make it irrelevant.
> There's nothing unethical about ads. If you don't want to view ads in exchange for the content then you can pay for it or visit a different site.
I have two issues with this line of reasoning. First, it assumes that the issue is with the ads themselves, rather than the stalking being done. Second, it assumes that the content can be paid for (not always the case) and that other sites do not perform similar stalking of the users.
If you don't like the model then don't engage. But claiming that it doesn't behave ethically because you just don't like it is silly.
But tracking and targeting without consent are not any longer.
It's kind of like arguing that businesses should be free to dump toxic waste wherever they want, because they can't produce their products at a profit without doing so. They are free to either adjust their business models to compensate, or stop doing business.
You aren't. In fact, you're forbidden to provide this content in the EU.
Then you don't get to play in the EU. Businesses have many protections in the EU, the right to indiscriminately track and target users without permission is not one of them, nor to make provision of service dependent on tracking.
Make no mistake - The GDPR is absolutely an attack on the business of targeted advertising.
I've looked, and followed links from TC to the parent site and back again. Can't find anything other than more links to more policies.
Edit: curious why I was downvoted, did I say anything wrong or offensive?
> This Regulation applies to the processing of personal data of data subjects who are in the Union
Short answer: this applies to people in the EU, citizenship is irrelevant. The law is geographic, not based on passport.
Otherwise, someone might think that being in the EU grants them GDPR rights when dealing with a company in Argentina.
How, and whether, that will be enforced is a different discussion, but the regulation clearly protects people in the EU regardless of where the website owner is located.
GDPR is business regulations, phrased as human rights, and makes the most sense if understood as business regulations. I understand that some might choose to hold different opinions about any or all of this.
Like 99% of sites currently, yes.
It is enforced.
These fines are typically small at first, and rise exponentially as the firms do not comply.
It's not like you just complain and the next day the business in violation starts behaving.
It helps so far that I (as a user) see upfront how much an article costs (in tracking data). I can then decide if I want to pay for it or not.
It is rather disingenuous to upsell ICO as a vanguard, instead of describing it as a toothless quango, at best.
I am curious if someone can argue for the point that only the medical data from your doctor should be protected and the rest can be sold behind your back.
The very concept that this is 'your' data is in error. It is demographic data collected by third parties 'about' you. You've entered into consensual relationships to provide all of this data with those third parties, for the express purpose of using it for advertising. There is no expectation that it then would not be used for that purpose; quite the opposite, that's why it is collected.
Conversely, your relationship with the data your doctor collects has had a long expectation of privacy. Reinforcing that expectation with explicit laws doesn't change the basic relationship.
Before GDPR all of this was not so clear for many people, my parents do not know that they are giving up their data, that it is sold on a market, that a profile of them is created somewhere and each click will put some new tags on that profile.
I agree that this is a big one, and I believe that businesses indeed should explicitly and plainly let users know what kind of data is stored and how it is used.
However, isn't one of the main issues with GDPR the fact that it doesn't give users an option to enter in this kind of relationship with a company, even if both parties are aware and consenting?
I am not a legal expert, but I thought (according to my understanding of GDPR) that businesses are not allowed to store personal data about users, period, unless the data is needed to provide the service. I have no idea if "we need this data, so we can use it for ads to earn the revenue needed to finance our service" qualifies as "needed to provide the service", but I always thought it didn't. I will be happy if someone could clarify this point and, potentially, prove me wrong.
It's the same with taxes. If you're a small company, you're paying the official rate. If you're Google, you'll have a Double Irish with a Dutch Sandwich, who cares if you need to pay €10m to set it up and get the okay from revenue services (there's a fun report on how the uppermost German tax officials "freelance" for the large tax consultancies on the side and make a lot of money to write "articles") - you'll save billions.