Hacker News new | past | comments | ask | show | jobs | submit login
GDPR adtech complaints keep stacking up in Europe (techcrunch.com)
221 points by jacquesm 62 days ago | hide | past | web | favorite | 288 comments

I just leave any site with adtech 'consent' overlays like Techcrunch.

Hopefully, if enough people abandon sites that use dark patterns and invasive tracking tech, the industry will get the message that these technologies are unethical and even illegal.

I actually tend to try and work with them. With this article as well, I tried to change my data settings instead of just leaving. But I gave up after following the 7th link without encountering a single setting, just more links to follow.

Any Oath website is the absolute worst about this - I tried twice to go through their Byzantine windows to “set my ad preferences” and gave up. They specifically designed it to be as difficult as possible, obviously. Now I just leave immediately anytime it’s an Oath website

I don't understand why companies are doing this.

Without these overlays, they violate the GDPR.

With these overlays, they violate the GDPR and annoy their users.

That's what I don't get. It's my understanding that these ad tracking options have to be opt-in. If I have to dig through countless hidden links and options to reject these settigns it's anything but opt-in.

If I can't reject this nonsense within 3 clicks I'll leave the site.

Surprisingly, Techcrunch is a great example of a site that works very well without JS. Very clean.

Nothing makes me happier than rolling into an article and not having to enable JavaScript for 50 different domains to read 200 words of text.

I came to say basically the same thing. The article sounded interesting but TechCrunch has such a bad consent form / use of data that I always just nope out of there and close the page.

I use ublock to hide those overlays

Or, on a purely ad hoc basis, McDiarmid's "Kill Sticky Headers" (https://alisdair.mcdiarmid.org/kill-sticky-headers).

Slightly better implementation:

It's basically the same but it also catches `sticky` and `-webkit-sticky`, which some sites use instead of `fixed`.

Thank you! Indeed McDiarmid's implementation is so nearly reliable that I find myself confused and stymied when it doesn't work. I'll substitute yours and hopefully avoid confusion and stymied-ness.

Wow, this makes Medium almost readable! Thanks!

Ugh, Medium is the only site I've had to consistently break out the "Block Element" button with. I don't even mind ads and I'm happy to leave them on sites that I want to support, but Medium is an ugly beast with all of the headers and footers.

I still frequent it for work, there's lots of great stories, but it's almost insufferable.

> Medium is an ugly beast with all of the headers and footers.

They don't mind that you feel that way; they still want to make it official.

At this point, while I carry a Medium account, I refuse to log into it out of principle.

I use the extension "Hide Fixed Elements" which is similar.

Just remember, you're accepting the agreement if you blocked the overlay because that's the default if you ignored it.

You mean in the overlays that are required by law to have the default option be to opt out of tracking?

Actually, they're supposed to be opt-in. "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." [0]. I worked extensively on one of the big ad-network's GDPR compliance pub & advertiser tools and we took this seriously. If you blocked the message & you were detected to be in the EEA, that was "no consent" for data use. That said, I know many of the other players in the ecosystem actively overlooked or did not abide by this policy.


Shoot, you are correct, and I misspoke. I meant to imply that the default must be assumed to be rejecting all tracking, and that all tracking applied must be explicitly accepted.

What's a shame is that most companies hide behind the claim that if users block IP tracking, since they "can't" get geo without IP, you're opt-in by default. They don't make the best effort attempt to, using the data they have, determine opt-in/out default behavior. The regulators seem OK with that argument. So your point sort of stands (and I wish it didn't)

No, GDPR requires explicit consent for data collection. Blocking the overlay crap is withholding consent.

But is that the case in practice? It's my experience that there are countless media outlets showing me popups that have the tracking options activated by default.

Most companies hide behind the claim that if users block IP tracking, since they "can't" get geo without IP, it's opt-out. Oath in particular will use any excuse to opt-in by default, but so will most news sites. Regulators seem OK with that.

GDPR should be opt-in only, not sure if it currently is or isn't, but in my opinion it should be...

It is, and few care. "Silence, pre-ticked boxes or inactivity should not therefore constitute consent." [0] Problem is that the authorities are too underfunded and understaffed to actually handle this, and the wording in the regulation is vague enough that big company lawyers have hemmed them in. I've seen it happen.

[0] https://www.gdpreu.org/the-regulation/key-concepts/consent/

This is like saying in 1950 that companies will take the lead out of gasoline if we all stop driving.

It's a little easier to stop visiting a website than it is to stop driving a car in US.

For some, maybe. But not at all for me. I'd argue internet has greatly reduced if not almost eliminated need for driving car for many people. I could get by without car for week. Not having internet for same period much less so.

All my finances, banks, retirement, taxes, budgeting etc is online. most of my work (email, googling, tools) is only possible online, 90+ percent of my entertainment and social media is online. My maps, calendar, appointments, education, finding things out such as court houses address or phone number of restaurant is online. Much of my medical (presprections, appoint schedule, doctor/nurse correspondence) is online. Most of my shopping is on line.

The choice wouldn't be using the internet vs driving a car. The entire internet isn't using these tracking scripts. Boycotting websites for their tracking behavior is way easier than giving up a car.

I wonder though! If you were to give every American today an ultimatum that they had to either (1) never drive a car again or (2) never use the internet again, what percentage would take each side of the deal?

Well, Uber uses the Internet to communicate. I know which one would be more useful overall to me.

I think not using a few websites who use scummy ad practices (of which there are sometimes ethically reasonable alternatives, like this site) is a lot easier than never driving again, though.

But websites are on the internet, they're not the internet.

Yes, thank you for using your Gopher client to post this highly relevant and on-topic comment that none of us had already known since forever.


GP was not making this a US versus EU thing at all. Why are you?

Never mind that, how on earth is GDPR a bad law? Is making the bare minimum effort to safeguard customer data such a high cost of doing business?

You may not see a discussion of having all Americans off the Internet in a discussion about a EU law as not US versus EU. But that isn't how it read to me.

The commenter you replied to is American, and right up to the root comment, the subthread had nothing to do with Americans vs Europeans using the internet. The comment exclusively about a hypothetical choice between driving and using the internet.

Is it? There are numerous US cities where you can live comfortably without owning a car. Living without using the big five is all but impossible in part because you never know what they're doing behind the scenes.

> This is like saying in 1950 that companies will take the lead out of gasoline if we all stop driving.

If there were a real change in driving habits that the providers could trace to the presence of lead in gasoline, don't you think they would have taken it out?


Just let them think GDPR is enforceable across the ocean.

Techcrunch has events in the EU (e.g. Disrupt Berlin).

In the 1950s was leaded gasoline illegal across a continent worth about 20% of gross world product?

Idlewords is arguing for legally enforced privacy rights, rather than consumer-led boycotts (or worse, non-organized individual picking and choosing of which privacy violations to tolerate).

> Idlewords is arguing for legally enforced privacy rights, rather than consumer-led boycotts (or worse, non-organized individual picking and choosing of which privacy violations to tolerate).

The context seems consistent with that being the intended thrust of the argument, but its literal wording (https://news.ycombinator.com/item?id=19962410):

> This is like saying in 1950 that companies will take the lead out of gasoline if we all stop driving.

seems to claim, not just that enforced regulations rather than consumer-led boycotts were the right way to address the issue of leaded gasoline, but that boycotts wouldn't have worked.

If your gloss is the correct one, then I find the argument much more plausible than a literal reading suggests.

Thanks, I genuinely wasn’t able to see that interpretation until I saw this, and instead took it in the literal sense you’re giving here.

Could you describe a bit more what the consent overlay you are talking about please? I went to techcrunch with my ad blocker on at first then turned it off but did not see much change. What exactly are you talking about, I would appreciate knowing so I too can avoid deceptive sites. Thank you.

Techcrunch (and tumblr and yahoo and others) is part of something called Oath, you're probably only going to see the consent overlay/redirect if you have an IP that shows as being within the EU.

You will have the option to accept or configure what "partners" you want to track you when you're on Oath sites. There is a list of hundreds of these partners with links to each of their privacy policies and a switch to turn them on or off.

The problem is partly that they are defaulting to tracking you and sharing information with partners, under GDPR it is supposed to be the default to not tracking and share data. It is also supposed to be equally easy to choose tracking vs not-tracking, with the Oath dialogue the option to turn it all off is not as easy or prominent as the option to accept tracking.

Sorry about the image not being in english, but the language is automatically set based on location.

Example: https://imgur.com/a/PFM1W69

> Sorry about the image not being in english, but the language is automatically set based on location.

Interestingly, Tumblr respects the Accept-language header.

English screenshot: https://i.imgur.com/7yZLAir.png

"Not as easy or prominent" is quite an understatement. Here's how it goes.

Visit, say, TechCrunch. You get an overlay saying "TechCrunch is part of Oath; please let us do all the things" with a big "OK" button and a "Manage Options" button-made-to-look-not-like-a-button.

So, you click on "Manage Options". Now you have a new page with a big "OK" button (which obviously will, again, give them permission to do all the things), a "Learn more" link, and a "Manage" link. The "learn more" link takes you to a page saying how wonderful it is that Oath wants all your data; that page doesn't appear to give you any options to configure or control anything.

So, you click on "Manage". This takes you, of course, to yet another page on which you cannot yet manage anything. "Oath works with partners ...". Three links. "You can change your choices at any time by visiting the 'Partners' tab in our _Privacy dashboard_"; "See how partners use your data. _Show_"; "See and customize which partners can use your data. _Show_". (And of course a big "Done" button which gives them permission to do all the things.)

It sounds as if the first is for changing things once you've set them, and the second only lets you look but not touch. So, follow the third link.

This doesn't take you to a new page. Instead, it replaces the paragraph the link was in with a two-tabbed thing. One tab is called "Foundational partners" and has a list of 11 partners (people like Amazon, Google, Facebook, as well as some less well-known names). You have no ability here to change anything, but there are links to these people's privacy policies. The first three I looked at (Amazon, Google, eBay) link to pages that give information but _still_ no ability to change anything.

The other tab here is called "IAB partners". This has a list of _238_ separate partners and a little on/off switch for each. There is -- I'm sure there used not to be, so they've actually improved this -- an option that says either "Select all" or "Deselect all". ... But then, at the bottom, you see: "Visit the following industry links to opt out of personalised advertising from those third parties who are members of the _European Interactive Digital Advertising Alliance_ (EDAA), _Digital Advertising Alliance_ (DAA) or _Network Advertising Initiative_ (NAI)."

So. You need to go three levels in before you get any ability to change anything. At that point, you can opt out of personalized ads from their "IAB partners". (Can you opt out of _being tracked_ by them? It doesn't exactly say you can, but one can hope that that's the effect.) But if you want to opt out of anything involving their "Foundational partners" you need to go to their 11 individual websites and go poking around (good luck!). And then there are some unspecified _other_ partners in the EDAA, the DAA, and the NAI. For each of those there's a link taking you to the relevant organization's site, with its own clumsy and typically-dysfunctional mechanism for opting out. And, again, all they actually say will be achieved by opting out is that you won't get personalized ads; you might hope this will also stop them tracking you, and who knows? you might be right.

None of this is anything remotely like GDPR-compliant, so far as I can make out.

Now here's a reason why I disable js.

Thanks for writing that.

I'd attempted to opt out of Oath's tracking a few days back and noted the same. Eventually gave up and blocked all cookies (including 1st party) in uMatrix, which addresses desktop but not mobile privacy.

I've also finally got OpenWRT adblock configured on my router, ofering LAN-wide covrage, which helps.

But yes, the exerience is utterly hostile and violates the GDPR in both letter and spirit.

I'm coming to think that domain-boxed containers as a default cannot come soon enough. Firefox's tools are useful but nowhere near complete.

I think you can use uMatrix in Firefox on Android.[1] I know uBlock Origin works. But the UI is borderline unusable on a phone.

[1] At least until 2020, see https://github.com/mozilla-mobile/fenix/issues/574#issuecomm... and https://www.zdnet.com/article/mozilla-end-of-firefox-for-and...

Actually, you're right and I have it installed, though still tend to use Chrome (incognito) on account of performance.

> None of this is anything remotely like GDPR-compliant, so far as I can make out.

A while ago android got slammed in (I think France) for hiding a privacy related option behind a single button. If that's the cutoff they'll probably be found to be in violation.

It won't come quickly of course, google got fined in 2018 for things they did in 2008/2009 ish? But at least people are documenting and reporting them. We can hope that in 10 years they'll get fined out of business.

Many large companies use geo-targeting to selectively show you legal disclaimers for whatever country you are accessing from. I imagine TC is showing him a large landing page to comply with GDPR and not for us in the USA.

Yup, but even if they don't, after a couple of weeks post GDPR rollout I realised I didn't actually care about any of these articles anyway, and in the end it's just strictly benefited my piece of mind.

You are probably 0.01% of the population. Most people don't know or care what a cookie is, and just click "OK" when they see it.

Most people heard about GDPR because companies panicked and send out mails to everyone, with GDPR in the title. But in the end, most people have no clue about what GDPR actually is.

Please don't say we need to educate people on this, because not only do they not know, but they also don't care. They just want to search, read and watch stuff on the internet, and the less technology and knowledge the better.

For me, I know what it all is, and I simply don't care. Some ad tech knows which websites I saw and what product I searched... I seriously don't give a shit.

If you want to fix this issue, I think micro-transactions is the only way possible. Because content creators will always try (and need) to make money, which means the content reader will always pay. Whether is is with their attention (ads), data, or actual money. Subscriptions don't always work, because most of the time, I just want to read an article and not the whole website.

What is a reliable way to make money from free articles (other than NY times - style limited articles)? As in, what ad networks can you set up that only use the content of the page to target ads? At this point, if you don't use Google Ads (adsense), your advertiser pool drops significantly and you'll likely be making less money overall.

The same way publications made money for two centuries without tracking and “personalization”, by displaying advertising relevant to the content and the publication’s target audience.

Here is a thing I think about a lot:

People like ads.

You know "brand Twitter" and how people like talking about the cheeky thing that Burger King said? That's an ad.

The Super Bowl? People watch for the ads.

Magazines: people collect pretty ad series, like the old Absolute Vodka ones.

Podcasts? We all loved saying "mail kimp" like idiots for a couple months because of a popular ad.

People like ads! …Except on the web.

No one has ever liked a banner ad. Search ads people sometimes like, but no one has ever liked a banner ad. So, they kept adding more banner ads to try to make it up in volume and then they added a shit ton of tracking because they could, but guess what, banner ads still suck and no one likes them.

So, maybe stop trying to make fetch happen? If banner ads haven't been successful for 20 years, maybe they aren't going to suddenly become successful and it's time to stop trying.

Facebook ads are basically extremely successful banner ads, both for FB and advertisers. There's a reason 90% of new ad spend is split between Goog and FB.

Honest question: How do shareholders know FB doesn't lie about their metrics? Maybe if it leaked it would be fraud, but what stops them from saying some psuedo-b.s? Like "our ad score went from 0.4 schmeckle to 8.6 schmeckle increasing ad yield by over 78% this quarter, here is a 500 page document about it" and if I were an investor I wouldn't have time at all to figure out what a schmeckle means, and I certainly wouldn't care what a schmeckle means or even if it's all an elaborate ruse if my position is improving.

FB shareholders do not care about metrics, they care about ad revenue. The shareholders of companies spending ad money do not care about metrics, they care about revenue. People who buy those ads care about metrics, but while they cannot see inside the FB machine and need to trust them somewhat regarding views and reach they have absolute visibility on the results of that ad spend and where those visitors are coming from. These last two are not things that Facebook could fake for very long...

> FB shareholders do not care about metrics, they care about ad revenue.

Agree. And I guess they have reason to be happy for now.

> The shareholders of companies spending ad money do not care about metrics, they care about revenue.

Agree. And they have reason to be sceptical: a lot of Facebooks growth in ad sales seems to have come from companies who suddenly had to pay to reach their fan base.

> People who buy those ads care about metrics, but while they cannot see inside the FB machine and need to trust them somewhat regarding views and reach they have absolute visibility on the results of that ad spend and where those visitors are coming from.

Another explanation: pay per view ads are massively overvalued but for some reason or another management isn't aware of it or doesn't care yet.

Most FB advertisers measure sales from Facebook directly using 1st or 3rd party cookies. So you can see that you spent 100k and made 200k.

While there's plenty of grey area in measuring "engagement", eventually ad spend either delivers ROI or it doesn't. That's not something you can fake.

Successful advertising campaigns generate revenue. Can't fake that.

Also there are companies that will track your FB ads and tell you if FB is lying.

You can't talk about the past and just forget all the context. The scale in people, services, and speed of connectivity make a massive difference. It's an entirely different world.

Also classifieds were a major source of revenue for many publications and it was destroyed by listing sites like Craigslist. Nobody talks about it but that was the first big blow to the old model.

Every article about newspaper sales talks about it. That was ~15 years ago though.

Surely you could use NLP to extract context tokens and ad labels for ad submitters to create an ad network for this scale.

I thought that was mainly paid subscriptions and advertising?

Ad-only publications were always very low quality.

The big moneymaker for papers was and is advertisements:


This does not work as well. If you take any machine learning model for ads, "content" related features are way less predictive than "user" related features. ie who you are matters more than what you're currently reading.

[Disclosure: I've built a lot of these models in the past]

Do you mean that advertising won't generate the maximum amount of revenue possible unless it violates users' privacy?

Correct. The crux of the issue in the economics of the web is that users privacy value is not explicitly part of the advertiser-publisher transaction. Advertisers want more data because it works. Publishers are ok with that as long as it doesn't bother their users too much. But it's not explicitly priced in the transaction, and users have no say in the transaction at all.

I cannot verify your models.

But I can verify that I think Google gets my interests wrong more than 9 out of 10 times to the point of repeatingly insulting me and my family, and they are supposed to be very smart so I guess they to have equally smart models.

If they had just stuck to something relevant to the pages I visit they'd probably hit more than 50% of the time. If I visit a video about fixing stuff I might be interested in tools, paint or parts. If I visit a local news source around lunch I'd probably enjoy ideas for dinner from local shops.

That said I probably wouldn't buy much more but at least they wouldn't insult me and my family.

I can throw around anecdotes as well. I can verify that I think the majority of ads on content websites that I see and find interesting often have nothing to do with the article that I'm reading.

But in the absence of data, I'm leaning towards trusting that a market-leading company incentivized and dedicated to optimizing targeting models has a stronger research on targeting the majority of users than vague internet claims of bad targeting. But what do I know.

Really? To me it seems that "user-predictive" modeling just mean "show ads for sites user visited recently". E.g. if I buy a blender on Amazon (and maybe check a few comparison sites or something before that) I'm going to get blender-related ads. If that's the best advertisers can do, it's pretty weak sauce... Why would I need 7 blenders?

It seems to have worked better than well for New York Times: https://digiday.com/media/gumgumtest-new-york-times-gdpr-cut...

Do you think it's not repeatable?

> except for privacy-minded users

...that's like saying "high standards of medicine are bad except for hygiene-minded users." The fact that the user has other concerns in their life doesn't change the fact that it's still bad for them.

It might be good for supply (publishers) short term, but it's worse for demand (advertisers) and for ads quality since it removes personalization opportunities. An open-market like RTB where offer meets demand is more efficient (except for privacy-minded users which aren't even part of the transaction). It's also worse for supply long-term as it ties them more to Google and FB, or to a non-scalable contract negotiation process mad-men style with a handful of advertisers.

Targeted ads long predate tech companies. Not every publication gets printed with the same ads. Some metro areas get different ads than others. Same with television. The content itself may be the same nation wide, but local stations run their own ads to better target certain populations. You're providing the publication with your name and address - do you really think they aren't using that to deliver more fine grained ads?

That's still a huge difference. Previously ads would be people who read x, people who go to y, here's a shoe that you might like because people who read wsj wear loafers, here's a hair product you like because people who read seventeen magazine are generally seventeen. The ad wouldn't know anything about you, just what the readers of where the ad is placed might be into based on past advertising decisions, and the content of whatever they are reading.

Now the game has been turned. Advertisers don't need to target sports illustrated to sell gatorade. They can see you checked into LA Fitness and most of the people who checked into this particular LA fitness also happened to spend 30s longer looking at a tester gatorade ad, so there is a slim possibility that you too will look at a gatorade ad for 30s and maybe subliminally engage with it next time you are presented with a gatorade in a cooler at the grocery store. The classic is you looking at a product on amazon and seeing it appear all over the web. It only gets more insidious the deeper your digital footprint goes, the more data they have on you, the more correlations they are free to make which would have been impossible back when advertisers were catering to audiences, not individuals. Sprinkle in exploiting modern psychology for profit, and it's disturbing.

Yes, and it's shitty for consumers and publishers as well. Before if I was interested in a niche product, there would be publications that were supported by ads from the niche industry. Now, they can figure out that I am interested in fountain pens from my browsing history, and instead of paying someone to write fountain pen content for me to read, they put the ads on any random website that I happen to visit. This means that now niche publishing is unviable because it doesn't have a high level of traffic and it also can't deliver more highly targeted ads than e.g. Facebook.

The clearest example of this is the collapse of local news.

Yes. Do you know how commercial printing works? The newspaper is not targeting individuals.

They could be if they wanted to. My address is printed on the cover of some of my magazines - so the capability of person-specific printing exists it's just a matter of extending this to the ads too.

Realistically, I wouldn't expect targeting more granular than a zip code. But that's still pretty decent as far as advertisement targeting goes. Definitely better than broadcast radio, as one example.

Lol, you got me, they can put a sticker on magazines, so there's no difference between print and online advertising.

You mean the model that is no longer viable and is forcing increasing numbers of publications into paywalls to remain solvent?

To be honest I prefer paywalls. If I only read a couple of articles randomly a month from the publication I don't see them at all. If I read any more, I don't mind paying $1 a week to support good content. In the old days you had to either pay a newspaper subscription or buy a paper from a newsstand if you wanted to walk home with it, so it's not all that much different.

To play devil's advocate - how do you determine what constitutes research to figure out what your "target audience" actually is, versus "privacy violation/GDPR no-no"?

I can imagine say, readers of Golf Digest are probably interested in golf. That's about the extent of the research that can be done by a traditional magazine. But there's an entire ad industry (for better or worse) to minimize 'wasted' impressions, and there's a large chasm between "male 25-35" and "specifically John Doe who looked at #9 clubs yesterday but hesitated to buy them, maybe we can win him over". Clearly the later example is prohibited in the spirit of the GDPR, but it's broad enough that it kills the former as well (and puts the extent of information available to the industry back to "golf digest readers play golf").

Not that I am particularly sympathetic to advertising agencies and the machinations of what online ad-tech has become, but I am sensitive to legislation that puts entire industries (I.e. real people's jobs) under a coal fire of "maybe we as a company literally have no viable path forward".

Well, say that I want to know if you are interested in golf. Do you prefer me asking if you can fill in a questionnaire, or should I just pop where you live and take pictures from inside your house?

You really don't have to play devil's advocate, one of them is illegal.

If a company has no viable way forward, and has to resort to what the rest of us deemed illegal, it should stop existing. Not all companies should survive at any cost, that's not utilitiatian or desirable.

Certainly, spying on someone's domicile is illegal. But it wasn't really the analogy I was going for.

I'm going to be purposefully obtuse and set up a contrived hypothetical, but to me it's really more like: you came to my store today, but I saw you at the golf shop yesterday. Maybe I watched you closely to learn exactly what you were thinking about buying. I happen to also sell golf things and maybe I want to peddle them to you. So I really go all in on my sales pitch and single you out while you're shopping. That's legal in meatspace. What makes "the same thing, but do it on a computer" illegal and unethical? I think it's a real important question for legislators to answer. Is it the scale? The fact that it can be automated? That we're really not actually comfortable with the meatspace example but didn't have a good way to ban it before?

Just food for thought. I'm mostly neutral on the GDPR, I appreciate the intention but I think we as a society need to define consistent expectations about privacy.

Following me around all over town like you did yesterday is considered stalking in my books.

Google isn't following you, they're just in every store you walk into no matter what.

Imagine almost every store in your city installed something facial recognition (a la Amazon Go). This system, given to owners literally for free, was created by one company - Google - and allowed them to automatically see what products most people were looking at, what time they were doing so, and their demographic. As payment, Google also gets this data and is able to use it for their means.

Note: i'm just making this analogy. Google Analytics (probably) isn't being used for ad targeting.

I was careful to say only that I saw you at the other store rather than implying I followed everywhere, since that's a fair line to draw and I wanted to avoid that particular connotation. But even still, hiring a private investigator is not illegal - it's just observational.

What you describe is not what actually happens.

What actually happens is that your behavior (in store or not) is permanently observed all the time and ads are served whether you want it or not.

Imagine if in all shops, always you'd get jumped on by attendant trying to sell you things. And sometimes shop attendant would appear out of the blue.

What you're describing you can have today - just convince user to make account in your shop and give you permission to send offers. You can chase him any time you want.

> Imagine if in all shops, always you'd get jumped on by attendant trying to sell you things. And sometimes shop attendant would appear out of the blue.

As opposed to the half of them where it currently happens?

50% better than on internet and they do not have my data.

> Maybe I watched you closely to learn exactly what you were thinking about buying.

If creepy shopkeepers following you round was a thing I suspect it would be illegal already.

That's the precipice of the argument though, right? It's not illegal to observe interactions that you witness, or take notes about customers you saw shopping your competition.

You could even hire someone to wander around your competing stores and take lots of notes about the people they saw. "Red shirt guy shopping around for slim fit pants". Unlikely scenario, but legal to do and to use that information.

My whole thing is - what makes the scenarios different enough that one is prohibited and one is allowed? Certainly if we told folks they must forget their observations about others upon request, that would face some baseline rebuttal about their own autonomy.

The difference is that one is an actual problem and the other isn't. That's it. There isn't some deep legal theory driving lawmaking.

It wasn't necessary to make this behavior illegal before because it was impractical, but now that computers have made mass surveillance practical, it should be illegal.

> I am sensitive to legislation that puts entire industries (I.e. real people's jobs) under a coal fire of "maybe we as a company literally have no viable path forward".

Good that you're sensitive, but some jobs simply deserve to die. It happened in the past; behind leaded gasoline, or CFCs, or poisons sold as miracle drugs, were real people with real jobs. Advertising as an industry proved itself to have cancerous nature and grew to do incredible damage to people; it deserves to be burned down to the ground.

Maybe advertising isn't the future of the web?

I know I'm talking hypotheticals, not anything that helps people make money of actual work done online, right now. But I'd be ready to pay for a fairly done flat rate service that gives me access to quality content on a variety of sites for a reasonable price a month. If you do that, companies would not have to track anything after confirming my login, it would no longer be the main revenue stream.

Are there any good estimates how much money the internet makes from the ad data of an average person, per month? Like, spread among multiple websites? Is that too crazy an amount to ever expect people to pay?

This has been tried countless times and there are dozens of options available. There's no scale to it.

There wouldn’t be any scale to adtech either without massive adoption. If adtech collapses as a viable stream, something will quickly take its place.

It's either direct or indirect payments. Direct payments haven't scaled so indirect (ads) will continue.

This is a human behavior issue. You would need to change the behavior of billions of people before the ads model gets affected.

It seems to be working fine for Spotify and Netflix. Is there something special about journalism that means it wouldn't work there?

It's barely working for Spotify and Netflix is testing ads.

Music and movies are highly repeatable and have production costs that users recognize and value. News and general content is not valued the same so nobody wants to pay for it. The severe dropoff in any paywalled site shows the effect of charging for news.

I initially upvoted this for the first sentence, but then I decided I disagreed with the rest of it.

First, there was the web, and there weren't any ads, and that was just the way things were. Then there were ads on the web, and it got to be unpleasant. Then there were adblockers, and things were good again. Then there were adblocker-blockers, and I stopped visiting sites that used them.

I honestly don't know how you're going to make money out there, but it's not my problem.

I'm not a kook (yeah, I am a kook) but I distinctly remember an Atari Lynx racing game with a Marlboro billboard in it. I remember thinking "wow, video games are going mainstream!" when 13-year-old me saw that, and how this was The Future. Advertising hasn't kept up with me, and I'm 44 years old. That's why I say it's not my problem.

So, you basically want cable TV for the internet? Yeah, we all know how that's going to work out, don't we?

> what ad networks can you set up that only use the content of the page to target ads?

With AdSense you can use non-personalized ads: https://support.google.com/admanager/answer/9005435?hl=en

(Disclosure: I work for Google)

Thanks, the only issue I see is that this is still blocked by adblockers, but nothing can be done about that.

I mean, isn't that what Ad Blockers are for? Blocking ads?

I’d happily accept ads for things on the internet as long as they were relevant to the topic and non-intrusive. These sites do need to earn some money for the work they do and I can decide if that work is valuable or not by reading their articles or watching their videos. Just make the ad experience sensible instead of throwing shitty dark patterns and other things that interrupt the experience. Let me subscribe to a pure RSS feed or other lightweight experience I can pull into a reader.

At least then I’m actually choosing to receive ads. In return it would be nice to have a say in the sheer amount of attention grabbing advertising we’re subjected to in the physical realm. There is no consent there, and this advertising only serves the purpose of businesses selling stuff. Why can’t I charge a cost per view for everything shoved in my face on the way to work, or at the cinema, or on the train, or in any other situation where I’ve already handed over cash? My attention is a scarce resource that holds a lot of value to my friends, family, colleagues, and any other human being in my life. I’d love to paywall access to that.

In short though I believe there has to be a fundamental shift from the belief that ads, tracking, and shadow profiles are the path to profit in an increasingly connected world. Something about the relationship needs to change, maybe towards business-2-citizen instead of business-2-consumer.

>Why can’t I charge a cost per view for everything shoved in my face on the way to work, or at the cinema, or on the train, or in any other situation where I’ve already handed over cash?

Because you don't own whatever is being used to advertise. It's not your decision to make. They can charge you and then show you ads.

>In short though I believe there has to be a fundamental shift from the belief that ads, tracking, and shadow profiles are the path to profit in an increasingly connected world.

Belief doesn't mean anything. What matters is what pays the bills. If alternatives worked well, then I'm sure we'd have plenty of sites that would already be doing this. You could argue that crowdfunding is one such route, but I don't think that will ever work on a large scale. The amount of money required just isn't there.

The reason ad-tech is so common is because people are unwilling to pay any amount of money.

They demonstrably are willing to pay some amount of money - they already pay $40-100+/mo for internet access to their ISP to get access to the stuff online. What they're not willing to do is be nickel and dimed - even if the amount they spend is tiny, the mental overhead of a pay-as-you-go plan vs an unlimited plan is such that it makes the experience much less pleasant.

I don't think it follows that they are willing to pay some amount of money. Maybe they're willing to pay for something like Google, Wikipedia, Youtube as a platform, but they're probably not willing to pay for most of the niche and small sites.

And I agree that pay-as-you-go would put a high mental overhead on sites. That's why we have ads instead.

AFAIK, Guardian asks visitors for donations, and just recently started turning a profit with this way: https://www.bbc.com/news/entertainment-arts-48111464

So, maybe ads are not the answer after all.

Hey there! I'm part of a team that recently founded contextcue.com, a privacy-focused ad network that does exactly what you just described. We only use the content of the page to place ads, and don't track, collect, or store any user data. We're still in the early stages, but would love to get your thoughts if you want to check it out. Let me know if you have any questions!

That is a pretty bad argument. Not everything that makes the most money is good and should be supported. There are other things to consider.

Note that the first RTB complaints were actually about the contextual parts of the specification. They specifically went after the parts that only use website subject data.

I hope the ad industry completely implodes of this.

Users are still paying for the content just indirectly.

It would be FAR better for everyone if people started paying for content again.

yes, but Adsense is a couple of cookies, no? These sites have hundreds and hundreds of cookies

It's currently being looked into by the EU but it's very likely even Adsense is in violation of GDPR.

Also, haven't looked at every company they list, but maybe they're covering their bases by listing every company part of adchoices? https://youradchoices.com/participating

My understanding is it's common for sites to use a bunch of ad providers, because not all of them will offer up good paying ads on a given page. So you try for the most profitable ad provider, and then another ad provider, and then another one, and then maybe if none of them pan out, you show the Google Ad, which gives you something to fill your ad box.

Source: I know a guy who runs a blog who wrote Google+ posts about doing it.

I'm not saying Adsense wasn't in violation but I'm just saying that the other ad providers have a lot of cookies

Why not just show adds not targeted for a particular user, but rather for the audience targeted by the media outlet in the first place?

If the NYT or whatever started advertising for its audience, I wouldn't have shoes ads all over the place as soon as I buy a pair of shoes on amazon.

The big lie of adtech is that it can advertise better than conventional methods. Yet I've yet to see a relevant ad online - when I see them in paper magazines and metro stations that don't aggressively target me individually.

I'm not against advertising online, I don't like ads because I think they're too good and leverage our vices too much, yet I understand their necessity in the "econo-societal" context we live in. Therefore I am for ads in the metro, TV, magazines, billboards and websites. But I sure as fuck am against individually targeted ads, because even if they worked better I think that'd be going too far, but mostly because they don't work whatsoesver? In my circle of friends I've never heard someone going "yo, I saw this sick ad for [whatever], I'm sold, I'm gonna order one of those". I have however heard some (and myself) say "I saw this concert ad in the metro on my way here, wanna go ?" (The malade imaginaire with Daniel Auteuil ad in the Parisian metro worked on me for instance.)

I could go on and on about this, but I've recently switched to dvorak and I'm pretty slow at typing. My thesis is as follows though: use ads on me, but don't follow me everywhere and try to find out what I might buy again. Use conventional pre ad tech means, they work better anyway.

P.S. google sponsored links are such a dark pattern. I didn't realize it until I saw a very good friend of mine use google (peer googling if you will). He'd wouldn't even notice the sponsored links and click on them as if they were the first non-paid google link - only to click the back button and the second sponsored link again and again, until finally hitting the first non-paid link and being satisfied with its content. He's an architect and therefore very attentive to details and yet, he'd automatically click on them as we were googling after I repeatably explained him what was going on. I bet you most non techies are this way.

P.S.S I haven't even had the time to discuss about the gdpr popups that show iphone style toggles but that are so evily designed that you cannot tell if they are "on" or "off". Or all the sites that check them all by default when they should be off. And all those sites that you just cannot even find where the hell to set these things even after navigating on all the nested links in the popup.

>The big lie of adtech is that it can advertise better than conventional methods. Yet I've yet to see a relevant ad online - when I see them in paper magazines and metro stations that don't aggressively target me individually.

How often do you see ads online that are in one of the hundreds of languages that you don't speak? How often are these ads for a particular business in a location that's in another country?

Without some targeting, many of the ads I get are in languages I do not understand. Sometimes they advertise services that are in another country entirely.

I find it funny when the ad tech clearly doesn't have enough data points. I get weird ads now (on platforms where I can't block them, of course). Usually it's a drop shipped aliexpress product from a forgettably named shopify front, recently a lot of eczema treatment ads (I don't have eczema), and today I got a bayer aspirin ad. The last time I bought aspirin was 3 years ago when I had a headache and bought the biggest strongest bottle they had at CVS, generic of course.

Who even clicks on internet ads? Grandma? Kids? People who weren't on the internet when clicking a banner ad gave you malware? My family has been blocking ads since 2005, I wonder if advertisers even know if their ads are being blocked? If I were Zuckerberg, I'd lie all day about my engagement numbers, because why wouldn't you? Hire a Russian click farm to get your numbers, your board of trustees probably isn't tech literate enough to tell the difference and that's good enough to keep the stock afloat.

I don't know who clicks on ads. I've only ever deliberately clicked on an ad once in my life, because they showed a game and I had nothing better to do at the time. The rest... I have no idea who these ads are really for, I just know that somehow it's worth it for companies to spend money on them.

I've upvoted you because you kindly exposed an angle I hadn't thought of, thank you :)

However, doesn't facebook already optionally ask me where I live, birth date etc ? Come on, those are enough info to classify me as student/working/revenue/ etc, and these I give with my consent. You don't need to analyze my location history, throw nlp at my comments, track my hyperlink activity or whatever the hell they do.

>I've upvoted you because you kindly exposed an angle I hadn't thought of, thank you :)

That is very kind of you. Thank you!

>However, doesn't facebook already optionally ask me where I live, birth date etc ? Come on, those are enough info to classify me as student/working/revenue/ etc, and these I give with my consent.

I agree with you, but not every service asks you for that information. I don't really want them to ask it either, because I would probably have to register on every website I try to visit to get access to the content. On the other hand, I completely agree that the whole thing has gone overboard. They try to track way too much stuff.

> many of the ads I get are in languages I do not understand

Curious...that's not a problem I see much, if at all. If sites simply display ads that are in the same language as their primary content, surely that shouldn't be much of an issue? Or are you in the habit of visiting sites you don't understand?

That would make the ads understandable, but that doesn't deal with the problem that they are advertising something that's not available in my region. For example, if I go on reddit and see ads in English, then only ads for some digital products and services could be relevant to me, because anything that deals with physical businesses would be inaccessible for me.

The only websites I use that are in my native language are the government websites and banks. This would mean that I would not be the target audience of many (most?) of the ads I see.

>If the NYT or whatever started advertising for its audience, I wouldn't have shoes ads all over the place as soon as I buy a pair of shoes on amazon.

Just as an aside, I don't get how that works. I buy a thing on Amazon... then I get ads for the thing I just bought.

This happens often. Guies.... I already gave you my money, I'm not buying two TVs now...

I'd guess the tracking doesn't (thankfully) know your Amazon order history, only that you were browsing for shoes.

> The big lie of adtech is that it can advertise better than conventional methods. Yet I've yet to see a relevant ad online - when I see them in paper magazines and metro stations that don't aggressively target me individually.

Great bold statement out of a personal anecdote! Yet Google and FB joint market cap is 1.3 trillion dollars and they employ thousands of people paid a fortune to build personalized ads models. Everyone must be stupid, right?

They're worth that much because they get ads in front of people and because its cheaper than manually and intelligently target ads like newspapers used to. Not because of its effectiveness nor its quality. Adtech is the mac donalds of ads, and mac donalds was so big and effective that they made a movie about it, does that mean they make a good burger and don't ruin the planet making people think they can eat meat cheaply when in all truth it has massive externalities on our ecosystem and our healths ?

And sorry for the bold statement as it is indeed based solely on the tiny view of the world my senses allow me to have. I would however love some of you to tell me some "personal" anecdotes about the effectiveness of adtech on them, I'm curious honestly.

I'd be google and facebook, I'd sure as hell continue diversifying away from adtech as much as possible because you are right, no one is stupid here, hence GDPR.

Sadly the article doesn't mention any complaints against TechCrunch/Oath's non-compliant consent request.

I've looked into how you file a complaint with the UK information commissioner about that sort of think but there doesn't seem to be a way unfortunately.

Might be worth shooting an email to casework@ico.org.uk ?

Tempted to do this myself, the Oath GDPR notices are the worst, with no visible controls and a warren of useless links.

I emailed ico about an issue, they told me to get in touch with the company, who ignored me. I followed up with ICO again, and didn't hear anything after. Was really disappointed.

Try letters on paper?

They don't necessarily respond but they do seem to act.

I came across a particularly scummy site making it look like the ICO endorsed them by abusing their logo.

The logo was removed the next afternoon. All it took was an email to that address.

Logo misuse & similar stuff is probably treated very differently from GDPR issues.

Ok, given the ads hate on HN this will be a pretty unpopular opinion here but... RTB is a good thing. It ensures that Google and FB don't become even more monopolies. Open ad exchanges ensure better efficiency of offer and demand and a somewhat middle ground between publishers and advertisers. In theory, it also ensures an alignment of incentives: higher quality ads (because advertisers want ads that perform better whereas publishers don't care as much on average, as long as they get paid)... Which of course comes at a privacy cost. Remove or erode RTB (as it has been the case over the years with FB closing its ad exchange, Youtube not even offering an exchange etc) and you'll see the nightmarish closed web we all dread: all the long tail of websites won't be able to monetize anymore, and everyone will be at the mercy of Google and FB for any content to be published (AMP etc.). I'm sure Google and FB lawyers are super happy about GDPR: EU is helping them entrench their monopolies.

I guess what I'm trying to say is that in the current state of things, you cannot complain about "ads are evil and don't work", "Google and FB are monopolies" and "I want privacy" at the same time. The three are linked. If you push for privacy, you'll hurt open web (because you'll consolidate advertising to Google and Facebook which are on the publishers side so have less incentives to make ads work because they fully control inventory).

Patreon, Brave BAT and crypto etc. are good ideas to change the fundamental economics of the web. But in the status quo, we cannot have everything: privacy AND free services like Google and Facebook AND these companies not being monopolies interested in data collection.

[Disclosure: I've built a lot of ads targeting models in the past for a living]

I also had something to do with the RTB ecosystem. You have a point, but I was also impressed at how low the standards were, how cheaply you could target an immense amount of people, and how nothing is enforced.

A total nobody could easily spend O($1000) and serve malware to millions of people, served out of his own ad server. If he was going through a DSP there would be some sort of approval of ads but no enforcement that the same ad was the one actually being served. This was when Flash was still around and unsandboxed on most browsers and buggy as hell.

Oh, and the industry-standard self-hosted ad server was a PHP thing which carried a backdoor for months/years before anyone noticed. Someone just replaced the tarball on the developer's site and went unnoticed.

And the people selling data... do most people know that this is possible: you buy a car, offline, at company X. They have your phone number. You visit website Y, type your phone number. You visit site Z, they can buy your phone number from website Y, and match that to your phone from the car company which sold your data to third-party W, and know for a fact which car you bought. No profiling, statistics, guessing, inference. They have the actual data. Costs O($0.25).

This was years ago, frankly I doubt things improved and I doubt they are as cash-rich now.

> This was years ago, frankly I doubt things improved

It has improved immensely wherever GDPR is in place.

> But in the status quo, we cannot have everything: privacy AND free services like Google and Facebook AND these companies not being monopolies interested in data collection.

Great. Fuck free services, let me pay for the service and retain my privacy.

>I'm sure Google and FB lawyers are super happy about GDPR: EU is helping them entrench their monopolies.

We saw some information about this rather soon after GDPR went into effect.[0] I wonder if there's some more recent data like this.

[0] https://whotracks.me/blog/gdpr-what-happened.html

I agree that RTB probably is healthier for the advertising ecosystem, but given how rampant privacy abuses are, blasting out a users private information to every bidder in the auction seems like a tough sell.

I was thinking, maybe it's a great thing the web cannot be monetized on a gigantic scale? Maybe it's not too late to turn the tide against tracking, censorship and thought-policing going on on the internet if the giant tech corps cannot earn money on it anymore.

That leaves just the governments, but hey, it seems like a step in the right direction...

Naive I know.

It would be great if there was a comprehensive analysis about how much money was spend complying with GDPR and what the resulting benefits to privacy are.

That's not actually how the law works though.

Restaurants lose a lot of money throwing out food that's probably good enough by the standards that most of us use in our kitchens at home but because there was an excursion in the fridge temperature of 2c or whatever the law says they have to throw it out.

They could make a lot more money if they didn't have to do that, especially if chefs were allowed some discretion in when things are "out of date" like they used to have prior to food safety laws.

However, as a society we actually don't want chefs to have that discretion because although we might trust an individual chef we sure don't trust every chef. So we set rules for restaurants because we would rather have some restaurants go bankrupt and there be fewer restaurants around than have everyone risk eating food that might be below standard every time they go out. Instead, we set an objective baseline criteria for food standards.

Same thing with privacy. Your personal standard of privacy may or may not be higher than my personal standard of privacy, but society-wide we don't want privacy to be a roulette wheel or a tragedy of the commons, so we set an objective standard for it.

That may or may not bankrupt some ad-tech companies who are reliant on the dodgy-chef techniques, but that's not a loss to society as a whole any more than losing dodgy restaurants would be.

I think it is going to take a while to see how / if enforcement plays out.

While these sources don't answer your question directly, they do measure some impact of GDPR:

>The tracking landscape post GDPR, adverse effects on competition and a market for compliance technologies


By September, stats showed that Google and Facebook managed to stay relatively the same in the EU, while all the other ad companies lost reach.

>The Short-Run Effects of GDPR on Technology Venture Investment

https://www.nber.org/papers/w25248 (there's a link to the pdf)

A paper by NBER finds that, in the short term, EU ventures relative to US ventures, raised less money, did fewer deals, and the deals raised less money.

I think it'll take a lot more time to get an answer to your question directly though. It's also possible that any answers we do get are politically motivated (both for and against).

Has anyone actually been fined in a significant way as a result of GDPR?

An hospital in Portugal was fined €400k for allowing its staff to access patient records without proper safeguards. I think that's the highest so far, but many cases are still being analyzed.

Wasn't that kind of thing prohibited long before the GDPR based on medical privacy laws?

Most things in the GDPR were already prohibited by the Data Protection Directive, but not the amounts of the fines and such.

Which is the reason most Europeans were talking of GDPR as though it was a non-event in the many HN discussions. Every European business had been doing it for decades under data protection. GDPR cleaned up a few definitions, expanded a few new uses and abuses of personal data, and the headline maximum possible fine. The fine that was almost the only thing people wanted to fixate on.

In the run-up, the best guide to GDPR was UK ICO's guide to 1998 data protection with a few GDPR annotations.

>Which is the reason most Europeans were talking of GDPR as though it was a non-event in the many HN discussions. Every European business had been doing it for decades under data protection.

You must live in a different Europe than I do, because I'm pretty sure that most companies that don't deal with the internet, don't even know what privacy they're required to provide. People still regularly use gmail for some business tasks, they openly list data that shouldn't be shared etc. I don't think what you said is true at all. I think most companies simply don't know that they're in violation in some way or another.

Not every company I've dealt with, or worked for has been net based. All have had some sort of awareness of Data Protection. Obviously, there were also exemptions for the smallest businesses. Sometimes awareness was simply a weekend going through DPA and deciding they were small enough to be exempt.

The biggest problem with Data Protection was the maximum penalty, and that it had no teeth for data that moved out of area. It simply wasn't enough for the larger corporations to care that much - unless they were purely national. Hence some companies being fined multiple times for the same failings. I don't believe there's a Shell, Philips, Siemens or Glaxo that didn't have awareness, data protection officer and so on.

Interesting, thanks for the explanation.

In other words, the GDPR is the Data Protection Directive but with significant teeth.

Probably the most known and significant fine was Google's 50 million euro [0].

[0] https://www.theverge.com/2019/1/21/18191591/google-gdpr-fine...

From a user perspective, GDPR has no impact so far. I am still being tracked to death wherever I go.

Neither do companies offer me a way to get the data they have about me.

This guy has been trying to get his Facebook data for 4 months now:


Will be interesting to see if he keeps at it and how it turns out in the end.

It's very early days, legally speaking, right? I imagine they are still mostly sending out warning notices, and collecting evidence of violations for the most part. In a few years, if a few stonking fines are handed out (which I think there will be) we'll see what's what.

it has one major impact: every site I visit I have to click an annoying box acknowledging how the internet works.

GDPR was never about your privacy or user rights.

It was always a transparent ploy to make it more expensive for small-time ad network operators and give Google and Facebook yet another monopoly advantage.

And ironically, it is Google and Facebook who are the huge privacy violators, not the small ad tech companies; GDPR only serves to erode your privacy in the end.

If most of some companies revenue come from selling analytics of user data, is the maximum 4% GDPR fine enough to force all these companies to be compliant?

The process doesn't stop with the fine, they're still required to become compliant, and further violations can lead to more fines.

Seems like a valid business model would be to sue yourself, plead guilty, and pay the 4% tax every year. Legal fees would be minimized by playing both sides.

I love armchair legal advice

So basically I can't use techcrunch unless I consent to letting them use my data for advertising? Doesn't this violate GDPR?

Well the thing about jurisdiction is that it is utterly toothless if they aren't in reach - hence the lack of arrest of Wikipedia editors for Tiananmen Square contributions. It is kind of embarrassing really.

Even if "advertising to EU citizens" put them in reach it wouldn't give the outcome they want - that would likely turn into a full block if they see no benefit to it and compliance costs.

And this is why _we are forced_ (speaking for myself and a few more) to use PrivacyBadger (on which I keep adding domains), NoScript, AdblockPlus, ublock, and others.

It is a democracy. The many will win if they want to. I understand the unethical part of 'consuming content for free' which costs them $. But there they picked to go to the extreme end of loading a simple piece of news with 10+ trackers.

On TC I get 14 hits on my PrivacyBadger, 9 hits on NoScript, and 2 hits on ABP. If one day that '25 violations' go down to 2-3, I will consider letting them go with it.

There is no "forced" here. For most news sites, you can just not read them, and it's fine, really.

TechCrunch have UK based staff, though... there should be a way to have an impact.

No, and that part of the law is unenforceable anyway. You cant force companies to provide a service at cost to them.

I don't understand what aspect of this you think is unenforceable. Companies can be legally required to perform certain actions, and then subject to sanctions if they do not perform them.

This is forcing a company to provide a service. Unless the govt is going to subsidize it, it's not going to work. And in this case, if they require your consent to process data to provide service and you don't give it, then they can't be forced to provide the service in violation of the same law.

GDPR is vague principle-based legislation and this part is not what people think it means.

Nobody is forcing a company to provide a service. You have fundamentally misunderstood this. Regulation requires that if a company does offer a service, then it is not permissible to require mandatory data collection. The company is free to stop offering that service if it cannot offer it in a legal manner.

Yes it is, if data collection is required to provide that service in the first place. That is legal.

There's nothing vague about it [0]. Consent must be freely given. It's the service provider who has to make a choice; offer the service with no tracking, or don't offer the service at all.

[0]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

That guide says "consent should not be bundled up as a condition of service unless it is necessary for that service". But what does "necessary for that service" mean? I suspect that "we can't make money unless we're tracking you" wouldn't qualify, but it would be nice if they had a few more clarifying examples.

If it's how the service is paid for then it's necessary for the service.

From what I understood via local company legal, "necessary" means "this type of service cannot possibly exist without this data". Ie, your email may be required to use a service that notifies you via email for shopping deals. Email addresses are private data and in this case, you can't use the service without it.

Making a profit is not necessary to operate a service in the same way. It's necessary for the company to be profitable but that is irrelevant to the GDPR.

But you can make certain ways how services are provided illegal. How is that not enforceable?

What's illegal about it? It's their service. If they don't want to provide it then they don't have to, including ads if necessary to offset costs. Your choice is to not use it. You can't demand it in whatever way you want if it costs them to serve you.

I want to buy a car without emissions control or catalytic converter, running on leaded fuel. I want to burn that old smokey coal in my home and factory again.

All things laws have forced makers not to do. This is just the same, except it concerns misuse of personal data.

Not sure what that example is trying to show.

A company that requires ads and data to pay for the service cannot be forced to provide that service without those ads and data at no cost to a user. The choice is freely given as a user by not giving consent to data, which means the site doesn't offer the service.

>cannot be forced to provide that service without those ads and data at no cost to a user. //

AIUI the GDPR means you can't exclude users on the basis of their willingness to give up PII. So you're going to need to charge everyone. You can probably refund those who do give your PII, or pay them for it in a more direct way. But you can't offer a service where the only differentiator between access and denial of service is "give us your PII"?

The PII is necessary to pay for the content. If you don't give consent then they can't process the data and cant offer you the service. Necessary requirements are allowed under GDPR.

GDPR can prevent extraneous data capture but it can't force companies to provide services without compensation.

When you go to the shop and buy a book, do they ask for PII instead of money? It doesn't seem necessary, just the particular way that people have chosen to do things to hide their taking of payment.

When you go to the library and check out a book, do they ask for money instead of PII?

A business is free to choose their compensation model. Your choice is to not engage if you don't want it, not to demand it for free regardless.

The fact remains that the law states you may not do that, and that you must provide the same service - if it's provided "free" with data gathering - without that personal data gathering for those who don't wish to opt-in, and if memory serves not in a degraded manner.

Continue to do so and face the possible consequences, close doors or leave the market, or find an alternative way. Just as happens with other laws.

Businesses are not completely free to choose their compensation model - many places have long standing laws against unreasonable rates of interest or other illegal terms, discrimination etc. This is just another more recent limit.

> A business is free to choose their compensation model.

But they are not. Your compensation model generally cannot include such things as slavery, child labour, prostitution... Many places place limits on the amount of interest that may be charged on a loan.

A business is free to choose their compensation model within the confines of what the law allows. In case of the GDPR it disallows paying through PII. Thus a business is not free to choose this model.

But the law does allow for ads as payment. GDPR only regulates consent and privacy, not business models, and absolutely allows for PII as payment as long as consent is obtained and data is secure.

However it can't force a company that requires data to be processed for a service to still provide that service when the data is not consented to. That is impossible without breaking the very law that prevents it.

This whole thread is just people refusing that data can be necessary for the service, which is fine if that's your interpretation, but not what major law firms actually agree on and it's certainly not going to hold up in court.

>people refusing that data can be necessary for the service //

I'm failing to understand how Techcrunch's provision of articles is impossible without my provision of PII, they seem to manage to display those articles to other people even when I don't give them _my_ PII.

It sounds like someone is confused as to what essential means; it doesn't mean "carry on using the same privacy infringing business model regardless".

It displays the articles to other people using their PII to pay for it. Essential because of compensation is allowed, and you have the choice to not view anything. There is nothing you’re losing, but you’re not entitled to demand content either.

HN users should contact a law firm instead of being self appointed lawyers downvoting everything they misunderstand.

You've shown that Techcrunch requires paying, you've not shown it requires PII. The service has to actually need PII, and not be able to reasonably offer it without.

Do I need your insurance renewal dates before I can serve you a pint of beer? No. But if I had them I might be able to give you slightly cheaper beer (and feed back to the insurance company that you drink beer; a fact they might use to increase your insurance). So, under GDPR can I refuse to serve beer to people who won't give up PII, no, I have to come up with another way to ensure payment, like asking for money, or advertising to you without PII, or ...

That is just blatantly not true. Companies can be, and frequently are, legally required to offer services that they otherwise wouldn't.

Name an example. You can't force a company to provide something at cost without any subsidy or provision in return.

Who said “at cost”?

Universal service obligations worldwide. Anti-discrimination laws. Mandatory customer warranties. Regulatory standards. The whole world is replete with examples where regulation places restrictions on goods and services, and the conditions under which they can be offered. It is absolutely feasible to disallow mandatory data collection for services. I am honestly struggling to see what problem you can possibly be seeing with this.

The processing of data is a core part of the service when it's how the service is paid for. Not consenting to your data being processed means the service can't be available. This is perfectly allowed under GDPR.

If you're not paying then the company is, and that's a cost. You can't demand that a service be provided to you for free without some greater provisions that subsidize that service. There's nothing illogical about this.

Your examples aren't the same thing. Regulations on how something is offered while being compensated is different from claiming that a service must be offered even if it can't be compensated. We've already discussed this with some of the biggest law firms in the world and I suggest you talk to counsel if you want further clarity.

Okay, I think we've been talking at cross-purposes, and you're arguing that (in the case of free-to-view sites) targeted advertising is a "legitimate interest". Here is the situation as I understand it:

1. Companies can offer services which exploit personal data as part of their commercial business plan.

2. That collection must be reasonably described as a "legitimate interest" for the purposes of establishing a lawful basis for processing under the GDPR.

3. The "legitimate interest" in this case must be such that the site could not reasonably operate without targeted advertising. on order for explicit consent (and the associated option to opt-out) to not be required.

If I understand you correctly, then I agree that if you can construct a valid "legitimate interest" in this vein then you could reasonably require visitors to accept targeted advertising, without it being a GDPR violation. It wasn't clear from your argument that this was what you were saying – statements like "you cant force companies to provide a service at cost to them" are simply not accurate, because it is entirely reasonable and common that regulations require companies to provide services with certain conditions attached (indeed, the GDPR is one of these when you are operating on the "lawful basis" of consent). And further, it is entirely feasible for a regulation to be incompatible with an existing business model, such that a company would no longer be able to offer a service at all (if, for example, TechCrunch were unable to make enough income though non-customised advertising).

However, this position is _far_ from being as clear as you seem to suggest. It is heavily disputed whether or not "online behavioural advertising" constitutes a "legitimate interest" under the GDPR. There are several outstanding complaints on this matter and the question of whether or not OBA can constitute a "legitimate interest" is not at all settled.

That is a creative interpretation that does not seem in line with the text of the GDPR.

> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

I don't think 'we want to sell your information for money' would be considered a necessary part of whatever webservice/website you offer, given that you could choose a different way to monetize it. Thus you need consent, but clearly the situation you present does not meet the definition of 'freely given. But I hope we will soon see this issue being decided in court.

This thread is just going in endless circles.

If data processing is necessary to provide the service then the service cannot be provided without consent. This is perfectly allowed in GDPR. Ask a law firm for further details.

As I understand you have to Target EU citizens, having a box which states you exempt yourself is allowed. You just have to explain that it is their choice and if they choose to allow you they grant you permission. It just has to be an explicit agree.

IIRC you are explicitly not allowed to deny service if someone doesn't agree to tracking/targetting, so I'm not sure how that would fly.

I believe you are correct, though I have no idea how it came to be.

If I can't profit off serving you content without you consenting to the targeting (so that the ads will pay out more money), I should not be legally required to provide you content at a loss. I'm sure it wouldn't fly in the U.S, though I'm not sure what protections businesses have in the EU.

If your business model does not work when behaving ethically, perhaps that is a problem with the business model, rather than a problem with the ethics.

Ethics are irrelevant here. There's nothing unethical about ads. If you don't want to view ads in exchange for the content then you can pay for it or visit a different site.

> Ethics are irrelevant here.

First, ethics are not irrelevant. You may argue that ethics has been satisfied in a case, but that doesn't make it irrelevant.

> There's nothing unethical about ads. If you don't want to view ads in exchange for the content then you can pay for it or visit a different site.

I have two issues with this line of reasoning. First, it assumes that the issue is with the ads themselves, rather than the stalking being done. Second, it assumes that the content can be paid for (not always the case) and that other sites do not perform similar stalking of the users.

They're irrelevant because they're subjective. Feel whatever way you want but you don't have to participate if you don't want to.

I'm confused. Your first sentence states that ethics are irrelevant, while your second sentence gives an argument about ethics. Surely, if they are as irrelevant as you say, making an argument about ethics would be pointless.

The ads business model is legal and works for billions of people and millions of companies around the world. In the context of your specific complaint about "behaving ethically", that's entirely your subjective judgement and irrelevant because giving you the choice to do what you want is about as morally good as it gets.

If you don't like the model then don't engage. But claiming that it doesn't behave ethically because you just don't like it is silly.

So, ethics are not at all irrelevant, and you are instead arguing that tracking somebody's every movement online and, increasingly, in the real world, is ethical?

You’re repeating the same thing. There’s nothing wrong with advertising, ads and tracking are different things, and consent is the issue at hand which allows you to engage with what you feel comfortable — and that choice is indeed ethical by all measures.

> The ads business model is legal

But tracking and targeting without consent are not any longer.

Nobody is disagreeing.

This is not a very strong argument – if privacy is a protected and regulated right, then it's totally reasonable that your inability to build a business model which meets the requirements of privacy regulations means that your business is no longer viable.

It's kind of like arguing that businesses should be free to dump toxic waste wherever they want, because they can't produce their products at a profit without doing so. They are free to either adjust their business models to compensate, or stop doing business.

> I should not be legally required to provide you content at a loss

You aren't. In fact, you're forbidden to provide this content in the EU.

> If I can't profit off serving you content without you consenting to the targeting

Then you don't get to play in the EU. Businesses have many protections in the EU, the right to indiscriminately track and target users without permission is not one of them, nor to make provision of service dependent on tracking.

Make no mistake - The GDPR is absolutely an attack on the business of targeted advertising.

You can visit from a European IP address and opt out.

Their EU opt-out is pretty limited, you can't exclude the "Foundational partners" like Amazon, Google, Facebook and dozens of others.

Have you ever found the control to do that?

I've looked, and followed links from TC to the parent site and back again. Can't find anything other than more links to more policies.

Some websites offer a different experience if you access them from an IP address from the EU. So playing Devils advocate, maybe they don't violate GDPR.

Edit: curious why I was downvoted, did I say anything wrong or offensive?

I thought geo-targeting with IPs wasn’t good enough because GDPR applies to European citizens/users, not just people who happen to be located in a European country.

GDPR applies to location, not citizenship. You do not need to ascertain or assume the citizenship of people on your website, only if they're located in the Union. If a German citizen is browsing a US website from a computer in Kentucky, EU law does not apply. See GDPR Article 3 (1), Article 3 (2), and Recital 14.

GDPR does not apply to “European Citizens.” It applies to people in the EU.

> This Regulation applies to the processing of personal data of data subjects who are in the Union


Short answer: this applies to people in the EU, citizenship is irrelevant. The law is geographic, not based on passport.

More specifically, it applies to companies with a legal presence in the EU dealing with people in the EU.

Otherwise, someone might think that being in the EU grants them GDPR rights when dealing with a company in Argentina.

It does grant them GDPR rights. If you offer service to people in the EU, you have to comply with the GDPR. If you don't, you don't have to.

How and will that be enforced is a different discussion, but the regulation clearly protects people in the EU regardless of where the website owner is located.

An unenforceable right is a nonexistant right.

GDPR is business regulations, phrased as human rights, and makes the most sense if understood as business regulations. I understand that some might choose to hold different opinions about any or all of this.

GDPR only applies to geography because there's no possible way to know who a person is online unless they specifically login or tell you, and at that point you already have consent.

> Doesn't this violate GDPR?

Like 99% of sites currently, yes.

What is the point of the GDPR if it is not enforced?

Wait until it starts raining penalties.. Adtech that gets busted will either comply (shrink evil profits), die (won't be able to handle the profit loss), or move to greener pastures (keep their practices away from us).

But those penalties will also screw over most of the sites people are using in the EU.

Or they'll just keep making more money by expanding, until GDPR hits are viewed with the same level respect as the pirate community views DMCA takedowns.

Google was fined $57M.

It is enforced.

I really can't tell whether this is sarcastic or not.

Where do you see sarcasm? On the amount?

These fines are typically small at first, and rise exponentially as the firms do not comply.

Where can I see that it was enforced.

Pursuing cases takes time.

It's not like you just complain and the next day the business in violation starts behaving.

There are many different ways for GDPR to be effective without fines. In the UK, for example ICO aims to offer warnings and guidance in most cases. They aim to get people compliant, levying fines in cases of wilful contempt or egregious slackness. It’s not primarily a money making exercise

I think we can safely agree as of now GDPR is having ~zero effect (bar the annoying overlays) and quickly becoming another cookie law.

The overlays are the start of something bigger, and are a significant change as is. Websites now are forced to tell you who's tracking you and let you turn off that tracking en masse without being unable to use the site.

Complaint is this is not happening at all. In fact, they would need to require an opt-in consent, not presenting obfuscated opt-outs which do not even work. It really does not help we have tables with few hundred companies listed.

> It really does not help we have tables with few hundred companies listed.

It helps so far that I (as a user) see upfront how much an article costs (in tracking data). I can then decide if I want to pay for it or not.

I think we can safely agree that GDPR is having substantial effects (I’ve worked on implementing it in 2 organisations) and that the banners we are seeing is a tiny element of what GDPR are about - an annoying edge case.

It's achieved a quite dramatic change in data breach reporting, thanks to that 72 hours requirement.


No, we can't agree.

>In the UK, for example ICO aims to offer warnings and guidance in most cases. They aim to get people compliant, levying fines in cases of wilful contempt or egregious slackness.

It is rather disingenuous to upsell ICO as a vanguard, instead of describing it as a toothless quango, at best.

Definitely some good feelings and European based companies taking the mantel. Unfortunately those same companies will probably be state propaganda with how the EU has been going lately with internet regulations

Imo the real point of it was for EU politicians to get re-elected on the basis of them taking a “tough stance” against the US tech giants and “caring about user privacy”.

Why is for some of the US citizens medical data sacred but any other kind of data is free for stealing and selling (I mean stealing because you are most of the time not aware what data is collected and to whom is sold). Most of this data can include medical stuff like what medical products you buy, what medical queries you search etc.

I agree with you. My comment was less about the intent of GDPR, which I consider noble, and more about limp-wristed enforcing and real-life effects of GDPR in its current form.

It could take a while for large effects but there are effects for me already, I stopped visiting this websites when I see the dark patterns, I don't even waste time bypassing the wall.

I am curious if someone can argue for the point that only the medical data from you doctor should be protected and the rest can be sold behind your back.

It's not that only medical data from your doctor should be protected, but there clearly should be different tiers of data. I don't really care if people know I visit HN, but I do care if people know the exact contents of my passport or my exact medical history. There's a lot of data we generate that is private and can be used to suss things out about us, but we don't consider it critical like we do some other data.

I agree that data can be in different levels. The first thing I think should happen is informing the people, say if you send me an PM about a medical issue you have you should be informed that your message will be analyzed and a hidden profile of you will be updated and then sold. At least if you want to trade your data you should be able to read a clear contract on what you trade and what you get in return.

I don't believe this argument but I'll make it.

The very concept that this is 'your' data is in error. It is demographic data collected by third parties 'about' you. You've entered into consensual relationships to provide all of this data with those third parties, for the express purpose of using it for advertising. There is no expectation that it then would not be used for that purpose, quite the opposite thats why it is collected.

Conversely, your relationship with the data your doctor collects has had a long expectation of privacy. Reinforcing that expectation with explicit laws doesn't change the basic relationship.

>You've entered into consensual relationships to provide all of this data with those third parties

Before GDPR all of this was not so clear for many people, my parents do not know that they are giving up their data, that it is sold on a market, that a profile of them is created somewhere and each click will put some new tags on that profile.

> [users] do not know that they are giving up their data, that it is sold on a market

I agree that this is a big one, and I believe that businesses indeed should explicitly and plainly let users know what kind of data is stored and how it is used.

However, isn't one of the main issues with GDPR the fact that it doesn't give users an option to enter in this kind of relationship with a company, even if both parties are aware and consenting?

I am not a legal expert, but I thought(according to my understanding of GDPR) that businesses are not allowed to store personal data about users, period, unless the data is needed to provide the service. I have no idea if "we need this data, so we can use it for ads to earn the revenue needed to finance our service" qualifies as "needed to provide the service", but I always thought it didn't. I will be happy if someone could clarify this point and, potentially, prove me wrong.

This is not true. Consent is a basis for storing data.

Regulatory capture. It's easy for FB, Google & Co to pay lawyers to find the loopholes, figure out the right angles and buy off the Irish (or Luxembourgian, another notorious offender to punch holes in EU laws for big corporations) government for tax deals & privacy exemptions. It's much harder for smaller competitors, so GDPR is an effective gate keeping device.

It's the same with taxes. If you're a small company, you're paying the official rate. If you're Google, you'll have a Double Irish with a Dutch Sandwich, who cares if you need to pay €10m to set it up and get the okay from revenue services (there's a fun report on how the uppermost German tax officials "freelance" for the large tax consultancies on the side and make a lot of money to write "articles") - you'll save billions.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact