"The overwhelming majority of commercial email sent today contains tracking pixels and tracking links, these are used to uniquely identify individuals so that opens and clicks can be correctly attributed to them"
While spammers may have a problem, people don't.
If I want your tracking pixels and emails then I'll opt in.
Now, what additional personal data are collected by tracking pixels?
> these are used to uniquely identify individuals
I would say that this isn't the case. It is to check that the email was read.
In theory, an IP can be captured, which is considered PII, but most mailbox providers use proxies so this isn't reliable.
You are correct that the email was already personal data. But, GDPR requires that each new use of data be transparently communicated and legally justified (which may or may not mean consent), even if it's only using data you already have. The fact that they have already identified the user does not resolve the issue--GDPR still cares when you collect more data about a known user.
Meaning, even though you are justified using the email address to send the newsletter, you may not be in the clear building an engagement profile associated with that email. Which, apparently, some email marketers do.
There's nothing stopping them either, they're entitled to do so, given they obtain consent for that data processing.
I'm yet to see a single marketer only do tracking by opt-in, and I work in the industry.
The problem is that we're:
A) Collecting the data without consent
B) In most cases, unable to not collect the data because ESPs do it by default with no option to switch it off
If I read it, when I read it, where I read it from (location, device, etc)
If linked to email address and considered personal data then the argument is what is covered by consent to receive email marketing? IMHO tracking whether the email was opened is covered (in the same way as agreeing to receive phone marketing should imply they can track whether you answered the phone...). They will also obviously keep track of what emails they sent you and when.
But agreeing to receive a snail mail does not imply consent to track if it was read. I feel that email is closer to that.
The point is that tracking emails, like tracking phone calls, is inherent to that communication medium and there is absolutely nothing wrong with it.
Google could proxy and cache remote content in emails when they are accepted by Gmail servers, and that would render Gmail users untrackable by third-parties.
I always assumed that disabling 1x1px images would be first on the list of mitigations against this technique. I was under the impression that email clients, in addition to an option to block images in general (usually on by default for an address or origin), generally prevented the loading of remote images. Embedding images directly into emails is fine, isn't it?
On the whole, disabling images entirely is the only real defence against email tracking.
Most email clients these days don't block images by default unless it ends up in the spam mailbox.
They never embed images directly into emails either.
Marketing spammers maybe, but now scammers and malware spammers have the floor instead. Laws only stop the law abiding citizens from doing their thing, it sure doesn't stop the criminals from.... being criminals.
I don't want to be tracked by marketing emails without consent (or, more realistically, ever, because please). If you want to do it anyway, from here on out you have to violate the law.
If you had no trouble with doing that before (being a filthy spammer/scammer), you still won't. If you do, then you will stop tracking me. Hooray.
It’s one disgusting thing when people hide signup behind email confirmation without clearly marked opt-in spam confirmation. It’s another when I get home from a professional event and I have a dozen new “subscriptions” and people “just reaching out” or “following up on our prior conversation” to a single-purpose email address I gave to one place and used a fake name and fake company name.
Email marketing can get fucked.
Outside of spam, I spent some time and unsubscribed from most of the pseudo-solicited communications I got (i.e. the kind of pre-GDPR bullshit where I register for some service and this automatically counts as consent to receive marketing communication). About solicited marketing messages I don't whine much (except that they exist), that's on me.
(I actually used this occasion to softly threaten one of the marketers from the top of my box with legal action, because they are clearly breaking Polish law - they tried the "this message is only request for consent to send the actual message" trick, but executed it badly.)
If you filter just a single address that address can change. If you filter their domain you might lose legitimate correspondence.
What would be great is a third-party site where you can somehow document/log unsubscribe requests. Then, if the company still spams you, document that. A few hundred users is pretty good proof, and the company can't just argue a glitch. It'd pay for that.
I mean, I'd love to be able to, but do you think I'd even be able to determine what the company's actual address is?
Not that I'll ever configure my email client to automatically download images, as far as I'm concerned downloaded images is just making your email address more valuable to the spammer by confirming you got it.
Hardly. It's just the abuse of being able to display images in HTML-formatted mail. You would have to remove every tag and attribute that is able to request an external URL from a mail HTML dialect to counteract tracking.
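The comment above says every tag and attribute that can request an external URL would have to be removed. As an added illustration (not part of the thread and not any poster's code), this Python sketch lists the references in an HTML mail body that a client would fetch on render, and marks `<img>` elements that look like tracking pixels. The attribute list, the `t.example` host and the sample message are constructed and not exhaustive.

```python
import re
from html.parser import HTMLParser

# Attributes that make a client fetch a URL while rendering, without a click.
# Constructed, non-exhaustive list for illustration.
FETCH_ATTRS = {"src", "srcset", "background", "poster", "data"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)
CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)", re.I)
REMOTE = re.compile(r"^(https?:)?//", re.I)


def _is_remote(url):
    # cid: (embedded MIME part) and data: URIs are resolved locally.
    return bool(REMOTE.match(url.strip()))


class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, source, url, looks_like_pixel)
        self._in_style = False

    def _add(self, tag, source, url, pixel=False):
        if _is_remote(url):
            self.findings.append((tag, source, url.strip(), pixel))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        style = a.get("style", "")
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = re.search(r"display\s*:\s*none", style, re.I) is not None
        pixel = tag == "img" and (tiny or hidden)
        for name in FETCH_ATTRS & a.keys():
            if name == "srcset":
                # srcset is a comma-separated list of "url descriptor" pairs.
                urls = [c.split()[0] for c in a[name].split(",") if c.strip()]
            else:
                urls = [a[name]]
            for url in urls:
                self._add(tag, name, url, pixel)
        if tag == "link" and "stylesheet" in a.get("rel", "").lower():
            self._add(tag, "href", a.get("href", ""))
        # Inline CSS can also trigger a fetch, e.g. background-image:url(...).
        for url in CSS_URL.findall(style):
            self._add(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data) + CSS_IMPORT.findall(data):
                self._add("style", "css", url)


def find_remote_references(html):
    parser = RemoteRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample message body.
SAMPLE = """<html><head>
<style>@import "https://t.example/a.css"; .h{background:url(https://t.example/bg.png)}</style>
</head><body background="//t.example/body.gif">
<img src="cid:logo@local" width="200">
<img src="https://t.example/o.gif?u=abc123" width="1" height="1">
<img srcset="https://t.example/a.png 1x, https://t.example/b.png 2x" src="data:image/gif;base64,R0lGOD">
<td style="background-image:url('https://t.example/cell.png')">hi</td>
<a href="https://t.example/click?u=abc123">link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, source, url, pixel in find_remote_references(SAMPLE):
        print(f"{tag:6} {source:10} {'PIXEL' if pixel else '':5} {url}")
```

The `cid:` and `data:` images are not reported because they are resolved from the message itself, and the `<a href>` link is not reported because it is only requested on a click.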
Plus, if something is illegal there's less likely to be an industry driving down the price of that activity. If something is more expensive and less convenient, then people (including criminals) are less likely to do it.
That's a non-sequitur and complete nonsense unless you want to suggest that GDPR automatically turns marketers into criminals.
Also, just because it can't solve all of the problems at once doesn't mean it's a bad thing.
If you use tracking pixels in your receipts, I think you're doing it wrong.
A tracking pixel hit only means that the email was received and loaded in some email client, not that it was read (in detail, or at all), understood, or acted on.
The email industry would comprise a lot more than just marketing.
You have email providers. You have email clients. You have non commercial newsletters. You have evites. You have e-cards. You have emails related to ticketing and reservations.
The email industry is far larger than email marketing, despite what the email marketeers would like us to believe.
Either you do think email marketing comprises the entire industry, or the article title (and HN submission) are (or give the impression of) clickbait.
At least it doesn't seem you are doing any direct tracking on the post though ...
(I used to work for an ISP with a pretty large email service, so it touches nerves that were exposed when our enemies, those companies who try and find ways to irritate our customers, think they are the only important parts of the actual email industry)
This is something I wish ISPs took more care of; they could easily protect users by blocking image loading by default and warning users when links in emails are tracked, for example.
There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.
Certainly not. If I didn't check a box saying "I want to receive commercial emails related to your products and services" I expect not to receive those. I might unsubscribe from the whole thing if I don't have any other means of avoiding those useless commercial emails.
Most email marketing service providers don't even support a multi-interest opt-out page, or charge a lot for configuring your unsubscribe page this way (like a multiple of list size for each option gasp), so this makes it impossible for email recipients to choose what email types to opt out of, so marketers in turn don't bother to collect unbundled consent.
Comparison of some market leading ESPs (see multi interest opt out row): https://www.bigmailer.io/bulk-email-marketing-services/
Very much so; the pop-ups interrupt and obstruct, breaking immersion. I sincerely hope a browser gets brave enough to start blocking those obstructions by default.
It irks me how every "Cookies" banner is an unpaid advertising billboard saying, "Your privacy is valuable to us. Yours faithful, EU".
> This too shall pass.
For now, uBlock Origin + the ruleset from I Don't Care About Cookies.
Here is a trick for website owners: don't track your users. No need for any popup anymore.
You do not need consent for cookies that power basic website functionality or a feature the user is trying to use. So setting a cookie when someone logs in or adds an item to their shopping cart.
Note that they provide notification of necessary cookies, and default opt-out of analytics cookies.
> You do not need consent for cookies that power basic website functionality or a feature the user is trying to use.
This is correct, you do not need consent for necessary cookies. You do, however, have to provide notification that necessary cookies are being set.
> Although the exemption applies to both the provision of information and the gaining of consent, it is good practice to continue to provide clear information about all cookies including those that are strictly necessary, and if personal data is involved then you will be required to do this under the fairness and transparency requirements of data protection law.
I'm not a lawyer and I can't give you legal advice. I can just report that the legal advice that was given to me was that any cookie setting activity needs to be notified, even if consent is not required.
One potential discrepancy is that we are being prepared for the e-Privacy Regulation (which is not yet in effect), while it looks like the page you linked to covers the e-Privacy Directive.
No. It leads to non-acceptance by default. If you are seeing forms where you are opted in to data capture by default that isn't a core part of the service, that's a breach.
Now we are in a sort of transition phase where laws are written but companies interpret them themselves (badly) and there are few guiding cases.
I look forward to the next phase when the notices will be gone or say “did you know you can enable tracking so we show more relevant ads that we get more money for showing?”. I’ll say no regardless of how much I enjoy that content.
Laws are only effective if they're enforced, and right now the tracking laws of the GDPR don't appear to be enforced, or have any sort of method for reporting, which is really really disappointing.
Currently the country's regulators (such as ICO in the UK) are swamped with GDPR complaints and are prioritising the most egregious cases. I imagine cookies are a way down the list.
In terms of reporting, you tell the company itself first, if you don't get satisfaction you report to your own European country's regulator, or that where the company is based.
We need a standard for managing these controls on the browser side, which major browsers can then implement. It wouldn't surprise me if people were already working on something like that. If I reject ads from google doubleclick specifically, they should be pre-rejected for every subsequent website that asks the same question. Likewise for the various cookie purposes.
(I do understand the unfortunate potential for fingerprinting here...)
Really? Any chance you could share some examples, because my strong impression is that a clear 95% of those I see are not compliant.
If the permissions were managed by the browser then cookies could be managed directly on the client side without server side interference, and preferences could be communicated to the website via headers (like DNT but GDPR requires a lot more granularity, and is also legally enforceable in the EU).
It lets you specify a global setting to what extent you want to be tracked, and communicates that to sites that support the extension's "standard".
Like the "Do Not Track" header field?
Perhaps it will work if introduced as a GDPR header field.
GDPR does not forbid websites to ask or even deteriorate your experience (afaik). Perhaps that should change.
I wholeheartedly agree on your point though, that if I reject 'A' on one site, it could be assumed by the browser I'd like to reject 'A' on the next site. Perhaps the same kind of block could occur like they do with faulty SSL settings, just stating that you blocked 'A' on some site, and this site is using the same, with a button to proceed if you accept that fact.
It's illegal. End of.
Note that you can still 'sell' Web content for forcing your customers to see advertisements. You just aren't allowed anymore to track that on a person-by-person basis.
Or the opt out page just leads to instructions to disable cookies in your browser.
Not true, I mark all those as spam. If there is a "newsletter checkbox" I check it out, but if they have hidden it somewhere I don't care, mark as spam and next.
No. Most of the services out there require an email to sign up to the service itself. Using that email for anything beyond the core provision of the service I signed up for is a breach. If I bought a fucking pencil sharpener from your website, any communication beyond keeping me abreast of (and optionally checking if I was happy with) my order is abusive.
And this by itself says a lot, but not what people usually think it says.
The reason why cookie popups are so widespread is two-fold:
1. Because indeed most sites track you to death, and are unwilling to back off even if it costs them visits (many people just close the tab upon being presented with all but the least obnoxious popups). In this perspective, the GDPR is working as intended;
2. General ignorance about the cookie exceptions. You can hardly blame the regulators for that. In fact, AFAIK the GDPR clarified a few things that were ambiguous WRT cookies. That backfired horribly, but just because ignorance is rampant.
If the site respects users' privacy, it will not track the users and doesn't need the warning.
In other words, your privacy has value to them, and they are eager to shaft you that privacy to extract the value.
"Communications" as in "valuable information", like letting you know somebody logged into your account. That's fine and unaffected by the GDPR.
If by "communication" you mean unsolicited advertisements about the company, you are describing illegal behavior that was already illegal before the GDPR. "I agree to be contacted for marketing purposes" checkboxes are ubiquitous precisely because without my opt-in they can't.
Indeed, mandatory acceptance is not a meaningful choice and hence explicitly ruled out by the GDPR.
> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.
Sure, and all necessary use of information is just fine and unproblematic. Just the additional spying on top of that requires an additional, unforced opt-in.
By banning consent bundling GDPR is designed to make this exchange of value illegal.
And no, it's not "reasonable" because it leads to situations where the only way to pay for a service is with your PII.
No. Have you looked at the thing? It affects every organization willing to do business or communicate with the EU.
The only ones that are (negatively) affected are the companies that are not wanted by the EU in the first place.
Not true. GDPR imposes costs on every company. Specifically there are the legal compliance costs, software compliance costs, support costs, and that's if you're a "good guy."
My Firefox is scaled up using layout.css.devPixelsPerPx with a value of 1.2 and even then I've to scale up most websites to at least 120% in order to see anything.
(And the site is using px; it shouldn't.)
Now the question of what the root font-size is (a unit I like to call “browser em” or “bem”—I’ve never heard anyone else give it a proper name)—that’s a much more interesting question. It’s almost always 16px (I have no stats ready to hand, but I’d suggest >99% of page views), but there are devices out there that have other values, mostly between 13px and 19px, and you can change the value in some browsers also. However, website layouts commonly break if the value is not 16px, if the font sizes are based in bems and media queries in px, or font sizes in px and media queries in bems, and the developers have assumed 16px (which is completely normal). The ideal situation is to use either px everywhere or bem everywhere.
In theory, using relative units everywhere is potentially nicer. In practice, you’re fine using pixel units everywhere.
But 24px is still way too big.
Like those sites with the overly huge logos that look ridiculous and annoying on 1080p but I'm sure on 2k and higher they look fine. I don't want to scroll down an entire page worth of scrolling to read your article, it should be immediately available.
Thankfully there's Firefox's Reader Mode.
We had to write a line of business app used by office staff opening mail to feed high speed scanners to support mobile first with a responsive design.
I'm more curious though if what you're experiencing might also be sites designed for high res phones. Most phones these days are 1080p or better.
Tracking has become so ubiquitous, it's become the default to put Google Analytics on a site, to put a tracking pixel into every email, to personalize every link we send out...
But so much of that tracking isn't really necessary. I've stopped tracking website visitors and stopped including tracking pixels in emails a few years ago, and nothing has really changed.
So, I guess I won't know if 10% open my marketing emails or 50%. But who cares? I wouldn't even know what to do with the information anyway. I'd rather focus on making my product better.
You didn't know before either since many mail programs block tracking pixels. This was always garbage data to a large extent.
I've just launched my e-commerce platform and I see 34 unique visitors and no sales. Analytics is key to figure out if something is wrong and I'm not talking about the code.
> I'd rather focus on making my product better.
How do you make it better? Having numbers without analyzing user engagement is shooting in the dark with a shotgun.
How about asking? What about some live chat to gather information?
We have found this to be highly valuable for our shop(s). It automatically pops up after 30 seconds on a product page, on other pages the badge is always present. Lot of good chats, lots of "I'm looking for XY"-feedback that helped us improve.
I suspect it would be. The GDPR doesn't say you can't have analytics, but it quite rightly tries to prevent the kind of tracking you're talking about without explicit consent from the user being tracked.
Analytics provide great insight and enable optimization that companies who are serious need to actively engage in to grow and succeed.
Dismissing analytics is like saying you don’t need a debugger. Just put log statements all over the place... (or, write classic ASP :))
The problem with Google Analytics and tracking is it's hard to tell what the motive is for putting it onto your site from the visitor's POV.
Not everyone who uses GA is using it for evil purposes.
They use it because GA makes it easy to gain useful business metrics, such as 100 people visited this page, 30 people filled out the account form, 5 people completed the checkout. Now you have a way to measure how good or bad your checkout flow is working and implementing this took almost no work at all. Rigging up your own DB model and tracking this stuff locally is a huge burden (especially if you account for bot traffic).
GA is also really useful to track referring URLs (with UTMs) because if you use these links from Youtube videos or blog posts, suddenly you can see exactly which posts are doing well. And "doing well" isn't just being more profitable if you're selling something. It helps you know what to write about or make videos on because this is what people want.
At the very least it's also good for just answering "am I growing?" where you look at unique visitors on a monthly basis and hope to see your chart moving up per month.
I just see it as a pragmatic tool to help you measure things. It's unfortunate it can also be used in other more malicious ways.
Does it inconvenience honest people who'd like to use those tools for honest purposes? Sure. But think of it this way: it would be much more convenient for me if I could just give a merchant or service provider my on-line banking login and password, so they could take care of billing me directly. Would I ever do this if asked? No fucking way (even ignoring that my bank would consider it a TOS violation).
So you were tracking people without even needing the information? Why?
> I'd rather focus on making my product better.
Yeah, analytics are useless for that. Use your gut! Everyone knows that's better than using data.
> EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads.
Not true, unfortunately. EU wants the ads to not track people without their explicit, informed consent. GDPR isn't an anti-advertising law, it's a data protection law (says so literally in the name).
> That's regression
No. That's remission.
- Users could consent once for each tracker if that's what the law cared for. Consenting for each tracker x for each website is purposeful obstruction in order to make advertising optional.
- To consent, one must be informed, so the sites would have to advertise adblockers, why they exist and how can they be used.
- Current adblockers rely on volunteers compiling lists of ads, and sites trying to evade those lists. That's not a reasonable way to ensure a legal right, so sites / networks would have to publish those lists themselves.
- The GDPR is about way more than website access tracking, so you'd still need all the same rules about the rest of the use of personal information. Seems like a duplication of effort and complexity.
> - users could consent once for each tracker if thats what the law cared for.
Just because I'm OK with a network knowing I visit nytimes.com doesn't mean I'm OK with them knowing (and using the information) that I visit pornhub.com. Consent per site is crucial.
How did it work like that all the time? It can work perfectly without all the tracking. Tracking is just so omni-present that some people can not imagine a world without it.
> EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads. That's regression
Actually that would be a great regression! I'd soooo love to have static images delivered to me again, instead of some JS bullshit which is tracking me all over the web.
Let's just kill all the ad networks over night. It will be a great time and we have a second chance to make the internet a great place.
You're allowed to track users. You just need a legal basis to do so.
Especially all the "by continuing to use our site, you'll agree to getting the shit tracked out of you"-messages are highly illegal, because the GDPR requires explicit consent.
Sadly there have been no big legal cases up till now. But the time will come.
No, and if that's how it's implemented by you then you're breaking the rules here. It should be opt-in. And yes, I know that at that point you could probably just delete the tracking. If that breaks your business model, all I have to say to you is bye.
What is SFMC?
I have a startup in Denmark, and the incubator we're part of applied for an EU funding scheme. The bureaucracy for these programs is out of control, and there are claims out there that 90% of state innovation funding is blown on administration.
Long story short, I had to fill out some timesheets, and because of GDPR print out the sheets filling in everything except the personally identifying information, and then fill the rest of them out with a PEN.
Still see no good reason to do it.
Want to educate users about privacy? Do it with extensive educational campaigns, not by ruining everyone's experience on the web.
And the point of GDPR is to give users the information to let consumers make informed choices and to make companies abide by those choices.
There's no point in 'extensive education' if the consumer is still powerless to exercise that knowledge.
An honest cookie popup would ask "Do you want to be tracked for advertising purposes? yes/no", and any sane person would click "no". No education needed at all, if the advertisement industry would play honest.
If the Web experience is ruined now, the Web advertisement industry needs to fix it.
1) "GDPR is europe's problem" --> I'm saying it's an attempted solution, not a problem
2) "not of the entire 'email industry'" --> the whole 'email industry' is in fact, affected. Where you operate from isn't a factor. Only if you don't email EU citizens (which is quite unlikely), you don't have to worry about it. If you do (which is very likely), you should know and implement GDPR rules.
I understand your FACTA analogy, but don't see how you disagree with me.
I don't think the GDPR solves much or anything, iff you want to play on the internet, almost [there are good exceptions, where you can just choose to have a 'lesser' experience] all of the time you'll have to click "I agree".
GDPR does solve some problems, in my view. For example, it allows EU citizens to ask companies to disclose what they know about them and how it is being used. You can ask companies (and they must comply) to delete your records. Data must be pseudonymized / anonymized in many cases. Those are all real effects. It offers transparency and gives more control to individuals.
If you want to learn more about what the GDPR does do, what protection and control it brings EU citizens, I refer you to the Wikipedia page which has all of that and more.
That in itself is a GDPR violation. If you care enough, report it. That said, this is not what happens “almost all of the time” at all. In my experience most websites are completely or partially usable when you disagree with being tracked. At worst (and also in violation of GDPR), the tracking dialog makes it intentionally difficult to refuse being tracked.