Those who abuse it the most will just move to a jurisdiction where it is allowed. Or they'll do it anyway, since many of the worst threats on the internet are already criminal. On the internet, technical solutions > legal solutions.
There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.
Tracking only pays if you can track a huge number of people and sell ads to a huge number of advertisers. The profit per tracked user is too small to pay for running a criminal enterprise.
Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
> There are clearly some things that are economically viable as a criminal enterprise, but I don't think tracking people for ad targeting purposes is one of those things.
True, most illicit ads tend to be non-targeted. But some criminals do things like blackmail, fraud, espionage, etc. using tracking data.
> Moving to a different jurisdiction is impossible as your customers (the advertisers) and the sites/apps where ads are placed would still be breaking the law.
That all depends on the specific business model, business partners, and their presence. Regardless, what I describe is not conjecture; many companies are shuffling around data to avoid GDPR rather than comply.
A different company without a physical presence or business partner in the jurisdiction in question might have little to no incentive to follow the law.
In the end, even if companies are breaking the law, or even if they are fined, your data won't be protected unless they actually change their behavior as a result. Calculated non-compliance is a commonplace strategy for corporate legal compliance.
I don't dispute any of that. But what it means is merely that compliance will never be perfect. Companies will always test the limits of the law and look for loopholes.
Like with tax compliance, this will always be an arms race. But if the law raises the bar, they will jump a little bit higher on average.
It doesn't have to be perfect. Privacy is not black or white, and trackers themselves are anything but perfect.
I recently looked at the list of what Google thinks I'm interested in. It's funny. Supposedly, I have a particularly strong interest in vehicles and buying cars. In fact I don't even have a driving licence, never owned a car, never will.
The list goes on and on like that. They must have rolled the dice to come up with things like "Flowers" and "American Football". I feel my privacy is completely safe with these geniuses :)
For sure, mass marketers prefer quantity to quality. Google/Facebook are not doing anything particularly novel in the realm of what is possible, nothing more than is needed to get accurate enough across a large number of users.
It's the more targeted uses of fingerprinting and data collection that are scary. If you're a person with lots of money or influence, there's already someone out there who is specifically trying to collect data about you in particular. Those people and organizations are looking at the data in much more detail than mass marketers.