
What region, if you don’t mind saying?



A lot of American local news sites started blocking all of Europe after GDPR went into effect, it's probably that.


What I still don’t get is: wouldn’t it still be worth enough money to segment the traffic onto something that doesn’t do any tracking and at least throw Adsense on it?

It seems to be for sites like archive.to anyway

These are entire networks doing this probably running a core CMS.


No, because there are likely so many trackers embedded, with nobody really knowing where they are, that they'd basically have to engineer an entirely new site.

The fixed engineering cost is the problem here.


You can hack your way around that stuff. Just add a CSP policy telling the browsers that any connection except to wjtv.com should be blocked, problem solved. Granted, your trackers can actually handle having their connection broken without breaking the entire rest of the site.

This obviously won't help if you for example sell your backend access.log to the highest bidder, or do backend tracking somehow.
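The CSP approach from the comment above, as an added example that is not part of the thread or any site's real configuration: a simplified matcher showing which requests a self-only policy would block, including the case where a specific directive overrides `default-src`. The policy string, the `*.wjtv.com` allowance and every URL are constructed for illustration.

```javascript
// Added example: simplified CSP matcher (no nonces, hashes, paths, ports or
// child-src chain). Hosts and paths below are constructed placeholders.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === "*") return url.protocol === "https:" || url.protocol === "http:";
  if (source.endsWith(":")) return url.protocol === source; // scheme source, e.g. https:
  const host = source.replace(/^https?:\/\//, "").toLowerCase();
  if (host.startsWith("*.")) return url.hostname.endsWith(host.slice(1)); // subdomains only
  return url.hostname === host;
}

// kind is the fetch-directive prefix: "script", "img", "connect", "frame", ...
function isAllowed(policy, pageOrigin, kind, resourceUrl) {
  const directives = parseCsp(policy);
  const sources = directives.get(`${kind}-src`) ?? directives.get("default-src");
  if (sources === undefined) return true; // no governing directive: not restricted
  const url = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

function blockedLoads(policy, pageOrigin, loads) {
  return loads.filter(([kind, url]) => !isAllowed(policy, pageOrigin, kind, url))
              .map(([, url]) => url);
}

const PAGE = "https://www.wjtv.com";
const POLICY = "default-src 'self' *.wjtv.com; frame-src 'none'";
const LOADS = [ // constructed sample of what one article page requests
  ["script", "https://www.wjtv.com/static/app.js"],
  ["img", "https://cdn.wjtv.com/photo.jpg"],
  ["script", "https://tracker.example/t.js"],
  ["connect", "https://ads.example/collect"],
  ["frame", "https://www.wjtv.com/embed/video"],
];
console.log(blockedLoads(POLICY, PAGE, LOADS));
```

Sending the same policy in a `Content-Security-Policy-Report-Only` header first shows what would break before anything is enforced.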


That would likely break way too much content.


It’s a local media outfit. Their international traffic is probably just this single article.


In which case it would cost nothing to turn off tracking instead of turning off the entire article.

But it would be embarrassing to admit they can make such a thing.


Actually it would cost engineering time/money. Those engineers are likely contractors or some of the highest paid folks at the paper who are likely barely staffed and dealing with the page load of a big article.


They already showed their willingness to spend money on a cutoff. They could have done a different cutoff instead.


Why would they do that? The problem they were intending to solve is their legal liability.

The problem that Europeans can’t read their news without ads is not a problem they want to solve. They don’t want people reading their news without ads.


The premise of this line of comments is that the international traffic is so small it's not even worth making an adsense account.

Given that premise, there's no reason to want Europeans blocked other than spite or embarrassment.

Simply not caring enough to put in extra effort wouldn't look so bad, but that's why I'm pointing out there's no real difference in effort.


> Given that premise, there's no reason to want Europeans blocked other than spite or embarrassment.

Yes, there is another reason: legal liability under GDPR.

    if(maxmind.lookup(request.ip).isInEU()) { return 451 }
…is the cheapest and easiest way to meet their legal obligation. It is way easier than setting up some alternative revenue stream and ensuring that it is compliant.


    if(maxmind.lookup(request.ip).isInEU()) { return $body_text }
Wow look I coded a version that still has the article with no more effort.

> It is way easier than setting up some alternative revenue stream and ensuring that it is compliant.

The premise of this comment chain is already that we are NOT setting that up. My previous comment was NOT suggesting we set one up.


They are a business and their goal is to make money.

Monetarily, both solutions are approximately equal: get fined zero dollars and make zero dollars. This is all they care about.

You may have a preference for one solution over the other, but this doesn’t mean they do.

I think that the solution that they chose demonstrates quite well that they just simply don’t care.


...yes? In my very first comment I was saying they could do either and it was only unimportant petty motivations that made them choose.


It wasn’t “petty motivations” it was a lack of motivation.

WJTV’s signal doesn’t even reach across the entire state of Mississippi. Why do you think they even for a moment considered EU visitors to their website? Nobody from the EU wants to know about traffic detours, city council elections, or the weather for the morning commute in Jackson, Mississippi. EU readership just isn’t even remotely relevant to their operations.


It's not just a lack of motivation. What they did takes roughly zero effort. The alternative also takes roughly zero effort.

They made an active choice. Calling their choice "lack of motivation" is not right. They wanted to take the ruder option.


It costs to comply with GDPR even if you are doing no tracking.

1. If GDPR applies to you and you are not in the Union you must have a designated representative in the Union to receive GDPR requests (both from individuals wishing to exercise their GDPR rights and from regulators). So right off the bat you have to engage some service in the Union to handle that for you. There are such services that aren't very expensive, but it is something you have to deal with.

2. IP addresses are personal data according to many GDPR experts. Normal logging that is done by most web servers leaves you with a GDPR burden to deal with. It seems likely that storing this would be allowed without the need to obtain explicit consent because there is a legitimate business interest to that logging, but you still have to deal with requests from people to delete their data. So more hassle.

3. You will have to keep up with developments as regulators rule on the meaning of the tons of subjective things in GDPR.

If you are not in the Union but people who are in the Union use your site GDPR applies if either you are:

A. offering goods or services to them (free or paid), or

B. monitoring their behavior as far as their behavior takes place in the Union.

For A you have to envisage offering goods or services to them. The mere fact that they can reach your site and use it is not sufficient.

If you aren't monitoring behavior in a way that makes B apply, then whether or not GDPR applies comes down to whether or not you envisaged offering goods and services to people in the Union. That's a fairly subjective thing and I don't think there have been enough cases involving that yet for it to be clear just what that means.

Blocking EU visitors makes it clear you did not envisage serving them, saving you all the aforementioned hassles and annoyances.


If IP address logging is enough to count as monitoring, then sending a block page doesn't fix the problem.

If you're confident enough that you have a non-tracking response to EU citizens, then you already did the hard part, and you might as well dump the article contents into that response.


Logging IP addresses looks like it counts as storing personal data of the visitor, but it isn't at all clear that it counts as "monitoring of their behavior as far as their behavior takes place within the Union" which is what monitoring has to do for that to be a basis for GDPR to apply.

There's a recital (Recital 24) that elaborates on that part of GDPR. From that:

> In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

A simple IP based location block doesn't seem like it really fits that, and so wouldn't snare you via the "monitoring of their behavior as far as their behavior takes place within the Union" part of the GDPR's territorial scope article (Article 3 section 2(b)).

If that's the case, then whether or not GDPR applies comes down to whether or not you envisaged offering goods and services to people in the Union (Article 3 section 2(a) and Recital 23).

Blocking would be intended to show that you did not envisage doing so. That gets you out of needing to have a representative in the Union and needing to deal with data deletion requests.


The hard part isn’t not tracking, it’s convincing hostile regulators that you are in fact not tracking. Sometimes they want 8–14 week delays before launching features: https://gdpr-info.eu/art-36-gdpr/


Seems like a business opportunity: a load balancing rule that sends EU requests to your log-free tracker-stripping static file-generating server appliance (possibly EU hosted) which has google Adsense on it and a GDPR responder that responds to every GDPR request specifying all that.


If that were true, they wouldn't even have to worry about the GDPR. But it's almost never a "local media outfit" in the traditional sense; they're owned by a huge media company worth billions. And they might have to care about GDPR.


Nexstar is the largest TV station owner in the USA. I’m guessing the business model is consolidating everything onto as few back end setups as possible:

https://en.m.wikipedia.org/wiki/Nexstar_Media_Group


Because their intended audience is American, their monetization partners are likely just compliant with American law.


No. Europeans are pretty poor compared to Americans, so it's not worth going out of your way to scrounge for a few relatively low-return clicks, especially given the legal risk.


What I still don't get is: Wouldn't it be worth it for the EU to fix the silly GDPR cookie requirements?

They burden sites & users with billions of extra meaningless interactions every month for no net gain in privacy – and possibly a net loss, by training users to habitually dismiss such popups without thought.


They impose no burden if you make everything opt in at the point it's required rather than on first page load. Every cookie notice is there by choice because the site operator doesn't care about smooth UX.


So, in a theoretical world that doesn't exist, where every website does extra engineering to defer a disclosure until later, it's less of a burden. (But still a burden at that later point.)

Can you point out a few prominent sites using your preferred approach, so I'm sure what you mean?

In our actual world, the disclosure/opt-in requirement is a major burden, because essentially all of the practitioner/implementers, and the specialist firms now powering disclosure popups, have decided their best way to comply is the first-load pop-up mess we've got now. (That's likely because: there's immense value in being able to track sessions-of-use, for adjusting design, even before any commerce or specific-identity info is disclosed. And that value flows not just to the websites: it helps adjust content/UI for the users, as well.)

Given the actual, observed state-of-the-world, for years now, it would make more sense for the singular governing entity that created the problem – the EU – to fix this, rather than the millions of diverse websites worldwide.

At the very least, the EU could waive the opt-in requirements for any browser which offers some baseline of user-controlled cookie-blocking – which the ~half-dozen relevant browser engines could easily add. That'd be a far more rational, low total compliance cost, high user-agency solution.

Competition & user self-help had practically wiped annoying modal popups from the web. Then the EU's clumsy, oblivious regulators brought them back.


> track sessions-of-use, for adjusting design, even before any commerce or specific-identity info is disclosed. And that value flows not just to the websites: it helps adjust content/UI for the users, as well.

Tracking (regardless of whether cookies or other methods are used - the dumb idea that GDPR only cares about cookies needs to die) for essential purposes such as maintaining state for shopping carts/user preferences/etc does not require disclosure nor consent.


That essentially every professionally-developed website I visit seems to have concluded differently makes me doubt your analysis - or, if your analysis is technically true, that that analysis is relevant to real websites' needs.


Agree, cookie popups should just be banned entirely, sites should be required to default to the minimal cookies required to implement the site's functionality, and users can opt-in to analytics if they want


That's literally what the regulation stipulates. The vast majority of consent pop-ups you see are not compliant.

The problem is a lack of enforcement so widespread that entire businesses now specialize (and thrive!) in providing non-compliant consent flows as a service.


The cookie warnings feel a lot like the Prop 65 warning of the internet


Let’s say I have a site that tracks the shit out of people. And my target is USA.

Someone from Europe visits my page. How am I responsible for something they do?


Seeing the same in Sweden



