IMO data should be radioactive for companies, especially if it approaches PII. Companies should be forced into thinking deeply about every single bit of data they collect from people, and they should be terrified of receiving data and be chomping at the bit to get rid of it ASAP.
To intercept the usual argument of "But my business can't exist without all this data!", to that I say "Good!". If your business can't exist without tracking every single iota of your customer's existence, then it truly shouldn't. I couldn't tell you the amount of times I've had to fight back against implementing yet another tracking tool at work, just to collect data that I know for a fact no one will look at after the first few weeks of the tool being there. The amount of times I've heard some stupid shit like "Well we don't need this data yet, but what if we need to have their mother's maiden name at some point in the future?!" is depressing, and I'm glad that we're starting to have legal channels to push back against such idiocy.
> IMO data should be radioactive for companies, especially if it approaches PII. Companies should be forced into thinking deeply about every single bit of data they collect from people, and they should be terrified of receiving data and be chomping at the bit to get rid of it ASAP.
100%. Unless a cooperative model (like most businesses should be run, bit that's a different issue) exists in which I am compensated for you having my data. At that point all the time and friction I have to spend/deal with because all of you have my data is worth it. Right now all this friction in my life because you have my data and I'm dealing with your beaches is "paid" for by me, and that's lame.
> I couldn't tell you the amount of times I've had to fight back against implementing yet another tracking tool at work, just to collect data that I know for a fact no one will look at after the first few weeks of the tool being there.
I'm curious, how does such a conversation usually go? Is your main angle to point out how useless the data ultimately will be, or did you find a resonating way to point out the negative effects on users?
There's lots of ways to address it, depends on what the feature is. There's always ways you can spin it, like going the technical route: "That would require a new column which would add X to the size of the DB and thus our costs would rise by Y", "That would require X, Y and Z investment from these 3 teams just to add this 1 new column" etc. Usually the people pushing this stuff are non-technical so you can just give them any technical mumbo jumbo and they'll give up.
I also tend to highlight that we do have historical data that nobody is looking at as-is, what's different about this new data? What are the actual long-term plans for the data? Can we reuse what we already have for what we're aiming for here?
These days my default is "Oooh we'll have to check in with legal on that one, not sure if it's GDPR-friendly to include this new column like this". No one likes talking to legal unless they absolutely have to, so most will just drop it.
And unfortunately sometimes there's no winning it no matter what, so you have to "disagree and move on" as it were. If it's some manager's pet project, well, you're SOL for the most part.
> or did you find a resonating way to point out the negative effects on users?
Unfortunately I've found this to seldom work unless you're working somewhere where privacy is part of the value prop. Even pointing things out like "How would you feel if the DB were to leak and all your info were to be made public?" elicits 0 response. The marketing people and C-suite that push these kind of boneheaded things forward don't view the users as actual humans, they're all just numbers to them. Will this cause churn? How much? Those are the only questions that matter to them.
You have an issue with customer behavior so you set up tracking to understand it.
Keep it running for a few days, then check on but the tracking doesn't output meaningful data that you can exploit to solve your issue.
At this point, you search for alternative tracking but do you disable the old one ? What's the benefit ? Either it's free or cost very little, none of your customer know they are being tracked and in the eventuality it may become useful later on you keep it.
Repeat a few times and you end up with bloated website that tracks where you were, are and will be. What you're watching, cursor position, scrolling, how long you spent watching that image or these one, have access to every technical details about your device because it's required for fingerprinting, all while no one actually is exploiting the data.
It's junk yet you collect it because it's free.
If there was a meaningful reason to limit the number of tracking, like the law and fear of getting sued, then it would be a different story.
> Either it's free or cost very little,
Whatever it costs it reduces your profit margin so why would you keep it live?
There's also studies on load times impacting conversion rates (which mostly matters at scale i.e. Amazon).
At the same time - quantifying this is not straightforward and companies mostly ignore committing resources to such activities.
In these terms it will also be a labor cost to turn it off. That cost might be higher even if amortized over a long timespan.
> IMO data should be radioactive for companies, especially if it approaches PII
It's pretty much the idea of GDPR. The wording of the GPDR is "You should make your systems private by design", which they explain as "Store PII only you really have no choice"
In this case, the legal ruling means that even if they somehow fix their consent, they have to remove all the data they currently have! Also all their clients need to remove all the data. Having to tell your customers they have to remove all their data ought to completely kill their business.
That being said, it will likely not happen: It's not the first time they lose a ruling and I'm pretty sure no-one removed any data, despite being required to...
I think the current situation is actually quite good. GDPR was well thought out.
You need to be clear about what you collect, get clear consent (and all the courts decisions on that are actually going in the direction that it really needs to be clear and specific) and give people the ability to have their own data modified.
Plus, enforcement makes a lot of sense. Companies get a lot of warning before things escalte and fines are proportional to companies results so it hurts but is not a death sentence unless they repeatedly offend.
> Companies get a lot of warning before things escalte
Yeah, we once got contacted by our local DPA about some issues. Mailed us a list of issues they had with our site. I set up a call with them for some clarification, and they were happy to go into detail. Then they just said to mail them when it’s done, or they’ll just re-check after some months. They are interested in actually changing things, not in fees.
"GDPR was well thought out"
And then we lobbied in "legitimate interest".
> And then we lobbied in "legitimate interest".
There's a charitable way to view it: there are a lot of human endeavours. You can spend a few centuries trying to classify all of them and put them in to law, or you allow "legitimate interests".
"The wheels of justice turn slowly, but grind exceedingly fine"
What about the businesses that are required by law to keep data?
Those can keep the data, as required by law.
*...keep the data while treating it as a serious liability with potential for ruinous fines if not secured carefully
It gets slightly tricky seeing how the Internet works, since IP addresses can become PII depending on context.
What you're advocating for has a few 2nd order effects.
1. Entrenches Google, Facebook, etc. because they are the only people that have enough money to comply with the regulation.
2. Makes the rest of the internet worse (e.g. people show MORE ads because they are less effective because they show me boats and I hate boats)
3. Makes data brokers even more important because companies can't get data anywhere else.
4. Reduces competition because the incumbents will always have more data than startups (Nike knows I wear a size X and the startup can't ever get that data)
Everything is a tradeoff. I, for one, would rather these regulatory agencies go after the 100,000s of data brokers that mine for SSNs, birth certificates, financial info, etc., rather than them going after Facebook, TikTok, etc.
Ads are here to stay, if you don't want ads, then ban ads, and with it most of the internet, but if people keep making terrible regulations like this that try to hurt big companies and get rid of ads and in reality, you just enable and feed these massive companies. Regulation makes them MORE valuable, not less. (see Meta stock price vs. Snap after ATT)
> Entrenches Google, Facebook, etc. because they are the only people that have enough money to comply with the regulation.
I have very little sympathy for the idea of NOT storing user data is some sort of onerous regulatory burden.
Just stop collecting it
> 2. Makes the rest of the internet worse (e.g. people show MORE ads because they are less effective because they show me boats and I hate boats)
Back in the olden days, if you read a boat magazine, you’ll see ads for boat stuff. This was always fun for me — if I’m ready a motorcycle racing magazine, I’ll see ads for cool things that I had no idea existed and that would be useful to me. With “targeted” ads, it becomes an echo chamber — I see ads that are “tailored” for my alleged current interests, but nothing that helped me discover new things that I could become interested in.
What’s wrong with context-based ads? If I’m reading about Thailand travel, then the publisher should sell ads related to SE Asia travel.
Why am “I” being customized to rather than ads being relevant to the content?
If you want to reach boat enthusiasts, then advertise on content related to boats (or perhaps water sports, etc.) You then don’t need to track “me,” but instead you can track “boat content. That takes the personal data out of it. This keeps me from being followed around the web trying to sell me a vacuum cleaner I already bought.
This is the part that I'm most confused about. How can it possibly be useful to try to sell me another fridge?
Sure, it might be useful to try to sell me another burger, or another nicotine gum, but something went very wrong in the data processing if I'm being resold on lifetime goods.
And it happens way too often.
> This is the part that I'm most confused about. How can it possibly be useful to try to sell me another fridge?
I've seen this kind of comments several times over the years, and I've always thought that this might actually be the optimal strategy, because I'm not convinced the alternatives work better. You'd have to see the numbers over samples bigger than n=1.
Let's say I just bought a bridge, and that's the only thing you know about me. What ads should you serve me? Maybe fridge accessories would make sense (I'm not sure that's a thing). But fridges themselves might be relevant as well, more so than some other random product:
1. I might be able to return the fridge I just bought, if I see another one I might prefer.
2. What's the life expectancy of such an appliance? I guess it either breaks quickly (manufacturing flaw) or not (hopefully it can last more than 5 years). In the first case, I'm back in the market right after my purchase.
I'm also guessing that the margin on such an appliance might be higher than on burgers and nicotine gums, such that you can afford lower conversion rates.
Goods aren't lifetime any more. Planned obsolesce is a business model.
Agreed. The only advertising I stand is one I personally seek out. To me the pinnacle of this were product catalogs. I want to buy a computer, so I subscribe to "Computer Shopper Monthly", and get a magazine with nothing but computer ads. Those were always fun to browse, since I was interested in the product in the first place. E-commerce started as a digital implementation of product catalogs, but as companies got greedier, that just wasn't enough.
The key culprit is that user data is used not just for advertising products that the user might be interested in _today_. But to create a profile of their interests so that companies can predict what they might be interested in at any point in the future, which can then be used to design more effective advertising campaigns tailored to the type of products they're most susceptible to be manipulated into buying.
Furthermore, this profile is also generally useful to anyone who wishes to psychologically manipulate a group of people into thinking or acting a certain way. Since advertising is a branch of propaganda, governments and political agencies are particularly interested in this use case. It's pretty obvious that the current global sociopolitical instability is largely a product of this type of manipulation.
So considering that both governments and companies have an interest in user data, this genie is never going back in the bottle. The best we can hope for is for the exploitation to be contained via regulation by governments that haven't been fully corrupted yet.
> What’s wrong with context-based ads?
What ad is relevant to a Taylor Swift song? A news article about a shooting (a naive algorithm will say "guns")? A Youtube video explaining the Fourier series?
What about a TV Show review... that is watched by people around the world, and where the show in question is on different platforms in different countries? Does displaying Hulu ads to readers in countries without Hulu access make sense?
Non-personalized advertising favors big brands, because most content isn't contextual, and only brands with extremely broad appeal advertise on such content. This is why so much TV advertising is cars, banks, medications, detergent, shaving cream and so on.
> A Youtube video explaining the Fourier series?
We know this one! Apparently subscription services to learn STEM.
(Coincidentally I actually were shopping for such a service the other day, and checked out the one promoted most. Turns out they seem to have spent the entire budget on marketing add had very little content, so could not solve my problem anyways)
Let's put it another way: which advertising needs, exactly, are being served by keeping my precise geolocation data, device identifiers and IP addresses for 12 years? https://x.com/dmitriid/status/1817122117093056541
Which advertisement needs, exactly, are being served by sharing all that data with 1498 "partners" each of which will store similar data for similar periods of time? https://x.com/dmitriid/status/1733421877119324609
Which advertisement needs are not being served by showing contextual ads?
BTW, personalised ads favour huge brands on huge advertisement platforms. Because https://www.sciencedirect.com/science/article/pii/S016781162...
--- start quote ---
Our simulation study reveals that more than 50% of audience segments ... require a minimum increase in performance larger than 700% to be at least as profitable as no-targeting. ...we find that more than half of the audience segments require an increase in CTR0, CR0, and m0 larger than 100% to be at least as profitable as no-targeting.
Approximately half of the audience segments on Spotify require a higher increase in CTR0 for the advertiser, suggesting they might be less profitable than no-targeting.
--- end quote ---
> What ad is relevant to a Taylor Swift song?
How did radio handle this for 90+ years?
> This is why so much TV advertising is cars, banks, medications…
No, that’s because national TV advertising is super expensive.
> Does displaying Hulu ads to readers in countries without Hulu access make sense?
Yeah, perhaps it’ll generate interest in Hulu expanding to that country. You’d be reaching an audience that are ostensibly TV enthusiasts, so it’s a perfect idea for Hulu to gauge and develop interest among audiences that matter.
> A YouTube video explaining the Fourier series?
I don’t know: what kinds of products, services, or events might be interesting for someone who was interested in the Fourier series?
This isn’t a hard problem at all. Advertising worked in the 1950s just fine.
There is zero reason for a company to have my personal buying and interest habits in their database. It doesn’t benefit me. Is the advertising landscape better in 2025 than it was in 1964? Not at all. Here’s a prime example: my friend is an author, he reads blogs and websites on all matter of topics, but somehow if he’s researching a character, he’ll be followed around the web forever advertising products he’ll never buy. In the real world, if I go into a perfume shop one time and buy something, that doesn’t mean I’m a perfume enthusiast — so all of those CPM ads from the perfume companies: completely wasted.
Just because I view, visit, or even buy something, that doesn’t mean I’m interested. Am I in a feminine products affinity group because I occasionally have purchased those products for my wife?
Why not have everyone give a DNA sample to Google so they can tailor advertising based on my genetics? Where does it stop, and to what levels of absurdity shall it reach before we push back — both as consumers and well as tech people building all of this shit?
Want to sell boats? Advertise in boat content. Want to sell subscriptions to your “innovative accounting platform,” the advertise in accounting or business related content.
Again, this isn’t hard. I don’t want “personalized” advertising because the internet doesn’t know me or what I’m interested in at a particular moment. The data on me is very noisy, my interests frequently are fleeting or change, and my “buying habits” are very much contextual and situational. Not to mention I don’t want Google and potentially governments to know what I’m interested in — it’s literally none of their business.
Privacy is a human right and we should be pushing for that. If that makes it harder to monetize Taylor Swift — tough shit. Not my problem. And I don’t think Taylor Swift cares either way.
> 1. Entrenches Google, Facebook, etc. because they are the only people that have enough money to comply with the regulation.
The article we're commenting on makes it clear the big guys aren't complying. Also, I reject the notion that you have to spend inordinate amounts of resources to comply, in fact it is the opposite. You don't spend money on data you don't store, after all.
Co. I used to work for is microscopic in comparison to FAANG, and we didn't have a single cookie banner or anything of the sort and have absolutely no problem complying with GDPR because we track nothing and collect nothing more than what is strictly necessary, mostly because of individuals like myself who push hard against any data collection that doesn't have a well thought out reason. Hell, even Github with their massive scale has no problem with not having cookie banners or anything else of the like. This is a problem of will, not resources.
> 2. Makes the rest of the internet worse (e.g. people show MORE ads because they are less effective because they show me boats and I hate boats)
Perhaps, but we're already drowning in them as-is. The internet is unusable without uBlock and DNS-level adblocking.
> 3. Makes data brokers even more important because companies can't get data anywhere else.
If we make data radioactive, then data brokers wouldn't be able to exist. What we need is stringent and broad laws that limit data gathering, period, regardless of the source. Whether you collect it yourself or pay someone else to collect it for you is completely irrelevant, both should be made equally painful. I'd also have no qualms with making sharing any data that you do collect even more of a pain in the ass and a nightmare for everyone involved, this whole gray market has net negative benefits to everyone.
> 4. Reduces competition because the incumbents will always have more data than startups (Nike knows I wear a size X and the startup can't ever get that data)
Why would Nike have this data in the system we're talking about (data radioactivity)? How is this data even useful to anyone, other than for tracking purposes to make a unique profile out of you? Companies shouldn't have this data unless it's a podiatric clinic or something like that, whether it be Nike or this imaginary Shoe startup that needs feet sizes for whatever reason.
I guess I could see there being genuine usefulness for people who have feet sizes that aren't the norm to find footwear that fits them, but there's no reason they have to have their entire essence tracked by every company on the internet for that.
>1. Entrenches Google, Facebook, etc. because they are the only people that have enough money to comply with the regulation.
TFA made it clear that they _aren't_ complying.
> data should be radioactive for companies, especially if it approaches PII
Cute theory. Fails in practice. Especially with LLMs on the horizon, this would be tantamount to unilateral nuclear disarmament. (Practically, it fails in that we haven't quantified the cost of breaches commensurate with what those of us who are security minded estimate it to be.)
I have advocated for privacy issues for a short while. "Data is radioactive" is the "defund the police" of our movement.
What do you mean? Why do LLMs need user data to operate?
On a side note, I also don't understand your comparison to "defund the police" - were there any places that fully applied it and demonstrated that it "fails in practice".
> Why do LLMs need user data to operate?
Training data?
> I also don't understand your comparison to "defund the police" - were there any places that fully applied it and demonstrated that it "fails in practice"
It's a famous example where a minority overreacting in a presentable way set the entire movement back.
>> Why do LLMs need user data to operate?
> Training data?
What purpose would user data serve in your training set? What's the application of the LLM after it's done training?
I'm sure we all understand why the user doesn't want his private data in the training set, but I also don't understand why BigAI would want to train on this data. Except for AI-enhanced advertising, of course. But maybe... nobody should do this anyway?
on that note, shouldn’t we ask people to CONSENT to having their data trained on? And when i say consent i mean asking them directly, not hidden in some terms of service. That’s just slimy…like a used car salesman lol.
Why is it okay for companies to just vacuum up all user data without 90% of users knowing it’s happening ?
Or shall the “stealing” of knowledge and creative works without consent continue?
LLMs need too much data to ethically source their data sets. That's why they rely on aggressive scraping, user-provided prompts, and of course straight-up piracy to fill their datasets.
Outcry made Adobe and other such companies put (opt-out) user controls for gathering training data, but writers, especially writers on the internet, are usually ignored. I've seen even the angriest "AI is stealing my art if you use Dall-E you're a bad person" people use ChatGPT, because they don't seem to consider writing to be art or expression as much as they do their own works.
Textual data just doesn't seem to be valued, and as a result data scrapers often don't care about annoyances such as "ethics" or "consent" when it comes to gathering training data.
There’s the rub. We pretend a change to the law will make LLM development stall, yet we acknowledge nobody is following the existing laws anyway.
Not sure how i feel about the whole thing to be honest. (legal gray area)
Don't agree entirely, at least in italy you can tell chatgpt to not use your chats to train other models. Well, it's still going to be using memory if you tell it something, but whatever info you give theoretically should remain there and not be used afterwards
You made a claim but didn't backed it with an argument. How is banning corporate hoarding of user data similar to nuclear disarmament?
> How is banning corporate hoarding of user data similar to nuclear disarmament?
Nukes have clear downsides, ones one doesn't need a protractor or regression to prove. Our estimates of the costs of data breaches remain statistical.
I read two more claims and but I can't parse out what your arguments for these new claims are. I just don't have enough to go by to even evaluate your original claim that nukes and data hoarding are similar.
So I'm reduced to asking again: How is banning corporate hoarding of user data similar to nuclear disarmament?
The argument is it’s infeasible. If user data in models is valuable corporations will move to legal regimes where it is allowed. Their models will get better and out compete the models made in regimes that do not allow it.
Governments (probably rightly) view ai technology as strategic so will build legal regimes that improve ai. This means that they will have power over the ones that don’t.
The last 50 years have shown pretty clearly that nuclear disarmament was a strategic mistake for regimes that did it so they won’t make the same mistake with ai.
> If user data in models is valuable corporations will move to legal regimes where it is allowed.
So lets take a concrete example. Let's imagine Facebook moves out of the EU in order to skirt EU law. How do they now operate in the EU? How do they make any money from the EU users?
If the EU has neighbors who have nukes, then that is a threat to the EU, and the EU needs their own nukes for deterrence. This far I follow. If the EU has neighbors who have lax data privacy laws, then that is their problem - it's not a problem in the EU because they can be barred from running businesses in the EU. Can they store the data from EU users who visit their online services? Sure. But they will have to offer free services to entice EU users to visit, because they can be blocked from running business in the EU. I don't see the business model for keeping this up.
> Especially with LLMs on the horizon, this would be tantamount to unilateral nuclear disarmament.
We should also be hoping for unilateral nuclear disarmament (I get your point on the infeasability though), but I don't see the parallels here. LLMs don't need personal data to work (I'd even imagine such data to be better off left out of the training data anyways, caveat for celebrities), and regardless of everything else whether the AI hypesters are to be believed about how world-changing AI/LLMs will be remains to be seen.
Also, as the OP article suggests, we can and are doing something about it. Things aren't perfect yet, but GDPR itself has already made huge waves and have made things better. From how I interpret this ruling, the dark pattern cookie banners are being scrutinized and are being put under the knife, so there's some hope that things will soon improve on that front.
> I have advocated for privacy issues for a short while. "Data is radioactive" is the "defund the police" of our movement.
Except we can already see a shift in the masses and their opinions here. People are becoming cognizant of the sheer amount of data all these tech companies harvest on them. I am consistently getting more and more of my non-technical-in-any-capacity friends asking me how to safeguard their data better, so I'm quite hopeful we're going to get there. All we need is to actually fucking hurt the FAANGs and their ilk. Cut the head off the snake and all that, if we actually hurt Meta as we should've a million times by now, then all the smaller players will automatically fall in line for fear of a similar world of hurt.
I don't see any parallels with unilateral nuclear disarmament and making exploiting user data unviable
>we haven't quantified the cost of breaches commensurate with what those of us who are security minded estimate it to be
We don't estimate GDPR violations as the true materialized damages either, we put a heavy % of yearly income per offense, large enough to deter it.
> We don't estimate GDPR violations as the true materialized damages either, we put a heavy % of yearly income per offense, large enough to deter it
Not remotely analogous to turning data into a liability. Particularly when the EU laws seem almost explicitly written to allow for offloading such risks to America and China.
It's not analoguous, it _IS_ turning data into a liability. It's just more closed in scope than today's topic.
> Particularly when the EU laws seem almost explicitly written to allow for offloading such risks to America and China.
I don't know what you refer to with this specifically
> I don't know what you refer to with this specifically
GDPR is a gating function. If you can afford the specific set of qualified lawyers (up to a ridiculous, plutocratic limit the likes of e.g. Google breach), you can legally offload the risks to an offshore server. If you're a tiny competitor, you should be beaten up by funded complaints.
As the other commenter that replied to you said, any data on EU citizens is subject to GDPR and has to be respected. Of course, enforcing that outside of EU borders is a different issue and one I don't think anyone expects to be feasible, but if you're operating within EU borders and have the data of EU citizens, you must comply with GDPR. There's a reason more and more companies are opening up EU-hosted databases.
>If you can afford the specific set of qualified lawyers (up to a ridiculous, plutocratic limit the likes of e.g. Google breach), you can legally offload the risks to an offshore server.
You can't. GDPR also applies to processing EU residents' PII outside of the EU.
> IMO data should be radioactive for companies, especially if it approaches PII.
That's an idealistic, but highly unrealistic, thought.
As long as a market exists that can profit from exploiting PII, and is so large that it can support other industries, data will never be radioactive. The only way to make it so is with regulation, either to force companies to adopt fair business models, or by _heavily_ regulating the source of the problem—the advertising industry. Since the advertising industry has its tentacles deeply embedded everywhere, regulating it is much more difficult than regulating companies that depend on it.
So this is a good step by the EU, and even though it's still too conservative IMO, I'm glad that there are governments that still want to protect their citizens from the insane overreach by Big Tech.
> As long as a market exists that can profit from exploiting PII, and is so large that it can support other industries, data will never be radioactive.
The EU bureaucracy machine can be slow moving, but has the potential to fix this. The stricter the rules, the simpler the implementation. You could cut a LOT of the administrative burden by specifying what data is allowed to be stored at all, instead of what isn't.
Big tech needs to be put in their place, and as others have commented; if this kills your business model, your business model doesn't deserve to exist.
As a customer, I want the ability to choose the way in which I pay a business I interact with, with the consent of that business of course.
Europe gives me less control of my personal data than the US would. I am no longer allowed to decide that I'd rather choose services that take payment in data instead of services that take payment in Euros.
I think people who disagree with this perspective should be accommodated. It's a valid objection and technology inherently favors monopolies, so you can't really have the Facebook equivalent of a vegan restaurant or gay club. I'm not against forcing (large) tech companies to offer tracking-free plans at reasonable prices for those for whom this is the right tradeoff.
What Europe is doing is just plain stupid, though, and it will be felt most by those who can least afford it.
> I am no longer allowed to decide that I'd rather choose services that take payment in data instead of services that take payment in Euros.
Google, Microsoft and Apple don't really give you a choice, you will pay in Euros for your phone/PC, and then you will pay in your data as you use it whether you like it or not.
It should be perfectly fine if people want to pay with personal information, as long that personal information has zero social costs.
A prime example is sharing information about DNA since that has a social impact on relatives. Less obvious problem would be people in a position of social position, like say a judge or jury, since access to personal information in that situation provide unfair position of power in society. It also is a problem with voting, since access to voters personal information has a high risk of influence elections.
To take a more direct example, if you are paying your email provider with data, then you are also selling the information of anyone who send their emails to you. The sender is in an impossible position in that they can't know who the email provider is of a recipient (email forwarding is a thing), so the social cost is on the recipient if they sell the information.
What you just described is actually only possible with data protection law. In Germany there are websites that ask you to accept ads and cookies or else u pay the monthly subscription fee. Without data protection law you likely just don't get the choice. Btw, the ads fee are priced in when you buy stuff.
I don’t understand where this is coming from. Isn’t Meta offering to EU users exactly the choice you are describing? (Even though in the case of the subscription we can’t really be sure they also don’t still use your data.)
The problem is that is also against the rules. GDPR bans using private data as a form of payment. You can give your data away freely but it can't be requested as a form of payment. In this case Meta is asking you to either pay with your money or your data. One is OK, the other isn't.
> it will be felt most by those who can least afford it.
This sort of business model is problematic precisely because the poorest can't afford to refuse - that's a feature not a bug. Privacy is deemed a human right, and human rights shouldn't be for sale.
You could make the same argument supporting the legal sale of human organs, but as a society we've decided that kind of "payment" strips the poorest of their dignity and human rights.
The business model is inherently predatory for other reasons too. People see what they get right now - "free" access to the website they're on, but they're completely oblivious to the real costs because they're abstract, too many steps removed from each individual's actions, but they're very real and damaging in aggregate.
"Personalized" advertising isn't good for anyone except the ad networks.
It isn't good for consumers whose privacy is being violated as they are being annoyed with unwanted, irrelevant ads and they get charged higher prices due to the cost of the advertising.
It isn't good for companies buying the ads by participating in sham "auctions" with no real insight into or control over the process. They are literally begging to be ripped off.
It doesn't have to be this way. "Context sensitive" advertising is more privacy respecting, easier to implement and monitor and can be more cost effective.
Example: The fact that I recently shopped for and bought a car is no reason to show me auto ads on a web site devoted to pet supplies. There is a logical disconnect here because context is ignored in favor of "personalization".
Those paying for these dumb "personalized" ads are wasting their money and my time and bandwidth because I already made a purchase. I'm not making another one any time soon.
By the way, this doesn't really happen to me any more because I now block these "personalized" ad networks. And you should too --- it's the only logical recourse to this stupidity.
> It doesn't have to be this way. "Context sensitive" advertising is more privacy respecting, easier to implement and monitor and can be more cost effective.
This is what launched Google's money printing machine: Showing ads matching the current intent (current search) thus solving a current problem.
I actually dislike this sort of advertising even more. Because it pretends to be the solution to your current problem when often it’s not.
At least out-of-context ads can be more easily ignored.
> It isn't good for companies buying the ads by participating in sham "auctions" with no real insight into or control over the process. They are literally begging to be ripped off.
You seem to think that companies have a choice. I've been advertising for years, Google has been rolling out the standard ads in favor of automated "personalized" one for a long time.
They kept removing features again and again.
In more of removing features and making basic ads impossible to use, they have a team of people that will keep calling you and to offer you 'guidance' on how to run your ads. These guidance almost always revolved around enabling the automatic advertising algorithms and disabling your old school ads.
I consider myself quite smart with internet things but even me, at some point, got baited into switching to these automated ads because at the end you run a business that is completely different from marketing and it's not your core business. You're not expert into marketing and especially not into Google ads so it's easy for these experts to trick you.
I have seen my money syphoned by these automatic techniques with quite bad roi.
And all these self made people or very small companies (which represent the vast majority of the business), they are just as easy target for Google than I was.
Big companies can afford ads consultant that will run the advertising campaigns and optimize everything, but small ones are stuck doing things themselves on a system that is purposely made to hand over your money and let the computer do it's 'magic' with targeted advertising.
And if you're not happy with Google, what you gonna do ? It's not like there is competition. Everyone use Google, Google is a monopoly.
I tried switching to bing ads, Facebook ads, but its just not possible. No one use bing. Facebook leads were never as profitable as Google one, at least in the market I advertised.
You know you don't actually need Google to advertise, right?
I was hosting websites in 1998 when Google was still in Larry Page's garage. We sold ads the same way magazines and newspapers always have: we had a sales staff and they did their job well. There's no reason we can't go back to that.
Then Google will sell ads for terms related to your business and eat your lunch.
The original vision of Google died when they bought DoubleClick.
I agree. But in the crappy experience topic, it seems to me that this is just bad engineering. If I were to build an algo to show personalized ads, I would definitely account for the likelihood of someone wanting to buy 2 consecutive cars vs a car and maybe some car related products. How was that decision made, because it seems that an entire industry adopted this and called it a day.
How was that decision made, because it seems that an entire industry adopted this and called it a day.
Easy --- advertisers pay for bad ads the same as good ones --- why bother stopping the bad ones?
Convincing so many advertisers to just blindly trust the system and buy into the concept of black box "personalized" advertising is actually the real marketing coup here.
According to some stats, global use of ad blockers is now over 40%. Once it exceeds 50%, I believe this stupidity will slowly start to die out.
There's no incentive for the ad platforms to account for that, real-time bidding will make money for them no matter the experience of the ad being showed.
If you get another ad for a product you already bought the advertiser already paid for placement, a click through is just a bonus on top of that. Even more when information is so secretly guarded that any analysis of the impact of an ad is extremely flawed, it hasn't solved the old adage from John Wanamaker:
> Half the money I spend on advertising is wasted; the trouble is I don't know which half
It's meant to be that way, the ad platforms do not want advertisers to know what is waste and optimise their ads further than what's needed to keep them advertising, they just need to throw some bones here and there, convert a few people through clicks, to make themselves look indispensable.
There's no incentive to improve that, at all.
The other case for personalised advertising is when a purchase is almost made.
I was recently searching for a toy across Etsy, Ali Express, eBay. I didn't buy it. A day later, I saw 'suggested' purchases on Amazon for the same toy. I boycott Amazon, so I don't often visit their website.
I normally block (successfully?) almost all of this advertising, so I find it particularly creepy when I receive it.
They are so dumb too. It rarely actually presents ads for things I might be interested in as I search but once I buy something they will follow me for a week. Buying an item seems to be a much stronger signal to them, it makes very little sense how this currently works.
Seeing ads appropriate to a site however makes me a bit wary of the site itself, it needs enough difference to the context to not harm the sites reputation.
> are wasting their money and my time and bandwidth
_You_ think it doesn't work, but it does. Or at least 'on average' it does. As for your time, perhaps you value your time. But again, 'on average', there are so many people spending hours and hours on Insta, TT, etc. and those people clearly don't care about focus/time/ads, because it is their (mental/spiritual) bread and butter. When a young woman 'follows' 100 'influencers' and each posts twice per day, that young woman consumes at least two hundred ads per day and if she buys at least one item per day, that's a win for 'them'.
Regarding the car/pet scenario, if they are any good they should be advertising stuff to clean dog piss, brushes, etc.. items that "will keep your car clean when you got a pet".
But again.. it works. People make money.
> "Personalized" advertising isn't good for anyone except the ad networks.
According to Meta, their personalized advertising alone generates over $0.5 trillion of economic activity per year.
As much as the Hacker News crowd hates on ads, it's indisputable that it's good for businesses and the broad economy.
> it's indisputable that it's good for businesses and the broad economy.
I dispute this. Therefore it is not indisputable.
I support my dispute thusly: imagine a world where there were no ads. All the money spent on ads would be spent on other things. Those other things would, I assert, be better for everyone involved than ads. The world would be a better place.
I support my assertion that anything else would be better than ads by pointing out that for businesses advertising is an arms race, all your competition and you are in an auction for customer attention in which the winner is one of the duopoly that control all internet advertising. And for users I just point to waves hands at everything we hate about the modern internet all that. QED.
I don't disagree with you broad statement that ads are a shitty thing on the whole, but their cost should be viewed in real terms not financial terms. That is, the cost is the people that work on the tech, the resources spent delivering them, the attention diverted to looking at them etc etc. The ad companies are sitting on huge cash piles so clearly there's a shortfall in the value of resources that can be bought if we stopped spending on ads.
According to Meta, their personalized advertising alone generates over $0.5 trillion of economic activity per year.
Why should I care that they make a boatload of money while making the life of everyone else crappier? Advertising turns everything into shit.
Crapware pre-installed onto your brand-new phone or laptop [1]? Advertising. Pervasive tracking added to Windows? Generating profiles for advertising. Smart TVs sending regular screengrabs to Samba TV? Analytics for advertising. Like your $2000 smart fridge? It's going to be much worse because Samsung is piloting advertising. Every tech product is getting infected by this disease, both shoving unwanted ads into your face and tracking your pervasively.
Of course, someone is going to argue that we cannot have 'free' products without advertising. In the end the consumer is paying for advertising as part of (increased) product prices.
I think what many of us question is whether nor not those same $0.5 trillion would be generated by contextual ads. There's no doubt that ads work, but we really don't know to what extend.
E.g. if I'm on a pages looking at watches, should I get ads for watches, or would it be better to show ads for the washing machine I was looking up last night? Google, the search engine, clearly thinks it's better to show ads relevant to my search term, but they are also in a special position that's not applicable to a news website.
People working in the field has also previously commented, here on HN, that the ad networks are basically hustling the advertisers, selling them ad space / users that they know will perform badly, to move more "inventory". That generates economical activity, but does that benefit anyone beyond the ad networks?
There's a lot of money in international drug trading, and some people/orgs are getting filthy stinking rich pursuing that, consequences be damned.
By your logic, that makes it a good business. I dispute that.
According to Jack the rock slinging glazier, the broken windows he creates generates massive returns to the economy when people pay him to fix the windows.
Not sure if relying on research made by an advertising company, about it's own positive impact, is something that you should blindly trust.
You mean the same Meta and their ads and data collection that have been directly and indisputably linked to literal, actual Genocides? And teen suicides? And Cambridge Analytica?
Oh, but they shuffled some money around the economy (mostly into their coffers), so it was all worth it in the end, because as we all know the magic economy is the only thing that matters.
JFC… I’m begging for you to please think about things like this in ways that aren’t strictly about “the economy”. It’s so so so clearly a net loss for society it’s not even close. You have to literally ignore everything else other than this idea of “shareholder value” to come to such a ridiculous position.
I believe the main purpose of tracking based advertising is to know your gender, politics and social class to show you the right kind of car and pet supply.
This discrimination is quite important and before internet people would self discriminate on those basis and buy different magasines, see different movies, walk different streets and advertisers could target their demographics based on that.
Now everybody goes to the same social networks so the tracking is used to provide this discrimination
A good example is gym membership. There's 20eur/month and 300eur/month ones. The 300eur/month ones really don't want to advertise to everybody, they have a really specific demographic target in mind.
Interesting that ICCL didn't link the actual press release.
Press release from Belgian Data Protection Authority:
https://www.dataprotectionauthority.be/citizen/the-market-co...
IAB response post:
https://iabeurope.eu/belgian-market-court-confirms-limited-r...
They have included multiple new references since the time of this comment.
lol at IAB's choice of headline: "Belgian Market Court Confirms Limited Role of IAB Europe In The TCF"
IAB was on the hook for the dreadful cookie "consent" popups that ruined the web (no, it wasn't GDPR that ruined it, it was a very deliberate action by "industry groups" like IAB).
The only reason the Market Court annulled the previous decision was on procedural grounds, while agreeing that IAB is responsible, and keeping the 250 000 EUR fine in place.
Too bad. I wish Market Court would've burned IAB to the ground, salted the earth and scattered the ashes.
> It applies immediately across Europe.
Does anyone know what the consequences are? I have no idea exactly what it is that applies immediately.
I would guess that starting today Google and others should stop advertising as they currently do it, it being illegal. I doubt it's that simple, and even if it was, I am sure they will not simply stop. So what happens now?
Tracking has no legal basis, but it's still permitted with consent. The problem with IAB Europe (and other similar ad providers, as well as IAB's customers) is that IAB Europe didn't obtain consent; it tried to hide its tracking by using supposedly non-personal identifiers, which wouldn't necessitate consent, but the court ruled that these identifiers were actually PII. IAB also tried to weasel its way out of its responsibilities, but preventing that seems to have failed.
As a result, data collected through IAB about European customers was collected unlawfully, and third parties must delete that data. IAB also can't smuggle consent like this anymore, and needs to pay a fine that was handed down a few years ago.
The legal publication can be found here (translated into various languages, though I believe the original may have been Dutch or French as it was the Belgian DPA that started the suit): https://curia.europa.eu/juris/documents.jsf?num=C-604/22 and here https://www.dataprotectionauthority.be/the-market-court-rule...
I very much doubt ad companies will actually delete the illegally obtained data, but IAB and other companies in the cyberstalking industry this can be a problem, because they need to actually comply with the law.
The IAB doesn't track anything though? There is no IAB tracking pixel.
There's the IAB TC string though, which I think it's what's been considered analogous to PII.
>I am sure they will not simply stop. So what happens now?
U guess they'll either try to fight it in court somehow or find a loophole to abuse. Or yknow... just ignore the ruling as long as possible.
I don’t think this is a thing Google has to stop so much as people who implement these ads and TCF on their websites.
For a split second I hoped that this ruling would be the end of the IAB consent popups.
What more would be needed? Does the GDPR need to be amended?
Nothing
As I always say, you can’t outlaw being an asshole. But I am curious about what sort of assholery we will see next. Maybe all tracking will become “legitimate interest” (I’m kidding, please don’t actually entrench that garbage any more than it already is).
You see this blatantly abused all the time already - real example, first site I tested:
Use limited data to select advertising
Consent (91 vendors)
Legitimate interest (41 vendors)
Measure advertising performance
Consent (97 vendors)
Legitimate interest (58 vendors)
A number of news websites have started to make you choose between accepting cookies for free or paying to reject cookies
The actual options are: either you pay with your data or with your wallet. Which makes sense since, you know, journalists like to eat and eating costs money.
But it is illegal to pay with your data. That is the whole point. There shouldn’t be a choice to make here. Journalists should be able to eat and you should be able to read articles without being spied on.
Which is against with GDPR, Meta got a 200 million euro fine for this.
Technically Meta got fined on the basis of the DMA, not the GDPR (which I still don't fully understand). It's illegal according to my own interpretation of the GDPR too, but enforcement is seemingly non-existent.
All these fines are coming, but corporate lawyers stall as much as they can. Then, they appeal first-instance court decisions to stall some more. And they do get fined, 3-7 years down the road. Then, they change tactics just enough to violate a different law. If they were to change the nature of the crime more often, they'd open themselves to more prosecution.
But big tech can handle a few government penalties every decade. It even creates moat - artificial barriers to market entry. The multiplicity of penalties is insurmountable for new market entrants, but pocket change for the established ones. For example, the UK Online Safety Act is putting all the small social media sites out of business in the UK, but it won't change moderation standards at Facebook. Ergo, it has become Meta's moat. "If a fine is set for a crime, then it's only a crime for poor people".
Tech is full of clever and fast people who run circles around slow-moving government bureaucracies (even judicial). These courts need to resolve these cases every week. If it's 1 week for first-instance, 1 week for appeals, that's the pace that would stop big tech. Twenty-seven fines with a bite a year would have the intended effect.
But we're talking about a "landmark" GDPR win in this thread that took about 5 years. And the fines so far are less than 500 euros per data collector (250k euro fine / 600+ companies in IAB). It will not even warrant a footnote in GAAP financial statements at the end of the year for these companies; they'll just put it in operating expenses (along with the 1,500 euro office coffee machine, 3x more expensive than the privacy violations). A small blogger collecting analytics data incorrectly may not have much to eat in the month they get fined 500 euros (not that they will have had much to eat in the months of expensive court proceedings), but of course, they also risk the full extent of the penalties.
They already do that, unfortunately
Totally agree. The current ad model feels extractive on all sides. Context-based targeting feels like a more honest middle ground that doesn’t require spying on users.
The "problem" is that oh so many sites have no context. They exist solely to host ads, the content on their pages provide no actual value and is rehashed press-release, direct copies of reporting from Reuters, 10 ten lists written by interns or AI junk.
If this works it will be good for everyone, the many issue with today's internet is the perverse incentives to get views or "engagement" so you can sell ad space. The ads are the goal, not the message.
I’m sure some grifters won’t get their second Mercedes, but sites with no context and just ads disappearing would be a wonderful, almost dream-like outcome for the internet. It might even solve the dead internet problem to a degree.
There’s no way the advertising industry giants will let it happen. But the thought alone clearly illustrates the damaging effects of advertising.
Domain parking servies are a prime example of that shit.
See also the decline of media where they learned very early on that rage generates by far the most clicks and hollowed out their entire fucking industry to sell more ads.
Honestly a number of really really significant societal problems have their roots in surveillance capitalism
The decline of media is also based on the fact that advertisers no longer had to pay the big trustworthy publishers and could instead supposedly target those same users elsewhere.
It would be nice to have an opt-in platform where you could select products that you'd like to see ads for. For example, you're looking for a TV or automobile and you want to see deals related to those products.
Would not work, you’d end up with hundreds of such platforms (because why not, free market) and some would even exist for the sole purpose of inferring your consent from multiple other platforms (that would sell access) and it would then become so opaque that you would have no way of actually confirming which choices you made.
I understood as a SWE that the perfect solutions we often conjure never work as expected in the real world because we do not understand basic human nature and also how society as exists today works, including many many perverse incentives.
Not exactly, but somehow what you want: https://myadcenter.google.com/
I've been working on open source mobile app tracking for advertisers to use (an MMP specifically). Would love to connect with anyone in this thread to discuss it.
Specifically, is tracking inside of a single app/property acceptable?
So much mobile tracking is added due to a lack of real HTTPS links (in mobile called deferred deep links). To just know whether a user from link X did or did not open the app.
Happy to chat with people opposed or pro, feel free to reach out for a longer discussion.
> Specifically, is tracking inside of a single app/property acceptable?
If you have any kind of unique identifier for the user (UUID, etc) and do not ask for consent before processing their data (tracking them), then this is a clear breach of privacy law.
If you get explicit consent (that means the user understands what they're consenting to) before you process their data (so no setting up identifiers and then showing a popup), then you're in the clear.
If you put unique identifiers in the link the user clicks so you can see if the user opened your app, then you need to ask for consent before generating the link.
And of course, apps/services should all function if the user doesn't provide consent. "Give consent to enter" is explicitly illegal.
Theoretically, you could build something like this, but it's not what advertisers want, because they want to track their users without interrupting the conversion flow with a yes/no popup "do you want company Y to know you installed app X because of them".
On iOS, there are two ways to work around it:
1.) use custom product pages. Users need to have a device with iOS 18, but if they do you can now assign a URL to a custom product page, and the app will receive this URL on first launch. Only works for a small number of static links because you can't dynamically create custom product pages. Good for thinks like influencer campaigns if you have a small number of influencers (e.g. a YouTube channel you support), and since iOS 18 adoption is high enough now this has very recently become a viable method.
2.) use an App Clip. I do this for referral links in my app. The user launches the App Clip, and because the App Clip can receive an invocation URL, you can store that in a shared group container - that's a shared data space between your App Clip and your app. Most users don't know what an App Clip is, so to avoid confusion and make your users assume that they already downloaded the app when in fact they didn't, I recommend just making it a single page with a download button. You can try this flow here (it's a referral link for my app); make sure to open the link on an iOS device, otherwise you will see a fallback website telling you to install the app first: https://tape.it/user_referral/1
> Specifically, is tracking inside of a single app/property acceptable?
No.
Tracking is explicitly not permitted unless you receive an informed consent from the user.
there is no acceptable advertising, because advertising is propaganda not information.
What's the likely outcome of this? I cannot see Google et. al. giving up their surveillance apparatus. Instead I suspect we will end up with more extensive consent forms, which will end up making the surrendering of privacy from the user even more explicit.
I hope I'm wrong, but I cannot see a more plausible outcome.
250k euros for an association of 600+ advertising agencies (IAB) is an exceedingly cheap cost of doing business.
Keep in mind that the fines are intended to be progressive. If they don't quit their current practices now that is is clear how the law should be interpreted, the next fine will be substantially larger.
That’s understood.
But is 250k euros an appropriate fine for the personally identifiable information that’s been collected and associated with behavioural metrics, political preferences, confidential health data, and other private data points by the 600+ companies that make up IAB and their partners?
This is less than 500 euros per company. They probably pay more each month to host the illegally collected data.
And they probably have the data for millions of EU citizens. Maybe a billion+ profiles worldwide. Granted, the numbers are pulled out of thin air, but what’s a reasonable estimate if not that?
Unless I’m misunderstanding…
What do you think happens if they are caught again? By then the precedent has been set. Easy decision. Fine them again. And obviously the previous fine didn't work so increase it. Courts have no patience for repeat offenders.
Also, it sends a signal to wannabe competitors to this company that there are laws and there are consequences for breaking those.
And of course given that these companies have money, there are going to be lawyers paying attention to see if they can get at that money in some way. Germany is almost as bad on that front as California. Lots of enterprising lawyers here. So, one successful court case can trigger many more once the precedent is set.
The fine is nothing, but their core selling point (selling ads without bothering to ask for consent) has been exposed and ruled illegal. The implication is also that data collected for years by those 600+ advertising agencies has been collected illegally, though I doubt deletion of that data will be enforced without a second suit.
> the Market Court annulled the BE DPA's decision 21/2022 on procedural grounds.
It's a win for advertisers. The court says, the logic holds, but the advertisers will not be fined and will not have to follow the 21/2022 decision.
"Although decision 21/2022 is annulled for procedural reasons, the Market Court endorses the reasoning of the Belgian DPA and confirms the fine of 250,000 euros imposed. However, the Court rejects the BE DPA's conclusion that IAB Europe acts as (joint) data controller for the processing operations that take place entirely within the OpenRTB protocol." https://www.dataprotectionauthority.be/citizen/the-market-co...
It's not a pure win.
> The court says, the logic holds, but the advertisers will not be fined.
That's common in European jurisdiction. We tend to operate on a "first strike is free" principle, especially in contested / purposefully left unclear legal environments. Only when the case law is clear, it can be shown that a law was intentionally exploited or broken or it's a repeat offender, then we bring the hammer down.
Really? But from what HN told me, any minor violation of the GDPR would be met with a multi-million fine and the GDPR police blasting your doors to arrest everybody
/s
The problem is, many people on HN are Americans and assume that the way their jurisdiction works should be an example for everyone else to follow.
Our political and legal system prefers self-regulation first, if that doesn't work then regulation will be introduced, the first offenders will get a slap on the wrist to clarify for everyone what the courts' lines on interpreting the law are, and only then the fines follow.
Yup, pretty much this
In this case the fine was annulled because the procedure wasn’t followed correctly by the public defenders.
I can assure you that if the procedure is followed the way it should be you will be fined for any kind of violation of the GDPR no matter how small you are.
I don’t know where you are getting from this “you can violate the law for free the first time”. I know HN likes to defend the EU any way it can (not because they love the EU but because they hate the US because they dared to choose a leader they don’t like), but this is absolute bs.
> I can assure you that if the procedure is followed the way it should be you will be fined for any kind of violation of the GDPR no matter how small you are.
That depends! If it is an innocent violation or the offender is a small business, no court will hand down the top end of the fines. Only if you are someone like, say, Facebook and intentionally piss off the EU, then you will be in the deeper end of the trouble.
> I know HN likes to defend the EU any way it can (not because they love the EU but because they hate the US because they dared to choose a leader they don’t like), but this is absolute bs.
European HNers tend to defend the EU not because of their current leadership, we already did this during the Biden and Obama terms. We defend Europe because we believe that a lot of what the US does (both its relevant economic players and its politicians) is utterly counterproductive, if not outright harmful.
> That depends! If it is an innocent violation or the offender is a small business, no court will hand down the top end of the fines.
So you admit you will be fined? Good we’re on the same page.
No you won't. You will be asked to fix the violation first. If it goes to court, then you're likely to be fined.
Which is moving the goalposts. Of course if you don’t get sued you don’t get fined. But there’s no “first strike is free” principle in EU law, that is bs.
That's the entire point. Our regulatory authorities don't immediately go to the courts. They will ask you to clean up shop first, unless it's obvious you're an intentional violator or your violation was based on extremely gross negligence.
Which is not what’s happened here. This went to court but the sentence was annulled because the prosecutors messed up.
We are dealing with the IAB and tracking for a looong time now. The first warning shots followed the implementation of GDPR, the behavior of the ad industry at this stage is assumed to be intentional abuse.
Hence, it's time for hard sanctions, even though procedurial issues made for this fine-less ruling now. Expect more fines to roll out if the ad industry doesn't get it now that playtime is over.
Corporations should pay $0.01 per data point stored, per day, to that citizens country.
For once, a corporations actions will then disproportionately affect the rich, since they will be the only ones worth holding data points on. Those best able to financially and legally enforce the rule.
A clean win win.
I hate tracking with a passion. I browse internet in incognito mode with ublock origin.
That said, I don't understand how TC String can be considered PII.
I haven't been following this case so probably miss a lot of context, but my understanding is that the TC String encodes user's preferences for which advertises to share your info with. For example, I visit example.com and deselect everything. This information then gets passed around so that advertisers know I don't want their advertising.
Isn't that kind of the point? I want them to know I don't want them. I'd rather setup that once and then not do it again for every site under the sun. Is the issue here that you can somehow be identified based on your tracking preferences alone?
The ruling here is confirmation of an earlier ruling where TC String was considered personal data. As an effect, the organization coordinating all this tracking (IAB) is considered data processor.
Is the ruling just a technicality (the fine is pretty low) because IAB isn't listed in data processor lists for all the sites I visit, or is there a deeper consequence arising from the ruling?
I think that 70 % of web users believe, that each website that they open can see their real name, their address, their phone number, the files on their computer, their browsing history and a lot more, and they believe that the GDPR laws are the only attempt to prevent websites from misusing (e.g. selling) all their private data.
Sorry for the mangled and editorialized title, I had to remove the company lists to stay in HNs length limit.
I was quite glad to see this quote in there:
> Dr Johnny Ryan said "Today's court's decision shows that the consent system used by Google, Amazon, X, Microsoft, deceives hundreds of millions of Europeans. The tech industry has sought to hide its vast data breach behind sham consent popups. Tech companies turned the GDPR into a daily nuisance rather than a shield for people."
I feel this so often gets lost in the conversation where a huge amount of people in communities like this one will loudly point out how annoying consent banners are but never give any thought as to why so many websites feel that just because you want to read a single article on their website that they are now entitled to sell your information often to hundreds and even thousands of different data brokers and that this is now so normalised that it’s almost every bit of content I consume now.
The original purpose of the GDPR was clearly to try and put an end to this kind of thing while still leaving cutouts for legitimate purposes with informed consent.
I’m so glad to see them come at this from a new angle entirely now to just firmly say that this surveillance capitalism bullshit is illegal and you can’t cookie banner your way out of it as some kind of legal protection.
Good, that makes me extremely happy as an EU resident and I wholeheartedly support whatever steps you need to take in order to enforce this. There’s no reason at this point to continue playing nice with US spyware companies masquerading as “data brokers”, let them deal with the mess they made but we don’t need it here.
> The original purpose of the GDPR was clearly to try and put an end to this kind of thing while still leaving cutouts for legitimate purposes with informed consent.
Don't forget the "legitimate interest", where somehow 635 ad companies absolutely must have my data to visit a single website...
Making the shareholders richer is certainly a legitimate interest for the owner of the website, eh?
Here's an interesting read from noyb that tells the tale of how scummy Xandr, the Microsoft advertising network, is.
https://noyb.eu/en/microsofts-xandr-grants-gdpr-rights-rate-...
I've tried to do the same steps in the past and eventually, the xandr pages linked there were removed - now being in Microsoft something page - and being even harder to contact (even if it's still possible to fill a form asking for your data when you get there. I received the same answer as noyb)
The ruling today shows how consent pop-ups used by tech giants like Google and Amazon have been misleading Europeans, turning GDPR into a nuisance rather than a protection. With real-time bidding and tracking cookies at the heart of online ads, it’s clear that the entire system needs a serious overhaul. But how will this ruling change the game for advertisers? Will they actually be forced to respect privacy, or will we just see more ways to sidestep the rules?
Advertisers are not at fault here, publishers and ad networks are.
Translation: Ad-supported revenue, which is most Tech revenue, is not allowed in europe -> Tech will never be allowed to grow in europe
You're right. What a ridiculous idea to force companies to make a profit from selling their actual product, instead of from selling their users' data to a middle-man that exploits it in perpetuity. Europe is doomed.
Contextual advertising is fine. The advertising industry (even the web advertising industry; personally targeted advertising wasn't really a thing until sometime in the noughties) existed happily enough for a couple of centuries without personal targeting.
Ad-supported revenue is fine. Contextual advertising is fine. RTB without adequate consent is not fine.
If this is what "growth" looks like, I'm good with stagnation.
It is allowed. It just has to come up with a different revenue stream. Doesn't sound impossible.