That's not what the article is about. Advertisers will always find a way to advertise.
The article is about what publishers to do, and speculates that smaller publisher may not be able to create a business model, but larger publishers will be able to adapt ad systems.
Yeah, but all these years the targets of the publishers' ires were and have been US tech companies. That includes an op-ed claiming that the publishers are afraid of tech. The same publishers that bragged about swaying elections and decision making in Brussels.
IMO using ads as a revenue model for news publishing is doomed to fail. The incentives between readers/publishers aren't aligned and it is basically a clickbait race to the bottom.
Browsers should have taken that space long ago. Mozilla tried with Persona, but inexplicably it was abandoned. We could have granular control of our real and pseudo identities.
Persona is exactly where my mind went with this as well. While Yahoo was flailing, trying to find some new vision, one of the few good things they did was partner with a company that really has a vision in Mozilla. Yahoo could have moved to align the significant portion of the web under their control into compatibility with Mozilla's various efforts, such as Persona.
To me that's going to go down in internet history as one of the ultimate what-ifs. I feel like it was a missed opportunity for both companies.
We don't need companies controlling the internet, and we certainly don't want them controlling our identity systems. The current status quo is already bad enough. Where is the implementation that allows me to own my identity? Why are my user records locked away in some (many) corporation's database?
You're right that we don't need companies Co trolling g the internet, but it sure would have been nice to have a good login system backed by a company with the intentions and motivations of Mozilla (a non profit).
Businesses aren't going to trade their content out of the goodness of their heart, they want something in exchange. I would much rather trade ad views through Mozilla using a list of my interests that I control than to allow excessive tracking and profile building by some untrusted third party.
What we apparently have now is login collectives starting up, but who's to say how good or bad the practices are for each, or whether they have the ability to adequately secure their system.
it could be based on some other identity provider perhaps an anonymous one, even trustless. persona was flexible with regards to authenticators. the point is, if the browser had control of the SSO, then the user could control it, not facebook or google or twitter.
I'm still trying to understand the cryptocurrency space and its implications, but isn't digital identity a perfect use case for the blockchain? Decentralized trust that doesn't rely on some government or corporation?
It's an interesting case. I looked at their architecture diagram and at first thought "WTF is the blockchain doing there", since their process is essentially the same as Mozilla Persona, except in the latter the attestations were delivered to the user, who then delivered them to the requester (therefore keeping the provider ignorant about who was the requester, from privacy reasons).
But then they talked about revocability and yeah, that's true; if an attacker tricks the provider into giving them an attestation, then the provider has no way to alert the requester if they discover the attack, since the user is mediating the conversation. The blockchain serves as a kind of neutral proxy that allows the provider and the requester to talk without meeting each other.
On the other hand, the requester still has to check the blockchain periodically to see if any revocation was issued, so it's not immediate. Rather than doing that, why doesn't the requester periodically require the user to provide a fresh attestation?
So yeah, I'm still not seeing why the blockchain is actually needed.
Persona’s technical implementation required permitting use of third-party cookies across domains (yoursite.com vs persona.com), which turns out to be wholly incompatible with tracking protection efforts. From a technical standpoint maybe it’s possible it could have been fixed, but it turned out that no one particularly needed a third-party “middleman” authentication service that required webmaster effort per-site—especially with OAuth2 already providing a viable, if imperfect, alternative approach.
They aren't, exactly. In one of the articles linked from this one, it says
>
It’s easy to confuse the ePrivacy regulation with the General Data Protection Regulation, a broader law addressing consumer data privacy that has dominated the market’s attention lately. The core difference is that cookie use is central to the ePrivacy regulation, which is why it’s known as the “cookie law.” Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law. Meanwhile, the GDPR regulates the general handling of personal data.
If that is true, why not throw things into some P2P cryptographically secure user account system like this[1] (disclaimer: ours).
From a technology perspective, it is non-trivial for corps/companies to do this (since they don't value that). But the technology to do it already exists, so if laws are forcing people this direction, what is the best way to market the availability of systems like this?
some distributed pseudo-identity could be, as long as it has strong privacy protection and identities can be deleted / obfuscated in a way that becomes untraceable. but here you still have a centralized identity provider.
That's a good idea, but if I were a German citizen I'd rather they use something that's tried and true like shibboleth. I can't speak for the rest of the world, but shibboleth is what most of America's colleges and universities use to allow students to access research material the institution has paid for. Something that isn't obvious though, is anyone can setup a shibboleth identity provider, the only difference being that it's not on the whitelists that academic identity providers are on.
The general term for this property is “federated identity” and academia is probably the most mature and widespread implementation - academic institutions regularly allow visitors from other institutions to use their home institution’s credentials, for example in the worldwide “eduroam” WiFi network.
I really don't understand what the EU's goal is here. Someone said that it's to model the "walled garden of regulation" approach that China has: Make regulations so tough and block out outside actors, creating an internal market that can thrive. Also wanting to break out the dominance of American tech companies within EU, and foster innovation.
However, I have yet to see a single argument where these regulations (both GDPR and ePrivacy) don't hurt EU businesses, and favors companies outside that don't have to abide by these stricter regulations.
So why has EU adopted this extremely hard line approach? What is the best case scenario?
The EU tried the soft touch approach and we just got generic cookie warnings on everything, so now we have the stricter regulation. The ultimate purpose is to put a stop to pervasive tracking and user-targeted advertising. Advertisers will just have to go back to targeting based on the content the ad is displayed with instead.
Vast majority of people aren't willing to subscribe so Internet outlets will become even more dependent on partisan funding.
Many esteemed newspapers are already propaganda arms for their rich benefactors (see WaPo and Bezos) without whom they couldn't keep the lights on. This will only hasten this process for European media.
Maybe accelerationism is the right approach here but it is very unlikely to improve quality.
Extreme partisan politics, and it’s associated funding, seems to be a very American thing.
Many EU countries (like Germany) have proportional representation systems that eradicate two-party control.
Even in the UK where we do have two-party politics, the minor parties still pull in substantial voter share. And you don’t see extreme spending during campaigns. UK politics looks pretty shabby compared to spectacular that is US policial campaigning.
Anyway The point I’m trying to make is that publications relying on partisan funding isn’t really a danger in the EU. European media and politics is nothing like the US.
Americans spend a lot on politics because they're much richer than Europeans and can spend a lot on everything. You see it with healthcare, houses, cars...
GDP per capita in the US is a third higher than in Germany and the US is four times more populous on top of that. The amount of wealth sloshing over there is incomparable.
And the ad bubble themselves is partly to blame, thanks to
the way the debt-based economy works. For example, Google raises housing prices in California.
Or, it gets run by enthusiasts instead of companies. We had a huge internet ecosystem before everyone was being tracked, and it has only gotten worse since.
That's the point. People will click on clickbait but very few will pay for it. Without the tracking, you also lose the filter bubbles that only show you opinions you agree with.
The EU (and certainly mostly Germany) has historically a very strict stance on protecting private data. The so called “informationelle Selbstbestimmung” is regarded a part of the fundamental human rights. See for example the Volkszählungsurteil of the german constitutional court (German, sorry https://de.m.wikipedia.org/wiki/Volksz%C3%A4hlungsurteil)
So the best case scenario is that the goal is to actually protect the EU citizens. (I’ll avoid discussing whether the GDPR is a good tool to achieve this goal)
Though the gdpr doesn't really do that; see one-stop-shop and all. It's transparently aimed at American companies.
NB: I don't necessarily disagree with the EU deciding to break Google and FB's business models; but pretending that's not what is happening is silly. It would have been helpful if FB hadn't basically told EU privacy regulators to DIAF.
The GDPR is composed of a bunch of vague hand waving subject to after the fact rule making by 29-ish different country specific privacy orgs, plus a fewer number of rules set out in black and white, presumably with limited local rule making capabilities. The black and white rules include that consent must be default opt-out, must specifically enumerate and permission each processing purpose, and cannot be required unless necessary to provide the service, even for free services.
What stops Google from presenting users with a large popup with lots of legal notices mixed with sweet talking marketese? Most people would just click "Okay, I agree" having never read anything in that popup.
Informed consent is required and hiding the crucial information in a sea of legalese would violate that. EULAs get slapped down for such things on a regular basis.
I didn't mean it to be deceptive. They could just explain things at length in sweet language. Then inject consent request at a point in the workflow where people are most likely to click it away in hurry.
The point is that Google or Facebook would get away with this while smaller sites won't.
* brevity
* clarity
* consent to be separate from other T&Cs
* default opt-out for everything
* each purpose for which processing will take place to be individually enumerated and consented
* granularity: the ability to opt-out (default) to each processing purpose
There's no ban on including a button that opts a user in to everything, but you would have to take care to make it very difficult to click by accident or I can possibly see a regulator permitting this. See eg discussion of "clear affirmative action" (A32).
And I think the eu will very specifically place the highest scrutiny on google and facebook, rather than the least.
edit: no doubt, some smart-asses are going to push their luck, but they'll get slapped down in short order (imo). The GDPR regulators will be looking to make an example of some companies.
Also, the stick here is the larger of 10m euro or 4% of global turnover.
The simplest thing is that they must provide an option to refuse (without making getting service conditional on it), and there's explicit legal requirement that "revoking consent must be as easy as giving it".
If next to "Okay, I agree" button there's a "No, just let me through" button, people are going to do just that.
Exactly this. A veneer of personalization can make it so that you must consent to get the service. Realistically not every use can be put down a priori because that would preclude allAB testing of new features. I’m expecting a much larger “cookie pop up” but getting an option to reset data will be nice (until I need to use the service again)
Note that you must get consent for each separate use. If users give you consent to use that data for service personalization, then that must be separate from using the same data for ad personalization and from consent for sharing that data with third parties - even if the first use case is objectively needed by your users, the other uses must be opt-in and can be refused.
"Realistically not every use can be put down a priori because that would preclude allAB testing of new features." means just that - it does preclude you from AB testing of new uses of that data as you might have done before. It's illegal now unless you get user consent beforehand. It doesn't prevent AB testing as such, but it does prevent "hidden" AB testing that doesn't inform users and doesn't give them an option to refuse.
And crucially, under the consent basis, you have to explicitly enumerate the 3rd parties by name. You can no longer use a defined, every precisely defined, class of 3rd parties.
The other available basis, legitimate interests, would be extremely hard to use as a basis for 3rd party target data sharing.
- Private Data is useful for Ads, but not the only way to run them.
- Ads are useful way of generating Revenue, but not the only way to get it.
- Revenue is useful to provide a Service, but not necessary, as evidenced by almost every startup out there ;).
Ok, I'm joking with the third a bit, but for the first two points - sure, data->ads->revenue might have been the easiest way to make money on the Internet, but it's not the only way, and the point of GDPR is for companies to explore other, less user-hostile options.
The problem is that, effective in a few months, this argument is not considered sufficient. You don't get get automatic permission to use private data just because you "need" that for revenue. People have an unconditional right to their private data, your business does not have an unconditional right to revenue or success. You get only the data that users consent to. If that's not sufficient for your ads, revenue and service, then tough luck, adapt or cease operations; if your business model is not compatible with user privacy then that business model simply is not valid anymore.
You are debating different thing. The debate is, can a business deny service, or offer degraded service instead, if no consent is given. Nothing I have read suggest otherwise.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
This is exactly what it means - it doesn't explicitly prohibit a business to deny service; however in this case the regulator is likely to rule that the consent they received from those users who did click "agree" was not freely given, and the business is using their data in violation of this directive.
I.e. instead of "can a business deny service, or offer degraded service instead, if no consent is given" think about the concept "if a business is known to deny service or offer degraded service instead if no consent is given, is that consent freely given or not?", and how will your business demonstrate to the regulator the legal basis that gives that you have the right to use that data - since now by default you're not allowed to have and use it. The evaluation criteria is not "did they click a box with required parameters" but rather "does your whole consent-gathering process ensure that you're not counting consent that users did not want to give" - if your consent-gathering process is flawed and systematically results in people who didn't want to consent being listed as "True" in your consent-database, then it means that you don't have consent from anyone.
This is an clear, large financial risk, since if a business does it this way I'm likely to intentionally go to their website, click 'Agree', enter my data, on the same day file the standard request to the business requesting information of the data they have on me and the legal grounds for using that, and if all they've got to say is "well, you clicked the agree button where the other choice was to refuse service" then I'll immediately file a complaint with the regulator that they're using my data without freely given consent (as the service was conditional on that consent) and deserve a fine for this violation. And the fines are substantial.
Unless the business can show that private data is necessery for good service which it is as data brings more revenue, and more revenue enables good service.
So a user would have two options: 1. Disagree, pay with money, 2. Agree, pay with private data.
No, that's simply not true - the exemption is if the data needs to be used to actually do the service right now. Quoting the actual directive, "processing is necessary for the performance of a contract to which the data subject is party"; there's no "good service" there, nor future improvements of that service, nor sustained profitable operation of the company. And "necessary" means just that; if you physically can perform the contract without this data, then the data is not legally necessary even if you'd go bankrupt if everyone did that. This exemption covers things like storing your address for deliveries of goods, a messaging app storing your contact info, instagram storing your photos - things where that data is inherently needed to execute that service.
Data can be helpful to improve some recommendations that will make service better in the future - fine, the users can opt-in and some will do that; but that's not an automatic justification to use that data;
Data can be helpful to support the future development your service with revenue - fine, the users can opt-in and some will do that (i.e. many people turn off adblockers and give patreon funding to services they like), but again, that's not going to be legal justification to use data of those who don't want to.
There are a bunch of other exemptions where you can use that data without consent (compliance with other legal requirements, overriding public interest as in e.g. press about public officials), but "I need money to continue operating" is not among them. GDPR is intended to solve the conflict between "I don't want to provide data" vs "I need data-based revenue to continue operating" in the favor of users. If you really do need that data based revenue to operate, then the users can "vote" (by opt-in) whether they consider your continued operation valuable enough to hand over their data voluntarily.
A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services.
The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geo-localisation or online behavioural advertising are necessary for the provision of the photo editing service andgo beyond the delivery of the core service provided. Since users cannot use the app without consenting to thesepurposes, the consent cannot be considered as being freely given.
[Example 6]
A bank asks customers for consent to use their payment details for marketing purposes. This processing activity is not necessary for the performance of the contract with the customer and the delivery of ordinary bank account services. If the customer’s refusal to consent to this processing purpose would lead to the denial of banking services, closure of the bank account, or an increase of the fee, consent cannot be freely given or revoked.
You appear to be right. GDPR effectively bans targeted ads in EU which means a significant source of revenue, enough to be fatal, is now illegal. It seems to me that EU does not like private data as payment.
I wish good luck to citzens and businesses cause I certainly wouldnt/couldnt, as a business, provide EU.
Which many wont. Yet business still have to provide same service as someone who has. Cost remains same but now profit reduced drastically. Thus its not economical to provide to EU.
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Article 43:
> Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
I've only read interpretations of said guidance from the ICO, DPN, and DPC but they are exactly what you would expect from those two articles.
I don’t agree that the goal was to target and brak up US companies. It just happens that the largest companies that rely on tracking are US companies. This law will hurt EU companies just as much, as evidenced by the article.
The reason for this regulation is the privacy of EU citizens. Businesses (both in EU and outside) don't "behave well" by themselves, since there's an inherent profit motive in violating users' privacy and interests, so this regulation is forcing them to do this.
The best case is just that - businesses serving EU citizens (this includes most large multinational businesses as well, companies hosted outside do have to abide with these stricter regulation at least for EU users, since almost always they also have EU customers or EU presence) have to obey these rules. They don't get to (ab)use user's data that much and are unhappy about this, but figure out on how to live on without that data.
I absolutely agree that privacy is important. However, what I'd like to understand more is: What are the regulators actually expecting to happen? Looking at the first version of the cookie law, basically the end result was a worse user experience across EU websites. Large warnings that take up large screen real estate, people learning to just blindly accept without reading. I was trying to explain to my SO that I'd been to a presentation about GDPR and ePrivacy, and said "It's the new version of the cookie warning" "Oh is that those awful warnings? I hate those I don't even understand what they are trying to say"
From a pragmatic standpoint the result of these new regulations seems to be not that publishers and other ad-financed businesses are saying "OK, ads are bad, let's do less of those". They are finding workarounds that abide by the law, but still allow them to target ads as optimally as they can.
The true winners in this are obviously the platforms with the largest database of users and user interest: Google and Facebook. The two companies are are dominating already, and in essence killing smaller local (EU) publishers. So from that perspective, are the regulators hoping that publishers and local companies band together, creating cookie pools and sharing user information amongst themselves to strengthen their position against FB and GOOG? Or are they hoping that EU companies come up with the holy grail of new revenue streams that nobody has though of yet?
TL;DR: In my mind: T stop bad things regulators make laws against something, and also to promote the "right way". Example: People get hit by cars crossing the roads anywhere. They invent a crosswalk and make it illegal to cross the road anywhere other than the crosswalk. What is the ePrivacy version of the crosswalk?
The main cause with the "cookie law" is that the law as written failed to implement the intent; the intent was to reduce tracking by cookies, but the actual requirement could be satisfied by those obnoxious warnings while doing tracking as before, and so it was. If the concept of "consent to cookies" was worded more strongly, as in the current laws, then many websites would actually have not made these warnings and simply made do without the cookies, since they wouldn't be able to obtain consent from most people anyway.
The new laws seem to avoid this mistake (of course, only time will tell for sure) - they are harsh enough to ensure the strategy "figure out what legalese we need to add to keep doing the same things" is not viable, and they have to actually stop gathering and using that data.
In my reading, GDPR seems like it will not enable workarounds that still allow targeting ads as optimally as they could in 2017. They'll still try to target them as optimally as they can, they'll probably figure out some workarounds for parts of it but that will by necessity be ads that are less targeted and use less private information (at least for EU residents) than last year. Also, the intent of lawmakers is clear - whatever workarounds the ad industry figures out to circumvent that intent are likely to be closed in 3-5 years with the next iteration of this directive.
The regulators are not "hoping that publishers and local companies band together, creating cookie pools and sharing user information amongst themselves" - they are explicitly creating conditions to ensure that it's almost impossible to get consent for that sharing of user information, and also that Facebook and Google will be able to get much less information than they could before - for example, the GDPR has a big impact on information gathered by all the FB like buttons and google analytics snippets in third party websites; and the "4% of global turnover" clause is included explicitly so that it has leverage to force Google and FB to change their behavior (at least for EU residents). There's no such thing as a "service-wide" opt-in for everything anymore; I will be able to deny Google consent to use my gmail data for targeting ads on google.com, and Google will have to obey; I will be able to ask Facebook for the data they've gathered about me on third party websites and get them to remove that data.
Since it's expected that most EU consumers will not give that consent (why would they?) it will pull Google and FB down to the level of those ordinary publishers; they will lose the data that historically gave them this advantage. They're not hoping that EU companies will magically grow new revenue streams, they are taking away those revenue streams (regarding EU customers) for all companies, EU and foreign.
This seems like what the regulators are actually expect to happen, and from what I've seeing in the internal activities of local businesses, it's going to happen - pretty much everyone here has major ongoing IT projects that will reduce the amount of private data that they are gathering and storing. That is the ePrivacy version of the crosswalk - stop gathering private data about users, anonymize/cleanse the data you already have, and do your advertising in a more coarse-grained manner.
I think you are expecting too much. Folks are going to click consent buttons in order to use the websites they want to use and never think to go to privacy dashboard and view/modify/delete their data.
First, there's no such thing as "click consent buttons in order to use the websites they want to use" - if clicking that button is needed to use the website, then it doesn't count as freely given consent. I.e. either the choices are "Agree and proceed" and "Disagree, but still proceed" or you might not have bothered with asking, since that click is not consent. If the data is not inherently needed to provide the service (i.e. a delivery address if you want something delivered), then users must have the option to refuse.
Second, there can be no single "consent to do everything". You have to explain every single usecase separately with details and specifics, and get consent for each use case separately. This is a big issue. If a small company has something particular in mind, it's not a big deal. But if a megacorp has (had) a habit to use your data everywhere for everything, that's not going to work. As GDPR states, “A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”. If the list of use cases and their details doesn't fit on a single screen, users simply won't accept them. For an organization like Facebook, it'll be a major challenge to simply list the places and ways where they are already using my data - and they'll either have to give that full list to me and somehow convince me that I should agree (as the default option is to refuse with no consequence to me) or stop doing it.
In essence, you have to bring them to the privacy dashboard first. And everything has to be opt-in (default off). If you have a random consent button like the classic "Agree" under terms and conditions - well, that doesn't count as informed consent, so if that was your system then you don't have consent from any of your users, and your use of their data was prohibited. Even if most users won't care, a few activists can force you to change the behavior for everyone or risk major fines - i.e. if I see that you're using my data without my consent, then it doesn't stop at you removing my data; the regulator can ask you to prove that you got informed, specific, freely given consent from all your other users.
Third, previous consent doesn't imply future consent - if you want to use the data for something new, previously this was done by quietly amending the terms and conditions, and adding a new option to the privacy dashboard (often pre-selected). Under GDPR, every new use requires new consent.
Fourth, a lot of the tracking has historically been done by third parties. I can see myself giving consent to use my data on some forum or blog that I frequent; however, the consent that I give them doesn't count as consent for all the ad networks running the ads on their site. The ad networks would have to ask permission separately (which they won't realistically get, ever) and they also can't count on getting the site owner to give them my data, since site owner needs my (separate! opt-in! specific instead of "may share with third parties"!) consent for that.
What if your website doesn’t work without cookies?
“We are collecting this data in order to provide relevant stories and advertisements on this website and partner websites. Please click Yes to enable your personalized feed”.
Each purpose must be listed separately; the fact that user gave you the data and consent to use it for one purpose doesn't imply that you're allowed to use that data for another purpose.
In your example:
"This data is absolutely required for the service you requested" >> no consent needed, you're just informing the user;
"Also, we'd like to use that data to personalize your feed" >> opt-in;
"Also, we'd like to use that data to personalize your advertisements on partner websites" >> a separate, different opt-in. The user can enable the personalized feed while denying you consent to share that data with advertisers.
And if they say no along the way, what prevents the company from blocking access? Also, how does law differentiate between something that has to be separate or AND'd?
If the company does block access when you decline, then this means that the regulator is exceedingly likely to consider that any "consent" the company got from those who agreed was not freely given, and so it does not have the right to use any user's data for this purpose; which would expose the company to substantial fines.
The law intentionally doesn't set out explicit conditions to differentiate between what needs to be separate, and other conditions as well, to prevent gaming for workarounds. Instead, it lies out general principles and rights of the users, and gives a lot of leeway to the regulator(s) to evaluate if the usage of data was in accordance to the user's wishes.
In essence, the question is quite simple - did the user want you to use that data for whatever you did? And, can you demonstrate to the regulator that they intentionally gave you informed consent by freely opting in to that use?
If they genuinely wish you to have and use that data, then it's ok (and they're not going to complain) and if they did not actually want you to use that data but your process somehow managed them to click all the required boxes, then your process is wrong, since whatever it measures is not informed, freely given opt-in consent. E.g. if I'm the company, then it's my duty to show why I have the right to user other's private data. If the only justification I can provide is that they clicked on "We are collecting this data in order to provide relevant stories and advertisements on this website and partner websites. Please click Yes to enable your personalized feed", then that's a lousy justification - it demonstrates that users wanted me to enable their personalized feed (so I have permission to do that), but it doesn't really show that those who clicked 'Yes' wanted me to use their data for advertisements on partner websites, which is the criteria that matters. Any regulator will reasonably assume that it's likely that some of those users wanted the feed but did not want their data to be given to advertisers, in fact, they might have some evidence in forms of complaint from such users. Maybe some of them really wanted me to do just that (e.g. they freely wished to support my site in this way by donating access to their data), but that question did not give them the ability to clearly express this intent. If I had separated those things, I might have gotten consent from some users to share data with advertisers, but with the combined question I did not; so it'd be in my interests to separate those questions.
All the consent-related articles of the law and comments to them pretty much amount to repeatedly stating that if the user doesn't wish you to use that data, then the only way out is not to use it (or use it under some of the non-consensual use exemptions) - the law doesn't provide any option to claim consent if the customer doesn't actually want you to do what you did with their data.
For a crude comparison, the consent criteria seem to be comparable with those of sexual assault - no means no, a lack of answer is not consent, consent must be freely given and not coerced with some threats, consent can be withdrawn at any time, etc, etc; essentially it's only consent if they actually want to do that, no tricks or technicalities. The answer to "what prevents the company from blocking access if they say no along the way" is somewhat analogous to "what prevents your boss from firing you if you say no to requests of sexual favors" - they can do that, but the (implied) threat of it means that the act was not consensual and unacceptable even if you didn't say no.
> The main cause with the "cookie law" is that the law as written failed to implement the intent; the intent was to reduce tracking by cookies, but the actual requirement could be satisfied by those obnoxious warnings while doing tracking as before, and so it was.
The "cookie law" states quite clearly that you have to be able to say no and also explicitly states that it's only about tracking. The problem was that it was en EU directive and the member states implemented it quite differently (some not at all, claiming it already being covered by existing law) which led to a lot of confusion and companies getting away with those annoying OK-button banners.
I agree that the cookie law was a mistake, but I don't necessarily agree that it has any bearing on the GDPR's effectiveness.
I won't wade into whether the law is better for certain businesses, that's a complicated topic that I don't have the cycles for.
But what I will say is that the requirements[1] sound like really good benefits for consumers.
Being able to go to Facebook and say "delete everything you have on me" is a huge plus.
Being able to go to Whatsapp and download all of your contacts and messages in a 'commonly use and machine readable format' is awesome.
Now, of course, the devil is in the details. If 'machine readable format' is poorly defined, that provision is useless. If the consent provision requires 120 pt red font legalese on every page you enter data into, that's ridiculous. But since neither of us is going to go read the thing... at least the goals are good.
> Being able to go to Whatsapp and download all of your contacts and messages in a 'commonly use and machine readable format' is awesome.
Even better: being able to opt-out from sending all your contacts to WhatsApp, although they will just try to blackmail you into doing it anyway by citing false technical reasons.
> The true winners in this are obviously the platforms with the largest database of users and user interest: Google and Facebook. The two companies are are dominating already, and in essence killing smaller local (EU) publishers.
Neither is really a "publisher", and (as people are arguing elsewhere in this thread) it's the US multinationals which will be in a worse position, since they rely so heavily on doing things with people's personal data without clear consent.
> band together, creating cookie pools and sharing user information
My impression was the directive makes this harder since everyone involved would have to get informed consent.
> promote the "right way". Example: People get hit by cars crossing the roads anywhere. They invent a crosswalk and make it illegal to cross the road anywhere other than the crosswalk.
Ah, the American solution. The UK never made it illegal to cross the road and instead invented a type of crossing where the pedestrian always has priority. https://en.wikipedia.org/wiki/Belisha_beacon
Just as an American must check the legality before crossing the road, it seems the intent of the GDPR is to make every developer think twice before storing any data about the user in order to consider whether it is personal data, or the even more restricted category of sensitive personal data. Hopefully this will prevent users getting hit by privacy breaches, intentional or accidental.
The law doesn't regulate specific technological details because that would be far too dirigiste, and break down as soon as there's a new technological innovation. People would either be complaining that they couldn't use a new solution because it wasn't mentioned in the law, or that their privacy was being violated in a new context.
> 3. "The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity."
(and so on for 173 paragraphs before the directive starts)
Politics ideally try to generate the highest sum of wealth and well-being across all citizens. Having healthy corporations is nice, because it means your citizens have work, get paid etc., but it's not a goal unto itself. If those corporations are healthy, because they exploit your citizens, then they generate on average negative wealth. So, you need to put laws into place that balance things out. That's why the EU might want to put these laws into place.
You also seem to be misinformed about the GDPR. An essential part of it is that companies outside of the EU now do have to abide by EU data protection laws, if they want to process data of people in the EU. This really improves the situation for EU businesses, as they do not anymore have to compete against Google, Facebook, Microsoft and the like on uneven grounds.
I don't understand the outcry. Cookies are not required to show users ads or track clickthrough rates. Why will there be a loss of ad revenue? We had ads before privacy invasive techniques like retargeting.
But it can easily be argued that it's been a zero-sum game, where one actor has been forced to use more targeted ads because others have been more efficient (cheaper) by doing so. It's not like ads spending has increased; unless you're arguing that consumption has increased due to targeted/invasive ads?
It is difficult for me to see how it would be zero sum. Instead it seems very likely to me that the total amount spent by users online is higher with invasive ads than non-invasive ones: if no ad you see is relevant to you then you are less likely to buy anything online at all.
Zero sum in the sense that in so far marketing engages in the arms race of pushing the buttons of consumers rather than focusing on the products and honest descriptions of them, that is at the cost of ads that don't do that. With any individual ad you make you have the choice to go one way or the other, like two poles on a spectrum. If you are 80% of the way towards one pole, you are 20% of the way towards the other, you know the distance from both by knowing the distance from one.
> if no ad you see is relevant to you then you are less likely to buy anything online at all.
Only if you don't actually need that type of product after all, so I'd consider that another plus.
There's an argument I've seen - no idea whether it's correct - that users acclimatise to new advertising technology and eventually regress back to the mean. I suppose this would mean that newer and more invasive ads cause a spike in consumer spending, which drops over time until the next innovation.
I've never seen someone make that argument for better targeting, which is what they're saying cookies enable. You're not going to acclimate to being more interested in the ads you're seeing.
The argument for better targeting is simple: targeting works (whether directly or just through being a novelty), and those who engage in it get ahead of those who don't.
The argument for getting used to ads is mostly psychology/neuroscience.
If Wikipedia is right that "no consent is needed for non-privacy intrusive cookies improving internet experience", then that's a good sign EU is finally adopting ethics-based regulation instead of the old capability-based regulation that threatened to cripple the Internet. It also means they are now specifically targeting advertising business instead of legislating universally technophobic nonsense.
That was always the case (consent only required for third party cookies), but nobody understood it. Or was willing to give up Google Analytics. The EU has a bit of an issue with communicating to the public.
Where is it written that it applies only to third party cookies? AFAIK the old cookie law only allowed cookies without permission, first party or third party, where they were required for website to function, e.g. shopping cart cookies. I interpret this as banning even those cookies that improved user experience, but that weren't strictly required for the website to function.
Actually coming up with an example is quite easy. Consider website with huge catalog that customizes recommendations based on your previous activity on the website. This makes user experience better, but it is not strictly required for the site to function. None of the exceptions on the page you linked apply to this case.
If the user has an account cookie that would be subsumed in there, along with the consent notice that the site was storing your activity.
If there is no other cookie, then it gets interesting - you're storing a chunk of their browser history, which if you can identify it to a particular user becomes personal data. Then you need their permission to store this - and that's the intent of the GDPR.
You could easily do that for logged in users without using anything more than a session cookie to track that they are logged (which was allowed).
Tracking non-logged in users across multiple sessions is obviously not allowed without consent, but that is exactly the type of non-consensual privacy invasion that the law is intended to prevent.
I'm pretty ad-friendly compared to most on HN (people have shown countless times that they don't want to pay if they don't have to, and microtransaction/favor/tipping systems are a giant mess and likely always will be), but the "people have to track to keep stuff running!" view strikes me as naive.
a) Right now we have "content" created and tailored more to pull in ad revenue than to do anything user-beneficial. That's not ideal, most pure clickbait going away would not be a net negative. Consider news: was the internet of 15 years ago meaningfully devoid of news content compared to today, or was it better off cause it wasn't flooded with as much polarized crap?
b) There's an assumption here that ad spending will decrease. One alternative possibility is that ad companies have been stuck in arms races for years now, without actually increasing yield. Look at the reasons why companies are "pivoting to video" - even with all this tracking and "AI" garbage, online display ad effectiveness still sucks. As long as every network and publisher has to follow the same rules, I don't believe any advertiser is truly worse off. And from a principle-based view, I think any sort of smart-enough tracking to produce truly well-targeted ads (vs today's "here's that thing you already bought, let me show you it on every website now" crap) is too far on the creepy side to be something we want anyway.
c) The other side of the "sites won't make money anymore" side is that with a more even playing field there's a chance for some of the money to shift away from the people playing tech games and to the people producing the content. There's not a ton of effective competition in ad networks right now, look where all the revenue goes. A Facebook and Google duopoly also only makes the implications of the tracking worse.
d) Finally, from the advertiser's perspective: where else are they going to send that budget? TV? Newspapers? Please. And even the worst case here - a net decrease in ad spending - is hard to paint as such a huge loss since there's a lot of more productive things out there than showing ads.
There are a few other trends that will need to be ultimately addressed separately, though. One is the shift to video even for stuff that's rather stupid to force into the video format, just because the audience is more captive to ads, and this is a big problem IMO. Not really relevant to what we're discussing here, though. A more interesting debate may be around fraud prevention, I could see a plausible claim that if you have less history on the user you have fewer heuristics you can apply for fraud-fighting. I'm mostly meh on that, though, and willing to let fraud be the cost of business with internet display ads and hope it just washes out in the long run. (I'd prefer if it caused people to shift to paid models, but I'm not optimistic.)
Logins for news sites was tried in the 2000s and it failed miserably. The only ones who could survive such a strategy are news institutions with a large subscriber base like WSJ or the NYTimes. But even they are struggling.
Would a login collective be any better? I highly doubt it.
Is the article switching half way from talking about login cookies, to ad sales (which presumably is about tracking cookies of other kinds)?
I wish the law would just attack the problem at the root: remove all incentive to track users and gather their personal data. E.g. don’t allow advertisers to show ads to people based on anything they haven’t given that site. If I haven’t told the newspaper I’m visiting that I like fishing, they can’t show me fishing ads because I liked it on Facebook.
And if they can’t risk showing targeted ads, then the value for anyone to trade in this information vanishes.
This would also solve the problem of more and more advertising being harder to block because it’s “native”.
101 comments
[ 2.8 ms ] story [ 155 ms ] threadThe article is about what publishers to do, and speculates that smaller publisher may not be able to create a business model, but larger publishers will be able to adapt ad systems.
Subscription will be the future.
To me that's going to go down in internet history as one of the ultimate what-ifs. I feel like it was a missed opportunity for both companies.
Businesses aren't going to trade their content out of the goodness of their heart, they want something in exchange. I would much rather trade ad views through Mozilla using a list of my interests that I control than to allow excessive tracking and profile building by some untrusted third party.
What we apparently have now is login collectives starting up, but who's to say how good or bad the practices are for each, or whether they have the ability to adequately secure their system.
For example: https://www.civic.com/ (disclaimer: I own CVC tokens)
But then they talked about revocability and yeah, that's true; if an attacker tricks the provider into giving them an attestation, then the provider has no way to alert the requester if they discover the attack, since the user is mediating the conversation. The blockchain serves as a kind of neutral proxy that allows the provider and the requester to talk without meeting each other.
On the other hand, the requester still has to check the blockchain periodically to see if any revocation was issued, so it's not immediate. Rather than doing that, why doesn't the requester periodically require the user to provide a fresh attestation?
So yeah, I'm still not seeing why the blockchain is actually needed.
> It’s easy to confuse the ePrivacy regulation with the General Data Protection Regulation, a broader law addressing consumer data privacy that has dominated the market’s attention lately. The core difference is that cookie use is central to the ePrivacy regulation, which is why it’s known as the “cookie law.” Businesses in Europe must get explicit consent to use cookies and provide clear opt-outs to users under the proposed new law. Meanwhile, the GDPR regulates the general handling of personal data.
So yeah, confusing all around.
From a technology perspective, it is non-trivial for corps/companies to do this (since they don't value that). But the technology to do it already exists, so if laws are forcing people this direction, what is the best way to market the availability of systems like this?
Any thoughts/clues? Thanks!
[1] https://hackernoon.com/so-you-want-to-build-a-p2p-twitter-wi...
https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_...
There is already a website warning for the privacy issues of the platform (https://nonio.pt/).
However, I have yet to see a single argument where these regulations (both GDPR and ePrivacy) don't hurt EU businesses, and favors companies outside that don't have to abide by these stricter regulations.
So why has EU adopted this extremely hard line approach? What is the best case scenario?
I really can't wait the time you have to pay for most content. It will reduce informational clutter and improve quality of the content.
Many esteemed newspapers are already propaganda arms for their rich benefactors (see WaPo and Bezos) without whom they couldn't keep the lights on. This will only hasten this process for European media.
Maybe accelerationism is the right approach here but it is very unlikely to improve quality.
Specifically, here in Norway, no entity is allowed to own more than 33% of a media company like a news paper etc.
Many EU countries (like Germany) have proportional representation systems that eradicate two-party control.
Even in the UK where we do have two-party politics, the minor parties still pull in substantial voter share. And you don’t see extreme spending during campaigns. UK politics looks pretty shabby compared to spectacular that is US policial campaigning.
Anyway The point I’m trying to make is that publications relying on partisan funding isn’t really a danger in the EU. European media and politics is nothing like the US.
GDP per capita in the US is a third higher than in Germany and the US is four times more populous on top of that. The amount of wealth sloshing over there is incomparable.
NB: I don't necessarily disagree with the EU deciding to break Google and FB's business models; but pretending that's not what is happening is silly. It would have been helpful if FB hadn't basically told EU privacy regulators to DIAF.
The GDPR is composed of a bunch of vague hand waving subject to after the fact rule making by 29-ish different country specific privacy orgs, plus a fewer number of rules set out in black and white, presumably with limited local rule making capabilities. The black and white rules include that consent must be default opt-out, must specifically enumerate and permission each processing purpose, and cannot be required unless necessary to provide the service, even for free services.
The point is that Google or Facebook would get away with this while smaller sites won't.
And I think the eu will very specifically place the highest scrutiny on google and facebook, rather than the least.
edit: no doubt, some smart-asses are going to push their luck, but they'll get slapped down in short order (imo). The GDPR regulators will be looking to make an example of some companies.
Also, the stick here is the larger of 10m euro or 4% of global turnover.
If next to "Okay, I agree" button there's a "No, just let me through" button, people are going to do just that.
Whats the problem ?
"Realistically not every use can be put down a priori because that would preclude allAB testing of new features." means just that - it does preclude you from AB testing of new uses of that data as you might have done before. It's illegal now unless you get user consent beforehand. It doesn't prevent AB testing as such, but it does prevent "hidden" AB testing that doesn't inform users and doesn't give them an option to refuse.
The other available basis, legitimate interests, would be extremely hard to use as a basis for 3rd party target data sharing.
- Private Data is useful for Ads, but not the only way to run them.
- Ads are useful way of generating Revenue, but not the only way to get it.
- Revenue is useful to provide a Service, but not necessary, as evidenced by almost every startup out there ;).
Ok, I'm joking with the third a bit, but for the first two points - sure, data->ads->revenue might have been the easiest way to make money on the Internet, but it's not the only way, and the point of GDPR is for companies to explore other, less user-hostile options.
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A3...
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
I.e. instead of "can a business deny service, or offer degraded service instead, if no consent is given" think about the concept "if a business is known to deny service or offer degraded service instead if no consent is given, is that consent freely given or not?", and how will your business demonstrate to the regulator the legal basis that gives that you have the right to use that data - since now by default you're not allowed to have and use it. The evaluation criteria is not "did they click a box with required parameters" but rather "does your whole consent-gathering process ensure that you're not counting consent that users did not want to give" - if your consent-gathering process is flawed and systematically results in people who didn't want to consent being listed as "True" in your consent-database, then it means that you don't have consent from anyone.
This is an clear, large financial risk, since if a business does it this way I'm likely to intentionally go to their website, click 'Agree', enter my data, on the same day file the standard request to the business requesting information of the data they have on me and the legal grounds for using that, and if all they've got to say is "well, you clicked the agree button where the other choice was to refuse service" then I'll immediately file a complaint with the regulator that they're using my data without freely given consent (as the service was conditional on that consent) and deserve a fine for this violation. And the fines are substantial.
So a user would have two options: 1. Disagree, pay with money, 2. Agree, pay with private data.
All looks GDPR-compliant.
Data can be helpful to improve some recommendations that will make service better in the future - fine, the users can opt-in and some will do that; but that's not an automatic justification to use that data;
Data can be helpful to support the future development your service with revenue - fine, the users can opt-in and some will do that (i.e. many people turn off adblockers and give patreon funding to services they like), but again, that's not going to be legal justification to use data of those who don't want to.
There are a bunch of other exemptions where you can use that data without consent (compliance with other legal requirements, overriding public interest as in e.g. press about public officials), but "I need money to continue operating" is not among them. GDPR is intended to solve the conflict between "I don't want to provide data" vs "I need data-based revenue to continue operating" in the favor of users. If you really do need that data based revenue to operate, then the users can "vote" (by opt-in) whether they consider your continued operation valuable enough to hand over their data voluntarily.
[Example 1]
A mobile app for photo editing asks its users to have their GPS localisation activated for the use of its services.
The app also tells its users it will use the collected data for behavioural advertising purposes. Neither geo-localisation or online behavioural advertising are necessary for the provision of the photo editing service andgo beyond the delivery of the core service provided. Since users cannot use the app without consenting to thesepurposes, the consent cannot be considered as being freely given.
[Example 6]
A bank asks customers for consent to use their payment details for marketing purposes. This processing activity is not necessary for the performance of the contract with the customer and the delivery of ordinary bank account services. If the customer’s refusal to consent to this processing purpose would lead to the denial of banking services, closure of the bank account, or an increase of the fee, consent cannot be freely given or revoked.
You appear to be right. GDPR effectively bans targeted ads in EU which means a significant source of revenue, enough to be fatal, is now illegal. It seems to me that EU does not like private data as payment.
I wish good luck to citzens and businesses cause I certainly wouldnt/couldnt, as a business, provide EU.
ie
is legitimate consentIMO this demands more attention from HN: https://news.ycombinator.com/item?id=16314101
> Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Article 43:
> Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
I've only read interpretations of said guidance from the ICO, DPN, and DPC but they are exactly what you would expect from those two articles.
The best case is just that - businesses serving EU citizens (this includes most large multinational businesses as well, companies hosted outside do have to abide with these stricter regulation at least for EU users, since almost always they also have EU customers or EU presence) have to obey these rules. They don't get to (ab)use user's data that much and are unhappy about this, but figure out on how to live on without that data.
From a pragmatic standpoint the result of these new regulations seems to be not that publishers and other ad-financed businesses are saying "OK, ads are bad, let's do less of those". They are finding workarounds that abide by the law, but still allow them to target ads as optimally as they can.
The true winners in this are obviously the platforms with the largest database of users and user interest: Google and Facebook. The two companies are are dominating already, and in essence killing smaller local (EU) publishers. So from that perspective, are the regulators hoping that publishers and local companies band together, creating cookie pools and sharing user information amongst themselves to strengthen their position against FB and GOOG? Or are they hoping that EU companies come up with the holy grail of new revenue streams that nobody has though of yet?
TL;DR: In my mind: T stop bad things regulators make laws against something, and also to promote the "right way". Example: People get hit by cars crossing the roads anywhere. They invent a crosswalk and make it illegal to cross the road anywhere other than the crosswalk. What is the ePrivacy version of the crosswalk?
The new laws seem to avoid this mistake (of course, only time will tell for sure) - they are harsh enough to ensure the strategy "figure out what legalese we need to add to keep doing the same things" is not viable, and they have to actually stop gathering and using that data.
In my reading, GDPR seems like it will not enable workarounds that still allow targeting ads as optimally as they could in 2017. They'll still try to target them as optimally as they can, they'll probably figure out some workarounds for parts of it but that will by necessity be ads that are less targeted and use less private information (at least for EU residents) than last year. Also, the intent of lawmakers is clear - whatever workarounds the ad industry figures out to circumvent that intent are likely to be closed in 3-5 years with the next iteration of this directive.
The regulators are not "hoping that publishers and local companies band together, creating cookie pools and sharing user information amongst themselves" - they are explicitly creating conditions to ensure that it's almost impossible to get consent for that sharing of user information, and also that Facebook and Google will be able to get much less information than they could before - for example, the GDPR has a big impact on information gathered by all the FB like buttons and google analytics snippets in third party websites; and the "4% of global turnover" clause is included explicitly so that it has leverage to force Google and FB to change their behavior (at least for EU residents). There's no such thing as a "service-wide" opt-in for everything anymore; I will be able to deny Google consent to use my gmail data for targeting ads on google.com, and Google will have to obey; I will be able to ask Facebook for the data they've gathered about me on third party websites and get them to remove that data.
Since it's expected that most EU consumers will not give that consent (why would they?) it will pull Google and FB down to the level of those ordinary publishers; they will lose the data that historically gave them this advantage. They're not hoping that EU companies will magically grow new revenue streams, they are taking away those revenue streams (regarding EU customers) for all companies, EU and foreign.
This seems like what the regulators are actually expect to happen, and from what I've seeing in the internal activities of local businesses, it's going to happen - pretty much everyone here has major ongoing IT projects that will reduce the amount of private data that they are gathering and storing. That is the ePrivacy version of the crosswalk - stop gathering private data about users, anonymize/cleanse the data you already have, and do your advertising in a more coarse-grained manner.
First, there's no such thing as "click consent buttons in order to use the websites they want to use" - if clicking that button is needed to use the website, then it doesn't count as freely given consent. I.e. either the choices are "Agree and proceed" and "Disagree, but still proceed" or you might not have bothered with asking, since that click is not consent. If the data is not inherently needed to provide the service (i.e. a delivery address if you want something delivered), then users must have the option to refuse.
Second, there can be no single "consent to do everything". You have to explain every single usecase separately with details and specifics, and get consent for each use case separately. This is a big issue. If a small company has something particular in mind, it's not a big deal. But if a megacorp has (had) a habit to use your data everywhere for everything, that's not going to work. As GDPR states, “A purpose that is vague or general, such as for instance ‘Improving users’ experience’, ‘marketing purposes’, or ‘future research’ will – without further detail – usually not meet the criteria of being ‘specific’”. If the list of use cases and their details doesn't fit on a single screen, users simply won't accept them. For an organization like Facebook, it'll be a major challenge to simply list the places and ways where they are already using my data - and they'll either have to give that full list to me and somehow convince me that I should agree (as the default option is to refuse with no consequence to me) or stop doing it.
In essence, you have to bring them to the privacy dashboard first. And everything has to be opt-in (default off). If you have a random consent button like the classic "Agree" under terms and conditions - well, that doesn't count as informed consent, so if that was your system then you don't have consent from any of your users, and your use of their data was prohibited. Even if most users won't care, a few activists can force you to change the behavior for everyone or risk major fines - i.e. if I see that you're using my data without my consent, then it doesn't stop at you removing my data; the regulator can ask you to prove that you got informed, specific, freely given consent from all your other users.
Third, previous consent doesn't imply future consent - if you want to use the data for something new, previously this was done by quietly amending the terms and conditions, and adding a new option to the privacy dashboard (often pre-selected). Under GDPR, every new use requires new consent.
Fourth, a lot of the tracking has historically been done by third parties. I can see myself giving consent to use my data on some forum or blog that I frequent; however, the consent that I give them doesn't count as consent for all the ad networks running the ads on their site. The ad networks would have to ask permission separately (which they won't realistically get, ever) and they also can't count on getting the site owner to give them my data, since site owner needs my (separate! opt-in! specific instead of "may share with third parties"!) consent for that.
“We are collecting this data in order to provide relevant stories and advertisements on this website and partner websites. Please click Yes to enable your personalized feed”.
In your example:
"This data is absolutely required for the service you requested" >> no consent needed, you're just informing the user;
"Also, we'd like to use that data to personalize your feed" >> opt-in;
"Also, we'd like to use that data to personalize your advertisements on partner websites" >> a separate, different opt-in. The user can enable the personalized feed while denying you consent to share that data with advertisers.
The law intentionally doesn't set out explicit conditions to differentiate between what needs to be separate, and other conditions as well, to prevent gaming for workarounds. Instead, it lies out general principles and rights of the users, and gives a lot of leeway to the regulator(s) to evaluate if the usage of data was in accordance to the user's wishes.
In essence, the question is quite simple - did the user want you to use that data for whatever you did? And, can you demonstrate to the regulator that they intentionally gave you informed consent by freely opting in to that use?
If they genuinely wish you to have and use that data, then it's ok (and they're not going to complain) and if they did not actually want you to use that data but your process somehow managed them to click all the required boxes, then your process is wrong, since whatever it measures is not informed, freely given opt-in consent. E.g. if I'm the company, then it's my duty to show why I have the right to user other's private data. If the only justification I can provide is that they clicked on "We are collecting this data in order to provide relevant stories and advertisements on this website and partner websites. Please click Yes to enable your personalized feed", then that's a lousy justification - it demonstrates that users wanted me to enable their personalized feed (so I have permission to do that), but it doesn't really show that those who clicked 'Yes' wanted me to use their data for advertisements on partner websites, which is the criteria that matters. Any regulator will reasonably assume that it's likely that some of those users wanted the feed but did not want their data to be given to advertisers, in fact, they might have some evidence in forms of complaint from such users. Maybe some of them really wanted me to do just that (e.g. they freely wished to support my site in this way by donating access to their data), but that question did not give them the ability to clearly express this intent. If I had separated those things, I might have gotten consent from some users to share data with advertisers, but with the combined question I did not; so it'd be in my interests to separate those questions.
All the consent-related articles of the law and comments to them pretty much amount to repeatedly stating that if the user doesn't wish you to use that data, then the only way out is not to use it (or use it under some of the non-consensual use exemptions) - the law doesn't provide any option to claim consent if the customer doesn't actually want you to do what you did with their data.
For a crude comparison, the consent criteria seem to be comparable with those of sexual assault - no means no, a lack of answer is not consent, consent must be freely given and not coerced with some threats, consent can be withdrawn at any time, etc, etc; essentially it's only consent if they actually want to do that, no tricks or technicalities. The answer to "what prevents the company from blocking access if they say no along the way" is somewhat analogous to "what prevents your boss from firing you if you say no to requests of sexual favors" - they can do that, but the (implied) threat of it means that the act was not consensual and unacceptable even if you didn't say no.
The "cookie law" states quite clearly that you have to be able to say no and also explicitly states that it's only about tracking. The problem was that it was en EU directive and the member states implemented it quite differently (some not at all, claiming it already being covered by existing law) which led to a lot of confusion and companies getting away with those annoying OK-button banners.
I won't wade into whether the law is better for certain businesses, that's a complicated topic that I don't have the cycles for.
But what I will say is that the requirements[1] sound like really good benefits for consumers.
Being able to go to Facebook and say "delete everything you have on me" is a huge plus.
Being able to go to Whatsapp and download all of your contacts and messages in a 'commonly use and machine readable format' is awesome.
Now, of course, the devil is in the details. If 'machine readable format' is poorly defined, that provision is useless. If the consent provision requires 120 pt red font legalese on every page you enter data into, that's ridiculous. But since neither of us is going to go read the thing... at least the goals are good.
1: https://www.eugdpr.org/key-changes.html
Even better: being able to opt-out from sending all your contacts to WhatsApp, although they will just try to blackmail you into doing it anyway by citing false technical reasons.
Neither is really a "publisher", and (as people are arguing elsewhere in this thread) it's the US multinationals which will be in a worse position, since they rely so heavily on doing things with people's personal data without clear consent.
> band together, creating cookie pools and sharing user information
My impression was the directive makes this harder since everyone involved would have to get informed consent.
> promote the "right way". Example: People get hit by cars crossing the roads anywhere. They invent a crosswalk and make it illegal to cross the road anywhere other than the crosswalk.
Ah, the American solution. The UK never made it illegal to cross the road and instead invented a type of crossing where the pedestrian always has priority. https://en.wikipedia.org/wiki/Belisha_beacon
Just as an American must check the legality before crossing the road, it seems the intent of the GDPR is to make every developer think twice before storing any data about the user in order to consider whether it is personal data, or the even more restricted category of sensitive personal data. Hopefully this will prevent users getting hit by privacy breaches, intentional or accidental.
The law doesn't regulate specific technological details because that would be far too dirigiste, and break down as soon as there's a new technological innovation. People would either be complaining that they couldn't use a new solution because it wasn't mentioned in the law, or that their privacy was being violated in a new context.
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A3...
> 3. "The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised in the Charter as enshrined in the Treaties, in particular the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity."
(and so on for 173 paragraphs before the directive starts)
You also seem to be misinformed about the GDPR. An essential part of it is that companies outside of the EU now do have to abide by EU data protection laws, if they want to process data of people in the EU. This really improves the situation for EU businesses, as they do not anymore have to compete against Google, Facebook, Microsoft and the like on uneven grounds.
This is described in section 2 here: https://gdpr-info.eu/art-3-gdpr/
Presumably the privacy invasive techniques are done specifically because they increase ad revenue, not because the newspapers want to be nefarious.
> if no ad you see is relevant to you then you are less likely to buy anything online at all.
Only if you don't actually need that type of product after all, so I'd consider that another plus.
The argument for getting used to ads is mostly psychology/neuroscience.
I really like these euphemism, talking about lost ad sales when it's really about losing personal data sales.
If there is no other cookie, then it gets interesting - you're storing a chunk of their browser history, which if you can identify it to a particular user becomes personal data. Then you need their permission to store this - and that's the intent of the GDPR.
Tracking non-logged in users across multiple sessions is obviously not allowed without consent, but that is exactly the type of non-consensual privacy invasion that the law is intended to prevent.
a) Right now we have "content" created and tailored more to pull in ad revenue than to do anything user-beneficial. That's not ideal, most pure clickbait going away would not be a net negative. Consider news: was the internet of 15 years ago meaningfully devoid of news content compared to today, or was it better off cause it wasn't flooded with as much polarized crap?
b) There's an assumption here that ad spending will decrease. One alternative possibility is that ad companies have been stuck in arms races for years now, without actually increasing yield. Look at the reasons why companies are "pivoting to video" - even with all this tracking and "AI" garbage, online display ad effectiveness still sucks. As long as every network and publisher has to follow the same rules, I don't believe any advertiser is truly worse off. And from a principle-based view, I think any sort of smart-enough tracking to produce truly well-targeted ads (vs today's "here's that thing you already bought, let me show you it on every website now" crap) is too far on the creepy side to be something we want anyway.
c) The other side of the "sites won't make money anymore" side is that with a more even playing field there's a chance for some of the money to shift away from the people playing tech games and to the people producing the content. There's not a ton of effective competition in ad networks right now, look where all the revenue goes. A Facebook and Google duopoly also only makes the implications of the tracking worse.
d) Finally, from the advertiser's perspective: where else are they going to send that budget? TV? Newspapers? Please. And even the worst case here - a net decrease in ad spending - is hard to paint as such a huge loss since there's a lot of more productive things out there than showing ads.
There are a few other trends that will need to be ultimately addressed separately, though. One is the shift to video even for stuff that's rather stupid to force into the video format, just because the audience is more captive to ads, and this is a big problem IMO. Not really relevant to what we're discussing here, though. A more interesting debate may be around fraud prevention, I could see a plausible claim that if you have less history on the user you have fewer heuristics you can apply for fraud-fighting. I'm mostly meh on that, though, and willing to let fraud be the cost of business with internet display ads and hope it just washes out in the long run. (I'd prefer if it caused people to shift to paid models, but I'm not optimistic.)
Would a login collective be any better? I highly doubt it.
I wish the law would just attack the problem at the root: remove all incentive to track users and gather their personal data. E.g. don’t allow advertisers to show ads to people based on anything they haven’t given that site. If I haven’t told the newspaper I’m visiting that I like fishing, they can’t show me fishing ads because I liked it on Facebook.
And if they can’t risk showing targeted ads, then the value for anyone to trade in this information vanishes.
This would also solve the problem of more and more advertising being harder to block because it’s “native”.