170 comments

[ 5.1 ms ] story [ 232 ms ] thread
Broadcast ads would certainly be compliant.

(...and if the advertiser pays for the spot, not per view, "fraud detection" becomes moot as well.)

The “fraud” issue is then an issue is whether the placement is on a site that actually has rights to its content. Maybe this would make link farms and other spam sites uneconomical, which would be great.
Also those embedded in video ads YouTubers or podcasts do (assuming they comply with other regulations like disclosing the sponsored nature).

Online advertisers would explode if any online ad gave them viewability equivalent to the "the side of a bus", or "roadside billboards", only they can't measure it (but there are efforts to try with cameras on billboards in the industry), yet despite this buses and billboards actually carry a premium compared to internet ads because it's a less competitive market.

Behind those sponsorships is likely non-gdpr compliant tracking so advertisers know the audience type. I think of it like magazine ads of yore
In the world of smart TVs, and internet connected set-top boxes for satellite and cable TV this is not the case. Increasingly linear TV ads are discreetly swapped out for personalised ads targeting you.

> The creepy world of personalised ads is coming to your TV

> Channel 4 and Virgin Media are adopting Sky's AdSmart advertising system. Sky says it can put viewers into groups of 5,000 or more based on age, location, lifestyle, and "even if they have a cat"

https://www.wired.co.uk/article/personalisted-tv-adverts-sky...

That's a response more to the title than the content of the article.
It's a response to both. Der Spiegel could allow unadvertised access to its subscribers, and untargeted access to the general public. Es könnte sein.

Sure, "circulation" is not so well known, but was it ever exactly known for broadcast* television? free papers on trains? 50% of all advertising is worthless, anyway: to what extent do we have any idea that even fraud-detected CPM ever converts to actual sales? Why does anyone do "corporate identity" placement on PBS?

Finally, I'd have no problems (hint: how many targeted placements do you see on this webiste?) if a certain percentage of the internet disappeared because it was not economic to continue it without targeted advertising "revenue". If the market speaks, then let the market speak.

* my dorm was once a Nielsen household for a week or two. They were warned, but accepted 80 as our household size.

Nielsen ratings were a decent approximation and I would submit that the cost to print gave a certain incentive to try and get people to see the publication. With digital advertising it is easy to make many times more fake traffic than the site will ever have.

To your other point, the "certain percentage" is most of it and we won't have all that much to discuss here.

Again Jeff pretends that there are no ads but personalized ads that require you to collect any and all user data without consent.

Again Jeff pretends that data you need to collect to combat ad fraud can be freely used for any other purpose.

Again Jeff deliberately misrepresents the facts of the court cases he links.

Again Jeff makes it sound like Schrems is a bad ruling.

And throughout this all he presents this misinformation, intentional misrepresentation, deliberate twists of meaning and falsehoods bordering on outright lies as fact.

Jeff. Stop.

Edit: comments to the blog post call all this out and provide additional analysis. I highly recommend reading through them.

Ads predate surveillance capitalism, so of course they can.

Base the ad on the web page content, not on constantly spying on everyone.

"In the analog world, many homes are secured with a four-digit passcode. Therefore, a four-digit passcode should be sufficient to secure any Web account." This is the form of your argument.
No the argument is “therefore 4 digit passcode can also secure any web account”

Which is true. It’s just not as secure, just like dumb ads wouldn’t be as profitable as todays’ ads.

But no one is arguing they would be nearly as profitable. Or profitable at all. Only that they are possible. Maybe you get 5c where tug used to get $1. That’s fine! Take the 5c and just shut down the site if that isn’t enough. There will be new jobs in print advertising…

And this IS the argument for by-the-letter GDPR interpretation of cookie wall laws, or proponents of Adblocking: we don’t think the problem is to somehow find a solution that respects privacy and at the same time doesn’t torpedo the whole ad-based economy.

I just want ads not to spy on me and my regulators to do their job, even if 75% of “ad funded” content disappears tomorrow.

I don’t find the vision very inspiring.
I don't put your desire for money ahead of everyone else's right to privacy.

Not to mention the part where optimizing content for maximum ad impressions has led to the rise of extremist content and political infighting.

What if I like using ad-supported services and am not very excited about a barren Internet with little content? You are proposing to impose your will on everyone else so accusing anyone who doesn't particularly like it of wanton greed seems like an unfair attack.
Previous commenter: Yes, I am completely aware that many would hate an internet without 80% of the content. And I'm aware that some of those might be making a conscious transaction when they "sell" their information/integrity/whatever, in exchange for the service or information (My guess is a tiny majority - but I have nothing to back up that guess with).

So my argument is basically this

1) I don't think many understand what's being exchanged in the transaction. And I think such transactions shouldn't be allowed. So I don't think they must necessarily be "banned" outright, but they should be made very clear. And that's what the GDPR is trying to do. Not make anyone make transactions where they aren't aware what they are giving away.

2) If everyone is "aware enough" of what they are giving away, then I don't think enough people would accept it. So simply put, there is the "barren internet" or the internet that people like but for the most part because they aren't aware of what's going on.

Now,

Not only is it of course "my will imposed on others" (As is any legal/political argument or suggestion). But not only that, it's also a case of me arguing "people aren't clever enough to take care of their own integrity". And I stand firmly by that one as well.

> What if I like using ad-supported services

Again, ads are entirely possible without constantly spying on everyone, they are just less profitable, which is a good tradeoff for those who are not excessively greedy.

If you want to be allowed to spy on someone, all you have to do is get their informed consent.

Ads barely even sustain many ad-supported businesses now.
Sadly, ads are not the only thing that is problematic. It's almost impossibke to find something as mundane as an e-mail service that will sign a data processing agreement with its customers.
An email service seems like one of the businesses that would be most hesitant to sign such an agreement, given that the service involves sending personal messages with metadata attached in plaintext over the public Internet.
Let's put it this way: I've read a whole lot of privacy policies over the last month and, except for one law firm, none of them even mention e-mail. If I was in the questionable business of suing people for this, I'd have a lot to do. E-mail can contain a whole lot of PII and almost nobody gives two flying MIME headers about safeguarding it.
I'm not sure it's almost impossible. Let's look at the two biggest email providers out there.

1) GSuite. Here's their data processing terms https://cloud.google.com/terms/data-processing-addendum/inde...

2) Office365. Here you go https://www.microsoft.com/licensing/docs/view/Microsoft-Prod...

So both of them will absolutely sign one. Maybe you don't like google and microsoft. Let's look at some others. What about Fastmail?

https://www.fastmail.help/hc/en-us/articles/6049922252943-Fa...

Basically any legitimate email service will sign a gdpr-compliant data processing agreement as far as I can see. Certainly all the ones I have ever used do.

All of these are US companies, in which case the GDPR explicitly states that I need to have additional contractual clauses to transfer the data to the US, which would be nice to avoid. Furthermore, recent court decisions have stated that I, as the data controller, need to take additional technical measures to protect the data being transfered... which I'm supposed to do how exactly with e-mail?
What kind of agreement are you after? Does not the likes of protonmail suit your needs?
It's called a data processing agreement, where the data controller and data processor have an agreement how personally identifiable data is to be handled exactly. Protonmail is no exception to this as they still have access to unencrypted PII when they receive mail over SMTP.
Yes you can. It was the norm in the first days of the internet, before big corporation like Meta and Google made us believe that in order to show ADS you need to track the user.

Before one says "but if you don't track the user you cannot know how many user did see the AD and you cannot target the AD to the user preferences so no one will buy them", because nobody buys ADs on TV, radio and newspapers where you have the same one directional communication channel? Come on, they are only excuses to collect more user data...

Furthermore, both Google and Meta have quietly conceded that a lot of the digital attribution data they generate is pretty bunk. It’s why Meta developed Robyn, which uses MMM techniques that have long been used to measure effectiveness of traditional channels: https://github.com/facebookexperimental/Robyn
In the early days of the internet click fraud was rampant, and it has only gotten more and more sophisticated. While you could still do advertising the overall value would probably be much less valuable.
"Click fraud" is still just a subversion of a dataset that was not available to pre-digital (print, radio, TV, billboard) ads.

You do not need that information in order to run effective online ads. You've just been conditioned to believe it's necessary by DoubleClick, Google, et al.

Ad fraud is still pretty rampant now too - from outright fraud like Roku screen savers that click ads though to softer things like content sites that are written just to farm ads
I think this is the key: advertising not only risks becoming a lot less valuable, it should be a lot less valuable.

Without pinpoint targeting, more irrelevant ads will be shown. That reduces value.

Without lots of invasive tech, you can’t avoid fraud or track conversions. This also reduces value.

This isn’t an unfortunate side effect of GDPR and adblockers.

yes, ads can be GDPR compliant. Consider search ads. They are shown based on the keywords being searched by the user, no data collection needed for search ads to work really well.
We have reasonable guesses for how many people are going to see a print or television ad.
The same kind of methods can be applied to internet websites, even more easily because it's digital. GDPR doesn't say anywhere that you can't do analytics or whatever on your website, it only says that you can't track the user, but there are plenty of way to do analytics in a GDPR compliant way, and there are a number of even open source projects alternative to Google Analytics for example that allows to do so.

Of course what you can no longer do (without user consent, because if the user give you explicit consent you can) is to provide ADS targeted to a specific user based on tracking data. But you can assume that if a user visits a page that has a certain content it will be interested in certain type of ads, this is possible because you are not targeting the specific user based on data you collected on the user, but all the user that look at that content will see the same ads (that are pertinent).

Is a big loss? Yes, to Meta and Google, to company doing advertisement not, because this kind of advertisement is not that effective, and to users even more not because tracking is bad for their privacy in many ways.

This is correct, it's trivial to measure click through rates and conversion rates online without knowing anything about the person at all.
The article makes a big assumption that ads cannot exist without privacy violations, but that's simply not true. Print ads have existed for longer than the internet, and they're chosen based on the content, not the reader. If I'm reading an article about guitars, show me an ad for a guitar or pedal or amp. Easy. That would already be better than 99% of today's "targeted" ads.
I wonder if you read the part about fraud detection?
That argument is somewhat flimsy though. It is only a problem if you want to pay per view. If you just pay for "show it for one week" as in print then there is no issue.
But in print it is knowable how many copies are going out, isn't it?
Even that can be fiddled.

USAToday used to do it via deals with hotels to put one outside your room. Boom, extra copies!

Printing a newspaper at least costs a bit more money and there's a decent chance someone will read the copy of the paper in their hotel room. Fake Web traffic could easily dwarf real traffic.
Yeah although ad buyers of any sophistication knew going in that a lot of certain newspapers were hotel copies (though arguably a lot of people read those), trade rags vs. consumer subscriptions, general vs. niche, etc. and took that into account.

They still didn't have a great idea of how effective they were a lot of the time of course.

Advertisers would want to know something akin to circulation numbers before paying for placement though. And they would want to be reasonably confident those numbers aren't pumped by fraud.

Maybe the web needs something like Nielsen ratings, where Verified real users voluntarily submit their browsing to help advertisers determine watch time.

I talk about this at the end of the post as well. I think a ratings panel approach doesn't apply well to the web because the web is so fragmented. (In a good way! I like that there are lots of independent sites!)

Unless you had something like 10% of real users or a super representative 1% I think you'd have a big problem with getting realistic numbers outside huge sites.

Yes. But even if you pay for a month placement on a given site, the ad buyer is still going to want an estimate of how many legitimate viewers see/saw your ad.

It probably works better on things like podcasts but the bottom line is that you can't really trust me to tell you how many viewers my site had without some fraud detection mechanisms in place. (And even then fraud is apparently pretty rampant.)

I may be missing something, but why? Wouldn't the buyer just look at how many people arrived at their website from the ad?
How do you know those clicks are people? (You can measure just conversions but that's a much higher bar for measuring an ad and a direct conversion may not even be your objective.)
Bots can click through like any other visitors. They won't buy stuff, though, so if you're placing ads for people to directly take an expensive action ("performance advertising") you're mostly ok. Brand advertising, though, is very dependent on fraud detection because it doesn't have this clear connection.

There's more about this near the end of the post.

Do you think it’s possible to measure how many people are coming from an ad on a specific site and buying something, without also resorting to illegal tracking?
That's a good point. I think a shopping site might be able to succeed in arguing that they had a legitimate interest in tracking how people arrived on their site, but possibly not. On the other hand, if half of your visitors consent to tracking that's enough to have a pretty good sense of the value you're getting from each source.
>But even if you pay for a month placement on a given site, the ad buyer is still going to want an estimate of how many legitimate viewers see/saw your ad.

yes, you might WANT that. but you do not NEED that. Remember that ad's isn't only effective when clicking on it, but also by spreading visibility of your offer/product.

you could easily use sites visitor count as a estimate for monthly pricing. And frankly without all tracking there would be no incentives to fake click on ads at all, so you could get your own tracking on your own side.

If I can't tell with some degree of assurance whether you have 1K viewers per month or 1M viewers per month (never mind uniques), I'm probably not going to pay for ad on your site.
Print can charge for ad placement, not impressions. But that's only possible because the number of subscribers, size and number of print runs, circulation are well known and hard to fake stats.

The web cannot do that without tracking...

Big sites (newspapers) could do it the same way - maybe independent reach surveys could be the data that they use to back up their web ad pricing.
I think that's one of the points though. Big sites can back up their digital reach claims such as by using third parties. But if vetting yourself for advertisers was to become a requirement, advertisers just might not bother with small sites. Though admittedly Google makes money off small sites--but I bet most of those small sites don't make enough to make note of.
Google's vetting of small sites is pretty minimal. Instead they use fraud detection: vetting the traffic itself.
Right. Which is the point both of us are making I think. If you can't do some minimum floor of fraud detection more or less transparently and cheaply, you fall back on more heavyweight mechanisms and probably screen out any site that isn't "big."
Depends what you call tracking. Just like a newspaper company knows how many copies they distribute a website would know how many copies they've sent over the line.

You might not trust them but I don't see why you'd think a newspaper would have a harder time claiming they've made more copies than they have.

Sending out a newspaper is much more expensive than sending out a pageview. If a million bots visit my site everyday I can point at server logs showing very high numbers of pageviews, but you wouldn't want to use that to pay me!

Now, you could say don't do business with people who are trying to defraud you, but one of the more impressive things about the ad ecosystem is that it works without advertisers and publishers trusting each other. I can sell the space on my site and advertisers don't need to figure out how much to trust me in particular.

It's easy to have ad fraud that's plausibly deniable and maybe even not on purpose. Let's say you're a publisher and you want more people to come to your site. You look around and you find someone who says they run a newsletter and would be willing to include links to your stories for a small fee. When you multiply out the cost per visitor this looks like a pretty good deal; you say yes. This traffic turns out to be entirely bots, but you can't tell because we got rid of ad fraud detection.

> but one of the more impressive things about the ad ecosystem is that it works without advertisers and publishers trusting each other. I can sell the space on my site and advertisers don't need to figure out how much to trust me in particular.

For a person who worked in ads you are surprisingly oblivious to how both Facebook and Google defrauded advertisers and publishers.

- Facebook Lied About Video Metrics and It Killed Profitable Businesses https://www.ccn.com/facebook-lied-about-video-metrics/

- Google Hit With $268 Million Fine Over Unfair Ad Practices https://gizmodo.com/google-hit-with-268-million-fine-over-un...

Ad industry should burn in the fires of hell.

There was a second flaw in the premise between print publishers and websites. Some print publishers inflate circulation numbers when attempting to sell ad space in an attempt to make the ad space appear more valuable.

Similar double-selling of television ads take place as well. A network ad may run in the network feed and will appear in the network affidavit logs as having run. Local affiliates supercede network feeds all the time and in some of those cases they do so during a network ad pod and run station-sold ads. Consumer sees only one of the TV ads but both get reported as run.

Fraud in advertising isn't something new or isolated to the online medium.

Ignore the headline which is completely unsupported by anything in the story but circulation numbers are audited, e.g. by an organization called BPA. https://www.photonics.com/Articles/The_Magazine_Industrys_Di...

Doesn't mean there isn't fraud but someone can't really make up circulation numbers out of whole cloth.

Sure, but if anything that shows that newspaper companies can't be trusted to report accurate numbers if there is no oversight whatsoever.

All I'm saying is that the same logic holds for websites and that tracking people is a needlessly paranoid and harmful solution to the problem when it can be solved with trust, contracts and auditing.

>it can be solved with trust, contracts and auditing

I actually agree with you. And large businesses in particular are both audited and do internal audits all the time. It's not that they and their employees are all untrustworthy but audits can both catch mistakes and send a signal that people are watching.

There are probably other mechanisms to do fraud detection. But, as your comment suggests, they may be more heavyweight and therefore might exclude most smaller sites.

The argument is specific to electronic ads.
It isn't.

What the ad industry refers to as "fraud detection" is just abuse of a monitoring system they didn't have access to in print (pay per view/click) - print ads were still deemed effective even without assurance of per-individual revenue. There's no reason electronic ads couldn't've been treated the same - the only difference is advertisers have been allowed to develop surveillance to gain granular revenue insights (and anything abusing that system of surveillance is labelled "fraud")

Ad fraud is only legitimately "fraud" if you accept the pervasive surveillance it's "defrauding" is legitimate to begin with.

I don't see how you figure. If I pay to put an ad in the New York Times, the circulation is not a secret. If I pay to put an ad in some Web site (or, worse, thousands of Web sites I don't know about in advance) then I have no insight whatsoever into how many impressions I'm getting if we decide it's illegitimate to try and measure traffic.
You can measure traffic anonymously or pseudonymously without violating GDPR. Monitoring of traffic for a website owner is inarguably legitimate interest if even just for DOS protection. The tracking discussed in this article is not about traffic measurement, it's much deeper individual tracking.

Also...

> the circulation is not a secret

Isn't it? Like yes, there's a published figure, but is it verifiable?

If we're discussing potential for "fraud" here, I don't really see how there's any difference between online and print circulation.

For print circulation, there are two choices: the publisher can report their actual numbers or they can participate in fraud (by lying about it). The latter has real legal consequences attached to it. They might bet on never being found out; I am guessing that most do not.

For online "circulation", there are three choices: the two given above, plus the possibility that the "actual numbers" (e.g. generated from server logs) do not reflect what they appear to (ie. bot visits). This is "problem" that tracking seeks to fix, by avoiding a "circulation data source" (page visits) that isn't (and cannot be) reliable.

Not only that. I’m potentially publishing across many sites I haven’t verified. A well known newspaper seems unlikely to engage in outright fraud, but someone I don’t even know, why should I trust them?
Bot visits need incentives. There's two:

1. the current incentive where individual brands can defraud ad exchanges' pay-per-x systems. Without pay-per-x this incentive disappears.

2. publishers defrauding advertisers. This has similar cost & risk ratios online as either misreporting numbers or bulk-buying papers does in real life. There's also very little tangible difference between the ability of authorities or legal agents to enforce honest reporting of numbers online and in print. The two scenarios are eminently comparable.

Ultimately, removing pay-per-x brings online ads and the ability to defraud advertisers down to a level of equivalence with print.

There is no honest reporting of numbers online without some sort of tracking.
> Monitoring of traffic for a website owner is inarguably legitimate interest if even just for DOS protection.

Even in cases where the GDPR allows data collection for one purpose, that does not mean you can apply your collected data or analysis for a different purpose.

IANAL but I don't think that's what's happening here: the gp was referring to circulation figures. DOS-protective measures need insight on individual bad actors but only derived aggregate figures are needed for circulation. That's not something covered by GDPR in any way - it's extremely explicit in defining what types of data points relating to "natural persons" it covers.
I think what you're proposing is:

1. Collect data for DOS-prevention purposes.

2. Analyze it afterwards in aggregate for advertising purposes.

Except you can't do #2 without turning #1 into "collect data for DOS-prevention and advertising purposes", which goes beyond your legitimate interest in collecting the data.

I agree that #2 should be allowed if you'd do #1 anyway, but this isn't how the GDPR works.

Yeah it's easy and is exactly how ads were first implemented. Go do some research on the history of Google Adsense

Well big surprise: They don't perform as well. Don't you think there is a reason the ad industry went in the direction it did?

Now that they’re not allowed to go that direction, though, the old way looks more appealing.
Strange way of saying they have no other option
“No ads” is another option. See the title of the article up top of this discussion.
Surely no CEO would actually struggle to choose between legal and poorly-performing vs illegal and better-performing?
Who says personalised ads are better performing?

The companies who make the real money out of ads are ad tech vendors, with publishers often picking up the scraps

It’s not suprising that people who’ve worked in personalised ads often promote them as the only way to fund the internet

> Who says personalised ads are better performing?

I deliberately made my comment more generic, this isn't just about ads.

Any senior manager worth his or her salt knows that staying on the right side of the law is significantly more important than supporting any dubious "product improvement" which is on the wrong side of the law.

> Who says personalised ads are better performing?

https://twitter.com/garjoh_canuck/status/1318989360407236609 summarizes the studies on this, and this comment [1] gives additional context.

[1] https://www.lesswrong.com/posts/dFgfQTo4DRZG5t8Ap/can-ads-be...

Garrett's thread and the studies in it are often rolled out as evidence that personalised ads perform better and so losing the ability to harvest data that supports personalised ads would be bad for the web

Looking how the data was collected in the studies and where it comes from then Google, FB and other adtech vendors feature strongly (and they can't be considered neutral sources)

In the ad market there are three participants - advertiser, publishers, ad networks.

The last group keep telling us we need them for a health internet, while being completely opaque but making billions creaming off their cut of advertising revenue (there don't seem to be any reliable figures on how much they actually take but an old Guardian study found that sometimes they were getting less than 10% of the revenue the advertiser actually spent - Guardian have brought ad sales in house since)

Alternatives such as category based advertising are often not discussed other than to say 'if personal ads go then the spend is likely to be re-directed towards category based ads'

Even Google while claiming personalised ads are better seems to rely on category based ads for the revenue from search ads (see the CMA report)

IME working alongside various publishers it's often that case that directly sold category based ads are way more profitable for the publishers

Given thread like https://twitter.com/nandoodles/status/1582434737813348352 (and others) I'm deeply skeptical of claims ad tech companies make

A large factor is whether or not there are any contextual ads at all for the content being viewed. Sure, random sites with amazon product lists might benefit from letting Google Ads scrape their page then show ads related to the products, but random forums and game sites might not have any contextual ads that would sell.

For example, dotapicker.com (which allows you to see counter-pick viability in Dota 2) runs ads but they're either ads of web-based video games that shows a lot of skin and have very vague wording to skirt Google Ads guidelines (about a quarter of the time), or random product and services related to my overall browsing history, eg. Amazon/Etsy/Ebay/etc or B2B services like Monday.com.

Contextual ads definitely work where they can, which is why google.com ads are all contextual to your search, but it expands available ad real-estate to run targeted ads in places that otherwise would get no clicks.

There's a decent amount that can still be done cleanly. You can count how many impressions were served vs how many clicked through. You can use campaign slugs to measure which sites sent more, or how effective different ads were. You can serve different ads to different geographic regions, and as you said - different pages ..

Almost everything we currently decide when you visit a page, the only real concession is that it's scoped to the current page, rather than every page that we know you've visited.

I'm honestly not convinced our current idea of targeted ads actually works. Continually showing me links to a product I bought someone for Christmas a month ago isn't remotely clever, despite being precisely targeted. "People shopping for guitars on Saturdays are more likely to convert to sales, than people shopping while they should be working" does not require storing PII, and is (hypothetically) more useful than "If you bought a guitar last week, surely you're more likely to buy a guitar this week".

My friend has been at Facebook forever - apparently new hires often show up and say "I just bought a vacuum cleaner, why do you think I need a new one?" and the strategy of not showing you that ad gets tried over and over, and never actually improves clicks. Friend also doesn't have an explanation, apparently there are just people out there, who look just like you and me, but buy their vacuum cleaners two at a time a week apart. Mystery.
That's what happens when you are so bad at predicting a thing that any noise overwhelms your signal.

People sending stuff they brought back and buying something else exist, and also people buying for their friends. But if you had an actually good prediction of their behavior, you wouldn't need to proxy it by "brought a vacuum recently".

Yet, companies insist that failure is a feature, and that their local maximum is the best possible world. And will keep harming advertisers, viewers and society to keep their position at that peak.

If not showing repeat vacuums does not improve clicks, I'd be very curious if it reduces clicks either.

It seems like what you posit is only a mystery if we take it on faith that targeting works. Once that faith is lost, you can also approach it from the angle that if showing them something we think they want is just as effective as something we know they don't want, you're actually proving that "what we think they want" isn't working either.

I mean, given "we know you've bought a vacuum cleaner" and "we think you'd like a kettle" - if ads for either are equally effective, either there's a lot more people collecting vacuums than either of us would have expected - or we're entirely wrong about the kettle. And it seems to me that our blind faith in targeted advertising leads us to wonder why people want so many vacuums.

I don't think it's a mystery. Ad targeting usually doesn't know which people have just bought a vacuum, just that someone has been looking at vacuums recently. People who have been looking at vacuums are far more likely than the typical person to buy one, so it's not surprising that it would be worth showing them an ad reminding them that they can buy one from you. Especially with higher margin products like mattresses or cars.

But how do we explain how there are also advertisers like Amazon who do know that you just bought a vacuum from them and still show you more ads for it? Since Amazon is in a position to run principled A/B tests on whether showing these ads leads to sales that otherwise wouldn't have happened, and they are the kind of organization I'd expect to get this right, this part I am willing to accept without external evidence. It's probably that the likelihood of additional purchases of the same item, for yourself or others, is high enough, combined with that the cost of advertising to you is low enough.

I agree. There is a lot of folklore amongst advertisers. Also, the companies serving the ads, do not care whether the advertisement achieves it's purpose, they only care about the goal they get paid for. Next, there is the rat race between advertisers, outbidding each other on certain users. The house always wins.

Removing PII will hopefully hurt the greedy ad serving companies most. Though I am scared they will find workarounds.

My website https://officesnapshots.com does this.

Our niche is office design content and we sell advertising primarily to office furniture manufacturers. The ads are hosted by us and are sold directly.

This approach definitely works, and I agree you can do it without any tracking. All that's needed is that the furniture manufacturers can tell how much of their purchases are coming via your site.

But this is also not a model that can support a very large fraction of the existing web. Most sites aren't built from the ground up to have this kind of highly commercial tie-in.

Monetizing a general news website would definitely be quite hard with this model.

*edit: that said there is a local news website in my city that has local ads for local services and businesses.

Our specific case is weird in that contract furniture is mostly purchased through dealers so tracking sales isn’t as straightforward.

We partially do something similar. I wrote an adserver that mainly serves contextual ads. We also serve consent-requiring ads if given, but with an adblocker (a bespoke adserver for a smallish site rarely gets blocked) or no consent, we serve HTML ads based on context.
(comment deleted)
I also wonder if these really targeted ads are cost effective. If ads were run as they used to be positioned in Newspapers and Magazines, a simple area of the screen that was set aside for an advertiser, with no targeting, no tracking, and performance measured simply by "impressions" and "clickthroughs" would they work at all? It would be much better for the users. (I'm always amazed at how unusable the websites of my local TV stations are with the adblocker off. Popups and blinking things everywhere, and the page just keeps changing out from under me.)
It's not a question of whether or not they can exist. It's a question of whether or not they can be effective enough that the advertisers will pay enough for them to provide enough revenue to keep the site afloat.

Someone reading a print article is probably a much stronger signal that they are interested in things related to the article or the topic of the publication than is someone reading an article on a website.

If some random site runs an article about, say, a meteor shower you probably can't infer that the reader has more than a passing interest in astronomy. Even of a site that is focused on astronomy runs such an article they are still likely to get a lot of casual readers, such as people who heard on the news about an upcoming meteor shower and Googled to find more information.

If on the other hand Sky & Telescope runs an article about a meteor shower in their printed magazine it is probably a safe bet that most people reading that have a fairly serious interest in astronomy.

If I were trying to sell astronomical equipment I'd probably be willing to pay a lot more to run an ad in Sky & Telescope than I'd pay to run the same ad on a "free but with ads" astronomy website and I'd pay even less to run it on some non-astronomy site that happens to be running an astronomy article.

I think this largely invalidates most of the "it worked for print so it will work on the web" arguments I've seen except maybe for websites with well enforced paywalls.

You're trading one evil for another. If your primary revenue source is guitar manufacturers, how likely are you to write an honest guitar review?
HN has an advert on the front page right now --

  PhotoRoom Is Hiring a Fullstack API Developer (OpenAPI, Python, React) in Paris (lever.co)
Perfectly GDPR compliant

(Many people on HN are fully invested in an industry built around personal informaiton theft so hate things like GDPR as it stop them extracting money from people hence the immediate downvotes)

In case folks don’t know, one of the benefits of being accepted to Ycombinator is that you can place hiring notices directly on the front page of HN. Notice how there is not a voting arrow next to the Photoroom post. It is basically an ad.
Say I'm Der Spiegel. How does this model help me?
Der Spiegal can sell advertisers ad spots like these, without targeting to specific audiences (but targeting them to specific sections on your site, e.g. different ads next to sports news and fashion news), and without tracking who exactly views them, rather relying on general audience statistics (e.g. Nielsen-like surveys of what percentage of German consumers read Der Spiegel online).

Perfectly GDPR-compliant, simple, and worked in practice for decades. Of course it's less lucrative than ads based on invasive surveillance, but if those get prohibited, that's a reasonable alternative.

I discuss this in the post: Nielsen like surveys work when there are a small number of things people can be watching/readings/listening to. Der Spiegel may or may not be big enough for this, depending on how many people are in your panel, but a panel big enough to get good coverage across smaller sights is not practical.
Der Spiegel has been selling adverts in its publications since 1947. I'm fairly sure in 1947 they couldn't track individuals reading them. They couldn't even measure how many people read them.
I do wish we didn’t have to keep retreading the same arguments answered in the piece in this discussion.
I don't understand.

HN is simply rendering a link. This is different than many online ads, which make a call to some remote server which returns the ad content (and presumably tracks you without consent).

There is not a third party serving the content for the HN portfolio company hiring link, so no GDPR violation, right?

Help me understand the problem.

Even in cases where every part of ad serving happens in house, as it does, ex, with ads on Google Search or Facebook, the GDPR still applies.

The reason that HN ads aren't a problem under the GDPR is that they don't (as far as I know) collect or use any personal data in their ad system. But that's something that works much better for HN than for most sites.

That's the point - it's an advert with no GDPR violation, thus the answer to the question is "Yes"
Wow, thanks. I just realized, I misinterpreted your comment as a sarcastic criticism of HN, when it was not.
HN has a clear commercial tie-in: the audience has a lot of people who are looking for highly compensated software engineering jobs. The issue is all the other sites.
Another interesting question (perhaps even more so) is whether these regulations actually are beneficial. For example, let's say the EU just banned internet advertising in general. Would this hurt or benefit the EU?

As for the question posed in the article, the answer is obviously yes. You don't need to track people to do online advertising.

The issues of fraud and what not are separate. Sufficiently cheap ad space would still be desirable.

The EU isn’t going to ban online advertising, so the question isn’t that interesting. It sounds more like a slippery slope argument.

What the EU privacy push has created is an incentive for ad networks to improve. What we are already seeing are strategies that preserve both privacy as well as a revenue stream using, for examples, cohorts or that strategy (whose name I seem to have forgotten) of adding some randomness to raw data that cancels out at the learning stage.

These aren’t perfect, but it is an improvement.

I’m not sure you understand what a slippery slope argument is.

Inherently there’s a trade off between personalization and effectiveness of advertising.

Inherently there’s a trade-off between speed and safety of a car. Doesn’t mean you can’t improve safety for a given speed, given the right incentives.
The analogy doesn’t make any sense. Privacy is not inherently “safe” to begin with.
> As for the question posed in the article, the answer is obviously yes. You don't need to track people to do online advertising.

I think you will find the article raises some problems with that view.

> and "brand", which is trying to influence your future purchases in a much less legible manner (drink more Coke). Brand advertising is where the biggest spending is, but because the purchases aren't tied to clicks it's very dependent on keeping down fraud.

I find this part a bit surprising. Brand advertising surely cares about fraud when it’s done on a cost per impression model. But I expect that brand advertising’s effectiveness is more related to placements, not impressions. For example, Nike once famously reduced the number of swooshes they used because they thought that having too many diluted the brand. Similarly, a brand placement somewhere like a movie or an article might have high impact despite only being seen once per viewer, whereas a placement on a site that gets lots of intra-site clicks (like Amazon or some mediocre review site) will get many more impressions per viewer but likely less impact per viewer despite a higher number of impressions.

So, with a cost per placement model, I would expect the simple forms of fraud to be much less relevant.

In addition, “premium” placements and take-overs can be negotiated without metrics and just a flat fee making fraudulent impressions a non-issue entirely.
They can be. But when you say “premium placements” and “take-overs”, I hear “banner ads” and “pop-ups”. They didn’t go away for regulatory reasons so they can absolutely return if there’s a financial incentive to make them.
Banner ads? Maybe.

But take a brand like Nike as an example. I can imagine Nike paying to put (one!) swoosh on an article on a site like ESPN. But Nike, if they’re doing their job right, would not want a swoosh to interrupt the reader’s experience — that’s the opposite of good branding.

Consider FM radio as another example. Ads on most music stations are obnoxious. Sponsorships on NPR are generally much more subdued, take less time, and don’t try to stand out.

(Oddly, NPR is quite obnoxious about their own fundraising placements. I wonder whether they would be more effective if they backed off a bit.)

Generally, a "take-over" is a guarantee from a publisher that all ad slots appearing on a specific page will only deliver ads for a single advertisers for a limited time period, usually a day or two.

Variations on "take-over" exist where you may have a "branded slate" in which the normal framing and background of the site will also be updated to align (and sometimes synchronize) with the "take-over" ads for that day.

You have likely visited imdb.com at some point in time. With so many TV shows and movies premiering throughout the year, IMDB has a higher frequency of "take-overs" than an average site.

The "pop-ups" or interstitials did decrease due to being bad design & bad consumer experience, but have returned and are now overrun with publisher sign-in and privacy/consent interstitials.

I'm not sure the relationship you're positing. They would still want to know how many people look at the article. Right?
They would, but they will also want to know how many people read all the way through, how many come back, how many bookmark it or navigate directly, etc. And the advertisers may even want to perform due diligence on their venues.

See daringfireball as a somewhat vocal example of how this can work. NPR has a similar model.

Click farms will not land actual high paying placements no matter how many click they claim.

edit: there could be a startup opportunity here. Build a placement ad network. Participating sites get vetted. Placements are per article, optionally for a limited time or limited geographic region. No tracking. Sites agree to be monitored by human and AI analysis for quality and non-spamminess. Sites warrant that their content is original and the network assists with copyright enforcement. Ads come from the backend (first-party), may be genuinely a part of a content, are are very difficult to ad-block. Ads involve no scripts at all. GDPR compliance is above-and-beyond. Advertisers pay very high rates compared to current systems but get higher value out.

The network helps warn sites if they are inadvertently letting other networks track their users. After all, a high quality site wants to monetize its own users, not let its users be tracked and monetized elsewhere.

In general, ads on a system like this might not even be clickable.

Maybe someone can school me on this, but why can't website owners just specify which ads are displayed on their page?

Like, if I had a blog about mountaineering I would like Google to only show ads about hiking gear, regardless of the cookies of the person visiting the website. Of course my CPM would be lower, but at least I won't need to track my users and I won't have baby formula or school supplies ads between my reviews of snow boots.

> Allow Der Spiegel's approach where sites can let users choose between ads with personalization or paying a reasonable price for access, under the principle that this is a real choice.

This would water down the whole GDPR since its primary function is to stop using PII as merchandise.

Many people attempt to wishcast this goal onto the GDPR, so I can understand your confusion, but the GDPR itself says no such thing. The purpose of the regulation is to ensure that your data is protected and you have control over it; companies are explicitly permitted to use it for whatever purpose they’d like so long as you give free and informed consent to it.
The GDPR definition of "freely given consent" is explicitly written to exclude "sale of consent" - if you say that you'll give you $1 (or some other benefit) if you consent, then according to GDPR that consent is not freely given and thus does not grant you the right to use that PII. In essence, "GDPR consent" applies when people really want you to do that thing with their data, and does not apply if they'd rather not but it comes as a requirement for something else or "bundled" with something desirable.

Also, if consent is the legal basis for processing, it must be possible to withdraw consent without any adverse consequence, so if e.g. you give a discounted subscription to people who gave consent, then you can't revoke that subscription or discount if the data subject withdraws that consent a minute later. If you say that you'll provide some service only if the user "consents", then GDPR presumes that the consent is not freely given (e.g. recital 43 of GDPR).

Which provision of the GDPR explicitly defines “freely given” to exclude “sale of consent”? Again, I know this is conventional wisdom that gets passed around a lot, but as far as I can tell it’s not present in the actual text of the regulation.

e: I see a stealth edited reference to recital 43, which I hadn’t seen before and does seem to show I’m wrong here. Thanks for the reference.

The main part is article 7.4 "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract." which is a bit tricky legal language to make the distinction between PII use that's actually needed to perform the contract (which doesn't need consent, e.g. address to deliver goods) and uses beyond that (e.g. using the same address afterwards for ad targeting).

The final part of recital 42 "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." is probably even more clarifying than recital 43.

I agree that's what the GDPR says, and what it will be interpreted by courts to mean. But, as I get into at the end of the post, I don't think this is what it should say.
At its core, GDPR is not about digital advertising, it's about all-encompassing rules for all industries to tackle privacy in an appropriate way. The clauses regarding consent have to work well (and generally do) for things like supermarkets asking 'consent' for privacy-invasive things in their loyalty/discount cards, for cell phone operators selling location data with 'consent' of the users, for employees 'consenting' to surveillance by employers, for consent in landlord-renter and real estate broker relations, etc, etc - that is the main purpose of GDPR, websites are a relatively small part of it which is only getting attention because this part is the one that works remotely and thus affects USA companies.

Adjusting GDPR core principles for the purposes of website ads would be like the tail wagging the dog - if it "fixes" web ads but worsens handling of much more sensitive things like companies wanting to exploit data in physical shopping, telecommunications, healthcare and banking, then it's not worth it.

> websites are a relatively small part of it which is only getting attention because this part is the one that works remotely and thus affects USA companies.

On top of that there's USA itself. Which said "if an American company serves anyone anywhere in the world we have the right to request any and all data on all users of that company, regardless of their residence or citizenship". That's what Schrems II was about: there's either privacy and protection of people's data or working with US-based companies. Europe keeps chosing the former, thankfully.

I was under the impression that while "cookie walls" (Accept or get out) were not allowed, providing a paywall with a choice between "ads/tracking" and "payment" was already permissible* under GDPR. Is this not the case?

According to https://www.iubenda.com/en/help/24487-cookie-walls-gdpr

> As regards paywalls, the Garante published a press release to inform that it’s analyzing this solution as implemented by some Italian publishers.

> The Austrian and French DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.

> As it stands, the decision of whether paywalls can be compliant or not is still somewhat of a grey area. We will have to wait for a uniform approach from the DPAs to better assess the compliance of these mechanisms.

I have mixed feelings about this. There is some validity to providing an alternative method of funding the website, but at the same time it will most likely maintain the status quo as the vast majority of people are conditioned to accessing online content for free.

Even having a setting where you choose between 2 dumb ads and 1 targeted ad shouldn’t be acceptable.
The argument is interesting but I find it hard to believe EU regulators really wish to nuke the entire industry of ad-supported content.
> nuke the entire industry of ad-supported content

God, I wish. Imagine a world of content with no ads, supported by willing payment, not data extortion.

It's not even that far off, a lot of the people I follow make their money from subscriptions, donations and sponsorships.

Well, what's the point of... say, Hacker News... if I can only read publications I already subscribe to?
Most of the links I click on Hacker News are to content which the authors would make and publish even if their site had 0 ad revenue. A good publication on a website is a consequence of them building the thing or wanting to express an opinion, not putting the cart ahead of the horse and building or writing some crap just to attract random visitors and show them ads.
I see it as something of a problem that most of the world’s newspapers are “writing some crap just to attract random visitors and show them ads” if we’re deeming that model illegitimate.
For the specific niche of Hacker News style tech content (there are many domains where it's different - e.g. actual local news/politics/etc), when a major newspaper or news site is linked, then it generally either republishes or rewrites some primary source, and we here would prefer to see a link to the original - e.g. the actual paper from the university or the project description from its author with all the nitty-gritty details, instead of a vague pop-sci rewrite to make it more palatable to a non-tech audience. And in those cases, yes, the news site is only writing about the content to push ads, and there is no reason to legitimize various intermediaries which do not add value.
The law is pretty clear. For example it’s not acceptable, as the article describes, to have 2 buttons saying “accept” and “options”. It just isn’t.

So many (most?) sites are in a state of noncompliance simply because they believe their business model requires it.

But I find it hard to believe regulators create laws without the intent of enforcing them. The fines for noncompliance can be very stiff.

Personally I’m hoping there will be a few high publicity examples made soon.

Why do you find that unbelievable? It would pretty much impossible for any polity to enforce every single law literally as written.
ReadTheDocs have a sub-division called Ethical Ads, where targeting occurs based on the content of the page you are viewing, and are claimed to be privacy-respecting. Developers are the ones targeted by these ads.

https://www.ethicalads.io/blog/2022/11/a-new-approach-to-con...

I'm running ethicalads on my site (vadosware.io) and it's been pretty great so far (though I suspect revenue is much lower than other alternatives) -- they also have an open source server which they run an instance of and give you access to:

https://github.com/readthedocs/ethical-ad-server

Stats and lots of information about the advertisements and click rates/etc is available.

Been pretty smooth sailing so far, was going to write about it in the future.

Very basic question: Suppose in addition to the usual tracking ad for $X, you also offer "basic ads" with no tracking, no fraud protection etc., just a fixed ad shown for the same amount of time for $Y. How much less is Y? A half? A third? One hundredth?

Follow up: Suppose the option for $X is ruled illegal. What is Y now?

I'm somewhat skeptical of the figure but research from 2019 seems to suggest the difference is only around 4%.

https://techcrunch.com/2019/05/31/targeted-ads-offer-little-...

Where are you getting the 4% from?

The most relevant part seems to be

> [...] ads were sold with targeting attached, and advertisers were willing to pay a 60% premium for those ads.

So, say $3 vs $2 or showing two tracking ads vs three basic ads.

So tracking seems surprisingly useless for all the work involved?

That only shows they're mistakenly undervaluing basic ads. If advertisers lose 4% of revenue without tracking, it stands to reason they should pay ~4% less for those ads, not 40% less.
> Browsers could offer sites a way to verify that your users aren't bots without any personal data being sent off the device.

A sufficiently memory-hard and ASIC-resistant proof of work scheme could be used here. But obviously, that implies some non-negligible load on the client.

I rather suspect that said PoW will either be cheap enough to be ineffective, or expensive enough to block phones (or perhaps just murder their batteries).
How about PoS then?

* Lock up, say, $5, in anonymous cryptocurrency like Monero

* When visiting example.org, sign a message "example.org <current timestamp>" with your private key, and include the signed message in a request header

* example.org can verify the signature (and the fact it's backed by $5)

* example.org can also forward the signed messages to the advertiser as a proof of legitimate pageviews

* if a bot farmer wants fake pageviews, they need to lock up separate $5 per bot (and if we're counting unique pageviews, then per pageview)

edit: one gothca here is that sites could collect the signed messages to track users across sites. Perhaps there's a way to sign messages so that you prove you have $5, but not which $5 – I don't know.

TV ads are GDPR-compliant, they still work and they even are targeted (by time and target audience).

Just do the same on the web:

You (or an ad aggregator network) can ask (by e-mail or automatically via an API) a specific website to show a specific ad without leaking any details about any specific visitor.

You can still target safely by the website (target audience) and specific page, time, IP geolocation, for registered (at the website you advertise at) users also by the details they voluntarily provide (without leaking personalized details to you/aggregator).

I discuss this near the end of the post: a ratings approach (mostly) works for TV because there aren't very many channels, but there are so many sites that it wouldn't work well on the web. If you tried to make it work here it would require massive consolidation, even more than we already have.
Of course web ad efficiency will drop if we stick to GDPR-compliant practices only. Perhaps reaching the target audience efficiently will become less accessible to small businesses. Yet this is not enough to question if GDPR-compliant web advertising is possible.

Okay, the number of TV channels is small, I get your point. But there also are physical ads, e.g. billboards, subway posters, cards/booklets, local newspapers which often are focused to a small number of physical locations but still happen to generate enough revenue to sustain a business.

There also are agencies which would put your ad on posters all over the country - ad aggregator networks can still work and manage the consolidation this way, we only want to hide viewer personal details from them, not to eliminate them completely. This will decrease significantly (yet not kill completely) targeting efficiency, make display/click price bargaining more subjective but that's all.

By the way there is a direct counterpart to TV commercials in the web world: YouTube/Instagram/TikTok influences promoting sponsors' products by just mentioning them in their episodes. Apparently this works despite the fragmentation.
Google and Meta wouldn't want to go back to contextual ads, because that invites competition. Their moat is their huge userbases and tracking pixels make advertisers feel like gods driving minions to sales. Everyone can make contextual advertising, but stalking users requires dominant-player status.

OTOH we have places like youtube where content makers seem to make more money with sponsorships (which are like contextual ads) than with google's adsense. So it seems like it s time to call out the advertisers: Why haven't they ever taken a stand vis-a-vis stalker advertising? It also seems weird to me that advertisers are not being fined for targetting users even though they are the original perpetrators.

I would like to be able to monetize my websites, but google and EU are both my enemy

> OTOH we have places like youtube where content makers seem to make more money with sponsorships (which are like contextual ads) than with google's adsense.

Even if not more, it would be in addition to what the google way would generate. Or for those for which google won't pay due to copyright claims, it is the only way, in which case any sponsorship is more than google.

As many others have also commented here, I strongly disagree with the author's argument that fraud prevention is legitimate: the word "fraud" here is tantamount to propaganda - the only thing being defrauded is a system of surveillance that shouldn't exist to begin with, and that every non-internet form of advertising has done perfectly well without.

The other argument about the Der Spiegel paywall-or-ads model is also tricky. I do understand where they're coming from, but the argument only holds in a theoretical situation of perfect knowledge (a visitor to your website fully understanding the implications of accepting ads). Requiring this level of consumer understanding isn't reasonable imo. This doesn't even work in Der Spiegel's favour: the only reason to offer the free ad-supported model is that they're forced to compete with free ad-supported alternatives. Otherwise the incentive to pay would be higher for visitors.

Ultimately though, the biggest argument to allow things like the above is corruption: currently we're very slowly seeing the GDPR being enforced many years later in just one or two large cases. There are millions of potential cases that'll never be prosecuted, not only because doing so would generally be unviable (it could still be an effective disincentive) but also because there's massive amounts of government lobbying to disincentivise prosecution and to defund independent data protection offices (keeping the level of enforcement even further below what it should be).

How is this even a question? Of course ads can be GDPR compliant! There's nothing non-compliant about putting some PNG with an ad on your site.

The question being asked is, can spyware be made GDPR-compliant if we just get the user to hit "accept". That's a much more difficult question. But do not conflate adverts and spyware. It doesn't have to be this way.

The author writes: "Allow ad fraud detection under >legitimate interest<, which is the key thing keeping ads from being practical under the GDPR."

Unfortunately this approach means that shady companies will still break the law, since breaking the law would give them a very big advantage. All ads would just be bought via some company fronted in some country with no regulation, or by a chain of companies that appear and disappear. It could also be like "FTX" and "Alameda research" again - this time not tokens, but information about ads would be shared. You can easily see various ad companies coming out of nowhere - if they broke the law, their ads would work better, so everyone would jump there. Then the company would implode, so everyone would jump somewhere else.

Other option, an option that I dont like, but still an option is a move towards requiring users to make accounts. This of course is not great, since nobody (including me) wants to make accounts. But then, you can send ads to groups of accounts, or include / exclude some accounts from seeing the ads. And you can show "ad 1", then "ad 2", then "ad 3" to users. It's a bit more like TV. Less targeted of course. Since nobody (?) does that does it mean that it is not effective, or that it breaks GDPR?

On a side note: there are many apps that require you to have a subscription and show you the same few ads again and again. Do the advertisers really think that after I install app X, that I use for say 15 minutes per day - and I see the same damn add 5 times per use.. that I will buy the product? It makes me dislike their product and not want to ever buy it. Does this approach of showing the same ad again and again really work? (I can understand that it can make me want to buy a paid version of the app, which I did at some point, but it made me hate the advertised things). Also why do they even agree to show the same ad every few minutes?

Targeted ads are just the wedge that opened Pandora's box. You now have a an extremely wealthy constituency that has normalized the concept of tracking, collecting data and creating human behavioral models (and that politically that is an achievable business model)
(comment deleted)
I'd like to point out the OP's author gave many examples of both EU & US websites, explained how both are probably not GDPR compliant, and explained how the US sites have been sued. I did not read to the end, but from what I read there were no examples of any EU sites being sued/punished for GDPR compliance. That is a problem, because it seems quite clear the EU regulations are setup for the purpose of taxing foreign tech companies. One could argue the EU websites are de facto compliant, but the OP indicates otherwise.

We get it.