by corty 1860 days ago
First, illegal obviously doesn't matter to Google. They are collecting GDPR fines but continuing as before. Responsible authorities in Ireland are asleep at the wheel, probably intentionally. As a user, "illegal" doesn't calm my fears, Google fearing to go bankrupt from fines would. But we aren't there yet. Also, Google will mostly avoid responsibility by dropping it all on the Audacity developers and their terms of service.

And ad targeting by button presses isn't the problem. Telemetry transmitting audio content, memory dumps, screen shots, home directory content is the problem. As an end user, I cannot distinguish between the harmless button-press telemetry and the harmful versions. Pinky swearing in the terms of service doesn't help, users have been lied to too often.

Oh, and btw, button presses can also be harmful, e.g. for an on-screen keyboard, a browser or any application where buttons reveal user data.

1 comments

> First, illegal obviously doesn't matter to Google.

I'm just an engineer and I have good visibility only in the project that I'm working on, but at least from what I see, the privacy policy is taken very seriously. All product changes are going through legal review, and I'm not aware of any instances where any illegal or even "gray area" changes were knowingly rolled out in production. When GDPR came into law, a lot of work was spent on making all the systems compliant with it.

I'm not saying that everything in Google's billions of products is strictly legal, but "illegal obviously doesn't matter" is obviously wrong.

That the GDPR introduction required a lot of work is a sign that Google failed to comply with German data protection law in the time before. Google did business in Germany, so would have had to comply. GDPR is, in most aspects, a straight translation of what was necessary to do business in Germany for decades. So why should I trust that Google will comply now when it didn't before?

CNIL (the French DPA) could fine Google because Google failed at something as basic as having a Data Protection Officer in their supposed European headquarters in Ireland. If Google legal fails at a two-line appointment letter and an address entry in the privacy legalese, how should Google's legal review be any better?

As to taking things seriously, take for example YouTube. For some time we have now been getting a cookie consent banner, but that was introduced only some time after GDPR came into effect. And that banner is obviously illegal, because it clearly implements the "I agree" vs. "Customize" dark pattern. So I cannot reject as easily as I can agree. And even if I click customize and select "Off" at "Ad personalization", there is still the sentence below that says "We rely on cookies to remember your settings and other preferences. We also use cookies to [...] deliver, maintain, and improve our services and ads". Also, there is the plain lie that "You can change your browser settings to reject some or all cookies." You can block cookies, after which YouTube just won't work in Firefox. I suppose in Chrome it just uses some other hidden identifier.

So please don't try to tell me that things are taken seriously when I just need 30s to find blatant violations and gray areas. Name any other Google site and I would wager I could easily show you more obvious violations like that. I can accept that an engineer won't know or care about stuff like that, but claiming you have never used YouTube and never seen what I described seems odd to me. I can accept you wanting to defend your employer, but everyone always says something like "it is fine in my project". That only serves to increase my mistrust in any claims by Google employees when things like the above are clearly not OK.

I'm afraid that the question answered by all that "legal review" is "what can we get away with", not "what is legal", and that that was the principle that informed your GDPR not-quite-compliance big initiative.