[sebastian_z]

The ad industry is not monolithic, though. Some people want to genuinely move on to less privacy-invasive business models; others not. I have been to industry conferences where the advice was "well, if you do not like the Do Not Sell link on your site, maybe it's time to stop selling and start changing your business model."

What is different this time around compared to P3P, DNT, and other earlier mechanisms is that the times have changed. Privacy is a much bigger topic. There is much more reporting now about privacy. Users understand a bit better better (though, we are still far off from real transparency). Lawmakers and regulators are catching up. Many companies embrace privacy. There is a burgeoning privacy tech industry with quite a bit of venture funding.

Also, lessons were learned from earlier efforts. CalOPPA required recipients of DNT signals to only say whether they respect those. The CCPA regulations now require actual compliance. If the CCPA is applicable to your company, you have no choice but to respect it. And that is also true for automated browser signals. There is much stronger enforcement now behind more recent privacy laws. Virginia and Colorado recently enacted privacy laws, and it is likely that other states will do to.

Disclosure: I am an academic researcher working with collaborators of all stripes on Global Privacy Control (GPC) [1, 2]. We are in touch with the good folks at ADPC and support their work. They are doing a fantastic job over there!

[1] https://globalprivacycontrol.org/ [2] https://github.com/privacycg/proposals/issues/10

[unknown_error]

Thing is, how is regulation supposed to ever keep up with the rapid advancements of technology and advertising and the lobbies that come with all that revenue?

Capital and technology need not respect sovereign borders and laws as long as they can keep one step ahead of enforcement and still get enough revenue. The laws and lawmakers are fundamentally slower and weaker and poorer; by the time CCPA et al have an actual deterrent effect (beyond just mandated privacy notices), the industry will have moved on to some more sinister loophole.

It's an arms race that 1700s-style government simply cannot keep up with. It takes months to come up with new algorithmic loopholes, decades to change the law, one industry-friendly administration to undo all the progress.

Offloading privacy to government only works when you have strong states (China, the E.U. maybe). In the US, what's left of the federal government is too crippled to effectively tackle this (and arguably any technological problem) at scale. State-specific laws are subject to the same constraints, and additionally face the problem of enforcement across borders and Commerce Clause issues. If anything this will be an arms race between adtech and adblocking; Congress is the kid in the corner crying, "But I wanna play too!" and pretty much shrugged off by everyone else.

[stonemetal12]

Simple the law should be written in a technology agnostic way. Something along the lines o f"Services shall not track user behavior beyond what is necessary to render service, and user behavior shall not be sold to, shared with, or otherwise made useable by third parties without user consent" Then it doesn't matter what technology you come up with in the future it is covered.

[unknown_error]

That doesn't really work long term. "necessary to render service" might include advertising dollars. And who is a "third party"... If ad networks reorganize into a cooperative that offers services directly to publishers in the manner of AWS, are they still a third party? And user consent, what if it becomes a requirement to consent before you can access data, or opting out gives you diminished functionality...

None of that is far fetched. Facebook, Google, Apple etc. all track and use first party data. If anything this just consolidates advertising power into the hands of an oligarchy that's already largely above antitrust law.

The law is never simple, exhaustive, or agile when it comes to regulating technologies.

GDPR has been the most successful of the bunch and all it really did was force a bunch of cookie notices and deletion processes. That still largely depends on people being lazily accepting advertising.

Any proposed law that singlehandedly destroys ad tech is unlikely to either pass or stay relevant for more than a few months.