Good riddance then? Time to find a new business model and maybe fire some people if your service can no longer sustain that many employees, or let a leaner competitor eat your lunch.
- not if it comes at the price of huge invasion of privacy
- Given the incredible amount of data they have, I'm constantly amazed at how bad FB/Amazon/others are at suggesting what I'm likely to be interested in
The endless barrage of insipid GDPR cookie consent banners has corrected a weird English-language blind spot I had: it turns out that the opposite of "accept" is not "reject," but rather "customize settings" or "view preferences."
Those banners are illegal according to GDPR. Once there's a threat of a fine on the horizon all those "insipid banners" quickly change to show you a reject button https://noyb.eu/en/where-did-all-reject-buttons-come
I would be totally fine with a regulation where they had to ask before using personal data to show ads. The overreach is that the GDPR requires that the user be able to say "no" but still use the service -- you can't make use of the service conditional on accepting ads, and you can't require users to pay instead.
Possibly: it's not fully clear yet whether the GDPR requires you to offer people the opportunity to use your site without ad fraud detection, but I'm expecting it turns out it does. And without ad fraud detection ad-supported sites are mostly not practical.
You can have ad models that are immune to fraud. A time-based model such as "your ad here for X days" is immune to fraud, just like ads in print or TV are immune to it. If the ad drives purchases, the advertiser renews; if it doesn't, you may have to lower your price until another one comes up.
It's not immune to fraud: if I offer you ad space on jefftk.com how do you know how much to pay for it? Without some kind of fraud detection, how do you know whether to trust me when I tell you I have 25k unique visitors monthly?
Could always be an auction-based market - you start with a trial and only do a day/week/etc and gauge your results - if they're good you know you can bid more next time. With enough "liquidity" on either side the true price of said ad inventory will naturally come up without any tracking necessary.
I'm with you that this isn't ideal, but as a choice between the simplest options, I think GDPR was at least an improvement. The prior status quo was 'you can bury it in the ToS in a basement across town' and led to a market where new entrants couldn't compete on more privacy friendly terms.
I'd guess that even now, just allowing a simple 'pay money or <smooth lawyery wording for happiness that incidentally eliminates privacy>' choice would just lead to the same issues again. But it's absolutely like a code smell that tells me there's a more nuanced option somewhere that could be better. However, I'm glad they didn't let perfect be the enemy of good in this case.
This is because otherwise there (mostly) wouldn’t be any service you can use without tracking, because that tends to be the most profitable way to operate. What services still can do under the GDPR is provide a paid version without ads (and many do successfully). It’s just that if they provide a free version with tracking, they also have to provide a free version without tracking.
jeff. We've been through this multiple times already. You working for the ad portion of Google has made you madly in love with ads to the point that you pretend that not letting you siphon and sell my personal data wholesale means you can't show ads. This is not true. Multiple people have told you that already, across a multitude of threads.
You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
I left Google six months ago, and don't work in ads anymore.
Ads without fraud detection are worth very little, and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.
> I left Google six months ago, and don't work in ads anymore.
But you did work there, and you keep saying the same things over and over again.
> and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.
You posit your incorrect interpretations as if they were fact. And you keep on conflating several things into one. Even though you've had plenty of time to, you know, read something about the things you're talking about.
1. Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
2. No, fraud detection doesn't mean your ads are personalised. No, fraud detection doesn't mean that your ads must be personalised.
3. No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
And yet, here we are, again, when you keep saying that these three disparate things are one and the same and that "GDPR is an overreach that prevents sites from showing ads". You keep repeating the same falsehoods over, and over, and over again. Please, stop.
I agree with your #1, #2, or #3 and you're right that I've been saying several different things in different parts of this thread, where it's not entirely obvious how they fit together. I do have a coherent view, though -- let me walk through the whole thing and try to clarify.
My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising. If before a service can show any ads they need to offer the user a free choice on whether to see ads, where there are no consequences for clicking "no" other than that they don't see ads, users will overwhelmingly click "no" and the site will not be viable.
(I additionally think that it should be legal to offer services that are supported only by personalized ads, where users can choose between (1) using the service and having personalized ads vs (2) doing neither. I've argued that elsewhere in this discussion, but that's a bit of an aside to my main point.)
While I don't think the GDPR as-written prohibits such services, with the decisions coming out of the data protection agencies in the more privacy sensitive European countries I think the GDPR as-interpreted does make them economically non-viable for most sites because viability requires effective fraud detection.
If a service is going to show ads even if the user has clicked "no" and consented to nothing, it needs to be able to run the full ads stack without relying on anything that requires user consent. This includes:
* No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
* No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2] and follow-up rulings on applications such as analytics [3], fonts [4], and CDNs [5].
Together these rule out all commercially available adtech options I know about.
But let's say you decide to build something fully in-house, or you use some future ad product from a startup run by very careful Germans. What do you still need to do?
The GDPR requires you to have one of several legal bases for any personal data you process. With "consent" out of the picture, almost all of them are irrelevant for ads, with the potential exception of "legitimate interest". [6] Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
The ad industry has historically thought that sites did. For example, the TCFv2 categorizes this under "Special Purpose 1", with users having "No right-to-object to processing under legitimate interests" [7]. On the other hand, points 52 and 53 of the recent Microsoft ruling [8] read to me as saying that, since users do not visit sites to see ads, sites cannot claim that they have a legitimate interest in using personal data to attempt to determine whether their ads are being viewed by real people. This is not fully settled; among other things the Microsoft ruling was on the interaction of GDPR and ePrivacy, and ePrivacy is stricter on some points. But I think it's more likely than not that when we get clarity from the regulators it will turn out that the kind of detailed tracking of user behavior necessary for effective detection of ad fraud is not considered to be within a publisher's legitimate interests.
It's strange that you agree... and yet your coherent view keeps on repeating the same lies, falsehoods, and keeps conflating things.
> My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising.
Let me re-iterate: You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
I mean, come on. Go to spotify.com, download Spotify, and you will discover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid.
It's GDPR-compliant.
> it needs to be able to run the full ads stack without relying on anything that requires user consent
You can do that. Again. To re-iterate:
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
This is, of course, a blatant misinterpretation of that decision bordering on a lie. And a false generalisation.
> No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2]
Exactly. Because the US literally said: we don't care about user privacy and we assert the right to view and peruse any data of any citizen of any country in the world if they use American companies.
It is just amazing to me that for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.
> The GDPR requires you to have one of several legal bases for any personal data you process.
Yes. Of course. Why do you want it any other way?
> With "consent" out of the picture, almost all of them are irrelevant for ads
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
> The ad industry has historically thought that sites did.
No, the ad industry has historically thought that users' data is a free for all buffet with no consequences. They are now facing those consequences, and you go out of your way to protect the status quo.
If they just defaulted to "no" with no option to opt-in this would prompt the argument that people love targeted ads and Apple is the bad guy for not allowing them.
If they give the choice, they can put real-world proof out there that nobody wants them, as demonstrated by low single-digit acceptance rates.
They can use this proof in the future to default to "no" without possibility of opt-in.
> They can use this proof in the future to default to "no" without possibility of opt-in.
Maybe that's their strategy, but it's manipulative and a sneaky way to obtain what they want while avoiding [SOMETHING]. Where something is lawsuits? regulations? outrage? No idea.