| I agree with your #1, #2, or #3 and you're right that I've been saying several different things in different parts of this thread, where it's not entirely obvious how they fit together. I do have a coherent view, though -- let me walk through the whole thing and try to clarify. My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising. If before a service can show any ads they need to offer the user a free choice on whether to see ads, where there are no consequences for clicking "no" other than that they don't see ads, users will overwhelmingly click "no" and the site will not be viable. (I additionally think that it should be legal to offer services that are supported only by personalized ads, where users can choose between (1) using the service and having personalized ads vs (2) doing neither. I've argued that elsewhere in this discussion, but that's a bit of an aside to my main point.) While I don't think the GDPR as-written prohibits such services, with the decisions coming out of the data protection agencies in the more privacy sensitive European countries I think the GDPR as-interpreted does make them economically non-viable for most sites because viability requires effective fraud detection. If a service is going to show ads even if the user has clicked "no" and consented to nothing, it needs to be able to run the full ads stack without relying on anything that requires user consent. This includes: * No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1] * No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2] and follow-up rulings on applications such as analytics [3], fonts [4], and CDNs [5]. Together these rule out all commercially available adtech options I know about. But let's say you decide to build something fully in-house, or you use some future ad product from a startup run by very careful Germans. What do you still need to do? The GDPR requires you to have one of several legal bases for any personal data you process. With "consent" out of the picture, almost all of them are irrelevant for ads, with the potential exception of "legitimate interest". [6] Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in? The ad industry has historically thought that sites did. For example, the TCFv2 categorizes this under "Special Purpose 1", with users having "No right-to-object to processing under legitimate interests" [7]. On the other hand, points 52 and 53 of the recent Microsoft ruling [8] read to me as saying that since users do not visit sites to see ads that sites cannot claim that they have a legitimate interest in using personal data to attempt to determine whether their ads are being viewed by real people. This is not fully settled; among other things the Microsoft ruling was on the interaction of GDPR and ePrivacy, and ePrivacy is stricter on some points. But I think it's more likely than not that when we get clarity from the regulators it will turn out that the kind of detailed tracking of user behavior necessary for effective detection of ad fraud is not considered to be within a publisher's legitimate interests. [1] https://news.ycombinator.com/item?id=34096210 [2] https://trustarc.com/blog/2022/11/30/schrems-ii-decision-cha... [3] https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-... [4] https://www.theregister.com/2022/01/31/website_fine_google_f... [5] https://www.theregister.com/2021/12/08/germany_cookie_servic... [6] https://gdpr.eu/article-6-how-to-process-personal-data-legal... [7] https://iabeurope.eu/iab-europe-transparency-consent-framewo... [8] https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989 |
> I do have a coherent view, though
It's strange that you agree... and yet your coherent view keeps on repeating the same lies, falsehoods, and keeps conflating things.
> My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising.
Let me re-iterate: You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
I mean, come on. Go to spotify.com, download Spotify, and you will disover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid.
It's GDPR-compliant.
> it needs to be able to run the full ads stack without relying on anything that requires user consent
You can do that. Again. To re-iterate:
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
This is, of course, a blatant misinterpretation of that decision bordering on a lie. And a false generalisation.
> No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2]
Exactly. Because the US literally said: we don't care about user privacy and we assert the right to view and peruse any data of any citizen of any country in the world if they use American companies.
It is just amazing to me that for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.
> The GDPR requires you to have one of several legal bases for any personal data you process.
Yes. Of course. Why do you want it any other way?
> With "consent" out of the picture, almost all of them are irrelevant for ads
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, if it doesn't mean that you can't have ads at all.
> Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
> The ad industry has historically thought that sites did.
No, The ad industry has historically thought that users' data is a free for all buffet with no consequences. They are now facing those consequences, and you go out of your way to protect the status quo.