> I agree with your #1, #2, or #3
> I do have a coherent view, though
It's strange that you agree... and yet your coherent view keeps on repeating the same lies, falsehoods, and keeps conflating things.
> My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising.
Let me re-iterate: You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
I mean, come on. Go to spotify.com, download Spotify, and you will discover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid. It's GDPR-compliant.
> it needs to be able to run the full ads stack without relying on anything that requires user consent
You can do that. Again. To re-iterate: Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
This is, of course, a blatant misinterpretation of that decision bordering on a lie. And a false generalisation.
> No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2]
Exactly. Because the US literally said: we don't care about user privacy and we assert the right to view and peruse any data of any citizen of any country in the world if they use American companies.
It is just amazing to me that for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.
> The GDPR requires you to have one of several legal bases for any personal data you process.
Yes. Of course. Why do you want it any other way?
> With "consent" out of the picture, almost all of them are irrelevant for ads
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
> The ad industry has historically thought that sites did.
No, the ad industry has historically thought that users' data is a free-for-all buffet with no consequences. They are now facing those consequences, and you go out of your way to protect the status quo.
Why do you think Spotify is GDPR compliant? For example, if you look at https://support.spotify.com/us/article/gdpr-article-15-infor... they say "we use your personal data to tailor advertising to your interests" and their declared legal basis is "Our legitimate interests here include using advertising to fund the Spotify Service, so that we can offer much of it for free."
I agree there are tons of ad-supported services where if you decline their consent banners they still show you ads. But I think somewhere between "extremely few" and "none" of them are actually GDPR-compliant.
> for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.
Where am I saying "I care about privacy"? My recent privacy writing is https://www.jefftk.com/p/privacy-tradeoffs and https://www.jefftk.com/p/preparing-for-less-privacy
I think there are commonly significant tradeoffs involved around privacy, and "maximize privacy over everything else" is not my view.
> > Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
> No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
You're not engaging with my point. I agree that if you say you're doing something for "fraud detection" but it isn't actually needed for fraud detection then the GDPR prohibits that. But what I wrote in my previous message is that even "actually trying to do fraud detection and nothing else" is very likely not something courts will consider to be within the legitimate interest of companies.