[jefftk]

> Go to spotify.com, download Spotify, and you will discover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid. It's GDPR-compliant.

Why do you think Spotify is GDPR compliant? For example, if you look at https://support.spotify.com/us/article/gdpr-article-15-infor... they say "we use your personal data to tailor advertising to your interests" and their declared legal basis is "Our legitimate interests here include using advertising to fund the Spotify Service, so that we can offer much of it for free."

I agree there are tons of ad-supported services where if you decline their consent banners they still show you ads. But I think somewhere between "extremely few" and "none" of them are actually GDPR-compliant.

> for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.

Where am I saying "I care about privacy"? My recent privacy writing is https://www.jefftk.com/p/privacy-tradeoffs and https://www.jefftk.com/p/preparing-for-less-privacy

I think there are commonly significant tradeoffs involved around privacy, and "maximize privacy over everything else" is not my view.

> > Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?

> No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.

You're not engaging with my point. I agree that if you say you're doing something for "fraud detection" but it isn't actually needed for fraud detection than the GDPR prohibits that. But what I wrote in my previous message is that even "actually trying to do fraud detection and nothing else" is very likely not something courts will consider to be within the legitimate interest of companies.

[dmitriid]

All I can say is: even though you say you agree with me, you keep deliberately saying the same falsehoods, deliberately clumping disparate and non-related things together, and deliberately misrepresenting and misinterpreting everything related to privacy decisions in Europe.

I've said all I had to say here: https://news.ycombinator.com/item?id=34268322

For a person who writes things like "I rarely see enough concern over is that you can't trust the future to keep things private", you do sure go out of your way to defend arbitrary bulk data collection for the most mundane of things, ads. Oh, and the defeatist "we can't expect to keep things private, so to hell with it, no consent for any private data is necessary".

I have nothing to say to you further.

Adieu.

Final food for thought, not that it will convince you: https://jacquesmattheij.com/if-you-have-nothing-to-hide/