[emodendroket]

I don't see how you figure. If I pay to put an ad in the New York Times, the circulation is not a secret. If I pay to put an ad in some Web site (or, worse, thousands of Web sites I don't know about in advance) then I have no insight whatsoever into how many impressions I'm getting if we decide it's illegitimate to try and measure traffic.

[lucideer]

You can measure traffic anonymously or pseudonymously without violating GDPR. Monitoring of traffic for a website owner is inarguably legitimate interest if even just for DOS protection. The tracking discussed in this article is not about traffic measurement, it's much deeper individual tracking.

Also...

> the circulation is not a secret

Isn't it? Like yes, there's a published figure, but is it verifiable?

If we're discussing potential for "fraud" here, I don't really see how there's any difference between online and print circulation.

[PaulDavisThe1st]

For print circulation, there are two choices: the publisher can report their actual numbers or they can participate in fraud (by lying about it). The latter has real legal consequences attached to it. They might bet on never being found out; I am guessing that most do not.

For online "circulation", there are three choices: the two given above, plus the possibility that the "actual numbers" (e.g. generated from server logs) do not reflect what they appear to (ie. bot visits). This is "problem" that tracking seeks to fix, by avoiding a "circulation data source" (page visits) that isn't (and cannot be) reliable.

[lucideer]

Bot visits need incentives. There's two:

1. the current incentive where individual brands can defraud ad exchanges' pay-per-x systems. Without pay-per-x this incentive disappears.

2. publishers defrauding advertisers. This has similar cost & risk ratios online as either misreporting numbers or bulk-buying papers does in real life. There's also very little tangible difference between the ability of authorities or legal agents to enforce honest reporting of numbers online and in print. The two scenarios are eminently comparable.

Ultimately, removing pay-per-x brings online ads and the ability to defraud advertisers down to a level of equivalence with print.

[PaulDavisThe1st]

There is no honest reporting of numbers online without some sort of tracking.

[emodendroket]

Not only that. I’m potentially publishing across many sites I haven’t verified. A well known newspaper seems unlikely to engage in outright fraud, but someone I don’t even know, why should I trust them?

[jefftk]

> Monitoring of traffic for a website owner is inarguably legitimate interest if even just for DOS protection.

Even in cases where the GDPR allows data collection for one purpose, that does not mean you can apply your collected data or analysis for a different purpose.

[lucideer]

IANAL but I don't think that's what's happening here: the gp was referring to circulation figures. DOS-protective measures need insight on individual bad actors but only derived aggregate figures are needed for circulation. That's not something covered by GDPR in any way - it's extremely explicit in defining what types of data points relating to "natural persons" it covers.

[jefftk]

I think what you're proposing is:

1. Collect data for DOS-prevention purposes.

2. Analyze it afterwards in aggregate for advertising purposes.

Except you can't do #2 without turning #1 into "collect data for DOS-prevention and advertising purposes", which goes beyond your legitimate interest in collecting the data.

I agree that #2 should be allowed if you'd do #1 anyway, but this isn't how the GDPR works.