[alkonaut]

There is a suggestion that some data sent is in violation with the GDPR. There is no specifics about what it would be that is in violation however. I think 90% of sites with cookie banners are blatantly violating the GDPR - but whether I'm correct in that assessment is anyones guess. It would depend on court processes that hasn't happened yet. It's based on my understanding and interpretation of the regulation, nothing else. I guess it's the same with the complaint here. If there is a question of a violation then it's probably due to microsoft and the commenter having different interpretations about specific data such as hashed mac addresses (Which certainly isn't clear cut).

[smarx007]

Yup, there are lots of violations: https://noyb.eu/en

And I do think Microsoft has good lawyers and believe they reviewed any activity prior to receiving consent quite carefully.

[alkonaut]

Are there any concluded legal processes that are concerning

1) the form of consent banners

2) consent vs legitimate interest for ip transmission as part of http request headers

3) whether ads are a legitimate interest for web sites?

Those seem to me to be the 3 “big questions” of the GDPR. The regulation and most legal processes however seem to focus more on large scale data storage cases, failure to answer user requests etc. And those are important from a privacy standpoint but from a technical standpoint to software developers the 3 above seem much more interesting, yet mostly ignored by courts? I get a feeling they don’t want to touch it because they are a can of worms

[smarx007]

1) YES https://noyb.eu/en/where-did-all-reject-buttons-come

2) Consent vs legitimate interest is not for data but for data processing purposes. A company, say Paypal, may have a legitimate interest to process (and, therefore, collect) your IP address in fraud detection systems. If you don't give consent, fraud prevention dept cannot share your IP address with the marketing dept (and would have to erase it once it's no longer used by the fraud detection system). Which is why you get pestered with more consent requests than needed. Consent also has to be freely given: https://edpb.europa.eu/news/national-news/2019/facial-recogn... + https://noyb.eu/en/pay-or-okay-tech-news-site-heisede-illega...

3) Ads are not personal data (data that came from you and/or data related to you, not necessarily PII). GDPR is only about careful handling of all personal data. It does not prevent a company from showing you ads. But GDPR does prevent tracking to show targeted ads: https://noyb.eu/en/norway-temporary-ban-behavioral-ads-faceb...