I feel like Europe is like a broken record at this moment. These inane rules waste millions of hours and cause untold disruptions for not only no benefit to Europe, they managed to completely obliterate whatever was left of European advertising agencies. I struggle to think of one thing that the EU has done to help us small-time tech people, other than giving pacifying subsidies that are wasted on travel expenses and stacks of printed paper. (And tbh I don't like advertising, but it feels like there's just nothing unregulated in Europe anymore, it's a dead land.)
Europe's a broken record because awful companies won't stop acting awfully with PII. It's my information. You have no right to any of it without my explicit informed consent for every aspect of the collection, use, distribution, and storage until it is provably deleted. Should you mishandle it and lose it I should be guaranteed compensation in the same way that bank deposits are insured to a certain amount.
>managed to completely obliterate whatever was left of european advertising agencies
That's a huge win in my books. I take the stance that advertising is a cancer on society wasting: lives, talent, and finite resources while doing what good for society exactly?
For every campaign that does measurable good I can usually argue that either the campaign wouldn't be necessary without advertising's infectious tendrils everywhere, or the effect is virtually worthless in the face of the overwhelming scale of resources wasted on useless advertisement campaigns.
If it was yours, you would be able to sell it in exchange for something else. The EU's rules forbid this, basically giving ownership to the state
Also, let's be clear, it's not only YOUR information since you didn't collect it yourself, there could be an explicit formula about how much of it is yours. Just because GDPR says so doesn't mean it's correct.
also
> I take the stance that advertising is a cancer on society wasting: lives,talen
> you would be able to sell it in exchange for something else. The EU's rules forbid this
Which rules? GDPR is all about being explicit about how the data is used and the right to choose. What is the rule preventing you from offering a service explicitly allowing people to sell their information?
> “Freely given” consent essentially means you have not cornered the data subject into agreeing to you using their data. For one thing, that means you cannot require consent to data processing as a condition of using the service. They need to be able to say no. According to Recital 42, “Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”
> 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
That point applies to just one of the bases. It's basically for the extra information which you don't require, but still want.
If your business explicitly deals in user information:
> In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis
> ... these are the other legal bases:
> 1. Processing is necessary to satisfy a contract to which the data subject is a party.
In that business it's necessary to share the data which is being sold. It's part of the contract. As long as you comply with notification, listing 3rd parties, and other relevant points, you can require and sell that data.
Can a publisher demand "user information" in exchange for reading an article, even if it lists 1500 trackers, even if it's part of the contract? No, GDPR forbids it.
That's the gist of the matter. Private information is not tradeable, therefore it's not really property, and certainly not owned by the users since they can't sell it for goods they readily want to acquire.
The clause you quote only applies if the private info is necessary for the service rendered. GDPR considers advertising optional, despite the fact that it's crucial for the survival of websites.
They can sell it. What GDPR prevents is hiding the trade or bundling it into other exchanges.
So you're free to say "this access costs $x, you can sell your data for that much on this other service". If you learn through that that people actually are not prepared to sell their data, then GDPR achieved its purpose.
If you work on the other side, it may seem hard to handle. But if websites can't survive without trading user data, I'm happy for them to die and get replaced by something with better business model. Global data abuse is not worth it.
I guess you could also start a business explicitly selling user data to get access to 3rd party services as a replacement of payment. As long as it's a separate entity, it could work?
No, GDPR considers collection, sharing and use of personal data to deliver targeted advertising optional. You can still deliver advertising that doesn't use any personal data.
You are right. But I could see a market forming if e.g. Chinese companies were allowed to compete and offered direct monetary incentive to acquire users (would be cheaper than the ad spending they do)
>GDPR's consent framework, I now could genuinely sell my data
The needs of the many (the entire population) are more important than the needs of the few (the advertising industry). If you disagree let me know why this industry is worth it (if you try then also touch the subject of the tobacco and diamond industry and advertising to exploit the population for making money and how that is good somehow)
I think that there are benefits for us the people so far and more to come when the regulations will be enforced, like:
- more transparency, now you can see exactly that your data is shared with 100+ companies and you can see what is collected and decide for yourself if you want to visit or not, or maybe you want to use a VPN or private mode on this dubious website
- you can request your data back and ask to be deleted.
- some websites will open in text only mode for EU users, you no longer need to waste a click to press the Reader Mode button.
If you disagree then explain how the listed benefits are "zero benefits"
"The many" don't give a crap about their so called "personal information". I don't care who tracks me and who targets me with ads, as long as it's not the government.
I do hate when inane legislation like GDPR makes websites downgrade my UX to protect some information I don't give a crap about. But it's for my own good, of course.
Dude, you can just click Accept and you can get tracked like the people outside EU.
Anyway when you live in a society you have to respect the society rules even if you don't like them or you can move outside of EU (or use a VPN) to get the full experience advertisers intended it for you.
I don't agree with so much advertising on the internet. And I don't mean the tracking, I mean the amount of it, it's just unacceptable that there need to be so many ads in a page in order for a website to survive. Tracking ... I'm not sure why it should bother me, as long as there are legal protections so it doesn't cross lines that are considered unethical (such as pregnancy or sex orientation). GDPR says nothing about it, it just blanket bans it.
Google has only gotten mightier and greedier post-GDPR. So whatever defense is mounted on GDPR, the empirical fact is that it failed in its purpose.
It was a missed opportunity. It could truly hurt google if (a) it declared private information as private property that can be sold in exchange for services or if (b) it provisioned a "PI" tax that should be mandatorily paid back to users similar to the link tax required to be paid to newspapers.
GDPR is not about advertising, so you can put a billion ads if you want, just don't track me behind my back then share this data with 100+ companies so now they all know all my activity on the internet.
GDPR should not dictate how you implement ads, if you want targeted ads then maybe the industry needs to implement them respectfully, the user would opt-in, connect his browser with FB, Google, Twitter and then he will get targeted stuff. They could make a browser, DRM-it to shit and if you use that browser you get less ads but all of them are targeted and every click in that browser is tracked, it would be an opt-in stuff where you sell your browsing activity for ad-points that you can spend on different websites to read articles.
We need strong laws because the industry is fucking the users, they sell you products like a TV or an OS but they still want to make a few more cents so they continue to track you and sell your data to advertisers.
IMO advertising is mostly manipulation, make people buy expensive diamonds or expensive clothing or phones when they don't have to, I would be curious if we could create an economy simulator and ban all advertising like it was done for cigarettes and see what happens.
A large amount of websites now ask whether you want to be tracked and offer a button that allows you to say you don’t.
Google instead thinks they are above the law and offers a pop-up that can only be dismissed by accepting. Forced consent is not consent so that’s against the law.
Don’t complain if companies get into trouble because they break the law. Don’t complain Europe keeps telling companies like Google they need to follow the law until they actually start following the law.
Side note - an incredible number of sites are already planting the cookies, running the scripts, and doing the tracking before you even interact with the prompt...
Textbook illegal under the ePrivacy Directive implementations, but many (most?) sites still do it...
I agree. Then again I only saw the Google popup once. I see the popups in every tiny website and at this point it's just learned helplessness. I don't like being treated like that
> Google instead thinks they are above the law and offers a pop-up that can only be dismissed by accepting. Forced consent is not consent so that’s against the law.
It’s probably not against the law and the situation you have described is a valid method to establishing lawful basis under the GDPR. It’s really not all about “consent” - we hear that too much.
> It’s probably not against the law and the situation you have described is a valid method to establishing lawful basis under the GDPR. It’s really not all about “consent” - we hear that too much.
Various data protection authorities have concurred that forced consent isn't consent. For consent to be valid, it needs to be freely given, informed, and not tied to the provision of a service, such that provision is dependent on unrelated consent.
There's also restrictions on consent being used where there are imbalances of bargaining power (so for example, consent isn't a valid legal basis for processing data at all in an employer/employee scenario due to the imbalance. Another legal basis is needed).
One area of interest in future would be how the imbalance of power could be interpreted - consumers generally can't negotiate anything with any internet company (unlike negotiation with small businesses), and in many cases companies can hold them hostage until they consent (if Google won't let you into your email until you consent to something, that's clearly coercive and abuse of power). When regulators finally learn to move faster, it will be interesting to see how widely this can be applied - could it even extend to a company which holds a monopoly status in a market, due to lack of meaningful choice? I think it could.
In any case, the smart money is on not relying on consent as a legal basis unless you have no other option - it's the least durable basis, and can be revoked at any time.
I work for a small tech startup that aims to give people control over their data, and it's very clear our business case is a lot stronger in the EU than it is in the US. It is creating new markets for businesses that respect people's data, even if that's at the expense of businesses that exploit it and have all kinds of negative side effects like influencing elections.
I mean until they start enforcing the law on US companies operating in Europe then yes, EU advertising companies are going to lose out. But that's no different from any industry where one group of companies just violates the law whenever they feel like it. See Uber, Lyft, etc. or the various companies that undercut their competitors by selling unsafe products, or the investment firms that beat the returns of their competitors by being Ponzi schemes or by committing other fraud.
The reason EU agencies went bust was because they were competing against the likes of google and Facebook, because those companies could arguably target better (or were perceived to), and they could only do that because they were breaking the law.
I was quoting the parent - entirely agree and it’s an obviously facetious point.
Frankly the amount of misinformation circulating about GDPR, in particular from US techbros, is astonishing. Nobody should be having a serious issue complying.
Ah, apologies! Yeah, I find it absolutely nuts. Anecdotal, but the only serious hatred of GDPR I've heard from UK side was from those in high-level management at data broker/data broker-associated firms. Which kiiiinda chimes with why people like Cummings want relaxation of the regulations, given those people float in the same circles & have the ear of the current government. Makes me stupendously uneasy given that the only thing they care about is cash.
Well, from my POV, the biggest GDPR technical issue is integrating with Google. They don't support TCF 2.0[1] like nearly everyone else in Europe, so we have to special case them.
Other than that, we've had to a) ensure we honour user consent b) ensure that only directly relevant PII is held in our systems c) for only as long as needed and d) is handled securely - so ensure encryption at rest and in transit is properly applied.
Was maybe about 2 months work for 3 people to put in place, and we had plenty of time to do so.
Oh, and an initial early change we made at the behest of our lawyers was to drop the last quartet of any stored IPs. Not sure if that was GDPR or another EU directive though.
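An added illustration of the IP truncation mentioned in the comment above; this is not the commenter's code. It zeroes the last octet of IPv4 addresses before storage and, as an assumption the thread does not state, keeps only the first 48 bits of IPv6 addresses. The log format and sample lines are constructed.

```python
import ipaddress

# Assumed policy: IPv4 keeps three octets (as in the comment above);
# the IPv6 /48 cut-off is an assumption, not something the thread specifies.
V4_PREFIX = 24
V6_PREFIX = 48


def truncate_ip(raw):
    """Return the address with its host bits zeroed, or None if unparseable."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    # An IPv4 client seen through a dual-stack socket arrives as ::ffff:a.b.c.d;
    # unwrap it so it is truncated as IPv4 rather than kept whole inside a /48.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_log_line(line):
    """Truncate the client address in the first field of an access-log line.

    If the field is not a valid address it is replaced with "-" instead of
    being stored verbatim, so a malformed value cannot bypass truncation.
    """
    ip, sep, rest = line.partition(" ")
    return (truncate_ip(ip) or "-") + sep + rest


# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.77 "GET /article/1" 200',
    '2001:db8:abcd:12:1::5 "GET /article/2" 200',
    '::ffff:198.51.100.23 "GET /login" 302',
    'not-an-ip "GET /" 400',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_log_line(entry))
```

Truncation has to happen before the value reaches any store, including debug logs and analytics exports, otherwise the full address still persists elsewhere.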
Was three months of review work for us at the time, one person doing most of the work with support from three others for implementation. Bar Google, which is understandable, I'm not sure I understand why you would have an issue with the other stuff