notechback's comments (Hacker News)

The GDPR obliges all companies to provide an option for users to receive all data held on them; Takeout and FB's equivalent were implemented in response to that.

For all other companies, at least if you are in the EU, you should be able to request the data by e.g. email and they are obliged to send it. You just don't know what format you'll get.


I believe takeout predates the GDPR ... by a wide margin.

As for all other companies they might be obliged to send it, but I don't see many ways to do so.

That still makes Google's method way better IMO.


Another view might be that this means you are investing in the community behind it and some of the leading people who hopefully will help to ensure that the project lives on.



Technically necessary cookies are fine. If those go beyond that it would be against the law... If you're in the EU.


But it's not cookie consent, it's tracking consent.


It's not just cookies though, it's tracking in general which you should also be able to turn off (but impossible at browser level).


The law is not about cookies, it's about an obligation to inform on and let users opt out of tracking features that go beyond technically necessary features.


The law uses the word "cookies".


Only once, and only as an example:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

From: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL....


They are not mandatory, it's a choice by the site owner to include them. They are only mandatory if you include tracking features that track users across the web (= ads and Google analytics).


One can include ads and analytics without consent being granted - they're "just" restricted to a method of delivering ads and performing analytics which don't track the user.

IANAL, mind you - but that's how we implemented it - you're opting-in to the ads that target you and analytics which track you, or you get the non-tracking/non-targeting ads and analytics.


What are some good non-tracking & non-intrusive ad providers? I've wondered about one day being able to put a few "ethical" ads on a blog site.


You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads:

    (adsbygoogle = window.adsbygoogle || []).requestNonPersonalizedAds = true;

If you do this you don't even need to check for consent since you're not tracking the user or storing any PII. In my case this is what I call if the user doesn't accept advertising cookies, but there's no reason you can't disable them completely on your site if that's what you'd like.

You also have pretty tight control over the categories of ad that Adsense can display, and you can even go as far as to review individual adverts. I've booted a couple of ads that I found to be unethical/distasteful from my site using the review feature in Adsense.

The only issue with Adsense is that there are a gazillion ads it might show on your site, so I'd recommend filtering out any categories you don't much like first, and then reviewing ads sorted by popularity/impressions in descending order, otherwise you'll quickly go mad.

[1] Obviously not an option if you absolutely don't want to do business with Google.


> If you do this you don't even need to check for consent since you're not tracking the user or storing any PII.

Google seems to disagree [1]: Non-personalized ads are targeted using contextual information rather than the past behavior of a user. Although these ads don’t use cookies for ads personalization, they do use cookies to allow for frequency capping, aggregated ad reporting, and to combat fraud and abuse. Consent is therefore required to use cookies for those purposes from users in countries to which the EU ePrivacy Directive’s cookie provisions apply.

What's not clear from Google's documentation, but what I assume, is that they also do not use the info about the context & visitor to serve them personalized ads on other websites.

[1] https://support.google.com/adsense/answer/7670013


Hmm, that's interesting because that would suggest that if somebody declines advertising cookies then you can't serve them ads via Adsense at all... which would be an odd decision by Google.


That's not the issue. The issue is that if the user has and sends Google cookies AdSense will use them. (And many people have third party cookies on, and AdSense might be using some tricky bypass there too.) Getting sneaky about tracking is their business model. And then cookie law is in full force.


Sure but it sounds like the only way to guarantee those cookies aren't sent by Adsense is simply not to use it in the event that consent is declined. Or am I missing something?


That's my understanding. You can't use most Google services without prior consent. AdSense, YouTube (even youtube-nocookie, which just uses localStorage for tracking), Maps etc. Google is not in the business of not tracking users.


But this is what I find strange. It seems unlikely that Google would simply opt out of serving people who refuse to accept advertising or tracking cookies.

Granted, from measurements on my own site that's only 1 - 1.5% of people, but Google's ad revenue for 2019 was $134.81 billion, meaning that they'd potentially be leaving $1.3 - $2 billion on the table by not serving ads to these people. Maybe it would be half that or less because the ads aren't personalised, so they're a bit more hit and miss and therefore probably wouldn't attract the same level of bids from advertisers.

But still, they'd be leaving a lot more money on the table than it would cost to fix the problem (an order of magnitude? two orders of magnitude?). Whilst they might choose to leave it due to opportunity cost, it doesn't seem that likely to me. Here's an example: I once worked at a company whose revenue sat in the £250-300 million range, and they absolutely considered it worth supporting 1% of their userbase for the extra £2 - 3 million it brought in (this is back in the day when IE7 and 8 were still a thing), because it probably only cost them high 5 to low-ish 6 figures per year in PITA workarounds to do that[1].

So, as I say, it seems odd to me that Google don't have a solution for serving cookie-free ads that require no consent.

Going back to skrtskrt's original question, "What are some good non-tracking & non-intrusive ad providers?"

[1] Obviously all us devs hated this, but it was tough to argue against from a rational standpoint.


I don't know whether they really could. It's not just an issue of matching ads, it's also an issue of having relevant ads.

I use adblock by default, so I have no ad-profile at Adsense that they'd use to show me "relevant ads". When I occasionally have to debug some issue with ads somewhere, I'm essentially getting the context-sensitive, not-personalized ads, and they're terrible. At least to me they look as if they were using very simple keyword-matches with little regard to context and primary language. It may be that they don't care to invest more, but it may also be that they don't have enough ad buyers that care for unpersonalized ads so they simply don't have a large pool they can choose from.

I'm also not sure that "cookie-free" would be enough, really. If you're loading ads directly from Google, the user makes the request and can therefore be tracked by Google. Even with Google Analytics and anonymizeIp, at least in the medical sector in Germany, GA is considered opt-in only. In that sense, I'm not sure a central service that delivers ads for you can work without requiring consent.

What very much should work would be a server-side system that's sale/lead-based, where the service would crawl your site, manage your affiliate programs and create ads for you that you'd then insert into your site. That way, no third party learns anything about the individual user and you don't require consent.


Well, sure - you can still send some signals to see ads that are relevant to the _content_ as opposed to the _viewer_.

Example: you're seeing an article about devops and you get an ad about AWS instead of an ad that has followed you around from another website you visited previously.

The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

The other types of cookies can be pretty much disabled at the point of calling the google tag, or enabled (along with more tracking/targeting ads) if the user consented to that.


> The cookie used for frequency capping is considered to be a "technical cookie" and has no bearing on privacy, best I can tell.

But the comment you're responding to says it right there: even Google is telling you it requires consent. It's a cookie, so it requires consent, period. Don't fool yourself.

Could Google serve ads without cookies, and do fraud detection by other means? Yes, perhaps lowering payout due to increased risk. But it's much better to pretend that a cookie banner is needed, so that you might as well enable ad-tracking cookies.


Since it's a technical cookie that's required for ads/marketing, it very much falls under marketing, I believe. Imho "technical cookies" are e.g. Cloudflare's __cfduid or your framework setting a session cookie because it wants to be stateful.


> > What are some good non-tracking & non-intrusive ad providers?

> You don't need to look far. You can simply tell Adsense[1] to serve up non-personalised ads

This discussion describes exactly the problem. How long has this tracking consent law been there now??

And it's just an option in Adsense?!!!

So whenever I see a cookie banner, you can assume they are simply too greedy to flip the switch.

Clearly the adtech and adtech-supporting industry hasn't even slightly bothered to look for alternatives, instead opting to annoy the public with banners. It's pure propaganda in the hope that the annoyance will turn into defeat, and somehow they manage to turn people's disgust towards the EU law instead of them, simply continuing to do their useless crap business and pretending the EU got their hands tied ... when there's a literal boolean switch to tell their shit to behave.


Affiliate marketing is the best way to go. You have full control on how you advertise products.

For my website [1], I have built close relationships with local experts. They provide services my readers need, and I know they can be trusted. I get a commission from resulting sales. I like that model because advertisers have zero access to or control over the readers' data. Unfortunately, it's simply not applicable to all websites.

[1] https://allaboutberlin.com/


I wouldn't say "ethical", but even Google's pubads can do non-tracking.

For pubads, look into "setCookieOptions(1)" and "setRequestNonPersonalizedAds(1)" for a good start on the matter.

It _can_ be done.
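The two comments above (the AdSense `requestNonPersonalizedAds` snippet and the pubads `setCookieOptions(1)` / `setRequestNonPersonalizedAds(1)` calls) both describe flipping an ad tag into non-personalised mode. The block below is an added example, not code posted by any commenter or shipped by Google, showing how a site can derive those flags from its own stored consent record so that the tag fails closed: absent, empty or malformed consent always yields the non-personalised setting, and only an explicit opt-in enables personalisation. Assumptions: the `ads=1;analytics=0` record format is a constructed convention for this example, the `adsbygoogle` and `pubads` objects are passed in (in a page you would pass `window.adsbygoogle` and `googletag.pubads()`), and the pubads stub exists only so the block runs offline. Whether non-personalised AdSense ads still need consent for frequency-capping cookies is disputed further up the thread; the code only demonstrates the fail-closed default.

```javascript
// Added example (not from the thread): fail-closed ad configuration driven by a consent record.
// Record format "ads=1;analytics=0" is a constructed convention for this example.

// Parse a consent record. Anything missing, malformed or not exactly "1" counts as
// "not consented", so the safe setting is chosen by default.
function parseConsent(record) {
  const consent = { ads: false, analytics: false };
  if (typeof record !== 'string') return consent;
  for (const part of record.split(';')) {
    const [key, value] = part.split('=').map((s) => s.trim());
    // hasOwnProperty guards against keys like "constructor" matching the prototype
    if (Object.prototype.hasOwnProperty.call(consent, key) && value === '1') {
      consent[key] = true;
    }
  }
  return consent;
}

// AdSense-style tag: same flag as the thread's
//   (adsbygoogle = window.adsbygoogle || []).requestNonPersonalizedAds = true;
// but set from consent. Google documents the values as 1 (non-personalised) / 0 (personalised).
function configureAdsense(adsbygoogle, consentRecord) {
  const consent = parseConsent(consentRecord);
  adsbygoogle.requestNonPersonalizedAds = consent.ads ? 0 : 1;
  return adsbygoogle;
}

// Google Publisher Tag equivalent using the two calls named in the thread.
// setCookieOptions(1) ignores Google cookies on ad requests; setRequestNonPersonalizedAds(1)
// asks for non-personalised ads. Both stay at 1 unless the user explicitly opted in.
function configurePubads(pubads, consentRecord) {
  const consent = parseConsent(consentRecord);
  pubads.setCookieOptions(consent.ads ? 0 : 1);
  pubads.setRequestNonPersonalizedAds(consent.ads ? 0 : 1);
  return pubads;
}

// Analytics is gated the same way: no explicit opt-in, no analytics tag.
function shouldLoadAnalytics(consentRecord) {
  return parseConsent(consentRecord).analytics;
}

// Stub standing in for googletag.pubads() so the block runs outside a browser; it records calls.
function makePubadsStub() {
  const calls = {};
  return {
    calls,
    setCookieOptions(v) { calls.setCookieOptions = v; },
    setRequestNonPersonalizedAds(v) { calls.setRequestNonPersonalizedAds = v; },
  };
}

// Constructed sample records; in a real page they would come from your own consent cookie
// or localStorage entry written by the consent dialog.
const sampleRecords = ['ads=1;analytics=0', 'ads=0;analytics=1', '', undefined, 'ads=true', 'garbage'];
for (const record of sampleRecords) {
  const tag = configureAdsense({}, record);
  const pubads = configurePubads(makePubadsStub(), record);
  console.log(
    JSON.stringify(record),
    '-> requestNonPersonalizedAds =', tag.requestNonPersonalizedAds,
    ', setCookieOptions =', pubads.calls.setCookieOptions,
    ', analytics =', shouldLoadAnalytics(record)
  );
}
```

The point of routing every flag through `parseConsent` is that there is exactly one place where "no answer" is mapped to "no tracking"; a consent dialog that fails to load, a cleared cookie or a tampered value all land on the same non-personalised, cookie-ignoring configuration.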


> across the web

That part is not necessary. They are mandatory if you collect any form of personal data without legitimate interest.


Which means any website that does anything useful. That doesn't mean ads, but Google Analytics (or another comparable service) is just about everywhere these days.


The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.

Shopping carts, subscription services etc. will still work, you don't need to consent to that, as long as you're not tracking people or handling their data unnecessarily.

When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.


> When you see one of those cookie popups it is a sign that the website is trying to get more information out of you than they need.

Or the owner of the website has failed to understand the nature of the law. Given the amount of confusion in this comment section this also seems likely.

The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.


As with most law, you're not excused from following it if you fail to understand it.

If the admin of a site thinks they need a cookie banner when they don't, it's really because they haven't really bothered to give much thought to reducing the amount of data collection they do on their users.

But I bet it's not really that common, website admins who think they need a cookie banner when they really do not. What is WAY more common: the website admins that do need a cookie banner, but ONLY because they use Google Analytics, and don't realise this is a choice they get to make.

Or people (right here in this thread) saying "I can't make a useful website otherwise" -- it's not that the law is hard to understand, it's not. It's that they refuse to give the problem any thought. The ones "failing to understand the nature of the law", actually just don't give a crap. It's like a butcher complaining "Why do I have to label my meat with 'made from tortured animals', I have to kill them right? I can't possibly produce any meat without using this rusty spoon that I've used for decades".

> The ones which deliberately make the flow for closing the popup and accessing the site without 'consenting' are the ones I think are actually acting maliciously.

You can easily not act maliciously, and still be a crucial part of the problem. That's also what laws are for, even if you cross them non-maliciously, you get punished. That's because people "not understanding the nature of the law", when it directly applies to their business, is undesirable, and really a responsibility they should carry.


> Or the owner of the website has failed to understand the nature of the law.

Oh, sure, but if they don't understand it then they probably shouldn't be gathering people's data either.

GDPR is pretty complex, but website operators have proved for years and years that they can't be trusted to do the right thing themselves, so here we are.


I'm still waiting to see the harm this tracking is causing that is requiring the GDPR and its giant cost to society.


Giant cost to society?


An exaggeration, but in aggregate, the time wasted on this by users having to close yet another pop-up (and being more reluctant to browse new websites), and providers implementing the functionality on their websites is not negligible.


I hate the consent popups, but they signal something different to me than I think perhaps they do to you or the parent commenter.

Bear in mind:

- Extra data collection or processing must be opt in.

- Not opting in must be as easy as opting in.

- The content must be available if the user chooses not to opt in.

Then:

For instance, you go to a site, tumblr.com for example. Why is not important. You get a consent popup. Opting in to extra data collection is easy but you don't want to. Navigating this consent popup is almost impossible. Within a few clicks you are lost, you find a list of several hundred "partners" tumblr wants to share your data with. All are checked and need to be individually unchecked. You still can't work out how to opt out.

To me it's like someone's trying to scam you out of your data. They are so desperate to get your information that they are jumping through all sorts of hoops to try to trick you into giving it.

Do I really want to give my data to an entity that is acting so creepily? Nope. I close the window.


"Providers" that have previously wasted time on making sure all the data collection, tracking and adtech on their site worked perfectly.

That time "wasted" now, is time spent to fix their mistake.

The mistake of thinking they could collect data on me and sell it to third parties in perpetuity.


Both these time wasters are on website providers. If they stuck to collecting only what they need to provide the service, they wouldn't need to ask for consent. Alas, they're greedy, but then they don't get to complain.


How much time and effort have gone into compliance, it's insane. That's measurable. The real cost is the delay to new projects, uncertainty, increased costs - it's what we won't have...


But the flip side is we get back control of our data. Having to treat users' data and privacy with respect seems like a completely reasonable thing to ask, and if it takes you longer to create something because you're now having to do that, then that's good, right?

It being inconvenient to you to treat people's data and privacy with respect seems like something it's hard to feel sorry for.


It's not about treating it correctly, it's about worrying about vagaries in the law and complying with them.

Of course information should be protected, but there are all sorts of compliance procedures and processes that significantly increase complexity and cost.


Asking for consent doesn't significantly increase complexity and cost. The required level of audits to support a world without asking for consent - now that would increase complexity and cost.

And no, not asking for consent and collecting data without supervision is not an option, neither legally nor ethically.


There is a lot more to GDPR than the consent popup.


GDPR isn't about the popup, but is about consent, and having to get it to be allowed to process personal data.


The cost of compliance is directly proportional to the amount of personal data you're processing.

GDPR compliance is usually expensive because people ignore Art. 5.1.(c):

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

If you choose to collect personal data, you're responsible for handling it with due care. If you don't want that responsibility, don't collect the data. If your business model is predicated on doing shady things with personal data, find a different business model.


I know some people in adtech, and the time they spend on "compliance" isn't really a very big chunk of the total time spent on why they need compliance in the first place.

But I'm eagerly awaiting your measurements ...

Truly. Even if it shows the really big numbers you seem to imply. Because that shows something about their choice. How much trouble they're willing to go through to track you regardless.


Tracking has a giant cost to society, the sole reason it exists is so we can be manipulated by advertisers into spending more than we otherwise would have.


GDPR isn't very hard to understand, it's just that website owners want to have their cake and eat it too. Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting, and all this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".


> GDPR isn't very hard to understand

It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

> Looking around for loopholes to do analytics that aren't actually what the user came to the site for is fundamentally the thing that the legislation is targeting...

Totally agree, and this shouldn't be done.

> ...this handwringing about cookie popups and consent and anonymized data is "complicated" simply because it is not in the nature of the law. You do that, you need permission, period, and you need to be OK with people saying "no, I'd really rather you not do that".

This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?


> it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints

The only different "constraints" relevant here would be "we get to play fast and loose with the data we collect or allow to be collected about users, without repercussions".

If that wasn't the "constraints" they were operating under, they have no problem now either.

> Calling it handwringing is hand-wavey and dismissive -- this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution. Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

This is indeed where we disagree, except the law also disagrees with you:

It's. Not. About. Cookies.

It's simply about collecting and storing more data on your users than you strictly need to run your business.

There's really nothing technological about it, if you did it with pen and paper, you'd be subject to the same GDPR. Talking about HTTP response headers or "waging a war against cookies" is just misleading.


> It may not be terribly difficult to understand, but it is indeed very complex to enact at scale, especially with large systems that were designed under different constraints.

As a developer, I agree. As an end user, I am OK with this.

If organisations have to think hard about what data they collect, because it means they have to think hard about how to safely store and destroy it, then that's a good thing.

It has been easy to collect, store and disseminate user data without thought for a long time, and website operators have proved they can't (in general) act responsibly.

> This is where we disagree a little. Calling it handwringing is hand-wavey and dismissive

My honest opinion about most of the consent popups I see is that they are at best trying to weasel out of having to comply with the regulations, or at worst applying dark patterns to trick the user into "consenting".

I am sure there are some honest people with consent popups out there, but I'm not generally generous enough to attribute anything other than malice or incompetence.

> this stuff isn't easy to get right, and it's arguably a large cost for the wrong solution.

For sure, but it works both ways. There is a (potential) financial penalty for not taking care of user data, but at the same time, there's a pretty large cost to a user if their data is spaffed all over databases on the Internet when they didn't want that.

Also, I'm pretty sure if you are actually trying to be GDPR compliant then your first interaction with the information commissioners office will be them trying to help you comply, and you do always have the option of just deleting the data if you can't treat it safely.

> Cookies come in HTTP response headers. Don't want the cookie to do anything? Don't read it! Tell your browser to ignore it. Don't like the JS that's being run? Disable JS.

I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.

> Waging a war against cookies is just a cop-out for fighting the actual problem. What's next? Opt-in banners for JS in webpages? For using HTTP? TCP?

It would be a mistake to think that Cookies are the focus of the GDPR. See https://gdpr.eu/cookies/:

"However, throughout its’ 88 pages, it only mentions cookies directly once, in Recital 30."

The GDPR is about user privacy, cookies are one of the primary tools for violating it, and the most prominent artefact seen on the web, so it's the focus of a lot of discussion, but the main thrust of the regulations aren't around cookies themselves.

It is significantly unlikely that there will be opt in banners for JS, HTTP, TCP, phone calls, cameras at the beach, or just looking at people with your eyes any time soon.


> I feel like I read somewhere that telling the user to adjust their cookie settings in the browser was specifically discussed, and not allowed, but I could be wrong.

Consent must be informed and specific, so simply asking users to set their browser to accept or reject all cookies (regardless of purpose) is not compliant.

On the other hand, if browsers get their act together and standardize a consent API with the necessary features, then browser-based consent management would surely be compliant. GDPR and ePrivacy don't address this explicitly, though GDPR Recital 32 considers consent by “choosing technical settings for information society services”.

Centralising consent in browsers is a key consideration in the proposal for an updated ePrivacy Regulation, but the EU is not going to mandate specific technologies. Everyone is well aware of the mess that is the Do-Not-Track header.


These are good points. It definitely cuts both ways.

I'm not against GDPR, and I'm glad these issues are getting attention. I just want to make sure we recognize there is a lot of nuance here, and there are real costs and second- and third-order consequences to consider.


> The only reason you need consent is when you're tracking people or storing data that isn't required for the functionality of the site.

You forgot one more... you're a citizen of an EU member state. I live in a sovereign nation and EU law doesn't apply to me.

It's been quite funny seeing Americans fall over themselves to comply with GDPR requirements. It won't be funny when they also fall in line behind Chinese law.


> Which means any website that does anything useful.

That's a ridiculous over-generalization. My bank's website doesn't have ads on it; is that not useful? Wikipedia doesn't either, can you earnestly say you've never found wikipedia useful?

There is much more to the web than shitty ad-riddled websites.


It doesn't have to be a modal popup either. If your default is truly "off" then you could have a banner on top or bottom or somewhere saying something like "please help us make the site better..." or whatever.


But that isn't intrinsic to useful services. It is possible to run a profitable bookstore or organise an event without tracking individual users.


Google Analytics doesn't do anything useful for the visitor of the website, only for the lazy administrator of the site. But the latter isn't the one giving up consent, are they?

Also it's kind of sad if you believe you can't make a useful website without having to hand over private user tracking data to Google. In fact you are using a website just like that, right now.


Google Analytics being everywhere is at least an order of magnitude worse than the embedded like button spying.


I disagree. Facebook has much more power over advertising to their users (by personalizing the wall).


Facebook personalizes the Facebook wall. Google personalizes almost every other page you visit and mobile applications/games you use. Not sure how Facebook is more dangerous here.


No, it doesn't. I use adblock, as do a lot of other users. The FB wall is organized to my liking without any direct ads needed.


Or if you do A/B testing, or any e-commerce feature like a shopping cart. The Internet is more than ad-supported sites.


You don't have to assume your user wants to be A/B tracked, or wants to purchase anything. You can allow the user to enable them nicely and non-intrusively without a popup. You can ask the user intrusively when they actually initiate a purchasing action.

Most sites choose to use a popup instead because (they think) it is more effective. So be it, but don't say it's "mandatory" or that "they are forced to".


Both false.

A/B testing is allowed and doesn't need opt-in if the A-or-B preference is only recorded in aggregate form and not tied to the user.

Same for the purchasing scenario. In this case, you would be explicitly collecting personal data to fulfill the order.


Crazy how people whose job it is to build this crap don't even know what the actual rules are.

It's almost as if they just want to collect all the data on all the users forever without any oversight, by continuously rehashing bad and misunderstood versions of the GDPR and pretending it's hard and complex and vague.


You don't have to warn the users for using a cookie for a shopping cart. That is considered basic functionality.


It's a choice so many site owners have made that the web is effectively ruined.


I refuse to include them. I am not a citizen of an EU country and I don't give a rat's arse what the EU thinks of my website. They aren't the boss of me.


Most Europeans do. You might not care in the moment but you will care if you know how these profiles are used, sold and resold, ...


Sold to whom and used for what?

If the answer is "to target advertising" then what is the danger?

If the answer is something else, I'm all ears...


GDPR does not force the banners. It forces you to ask for consent before tracking users across sites. This doesn't have to be a banner, and it doesn't have to be there at all if you only use technical cookies (login, session, ..).

You only need consent if you include Google analytics or ads or a similar platform. Those platforms push the banners on people, pretending that those are needed.

The reason you see the banners everywhere is that a huge number of sites integrate these spy services.

