No, they can show you ads that don't use your data. You'd have to allow them to use your data to give you better ads, but you'd just get worse ads in the meantime.
So I need to explicitly accept targeted ads from every company that shows targeted ads? Does this mean every website that shows targeted ads, or can a blanket large provider (e.g. Google) get a single consent and apply it to all websites hosting Google ads?
This seems like it would give a market advantage to Google, because they have products that people want and can likely get a fair number of people to consent if the consent was among useful consents. But smaller advertising companies would have a much harder time getting consent, especially if people don't recognize the name as providing anything useful.
And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?
> And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?
I'm not certain on the details, but in eg Norway that is already much in line with the GDPR ip addresses are considered personal data, and as such regulated. However, there are provisions for storing such information for auditing purposes (both security, technical and financial/invoicing) - but would likely require explicit consent. ("i accept"/"i will not use this service" - more of an informational confirmation - like signs stating a shop is under camera surveillance - and you could choose not to shop the (even if: good luck finding a shop w/o surveillance cameras)).
In general "personal data" is anything that can significantly help identify a single individual (time/place, ip, phone number/date, address, full name, email, etc).
Ed: regarding logging ips for auditing - there's usually a fixed time limit. It's longest afaik for financial purposes (and the data storage directive explicitly states/stated minimum duration - effectively being lobbied into a tool to go after amateur copyright infringement by forcing isps to keep records longer than before). But from a data protection viewpoint, you can't say/get consent for "we log for auditing" and then keep the data indefinitely . More like 6 or 12 months.
Yes. If the data cannot be tracked to one person, it is not regulated. So anonymous tracking cookies are still OK, but attaching it to an IP/name/phone number etc. is not.
I don’t believe that’s true. “Anonymous” tracking cookies are still unique to the individual and such can easily contribute to identifying them, and so are included as personal.
Only if you can/do meaningfully anonymize the data. Eg, knowing the subnet of most/all Norwegian isps, it's trivial to recover ips that are simply hashed (probably even with salt), similarly Norwegian phone numbers are only eight digits, so any kind of deterministic mapping is likely to be too trivial to actually amount to anonymization.
Also rember that one of the goals is to avoid illicit linking - so being able to verify that ip n.n.n.n is the same as slow_hash(salt+other-ip) won't fly as "not storing".
In general, anonymizing data in sparse populations is tricky - where "small" can be quite large. Just imagine building a bitfield of variables like: sex,age +/-50;2 bits. Rough location (easily 6 bits), browser (2 bits), mobile? 1 bit - that's already 12 bits etc. See also NYC taxi dataset, eg (not the article I had in mind, but seems to cover similar points):
The blanket version. Google et al neither sell nor (generally) share your data with advertisers. They make the decision on what to show to you and thus, only they need to get your consent once for that express purpose.
By the way: it's still a topic of heavy debate how much of this can be done through terms and conditions after all.
Disclaimer/source: working for large Google customer, involved in GDPR compliance. Edit: spelling.
But does the website itself where the ads are shown need to get consent?
How about this, what if I own a.com and embed an image from b.com (a completely different organization from me). And then b.com tracks the users' IP addresses, urls, referers, etc. Do I need to get permission for that? I'm not the one doing the tracking. Does b.com need to get permission for that? There's no opportunity for b.com go get permission, the user never is on a website controlled by them, there is never an opportunity to click an accept button for b.com . The user likely has never heard of b.com .
As far as I know, GDPR disallows “bundled” consent. Google will be obligated to provide all the same services even if it cannot use the data for targeted ads.
Yes, but if the consent checkbox is nestled among a lot of other useful checkboxes, the user will likely accept it because they won't notice that it's different at all.
And how granular do these consents have to be? Would there be a page with 100 consent boxes, with a top box saying "accept all" for people too lazy to sort through all of the boxes?
Don't underestimate how bad bad ads can be. I turned off targeted advertising on my Android phone for a while. The result was that around 50% of ad banners I saw were ultra-spammy strobing things--presumably the only ones that will pay for untargeted ads--making apps with built-in ad banners essentially unusable. I wound up changing back. That may have been the intention.
(An Android ad blocker would probably work best, but getting one running on my ancient phone was more hassle than I wanted.)
There are two possible transactions: selling you ads, or selling you to a better class of advertisers.
I see parallels to the 3rd class rail (or coach-class air) problem. If you improve the conditions of the lowest service class, nobody upgrades to higher levels of service. So the lowest class is intentionally bad.
I'd say that highly targeted ads are harmful, as it's more likely to undermine the viewer (eg: political ads tweaked based on current family situation/emergencies derived from data mining). Eg: target people who recently lost loved ones to an attack by one of our times typical "lone gunmen" by ads advertising increased surveillance as a way to mitigate "terrorist" attacks.
Or substituting in first names of friends in paid content ("<person with same name as your friend> give the following reasons to vote x!/buy this").
Not to mention that if advertising works - then it undermines the idea of a free marked where purchases are made by informed independent agents (I think that's a fantasy anyway, but it seems to be a somewhat popular idea).
Is there anything inherently bad about a site using your data to serve you more relevant ads, as long as your data is not passed on to a 3rd party?
Is there anything inherently bad about a stalker passively observing and recording your every move, as long as they don't disturb your daily routine or pass the data along?
Even if you find the stalking behavior (cross-site tracking) of ad companies acceptable, there is a significant risk that your data leaks or is stolen. So, I should be able to decide who I trust with saving intimate data and who I don't.
Show me a site that gathers data about me directly, transparently, and without any creepy cross-site tracking, and I’ll consider your question. Unfortunately that’s not how anyone works.
Except we know that not passing data is a pipe dream. Between hacks and governmental abuses, no company can promise that, no matter how honest they are.
It's been looking really creepy after I purchased a Plush Cuddle Death Star, because now it keeps showing several repeated ads for them right next to each other. I already have one, and now they want me to buy a whole cuddly fleet of them! Oddly enough, I haven't seen any ads for the R2D2 mug I ordered with it.
