No. Basically the GDPR is structured around a whole bunch of reasons why you might _need_ to store and process data about people ("Subjects"), for which you have implicit permission because it's necessary to something you're doing for the Subject. You need to make sure Subjects can find out what you needed, and why, and you can't change your mind later.
These purposes do not need Consent. You don't need to Consent to a retailer knowing your credit card number when you use the card to buy something. You don't need to Consent to Amazon knowing your delivery address when you buy stuff.
Consent comes in when you and the Subject both want to enable processing that isn't necessary. For example, if I buy a book from Amazon, it makes sense that I'd get a confirmatory email saying I ordered the book, and they're agreeing to sell it to me, and another one saying the book has been shipped and will be with me in 2-4 days. Those feel pretty necessary. But why would I get email about how great Amazon's new Fire tablet is? Well, Amazon could try asking me for Consent to send that sort of crap to me.
The GDPR is clear that you can't insist on implied Consent, you can't have "By visiting this web page I consent" or "To stop receiving our marketing, just unselect the default-selected boxes in the marketing permissions sub-section of your user profile, this may take up to 400 years to take effect" or similar nonsense. It needs to be a clear informed choice to give you this extra permission.
Some of the specifics will get litigated. I'm sure somebody will try to claim it's "necessary" to their business to track people and sell everything they possibly can, and I expect European courts to decide that's laughable nonsense.
>I'm sure somebody will try to claim it's "necessary" to their business to track people and sell everything they possibly can, and I expect European courts to decide that's laughable nonsense.
Who pays the verge for the reporting that you wish to read?
Is this verge reporting on this article made for free, by a volunteer, etc?
Or were they paid?
OK, so the Verge is a business, who has to make money.
How do they make money? Are you paying them to read this article? No?
So they sell advertisements to make money to show you content.
" I'm sure somebody will try to claim it's "necessary" to their business to track people and sell everything they possibly can"
In this case, tracking you through cookies for advertising purposes seems to be a "necessary" part of the verge, as it is literally a core aspect of the monetization strategy to offer free content in exchange for tracked advertising, as they explain in the pop-up.
No ads = no content. I can't see a European court claiming that Europeans have a right to free content in violation of the monetization strategy of the author. At the end of the day, verges servers are private servers and you do have to agree to their terms of use before connecting to their servers. In this case, the terms of use of connecting to a verge server for free articles is advertising tracking.
Good luck suing them, but what would be the end game? Ruin their business model?
> In this case, tracking you through cookies for advertising purposes seems to be a "necessary" part of the verge, as it is literally a core aspect of the monetization strategy to offer free content in exchange for tracked advertising, as they explain in the pop-up.
That is not how GDPR defines "legimitate interest".
Even if it is less effective, you can serve ads without tracking users via cookies. Therefore it isn't legitimate.
True, but this isn't about serving ads or not, but about tracking individuals.
You can serve ads without user profiling, which is what TV stations have been doing since the invention of the TV. You can even infer certain demographics from the content, which should be enough to hit a target. Articles on publications like The Verge emit tons of signals about who their readers are. Consider just the profile of the website. You don't actually have to track individuals.
It's also true that tracking individuals can yield better profits, although I have my doubts about that. It's also true that, due to abuse, ads are less and less effective, but this is a race to the bottom so might as well stop it now, instead of permitting these companies to collect data that can be abused later.
But yes, if there has to be an end game, the end game IMO is for companies that are doing user tracking to fuck off and do something else.
> Good luck suing them, but what would be the end game? Ruin their business model?
Are you another American? We seem to keep having Americans who have this idea that the regulation is about lawsuits. I understand that in the US the law enforcement regime is so broken that you end up with "Sued for wrongful death" rather than "Prosecuted for murder" and "Sued for breach of constitutional rights" rather than "Prosecuted for rape" and so on ad infinitum, but everybody else with the rule of law didn't replace their courts with elected politicians and their cops with a violent gang so they still actually have criminal law.
The GDPR doesn't create a new civil tort or anything like that, its an EU regulation, disobeying is a crime so the relevant government agency could _prosecute_ if they can't get you to obey.
The European courts don't have to decide that Europeans have a "right to free content", only that this business model in which you track people without permission isn't legal.
Suppose I have a great idea for a business, I'm going to set up a stall, I'll sell bottles of Coca-Cola for 10¢ each. Obviously at this price I can't buy them wholesale, but no problem, per your agreement that I have "to make money" I will just take them from the bottling plant. Simple.
The court doesn't care about how I needed "to make money", they care that it's a crime to steal the bottles, and I'll go to jail. Oh my 10¢ Coke bottle stall doesn't work as a business if I have to pay wholesale costs instead of just taking the bottles? Well boo hoo.
Newspapers and magazines have sold advertising without individual reader targeting for years and it continues to be a viable business model. Individually tracking users is not necessary.
>Newspapers and magazines have sold advertising without individual reader targeting for years and it continues to be a viable business model
Newspapers and magazines charges a subscription. Are you suggesting we should now charge Europeans a subscriptions where we do not for others? I'm ok with that. Don't want tracking? Then give me your credit card and subscribe, or there's the door.
Plus, nearly all newspapers are in economic free fall, advertising was completely destroyed by the internet, and there are almost no newspapers which are in the "green" without having an internet product or being owned by a larger corporation.
> Then give me your credit card and subscribe, or there's the door.
I don't understand this type of thinking from some of the posters here on HN, as if GDPR is right now personally affecting you in a negative way. It's a very aggressive way of writing and I've seen a few posters comment in this way.
If you want an example of a company that does non-personalised advertising and is successful: DuckDuckGo.
How do you know I am not personally affected by freeloaders who wish to steal content from me and use laws as justification for their entitlement to free no-strings access to my work?
a) If you were, you would have mentioned it by now. Your name appears all over this thread, it's incredible how much GDPR has aggravated you.
b) If you are running a website and don't wish us 'thieving Europeans', then don't allows traffic from Europe.
This is the perplexing thing about your seemingly apoplectic rage on this topic. There are options available for these companies who still want to track people individually.
If you post content on the web without using a paywall, then people aren't "freeloading" or stealing your content. Just as I don't have to read every word on a website, nor do I have to view every add, run every piece of code, and let myself be tracked. Don't like that? Don't run a website/service without a paywall.
Newspapers and other sources of information ARE having a horrible time and it going to get worse.
BUT the solution to the revenue problem - aka advertising - is now a problem in its own right and driving the creation of content to keep itself going.
All of our major information problems trace back to 3 related things.
1) the makeup of our wetware
2) advertising as a way to subsidize/pay for content
3) the vicious cycle of increasingly louder techniques to grab audience attention, ranging from “sex sells”, partisan news, product placements, and invasive online ads.
Basically you can say that a company doing home deliveries needs your home address to do so, therefore that's a legitimate interest. But note the same company cannot use your address for sending marketing materials.
And publishers cannot claim to have a legitimate interest in tracking users, even if their revenue comes from serving ads and even if their performance improves by tracking. That is because you can serve ads and do optimizations without tracking users. Even if it is less effective, it's not legitimate.
And it's not that complicated, really. The question is, by providing the service, does the user expect you to use his data or not? In case of pizza delivery, the customer does expect you to use his address for delivering pizza, but at the same time the customer doesn't expect you to give his address to other companies or to use his address for sending marketing materials.
Is that a typo? Isn't GDPR the implementation of the right to be forgotten plus "left-the-fuck-alone after used your shitty site for 0.5 EUR to buy an emoji"? So you can request removal of all your personal information.
Yes, Amazon needs your delivery and billing address, but they don't need the delivery address after delivery. So you can request them to delete it pronto! And the billing stuff has to be kept for 5 years, and must be used for tax administration purposes only, no spam, etc.
"You" here is the Data Controller, not the Subject.
Under the GDPR Amazon can't say "Oh, we told our customers we collected email addresses to send them stuff about their delivery, but now we've decided to use those to seed our Orbital Weapons Robots. So we'll just update our T&Cs and done, right?"
If they decide now they want email addresses for the Orbital Weapons Robots they're going to have to collect from scratch. Too bad, ask first.
EU probably won't give a big shit about a tracking cookie, because you can delete that. But if Data Controllers won't perform proper delete/anonymization, then shit will find and maximize the action potential, even if there's a rotating blade in the way.
All of the "Oath" sites are using the same process that makes you go through multiple screens and manually deselect over 100 options. I'm hoping that investigations into them are opened very quickly.
They can block the EU entirely (after deleting all data they may have on EU subjects) or implement a compliant privacy policy. This is not. (if you click on the policy link, they will lie that it is in accordance with GDPR, but very clearly it is not).
> I'm sure somebody will try to claim it's "necessary" to their business to track people and sell everything they possibly can, and I expect European courts to decide that's laughable nonsense.
That's basically what CBSi are doing. They are claiming "Necessary Cookies are required for our sites, products, and services to function properly", where "necessary cookies" includes:
> Google Analytics / Adobe Analytics / comScore / Akamai / Nielsen / Evidon / Moat / Cedexis / Chartbeat / Index Tag Manager / Tealium Tag Manager / Google Ad Serving
These purposes do not need Consent. You don't need to Consent to a retailer knowing your credit card number when you use the card to buy something. You don't need to Consent to Amazon knowing your delivery address when you buy stuff.
Consent comes in when you and the Subject both want to enable processing that isn't necessary. For example, if I buy a book from Amazon, it makes sense that I'd get a confirmatory email saying I ordered the book, and they're agreeing to sell it to me, and another one saying the book has been shipped and will be with me in 2-4 days. Those feel pretty necessary. But why would I get email about how great Amazon's new Fire tablet is? Well, Amazon could try asking me for Consent to send that sort of crap to me.
The GDPR is clear that you can't insist on implied Consent, you can't have "By visiting this web page I consent" or "To stop receiving our marketing, just unselect the default-selected boxes in the marketing permissions sub-section of your user profile, this may take up to 400 years to take effect" or similar nonsense. It needs to be a clear informed choice to give you this extra permission.
Some of the specifics will get litigated. I'm sure somebody will try to claim it's "necessary" to their business to track people and sell everything they possibly can, and I expect European courts to decide that's laughable nonsense.