
Aside: This was the first time I've tried to read a TechCrunch article in Austria (or the EU in general). The splash screen implies I must consent to tracking cookies or I can't view their content. Is that not illegal?



Austria says it's legal. The UK says it's not.

https://www.lexology.com/library/detail.aspx?g=1cad75f1-5fe1...

Edit: On second thought, I'm not sure if the cases are sufficiently similar as Der Standard offers a subscription free of tracking and advertising as an alternative for those who reject cookies. I'm not sure if buying a TechCrunch subscription means they will stop tracking you.


There is this add-on for Firefox that allows you to toggle js on and off and remembers your setting per domain https://addons.mozilla.org/en-US/android/addon/disable-javas...

It improves the user experience by a lot on TechCrunch, Medium and a bunch of other news sites.


TechCrunch breaks navigation for me on iOS/Chrome. Can't go back without long-pressing back and choosing the referring page from history. Gonna check that plugin. Thanks.


Can’t you do this with just uBlock origin?


Yes, you can do that with uBlock, the <\> icon blocks javascript, very handy.


Ah, didn't know that, thanks!


Also, they immediately set a cookie "GCUS" with some hash-id as value, before redirecting to the consent domain. So even if you don't accept they already set a cookie!


Cookie AutoDelete.


IANAL, but why would it be illegal? Isn’t that like saying a company can’t charge you for a product if you don’t want to pay for it? TechCrunch chooses tracking as its fee for reading its content. The law simply states that they must notify you of said tracking. It’s not a public service, and the content is generally pretty crap anyway.


Because under GDPR services cannot be conditional on giving unneeded personal information. How well this is enforced is a different matter.


Tracking and advertising cookies are hardly personal information as defined by GDPR, which has a very specific and well defined meaning - name, phone numbers, addresses, government-issued IDs.


GDPR explicitly considers ANY information which identifies you — even pseudonymously generated identifiers, or IPs, or similar stuff — as PII.


This is blatantly not true.

> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

If the tracking id cannot be correlated to a name, identification number, precise location data (not country level), then it's not PII as far as the law is concerned. The criterion is clear: "relating to an identified or identifiable natural person". There is no way that simply a session ID stored in a cookie can be traced to an identity IRL.

I feel that I know what I'm talking about as I designed and implemented a customer authentication system for a medium-sized company that is based in the EU, needs to respect GDPR, and I worked closely with their lawyers and operations to make sure we are fully GDPR compliant, and we passed the relevant audits.


The word indirectly in "who can be identified, directly or indirectly" seems like it opens everything up. A session ID isn't directly PII, but it can be linked to a user account and from there someone's name, address, etc.


> can be linked to a user account

Which is still not PII. More importantly, 3rd party advertising cookies CANNOT be linked to a user account if you don't have code that stores them in your environment. CAN has a very limited meaning, whereas it requires all the preconditions to be true (i.e. I'm storing both 3rd party cookie ID, AND session ID, AND the tables have a correlation), it does not mean "COULD if more code was written".

> and from there someone's name, address

Only if you ask for AND store those. If you're asking for example for a real name and address for an e-commerce transaction, and you're passing them to the card processor, and not saving them anywhere, not even in logs, then you're not storing PII, and you CANNOT link tracking cookies and session ID to data.

Don't get me wrong, I'm still using Firefox containers, and uBlock Origin, and pi-hole, so I totally don't like to get tracked, even if anonymous. But the tendency on HN to label anything that could be used to track a user as PII is actually damaging, because it creates false expectations about how the law actually works and how much somebody is protected.


The law says that you must give free consent. Saying "we'll track you or else... (go away / pay up)" is arguably not free.

It doesn't really matter though because literally nobody is enforcing this part of the GDPR.


It’s enforced for the public sector. Which is frankly great in my opinion. Our communication departments have always been the black sheep of privacy.

Between us, I’m not sure why they are so addicted to various tracking that tells them that absolutely no one clicked on 90% of their content, but they are, and they lack the technical ability to do it themselves without relying on frameworks that steal privacy information.


I believe people have gotten pretty good about auto accepting anything, in no small part due to the 'hey, just wanted to let you know we use cookies, like every other website on the planet!'.

But if people really did overwhelmingly say no, I just see no way for most of the internet to exist. You get overwhelmingly less per click/impression for 'dumb ads,' and news sites have already had to resort to click bait today. It'd pretty much guarantee anything not owned by one of the top 10 would be paywalled in some way.


Sites that rely on tracking to generate targeted ads might not exist. There are still plenty of sites that don't depend on ads, or get sufficient context without tracking. E.g. a car enthusiast forum doesn't exactly need tracking to know it should show car adverts.


I think the internet would stay much the same as it is now. Companies would simply be breaking the law. As a side effect, I think they'd be more willing to do other illegal things too, such as straight up selling your data. They're already breaking the law after all.


... yet.


For me it redirects to a page from https://guce.advertising.com, telling me my browser is out of date and that I have to go to browsehappy.com to get a new one...


uMatrix blocked me from viewing guce.advertising.com

I disabled uMatrix in a Private tab but my pihole blocked advertising.com too.

I nearly gave up thinking "I don't need to see TechCrunch, their loss" but then I remembered the wayback machine:

https://web.archive.org/web/20200206070011/https://techcrunc...

The article loads but after a few seconds it auto forwards to a page that doesn't exist on the TechCrunch site. I get about 3 seconds to read it.


You're right. Disable javascript on [*.]archive.org, and you can read techcrunch just fine. Arguably, better :D

TL;DR: Google cloud revenue includes SaaS offerings (docs, gmail etc), in addition to the infrastructure part. They may make roughly 2.5bln per quarter now, but it's still small compared to Microsoft (12.5bln per quarter, includes Azure + Office/outlook) or Amazon (10bln per quarter, AWS only). What is impressive is the growth of the business unit - more than 50% in the last year (they do have to keep it up at the same rate for 4 more years to catch up to competitors though).


> I get about 3 seconds to read it.

This trick apparently still works: after the page loads and before it disappears, hit ESC. Instant-freeze and you can read the article! :)


blokada didn't even let me go there, thanks for telling what I'm 'missin'


This is a more complicated question than it seems!

Cookie banners are not directly related to the GDPR, but to the ePrivacy Directive, which, not being a Regulation, is subject to variation in national law transcription. So the answer may vary depending on your country!

Still, in an effort to have a uniform position on the question, DPAs (data protection agencies) are working at the EDPB (the European Data Protection Board, a sort of council of DPAs) to have a common position.

One of the currently shared positions is that a cookie wall impedes the "free" part of the consent, since you have to support a negative consequence.

In a communication regarding the (future?) ePrivacy regulation, the EDPB clearly stated that:

"In order for consent to be freely given as required by the GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited." [1]

If I remember correctly the Austrian DPA is not in favor of a cookie wall ban though..

From memory, not legal advice!

EDIT: try to make the explanation clearer!

[1]: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_sta...


Yes.



Per GDPR it is not, you can't be banned from something if you do not give your consent. But nobody cares, if you have smart lawyers they can argue that those consents are essential for a given page to work and everything is compliant... The same with being opted out from consents by default. Nobody cares too - to opt out you typically need to click through a maze of screens searching for small print links that let you say no. That's also against GDPR, BTW.

For now GDPR seems like one more toothless EU regulation. Maybe they manage to catch some big US company and make them pay a few millions just to make a big show and justify the existence of GDPR. Maybe they will catch some poor guy who maintains a forum for some hobby group and does not provide "right to be forgotten" functionality (that's why effectively all independent forums are going away in favor of Facebook - good job, EU). But I doubt GDPR will manage to give people more privacy.

I hope that people themselves will figure out what's going on and start fighting back (by using browser plugins, stubbornly reporting misbehaving sites, trying to engage authorities to enforce GDPR, etc.). If yes, maybe GDPR will turn out to be something valuable, for now, it is not.


It's almost certainly illegal but the GDPR is not 100% clear about it and it has literally never been enforced, so most sites are happy to do this because they have plausible deniability and safety in numbers.


My understanding is that if you depend on the cookies (which is the case for an ad-driven site) it can be legal, but I'm not a lawyer.


No, the cookies are only required if the implementation of the site requires it. Not if funding depends on it.



