
IANAL, but why would it be illegal? Isn’t that like saying a company can’t charge you for a product if you don’t want to pay for it? TechCrunch chooses tracking as its fee for reading its content. The law simply states that they must notify you of said tracking. It’s not a public service, and the content is generally pretty crap anyway.



Because under GDPR services cannot be conditional on giving unneeded personal information. How well this is enforced is a different matter.


Tracking and advertising cookies are hardly personal information as defined by GDPR, which has a very specific and well-defined meaning - name, phone numbers, addresses, government-issued IDs.


GDPR explicitly considers ANY information which identifies you — even pseudonymously generated identifiers, or IPs, or similar stuff — as PII.


This is blatantly not true.

> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

If the tracking ID cannot be correlated to a name, identification number, precise location data (not country level), then it's not PII as far as the law is concerned. The criterion is clear: "relating to an identified or identifiable natural person". There is no way that simply a session ID stored in a cookie can be traced to an identity IRL.

I feel that I know what I'm talking about as I designed and implemented a customer authentication system for a medium-sized company that is based in the EU, needs to respect GDPR, and I worked closely with their lawyers and operations to make sure we are fully GDPR compliant, and we passed the relevant audits.


The word "indirectly" in "who can be identified, directly or indirectly" seems like it opens everything up. A session ID isn't directly PII, but it can be linked to a user account and from there someone's name, address, etc.


> can be linked to a user account

Which is still not PII. More importantly, 3rd party advertising cookies CANNOT be linked to a user account if you don't have code that stores them in your environment. CAN has a very limited meaning, whereas it requires all the preconditions to be true (i.e. I'm storing both 3rd party cookie ID, AND session ID, AND the tables have a correlation), it does not mean "COULD if more code was written".

> and from there someone's name, address

Only if you ask for AND store those. If you're asking, for example, for a real name and address for an e-commerce transaction, and you're passing them to the card processor, and not saving them anywhere, not even in logs, then you're not storing PII, and you CANNOT link tracking cookies and session ID to data.

Don't get me wrong, I'm still using Firefox containers, and uBlock Origin, and pi-hole, so I totally don't like to get tracked, even if anonymous. But the tendency on HN to label anything that could be used to track a user as PII is actually damaging, because it creates false expectations about how the law actually works and how much somebody is protected.


The law says that you must give free consent. Saying "we'll track you or else... (go away / pay up)" is arguably not free.

It doesn't really matter though because literally nobody is enforcing this part of the GDPR.


It’s enforced for the public sector. Which is frankly great in my opinion. Our communication departments have always been the black sheep of privacy.

Between us, I’m not sure why they are so addicted to various tracking that tells them that absolutely no one clicked on 90% of their content, but they are, and they lack the technical ability to do it themselves without relying on frameworks that steal privacy information.


I believe people have gotten pretty good about auto accepting anything, in no small part due to the 'hey, just wanted to let you know we use cookies, like every other website on the planet!'.

But if people really did overwhelmingly say no, I just see no way for most of the internet to exist. You get overwhelmingly less per click/impression for 'dumb ads,' and news sites have already had to resort to click bait today. It'd pretty much guarantee anything not owned by one of the top 10 would be paywalled in some way.


Sites that rely on tracking to generate targeted ads might not exist. There are still plenty of sites that don't depend on ads, or get sufficient context without tracking. E.g. a car enthusiast forum doesn't exactly need tracking to know it should show car adverts.


I think the internet would stay much the same as it is now. Companies would simply be breaking the law. As a side effect, I think they'd be more willing to do other illegal things too, such as straight up selling your data. They're already breaking the law after all.


... yet.



