> we don't want to track individuals - we just want to measure if the ads we paid for led to sales
well. if your goal isn't tracking individuals, then why are you attaching unique ID's (in cookies) to track individuals on your website?
And I'm not talking about third-party cookies disguised as first-party.
logglytrackingsession (lifetime: session)
notion_experiment_device_id (lifetime: 1 year)
Both are unique to a specific user and are used to identify a single individual. The first one is short-lived, but obviously meant for tracking and the second one can be used for tracking, identifies a single individual and is long-lived.
Yes like the peer reply said that's Notion, not us. But good point, another thing to keep in mind if you try to use the "Share to the web" notion feature.
My real point is, if you use a service to provide your own service, you give them your blessing to do whatever they want with your brand. This includes facebook and their tracking scripts.
Thus we need to audit what our service providers are doing and limit their impact once we've completed the evaluation, making sure they don't alter the deal later.
Also tracking ad conversions is as simple as using a unique parameter per campaign, when buying the add. Just append `?campaign=facebook_campaign-name_202202` to your link and that's enough to measure the ads effectiveness. No need to attach unique ID's to users, sessions etc... Aggregates keep the users anonymous and give you enough actionable insight.
While I agree with the sentiment of your first point, in practice if each small business were expected to audit every one of their inputs, it would be hard to get any business done.
As for your second point, yes, that is precisely what I referred to in my original post - that we could deal with the end of IDFA / that we just want to make sure ads are effective - SKAN which provides aggregated statistics is mostly ok for us.
> in practice if each small business were expected to audit every one of their inputs, it would be hard to get any business done.
While I agree, that a full audit would be difficult for smaller operations, it took me 2-5 minutes to do a quick check on what is being stored client-side and to come to a logical conclusion if individual users are being tracked or not.
It's a decision, one that you can (probably) make. For me, in the EU, it's no longer a choice and I personally think regulation(GDPR) was needed because, without it, no one took user-privacy seriously.
> As for your second point, yes, that is precisely what I referred to in my original post - that we could deal with the end of IDFA / that we just want to make sure ads are effective - SKAN which provides aggregated statistics is mostly ok for us.
GDPR would also apply here. If there's an option to process less data and achieve a similar result, one should use that option and using a more invasive method(identifying individuals) for tracking would be illegal. It's called "the data minimisation principle"
Yes, agree, we wanted to try it out for this because we like it for work and it was quick to write up and publish and we thought it might be more flexible for writing up documentation, linking, etc. But we are not satisfied either: Very slow to load, formatting is fiddly and imperfect. We will have to use something else.
this is just the first step. If the consent string wasn't PII, all the other data tied to the consent string would not be PII as well, because this is the cookie that brings all the data together.
So now that we have confirmed that they do indeed process PII and use the consent string as the unique identifier that ties the whole profile together we can start doing what you want. Going after the companies that attach other datasets to the consent string.
Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply. Now we have a ruling, saying that this is not a valid excuse.
"Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply."
That is not correct. These companies use TCF because the GDPR applies. If it did not - they would not have to use it. The GDPR automatically applies as soon as cookies come into play - regardless of what is in the TCF string.
The main thing here is not that PII data comes into play but that the IAB is the controller. Until now the controller was/is the website that actually controls (and passes to 3rd parties) user data. That is why you have to agree to joint controller agreements if you want to integrate the TCF frameworks on larger web sites.
Some background in IPs: The ruling mentions the reason TCF is PII because it can be combined with IP addresses. No one challenges IP addresses as PII data anymore. There were many ruling that classify IPs as PII - specifically in Germany (even pre GDPR).
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Keep your consent requests separate from other terms and conditions.
Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Be clear and concise.
Make it easy for people to withdraw consent and tell them how.
Avoid making consent to processing a precondition of a service.
Personalized analytics and tracking roll-out (including on-prem) was pulled back ~2 years ago[0], they're on another try[1] currently with a heavy-handed hiding approach. Including small additions to release notes[1], short lived and hard to find feedback threads[2] etc...
Including deleting/hiding tickets that get posted on HN[3][4] and contain plans/info that users might take negatively/provide negative feedback on.
PS: full disclosure, I've been an active opponent of these changes, as they are illegal in the EU and make it impossible to self-host the service while protecting our users privacy.
yeah, it's going to happen and someone else will come and win everyone over by acting nicely.
It's a cycle and I can confidently say, working in a company that has used the same approach to win customers over, it's really hard to keep the honest culture going.
> There's a reason (many? most?) people are jerks. Being a jerk works.
Yes, but I would argue that it only takes a few sociopaths to ruin an entire community, by exploiting trust, and doing other things that most other people wouldn't dream of doing.
You're not wrong. That doesn't mean it's going to change, however.
Might I recommend perusing "Meditations on Moloch"? It will both depress you (since you seem like a decent person) and give you a framework for why and how these things happen.
Also prompt departure of their VP of compliance after her concerns about discriminatory practices where dismissed/ignored in the open discussion thread.
It's actually very dependent on the country and jurisdiction.
Some EU countries require that you offer a simple and effective option to opt-out when gathering the contact details. Depending on the content, that can be a required to be an opt-in toggle.
It's not enough to offer users a way to unsubscribe once you've already started spamming them, there should be a way to not have the first spammy newsletter/newsletter group.
Full disclosure, I have some rather strong feelings about telemetry on gitlab and the implementation process itself.
-----------------------
I originally posted a different issue labeled "Pseudonymization MVC Rollout Plan"[1] but that issue went private rather quickly after appearing here. Sadly it wasn't archived.
As a counter point to this. Facebook has (tried and mostly succeeded) to replace community forums that used to be either public or with open registration and without the negative effects of facebook.
Stuff that's running phpbb or other similar software.
the way it should be done is not just crossing it out. You also add the signatures of both sides to the redaction. One copy stays with you, the other with the employer.
In digital terms, it's easier just to amend the whole file.
Neither feeling is invalid.