EU ruling: tracking-based advertising [...] across Europe has no legal basis

228 points | mschuster91 | 9 months ago | iccl.ie

171 comments

[+] sensanaty|9 months ago|reply
IMO data should be radioactive for companies, especially if it approaches PII. Companies should be forced into thinking deeply about every single bit of data they collect from people, and they should be terrified of receiving data and be chomping at the bit to get rid of it ASAP.

To intercept the usual argument of "But my business can't exist without all this data!", to that I say "Good!". If your business can't exist without tracking every single iota of your customer's existence, then it truly shouldn't. I couldn't tell you the amount of times I've had to fight back against implementing yet another tracking tool at work, just to collect data that I know for a fact no one will look at after the first few weeks of the tool being there. The amount of times I've heard some stupid shit like "Well we don't need this data yet, but what if we need to have their mother's maiden name at some point in the future?!" is depressing, and I'm glad that we're starting to have legal channels to push back against such idiocy.

[+] aucisson_masque|9 months ago|reply
You have an issue with customer behavior so you set up tracking to understand it.

Keep it running for a few days, then check on it, but the tracking doesn't output meaningful data that you can exploit to solve your issue.

At this point, you search for alternative tracking but do you disable the old one? What's the benefit? Either it's free or costs very little, none of your customers know they are being tracked and in the eventuality it may become useful later on you keep it.

Repeat a few times and you end up with a bloated website that tracks where you were, are and will be. What you're watching, cursor position, scrolling, how long you spent watching that image or this one, have access to every technical detail about your device because it's required for fingerprinting, all while no one actually is exploiting the data.

It's junk yet you collect it because it's free.

If there was a meaningful reason to limit the number of tracking, like the law and fear of getting sued, then it would be a different story.

[+] apercu|9 months ago|reply
> IMO data should be radioactive for companies, especially if it approaches PII. Companies should be forced into thinking deeply about every single bit of data they collect from people, and they should be terrified of receiving data and be chomping at the bit to get rid of it ASAP.

100%. Unless a cooperative model (like most businesses should be run, but that's a different issue) exists in which I am compensated for you having my data. At that point all the time and friction I have to spend/deal with because all of you have my data is worth it. Right now all this friction in my life because you have my data and I'm dealing with your breaches is "paid" for by me, and that's lame.

[+] phh|9 months ago|reply
> IMO data should be radioactive for companies, especially if it approaches PII

It's pretty much the idea of GDPR. The wording of the GDPR is "You should make your systems private by design", which they explain as "Store PII only if you really have no choice"

In this case, the legal ruling means that even if they somehow fix their consent, they have to remove all the data they currently have! Also all their clients need to remove all the data. Having to tell your customers they have to remove all their data ought to completely kill their business.

That being said, it will likely not happen: It's not the first time they lose a ruling and I'm pretty sure no-one removed any data, despite being required to...

[+] neobrain|9 months ago|reply
> I couldn't tell you the amount of times I've had to fight back against implementing yet another tracking tool at work, just to collect data that I know for a fact no one will look at after the first few weeks of the tool being there.

I'm curious, how does such a conversation usually go? Is your main angle to point out how useless the data ultimately will be, or did you find a resonating way to point out the negative effects on users?

[+] StopDisinfo910|9 months ago|reply
I think the current situation is actually quite good. GDPR was well thought out.

You need to be clear about what you collect, get clear consent (and all the courts decisions on that are actually going in the direction that it really needs to be clear and specific) and give people the ability to have their own data modified.

Plus, enforcement makes a lot of sense. Companies get a lot of warning before things escalate and fines are proportional to companies' results so it hurts but is not a death sentence unless they repeatedly offend.

[+] BlueTemplar|9 months ago|reply
It gets slightly tricky seeing how the Internet works, since IP addresses can become PII depending on context.
[+] stogot|9 months ago|reply
What about the businesses that are required by law to keep data?
[+] motoxpro|9 months ago|reply
What you're advocating for has a few 2nd order effects.

1. Entrenches Google, Facebook, etc. because they are the only people that have enough money to comply with the regulation.

2. Makes the rest of the internet worse (e.g. people show MORE ads because they are less effective because they show me boats and I hate boats)

3. Makes data brokers even more important because companies can't get data anywhere else.

4. Reduces competition because the incumbents will always have more data than startups (Nike knows I wear a size X and the startup can't ever get that data)

Everything is a tradeoff. I, for one, would rather these regulatory agencies go after the 100,000s of data brokers that mine for SSNs, birth certificates, financial info, etc., rather than them going after Facebook, TikTok, etc.

Ads are here to stay, if you don't want ads, then ban ads, and with it most of the internet, but if people keep making terrible regulations like this that try to hurt big companies and get rid of ads and in reality, you just enable and feed these massive companies. Regulation makes them MORE valuable, not less. (see Meta stock price vs. Snap after ATT)

[+] imiric|9 months ago|reply
> IMO data should be radioactive for companies, especially if it approaches PII.

That's an idealistic, but highly unrealistic, thought.

As long as a market exists that can profit from exploiting PII, and is so large that it can support other industries, data will never be radioactive. The only way to make it so is with regulation, either to force companies to adopt fair business models, or by _heavily_ regulating the source of the problem—the advertising industry. Since the advertising industry has its tentacles deeply embedded everywhere, regulating it is much more difficult than regulating companies that depend on it.

So this is a good step by the EU, and even though it's still too conservative IMO, I'm glad that there are governments that still want to protect their citizens from the insane overreach by Big Tech.

[+] miki123211|9 months ago|reply
As a customer, I want the ability to choose the way in which I pay a business I interact with, with the consent of that business of course.

Europe gives me less control of my personal data than the US would. I am no longer allowed to decide that I'd rather choose services that take payment in data instead of services that take payment in Euros.

I think people who disagree with this perspective should be accommodated. It's a valid objection and technology inherently favors monopolies, so you can't really have the Facebook equivalent of a vegan restaurant or gay club. I'm not against forcing (large) tech companies to offer tracking-free plans at reasonable prices for those for whom this is the right tradeoff.

What Europe is doing is just plain stupid, though, and it will be felt most by those who can least afford it.

[+] JumpCrisscross|9 months ago|reply
> data should be radioactive for companies, especially if it approaches PII

Cute theory. Fails in practice. Especially with LLMs on the horizon, this would be tantamount to unilateral nuclear disarmament. (Practically, it fails in that we haven't quantified the cost of breaches commensurate with what those of us who are security minded estimate it to be.)

I have advocated for privacy issues for a short while. "Data is radioactive" is the "defund the police" of our movement.

[+] jqpabc123|9 months ago|reply
"Personalized" advertising isn't good for anyone except the ad networks.

It isn't good for consumers whose privacy is being violated as they are being annoyed with unwanted, irrelevant ads and they get charged higher prices due to the cost of the advertising.

It isn't good for companies buying the ads by participating in sham "auctions" with no real insight into or control over the process. They are literally begging to be ripped off.

It doesn't have to be this way. "Context sensitive" advertising is more privacy respecting, easier to implement and monitor and can be more cost effective.

Example: The fact that I recently shopped for and bought a car is no reason to show me auto ads on a web site devoted to pet supplies. There is a logical disconnect here because context is ignored in favor of "personalization".

Those paying for these dumb "personalized" ads are wasting their money and my time and bandwidth because I already made a purchase. I'm not making another one any time soon.

By the way, this doesn't really happen to me any more because I now block these "personalized" ad networks. And you should too --- it's the only logical recourse to this stupidity.

[+] morjom|9 months ago|reply
Interesting that ICCL didn't link the actual press release.

Press release from Belgian Data Protection Authority:

https://www.dataprotectionauthority.be/citizen/the-market-co...

IAB response post:

https://iabeurope.eu/belgian-market-court-confirms-limited-r...

[+] morjom|9 months ago|reply
They have included multiple new references since the time of this comment.
[+] troupo|9 months ago|reply
lol at IAB's choice of headline: "Belgian Market Court Confirms Limited Role of IAB Europe In The TCF"

IAB was on the hook for the dreadful cookie "consent" popups that ruined the web (no, it wasn't GDPR that ruined it, it was a very deliberate action by "industry groups" like IAB).

The only reason the Market Court annulled the previous decision was on procedural grounds, while agreeing that IAB is responsible, and keeping the 250 000 EUR fine in place.

Too bad. I wish Market Court would've burned IAB to the ground, salted the earth and scattered the ashes.

[+] lucianbr|9 months ago|reply
> It applies immediately across Europe.

Does anyone know what the consequences are? I have no idea exactly what it is that applies immediately.

I would guess that starting today Google and others should stop advertising as they currently do it, it being illegal. I doubt it's that simple, and even if it was, I am sure they will not simply stop. So what happens now?

[+] jeroenhd|9 months ago|reply
Tracking has no legal basis, but it's still permitted with consent. The problem with IAB Europe (and other similar ad providers, as well as IAB's customers) is that IAB Europe didn't obtain consent; it tried to hide its tracking by using supposedly non-personal identifiers, which wouldn't necessitate consent, but the court ruled that these identifiers were actually PII. IAB also tried to weasel its way out of its responsibilities, but preventing that seems to have failed.

As a result, data collected through IAB about European customers was collected unlawfully, and third parties must delete that data. IAB also can't smuggle consent like this anymore, and needs to pay a fine that was handed down a few years ago.

The legal publication can be found here (translated into various languages, though I believe the original may have been Dutch or French as it was the Belgian DPA that started the suit): https://curia.europa.eu/juris/documents.jsf?num=C-604/22 and here https://www.dataprotectionauthority.be/the-market-court-rule...

I very much doubt ad companies will actually delete the illegally obtained data, but for IAB and other companies in the cyberstalking industry this can be a problem, because they need to actually comply with the law.

[+] juliangmp|9 months ago|reply
>I am sure they will not simply stop. So what happens now?

I guess they'll either try to fight it in court somehow or find a loophole to abuse. Or yknow... just ignore the ruling as long as possible.

[+] iamacyborg|9 months ago|reply
I don’t think this is a thing Google has to stop so much as people who implement these ads and TCF on their websites.
[+] Kim_Bruning|9 months ago|reply
For a split second I hoped that this ruling would be the end of the IAB consent popups.

What more would be needed? Does the GDPR need to be amended?

[+] craftedid|9 months ago|reply
Totally agree. The current ad model feels extractive on all sides. Context-based targeting feels like a more honest middle ground that doesn’t require spying on users.
[+] mrweasel|9 months ago|reply
The "problem" is that oh so many sites have no context. They exist solely to host ads, the content on their pages provides no actual value and is rehashed press releases, direct copies of reporting from Reuters, top ten lists written by interns or AI junk.

If this works it will be good for everyone, the main issue with today's internet is the perverse incentives to get views or "engagement" so you can sell ad space. The ads are the goal, not the message.

[+] mdhb|9 months ago|reply
I was quite glad to see this quote in there:

> Dr Johnny Ryan said "Today's court's decision shows that the consent system used by Google, Amazon, X, Microsoft, deceives hundreds of millions of Europeans. The tech industry has sought to hide its vast data breach behind sham consent popups. Tech companies turned the GDPR into a daily nuisance rather than a shield for people."

I feel this so often gets lost in the conversation where a huge amount of people in communities like this one will loudly point out how annoying consent banners are but never give any thought as to why so many websites feel that just because you want to read a single article on their website that they are now entitled to sell your information often to hundreds and even thousands of different data brokers and that this is now so normalised that it’s almost every bit of content I consume now.

The original purpose of the GDPR was clearly to try and put an end to this kind of thing while still leaving cutouts for legitimate purposes with informed consent.

I’m so glad to see them come at this from a new angle entirely now to just firmly say that this surveillance capitalism bullshit is illegal and you can’t cookie banner your way out of it as some kind of legal protection.

Good, that makes me extremely happy as an EU resident and I wholeheartedly support whatever steps you need to take in order to enforce this. There’s no reason at this point to continue playing nice with US spyware companies masquerading as “data brokers”, let them deal with the mess they made but we don’t need it here.

[+] brador|9 months ago|reply
Corporations should pay $0.01 per data point stored, per day, to that citizen's country.

For once, a corporation's actions will then disproportionately affect the rich, since they will be the only ones worth holding data points on. Those best able to financially and legally enforce the rule.

A clean win win.

[+] caseyy|9 months ago|reply
As I always say, you can’t outlaw being an asshole. But I am curious about what sort of assholery we will see next. Maybe all tracking will become “legitimate interest” (I’m kidding, please don’t actually entrench that garbage any more than it already is).
[+] vv_|9 months ago|reply
It would be nice to have an opt-in platform where you could select products that you'd like to see ads for. For example, you're looking for a TV or automobile and you want to see deals related to those products.
[+] figassis|9 months ago|reply
Would not work, you’d end up with hundreds of such platforms (because why not, free market) and some would even exist for the sole purpose of inferring your consent from multiple other platforms (that would sell access) and it would then become so opaque that you would have no way of actually confirming which choices you made.

I understood as a SWE that the perfect solutions we often conjure never work as expected in the real world because we do not understand basic human nature and also how society as it exists today works, including many many perverse incentives.

[+] ddxv|9 months ago|reply
I've been working on open source mobile app tracking for advertisers to use (an MMP specifically). Would love to connect with anyone in this thread to discuss it.

Specifically, is tracking inside of a single app/property acceptable?

So much mobile tracking is added due to a lack of real HTTPS links (in mobile called deferred deep links). To just know whether a user from link X did or did not open the app.

Happy to chat with people opposed or pro, feel free to reach out for a longer discussion.

https://openattribution.dev

[+] caseyy|9 months ago|reply
250k euros for an association of 600+ advertising agencies (IAB) is an exceedingly cheap cost of doing business.
[+] crote|9 months ago|reply
Keep in mind that the fines are intended to be progressive. If they don't quit their current practices now that it is clear how the law should be interpreted, the next fine will be substantially larger.
[+] jillesvangurp|9 months ago|reply
What do you think happens if they are caught again? By then the precedent has been set. Easy decision. Fine them again. And obviously the previous fine didn't work so increase it. Courts have no patience for repeat offenders.

Also, it sends a signal to wannabe competitors to this company that there are laws and there are consequences for breaking those.

And of course given that these companies have money, there are going to be lawyers paying attention to see if they can get at that money in some way. Germany is almost as bad on that front as California. Lots of enterprising lawyers here. So, one successful court case can trigger many more once the precedent is set.

[+] jeroenhd|9 months ago|reply
The fine is nothing, but their core selling point (selling ads without bothering to ask for consent) has been exposed and ruled illegal. The implication is also that data collected for years by those 600+ advertising agencies has been collected illegally, though I doubt deletion of that data will be enforced without a second suit.
[+] geremiiah|9 months ago|reply
What's the likely outcome of this? I cannot see Google et al. giving up their surveillance apparatus. Instead I suspect we will end up with more extensive consent forms, which will end up making the surrendering of privacy from the user even more explicit.

I hope I'm wrong, but I cannot see a more plausible outcome.

[+] mschuster91|9 months ago|reply
Sorry for the mangled and editorialized title, I had to remove the company lists to stay in HN's length limit.
[+] sam_lowry_|9 months ago|reply
> the Market Court annulled the BE DPA's decision 21/2022 on procedural grounds.

It's a win for advertisers. The court says, the logic holds, but the advertisers will not be fined and will not have to follow the 21/2022 decision.

[+] mschuster91|9 months ago|reply
> The court says, the logic holds, but the advertisers will not be fined.

That's common in European jurisdiction. We tend to operate on a "first strike is free" principle, especially in contested / purposefully left unclear legal environments. Only when the case law is clear, it can be shown that a law was intentionally exploited or broken or it's a repeat offender, then we bring the hammer down.

[+] yorwba|9 months ago|reply
"Although decision 21/2022 is annulled for procedural reasons, the Market Court endorses the reasoning of the Belgian DPA and confirms the fine of 250,000 euros imposed. However, the Court rejects the BE DPA's conclusion that IAB Europe acts as (joint) data controller for the processing operations that take place entirely within the OpenRTB protocol." https://www.dataprotectionauthority.be/citizen/the-market-co...

It's not a pure win.

[+] senko|9 months ago|reply
I hate tracking with a passion. I browse internet in incognito mode with ublock origin.

That said, I don't understand how TC String can be considered PII.

I haven't been following this case so probably miss a lot of context, but my understanding is that the TC String encodes user's preferences for which advertisers to share your info with. For example, I visit example.com and deselect everything. This information then gets passed around so that advertisers know I don't want their advertising.

Isn't that kind of the point? I want them to know I don't want them. I'd rather set that up once and then not do it again for every site under the sun. Is the issue here that you can somehow be identified based on your tracking preferences alone?

The ruling here is confirmation of an earlier ruling where TC String was considered personal data. As an effect, the organization coordinating all this tracking (IAB) is considered data processor.

Is the ruling just a technicality (the fine is pretty low) because IAB isn't listed in data processor lists for all the sites I visit, or is there a deeper consequence arising from the ruling?

[+] buzer|9 months ago|reply
> That said, I don't understand how TC String can be considered PII.

IANAL (or even Belgian).

There wasn't a direct ruling on whether TC strings themselves were PII. They were personal data that can be linked to an individual since CMP will get both the IP address and the TC string.

As for IAB being (joint) data controller, the reason (sections 68 to 80) given for that is that they determine purpose and means of processing. They might not hold any data, but they set the rules for the framework.
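
The TC String discussed in the two comments above is a base64url-encoded bit field. As an added example (not code from any commenter or from IAB), the Python below decodes the fixed header of its core segment, assuming the field order and widths of the public IAB TCF v2 specification; the sample strings are constructed and stop after that header.

```python
import base64
from datetime import datetime, timezone

# Header of the TC String core segment as (field, bit width), in wire order,
# following the public IAB TCF v2 specification (assumed here, not on the page).
CORE_FIELDS = [
    ("version", 6), ("created_ds", 36), ("last_updated_ds", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
]
HEADER_BITS = sum(width for _, width in CORE_FIELDS)  # 200 bits = 25 bytes


def encode_core(values):
    """Pack field values into a base64url core segment (used to build samples)."""
    bits = ""
    for name, width in CORE_FIELDS:
        value = values.get(name, 0)
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
        bits += format(value, f"0{width}b")
    raw = int(bits, 2).to_bytes(HEADER_BITS // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_core(tc_string):
    """Decode the fixed header fields of a TC String's core segment."""
    core = tc_string.split(".")[0]  # optional segments follow after dots
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(format(byte, "08b") for byte in raw)
    if len(bits) < HEADER_BITS:
        raise ValueError("core segment shorter than the fixed header")
    fields, pos = {}, 0
    for name, width in CORE_FIELDS:
        fields[name] = int(bits[pos:pos + width], 2)
        pos += width
    lang = fields["consent_language"]  # two 6-bit letters, A = 0
    fields["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    # Leftmost bit of the 24-bit field is purpose 1.
    fields["purposes_consented"] = [
        p for p in range(1, 25) if fields["purposes_consent"] >> (24 - p) & 1
    ]
    # Timestamps are stored in deciseconds since the Unix epoch.
    fields["created_utc"] = datetime.fromtimestamp(
        fields["created_ds"] / 10, tz=timezone.utc
    )
    return fields


# Constructed samples: every number below is made up for illustration.
BASE = {"version": 2, "created_ds": 17_000_000_000,
        "last_updated_ds": 17_000_000_000, "cmp_id": 10, "cmp_version": 1,
        "consent_language": (4 << 6) | 13,  # "EN"
        "vendor_list_version": 100, "tcf_policy_version": 4}
REJECT_ALL = encode_core(BASE)
PURPOSES_1_AND_3 = encode_core({**BASE, "purposes_consent": (1 << 23) | (1 << 21)})

if __name__ == "__main__":
    for sample in (REJECT_ALL, PURPOSES_1_AND_3):
        decoded = decode_core(sample)
        print(sample, decoded["created_utc"].isoformat(),
              decoded["cmp_id"], decoded["purposes_consented"])
```

Besides the purpose bits, the decoded header carries creation and update timestamps and the CMP's id and version, even when every purpose is declined.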

[+] IvanK_net|9 months ago|reply
I think that 70% of web users believe that each website that they open can see their real name, their address, their phone number, the files on their computer, their browsing history and a lot more, and they believe that the GDPR laws are the only attempt to prevent websites from misusing (e.g. selling) all their private data.
[+] amarcheschi|9 months ago|reply
Here's an interesting read from noyb that tells the tale of how scummy Xandr, the Microsoft advertising network, is.

https://noyb.eu/en/microsofts-xandr-grants-gdpr-rights-rate-...

I've tried to do the same steps in the past and eventually, the xandr pages linked there were removed - now being in Microsoft something page - and being even harder to contact (even if it's still possible to fill a form asking for your data when you get there. I received the same answer as noyb)

[+] debuggerson|9 months ago|reply
The ruling today shows how consent pop-ups used by tech giants like Google and Amazon have been misleading Europeans, turning GDPR into a nuisance rather than a protection. With real-time bidding and tracking cookies at the heart of online ads, it’s clear that the entire system needs a serious overhaul. But how will this ruling change the game for advertisers? Will they actually be forced to respect privacy, or will we just see more ways to sidestep the rules?
[+] iamacyborg|9 months ago|reply
Advertisers are not at fault here, publishers and ad networks are.
[+] seydor|9 months ago|reply
Translation: Ad-supported revenue, which is most Tech revenue, is not allowed in Europe -> Tech will never be allowed to grow in Europe