GDPR and the Adtech Bubble ⇥ blogs.harvard.edu

In just two weeks, the E.U. can begin fining GDPR violators. This is a must-read essay by Doc Searls, touching on the law itself, consent, and adtech. There’s a lot in this piece that is quotable and brilliant, but I think this is a truly critical paragraph:

And that’s on top of the main problem: tracking people without their knowledge, approval or a court order is just flat-out wrong. The fact that it can be done is no excuse. Nor is the monstrous sum of money made by it.

In addition to GDPR, Apple’s anti-tracking feature in iOS 11 and MacOS High Sierra has also, apparently, caused great concern amongst adtech companies that rely upon users’ implied consent, as most browsers’ default preferences permit the setting of third-party cookies. In cases where they don’t — for example, in Safari — adtech companies actively try to subvert your preferences. For example, Criteo:

Criteo may use non-cookie technologies in limited cases where the by-default settings of your browser aim to prevent the use of cookies for cross-site personalization and only if you have unambiguously accepted our services after being asked to do so (and offered the possibility to refuse subsequently).

A reminder that Criteo’s idea of unambiguous consent has long been represented by a banner across the bottom of the screen that indicates that any further clicks on the webpage will be construed as consent, and that you can opt out in the future if you read the banner in full and managed to remember the name of the third-party company that is now tracking you across the site.

It’s obvious — but no less revealing about their suspension of morality — how adtech companies will take full advantage of browser defaults to imply consent, but will actively fight against browser defaults through nefarious behaviours when it impacts their business.

Searls’ next paragraph is key, too:

Without adtech, the EU’s GDPR (General Data Protection Regulation) would never have happened. But the GDPR did happen, and as a result websites all over the world are suddenly posting notices about their changed privacy policies, use of cookies, and opt-in choices for “relevant” or “interest-based” (translation: tracking-based) advertising. Email lists are doing the same kinds of things.

Understanding that the GDPR is the direct result of widespread bad behaviours is truly critical. I don’t think this will eliminate bad actors, but it will provide a framework for adequate consequences. If a company cannot bear the legal blowback from a failure of responsibility to adequately protect users’ information, they should not be collecting it in the first place.