There’s a lot to unpack here.
First, European Union law like the GDPR works in the form that they cannot directly make laws for every European member, but each European nation has to transform the European law into national law. So the implementation of the Irish GDPR is different from the German GDPR, and while the general idea behind a European law must be abided by the nations, each one has their own peculiarities. The German GDPR law is called the DSGVO and since I’m from Germany, I’m most knowledgeable there. So some of my comments might be wrong under GDPR, but completely valid for the DSGVO.
Under GDPR, every time a service (in this context the homepage) is requesting or using data sent from the client (the browser), the service owner has to have written down and abide by a set of privacy rules, which govern
what data falls under this set of rules,
how long the data is being processed and stored,
(if used without consent) if it has a legitimate purpose to use the data for this purpose, and
that they thought about and excluded a less privacy-invasive way of processing the data
All of these have been more or less required before as well, but with the GDPR, the service is also responsible for each and every 3rd party data processor they use (e.g. doubleclick as an ad provider). So if they send data over to a 3rd party, and they mishandle the data or use it for a different purpose than originally stated, the original service is now responsible—with hefty fines attached.
Having said that—let’s get back to your points.
Are services allowed to use data for personalization of content (specifically ads) without consent?
Yes and no—Direct Marketing is a legitimate interest according to the GDPR, so you would not need to have consent. But: Is there a less privacy-invasive way of processing the data? Yes there is, not serving personalized ads, but only according to the (unpersonalized) content of the page. And, there’s the right to object to direct marketing, so this has to be taken care of somehow as well.
This is what Der Spiegel and other news websites have been basing their modus operandi on: Give the user the choice to either consent to personalized ads, or to pay for not seeing ads.
Are services allowed to use data for security purposes (specifically fraud detection)?
Yes, they are. They can collect and use pretty much every bit of data they can generate and get from the browser. There is no less privacy-invasive way, because it’s an everlasting race between fraudsters and counter-measures.
But: The data must be used for this purpose only. They must not be used for ads, personalization, login, marketing, whatsoever—or they risk a hefty fine. When Facebook used the 2 factor authorization phone number to send out ads, they were violating the GDPR and will hopefully get a hefty fine for it.
Can websites finance themselves without personalized ads?
Most likely. Non-targeted ads only reduce their effectiveness by around 4% in contrast to targeted / personalized ads—which makes sense, since if e.g. a user is reading an article on topic X, they are already interested in the topic. So an ad for people interested in topic X is already very likely to be effective.
(as said before: websites are still allowed to use any data for security purposes like fraud detection.)
Why are big companies like Microsoft being sued for data usage for fraud detection anyway?
Because they are trying to push the boundaries and how far they can go again, and the courts (and politicians) are using the GDPR to punish them for it.
Most big companies still have no clue what data is being requested, stored for what purpose, distributed to whom, etc. - which was one of the reasons the GDPR initiative was started in the first place.
Example Microsoft: after a brief period of being privacy-concerned, Windows 10 is much more “androidized” in terms of spying on the user, pushing bloatware and ads, installing invasive features without consent, and trying to trick the user into giving consent for more data. It’s e.g. not possible to simply say “I don’t want to create a Microsoft account” (which would enable Microsoft to track the user better) - only “I don’t want to create a Microsoft account at the moment (we’ll ask you again in two weeks)”.
I predict that the previous rulings will be thrown out at the upper courts and that no smaller websites (even if they are Der Spiegel) would be sued for using data for fraud detection—assuming that they are not using the data for other purposes.
Are other means of financing websites possible?
Sometimes, yes—main question is the availability of competition (scarcity) and the relation a company has to their users. Spotify, Amazon Music Unlimited, Apple Music, etc. all have no problem of raising money from users through a subscription model, because a lot of music is simply not available for free without a payment option. Even free “user-content” on sites like YouTube, where a lot of music is uploaded illegally from users, the content-id system is effective (if an artist or their publisher don’t want their music to be available there).
Other services like Patreon, SubscribeStar, Substack, Locals, etc. show that people are willing to pay creators just for the content they create. This only seems to work sufficiently well for parasocial relationships—most bigger YouTube creators are effectively businesses with dozens of freelancers or employees, but focusing everything on one person for the parasocial relationship.
Conclusion
Ads can be GDPR-compliant, don’t have to be personalized and their fraud detection is a separate legitimate interest.
The “don’t have to be personalized” part of your argument rests on the “4% less revenue” statistic from Marotta et al. (2019), but that seems to be a very bad source. Here’s Garrett Johnson’s literature review slide: https://twitter.com/garjoh_canuck/status/1318989360407236609.
Of the six studies, five (from academia, industry, and government sources) come to the conclusion that removing personalization would cost websites somewhere between 50% and 70% of their revenue, and one concludes 4%. Moreover, the Marotta paper rests on subtle statistical methods aimed at the problem “We have a lot of observational data but we can’t run an A/B experiment, so let’s (use augmented inverse probability weighting to) figure out what would happen if running the direct experiment were possible.” That’s a hard but admirable goal. But in the Google paper they actually did run exactly that A/B experiment, the very same one that Marotta et al. were trying to predict, and they got 52% rev loss instead.
There are good reasons to be skeptical of the 50%-70% range — in particular those measurements are all happening in an environment where personalized advertising channels still exist, so they don’t get at global equilibrium after the forced behavior changes that would come from personalization going away across the board. From observing what happened to ad prices on iOS in recent years, I’d say it seems very plausible that the stable outcome would be more like 40% instead of 50%-70%.
Motivation & Disclaimer: I’m https://mathstodon.xyz/@Log3overLog2, and I work at Google on the Chrome & Android effort to move to a much more private way to do ads personalization. So I’m deeply vested in this question.
But the 4% number is quite unsupportable given the data at hand. And telling most websites in the EU that they will lose ~half of their revenue is not an appealing prospect.
Good points, I’ll look into the other studies at another time. I remember a German newspaper actually switching completely to non-targeted ads after their own experiment, but can’t find the source anymore. I’ll comment it here if I find it again.
Thanks especially for your transparency on your Motivation and Disclaimer.