You may not have heard of the “Transparency & Consent Framework”, but you’ve most likely interacted with it, probably on a daily basis. The TCF is used by 80% of the internet to obtain “consent” from users to collect their data and share it among advertisers – you know, the cookie popups. In a landmark EU ruling yesterday, the TCF has been declared to violate the GDPR, making it illegal.
For seven years, the tracking industry has used the TCF as a legal cover for Real-Time Bidding (RTB), the vast advertising auction system that operates behind the scenes on websites and apps. RTB tracks what Internet users look at and where they go in the real world. It then continuously broadcasts this data to a host of companies, enabling them to keep dossiers on every Internet user. Because there is no security in the RTB system it is impossible to know what then happens to the data. As a result, it is also impossible to provide the necessary information that must accompany a consent request.
↫ Irish Council for Civil Liberties
It’s no secret that cookie consent popups do not actually comply with the GDPR, and that they are not even necessary if you simply don’t do any cross-site sharing of personal information. It seems that this ruling confirms this in a legal sense, forcing the advertising industry to come up with a new, better system. On top of that, every individual company that participated in this scheme is now liable for fines and damages.
Complaints coordinated by Johnny Ryan, Director of Enforce at the Irish Council for Civil Liberties, prompted the ruling. He said:
Today’s court’s decision shows that the consent system used by Google, Amazon, X, Microsoft, deceives hundreds of millions of Europeans. The tech industry has sought to hide its vast data breach behind sham consent popups. Tech companies turned the GDPR into a daily nuisance rather than a shield for people.
↫ Irish Council for Civil Liberties
The problem here is not so much the clarity of applicable laws and regulations, but the cost and effectiveness of enforcement. If it takes years of expensive and complex legal proceedings to bring a company that violates the GDPR to heel, is it really an effective legal framework? Especially when you take into account just how many companies, big and small, there are that violate the GDPR?
OSNews uses a cookie popup and displays advertising, something we have to do to gain a little bit of extra income – but I’m not happy about it. Our ads don’t provide us with much income, perhaps about €150-200, but that’s still a decent enough chunk of our income pie that we need it. I would greatly prefer we turn off these ads altogether, but in order to be able to afford that, we’d need to up our Patreon income. OSNews Patreons get an ad-free version of OSNews.
That’s a long and slow process, especially with the current economic uncertainty making people reconsider their expenses. Disabling our ads altogether for everyone once we’re fully reader-funded is still my end goal, but until the world around us settles down a bit, that’s a little while off. If you want to speed this process up – you can become an OSNews Patreon and enjoy an ad-free OSNews today.
I know the GDPR is not perfect, and neither are the jurisdictions that are charged with enforcing it. But please don’t ask of the justice system that it acts ruthlessly. The time it takes for jurisprudence to form is part of what makes a democracy. The GDPR began being effective 7 years ago. 10 years to build a jurisprudence that forces the most powerful industry of our age to radically change its ways is not a lot. The jurisprudence will make the next decisions easier and quicker, as it should. This is reasonable, and I do believe we should all want more reason in our lives, what with the world going full-on wild these days.
Please don’t throw out the GDPR with the bathwater; this is exactly what the industry would want (and is actually on the verge of reaching with the current crop of heads ruling the EU commission, thanks a bunch).
GDPR is for online data.
Enable adblock “annoyances” and it’s solved. You can also, like all server-side-based bullplop, just block it through /windows/system32/drivers/etc/hosts.
IANAL but I believe that dialogs that come with default allow or with the legitimate interest crap, or that use dark patterns to hide the ‘deny all’ are illegal.
The main problem with a site like OSNews is most of the audience is techie and has ublock origin and consent-o-matic on, so ads don’t really work anyway.
Speaking of dark patterns the email I got from Ko-fi after doing a one time donation certainly qualifies. It’s worded to look like it comes from you and not Ko-fi and to lead me to believe I need to confirm my donation, when instead they (Ko-fi) just want me to sign up to their site.
Guess you just can’t win on today’s internet…
Don’t know about others, but I disable adblock for sites like this.
I kind of doubt OSNews has a source of non-tracking ads.
torp,
Is there a reason you are ignoring the article ads that osnews periodically runs for other companies? I don’t think they have 3rd party tracking. It’s probably much harder to land advertisers willing to do business directly with websites, but personally I don’t have a problem with them. If they were reliable enough, it would be easy to replace the google ads, but it isn’t easy.
Out of genuine curiosity – have you folks at osnews looked at options like medium.com or substack?
It is impossible to know what happens to the data, it’s all based on trust. TBH they don’t seem to appreciate the fact that this will always be the case no matter what the website operators do. What’s the point of GDPR if it’s not possible to satisfy it?
Take Osnews, which is hosted by Kinsta – a reseller for google hosting services. (Before cloudflare was enabled, doing an IP lookup on osnews would point to google datacenters). So all of us, including the osnews owner, have to trust that google aren’t using their access to spy on us, but no one can prove it. I’m not trying to accuse anyone of anything here, but the reality is that the trust relationship is inherent and nobody can strictly prove private data isn’t being abused. I’m rather unclear what they would have website owners do short of banning advertisers altogether. But even that wouldn’t prove private data isn’t being improperly shared. Maybe I am misunderstanding, but it seems impossible to comply with these GDPR interpretations.
Edit: I know my hosting example isn’t the focus of the GDPR, but it was to illustrate the nature of “trust” and how everything relies on it. I don’t see how the GDPR can get around it.
When you surf the internet, the web sites do not know your name. They don’t know your address, dob or other personal details.
If my understanding is correct, the cookie tracking that websites do only knows your web browsing history, and it is associated with an anonymous identity X.
If websites don’t know your name, email address or other personal info, then I think GDPR should not apply.
Like it or not, we all have an involuntary digital profile or “avatar” online, created by technologies such as cookies and browser fingerprinting. So you have an identity to protect, if not in name.
My biggest issue with the OSNEWS site is it slows my PC dramatically sometimes if I leave the tab open. If they can get more patrons to avoid this it would be nice. I have a Lenovo Yoda with 12th Gen Intel(R) Core(TM) i5-1240P 1.70 GHz and 8 GB RAM. It should be able to cope with a few ads, although Windows 11 has certainly moved it in the opposite direction.
I appreciate you might be making a practical or ethical point about what should or shouldn’t be considered personal info, but since the original article is specifically about the GDPR, I think it’s worth reflecting on how it defines personal data.
The GDPR says that an individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals. That means it’s not about knowing their name, but about being able to distinguish them from someone else.
IP addresses, for example, are generally considered to be online identifiers according to the GDPR. The following page goes into much more detail (this is about the UK GDPR which isn’t identical to the EU GDPR, but it was derived from it and broadly follows the same principles):
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-information-a-guide/
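The point in the comment above (that GDPR “identifiability” is about distinguishing one person from others, not about knowing a name, and that an IP address is an online identifier) can be shown concretely. The following is an added example, not code from OSNews or from anyone in this thread. It assumes a simplified tracker fingerprint (SHA-256 over IP and User-Agent) and a constructed set of visit records; no real traffic is involved. It first shows how a nameless but stable identifier singles one visitor out across sites and days, then shows a data-minimising alternative (truncated IP plus a daily-rotating keyed hash) under which the same visitor cannot be linked across days.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample of visit records as seen by two unrelated sites (not real traffic).
# Note that no name, e-mail address or account appears anywhere.
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0"
UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
VISITS = [
    {"site": "news.example", "day": "2025-05-14", "ip": "203.0.113.42", "ua": UA_LINUX},
    {"site": "shop.example", "day": "2025-05-14", "ip": "203.0.113.42", "ua": UA_LINUX},
    {"site": "news.example", "day": "2025-05-15", "ip": "203.0.113.42", "ua": UA_LINUX},
    {"site": "shop.example", "day": "2025-05-14", "ip": "198.51.100.7", "ua": UA_WIN},
]


def stable_fingerprint(ip: str, ua: str) -> str:
    """Persistent identifier the way a tracker might derive it: hash of IP + User-Agent.
    Hashing does not make it anonymous; the same person always gets the same value."""
    return hashlib.sha256(f"{ip}|{ua}".encode()).hexdigest()[:16]


def build_profiles(visits):
    """Group visits by stable fingerprint. Returns {fingerprint: [(site, day), ...]}."""
    profiles = defaultdict(list)
    for v in visits:
        profiles[stable_fingerprint(v["ip"], v["ua"])].append((v["site"], v["day"]))
    return dict(profiles)


def is_singled_out(profiles, fingerprint: str) -> bool:
    """Simplified 'singling out' check: the identifier isolates one visitor's
    activity across more than one site or more than one day, name or no name."""
    places = profiles.get(fingerprint, [])
    return len({site for site, _ in places}) > 1 or len({day for _, day in places}) > 1


def rotating_pseudonym(ip: str, ua: str, day: str, secret: bytes) -> str:
    """Data-minimising alternative (an assumed design, not one the page prescribes):
    truncate IPv4 to its /24, then key the hash with a secret that changes daily.
    Without the secret the value cannot be recomputed, and across days it does
    not match, so visits cannot be joined into a long-lived dossier."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    message = f"{net}|{ua}|{day}".encode()
    return hashlib.blake2b(message, key=secret, digest_size=8).hexdigest()


if __name__ == "__main__":
    profiles = build_profiles(VISITS)
    for fp, places in profiles.items():
        print(fp, "singled out" if is_singled_out(profiles, fp) else "not singled out", places)
    secret = b"daily-rotating-secret"  # constructed; rotate and keep it out of logs in practice
    for day in ("2025-05-14", "2025-05-15"):
        print(day, rotating_pseudonym("203.0.113.42", UA_LINUX, day, secret))
```

Run as a script, the first loop shows the Linux/Firefox visitor as singled out (three visits, two sites, two days) purely from IP and User-Agent, while the rotating pseudonym prints a different value for each day. The within-day linkage the rotating scheme still permits is the caveat: truncation and rotation shrink the window of identifiability, they do not remove it, which is why the legal question turns on purpose and consent rather than on whether a name is stored.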
Thank you for explaining that the GDPR specifically applies to anonymous persons as well as known persons. Personally, I think GDPR has gone too far when it applies to anonymous “identities”.
tom9876543,
There are degrees of “anonymous”, it’s not a binary on/off. This is not to say your opinion doesn’t have merit, however we should be able to agree that anyone buying normal internet service and expecting to be anonymous on the internet is rather foolish even if they don’t explicitly identify themselves to the sites they wish to be anonymous on. IP addresses can unmask identities quickly, but there are a lot of other subtle ways to leak information and for databases to be mined for matches. People unwittingly leak information all the time and it’s even a problem for the military.
https://www.vice.com/en/article/we-found-another-secret-military-site-that-was-revealed-by-a-fitness-app/
When it comes to the GDPR, I think they are right to call out these risks to privacy, however I also think it’s foolish to believe that the GDPR can really do much about users having to assume service providers are following the rules. You HAVE to trust the tech companies are in compliance, the GDPR cannot guarantee it no matter what the legislation says. I don’t blame EU regulators for this problem, however I think they need to do a better job informing consumers that the GDPR is not and will never be a panacea for privacy. If a provider wants to violate GDPR, they can do it and neither users nor GDPR officials will necessarily find out about it beyond taking them at their word.