Complying with the new EU data protection directive requires a top-to-bottom redo of the adtech industry



Looks like a step in the right direction as no one is happy with the current web surfing and ad relationship. Why the industry won’t let me tell them what kind of ads I want to see is beyond me.


Is this why you had a Disney ad that opened up when I scrolled and destroyed my scroll bar, and trying to get out of it I ended up zooming in 3 levels and had to refresh the page to use it again? Because if so, great meta-commentary!


I wouldn’t hold my breath. Look at what happened with the EU rule that users had to be given a choice to opt in or out of tracking cookies. A few exceptions apart, websites just demanded total consent up front and continued unchanged.

Until websites take these rules seriously, web users are just going to have to keep on with the current protocol. Treat advertising as damage and route around it.


The ads on BoingBoing lately are literally the worst of any site I browse these days. Autoplaying videos WITH SOUND that expand and contract unexpectedly, moving the viewport and/or the content. Blech. The only other site so obnoxious was Yahoo Sports, and I finally got fed up and dropped it from my Feedly queue.


I work in the data protection field so this is a big topic for many of our international customers. The issue goes beyond ads and consumer tracking into all business-consumer relationships in the EU (or with EU people, no matter where the vendor is located).

The overall approach has been do nothing and almost nobody in any field will be ready to comply in May 2018. It will require a year or more to set up the systems needed to keep companies in compliance and the topic really only got attention at the tail end of 2017. Fines are €10,000,000 or 2% of global turnover and double that for egregious breaches. If you think the EU is not serious about making some big examples of multinational companies, you know nothing about the EU.

The online ad industry is mostly based in the US and is not used to serious enforcement of standards or rules. They think they can bribe a congressman with $50k and the issue will go away. It doesn’t work like that in the EU and the Google fine proves they will hit US companies hard. Those companies are stuck, since their tax avoidance strategies have put large parts of their companies under EU jurisdiction to avoid US tax responsibilities (Luxembourg, Ireland, and Netherlands are popular).

The people who point to the ineffective “cookie notification” popup as an example of EU ineffectiveness are actually pointing out that the EU gave the online companies a way to address consent and privacy, and those companies blew it. So now they get draconian measures.


This is probably one of the few situations where I find myself in a charitable mood toward this…fine and upstanding…industry.

If only I had the incendiaries to spare I would gladly donate them for this overhaul.


My proposed solution to collecting data on you? Share the wealth. You get 50% of any transaction that sells data about you. Online tracking, credit information, purchasing history, etc. They sell any part of it and you get 50%.

It’s not the 50% that will be the problem for them. It’s the additional cost of sending you a “check” that will shut down 90% of information collecting.


As pointed out above, that approach really won’t work with the GDPR. Blanket opt-ins won’t work.

The ad industry hasn’t taken privacy or the rights of internet users seriously and they need to start. Johnny Ryan, who wrote this article, is well worth reading on it. I’ve followed his work off and on for 10-15 years. I noticed a tweet from him at the end of the year that an interview he’d done on this was the most listened to podcast in some ad network.

Everybody I know in marketing (in the EU) is taking this seriously. They don’t work for tracking networks though. People are training, and auditing, and hiring. EU companies will be wary of doing business with US companies unwilling to do so also.


Eh. Honestly, 4% of global revenue may actually be an acceptable cost for doing business for companies making money in the EU in the ridiculously high margin advertising space.

Hell, since most of the user tracking behavior done by ad networks is supplied by the user’s browser and not the website displaying ads, I don’t see what the EU is going to do about ad companies with no physical EU presence at all collecting browsing habits from EU citizens and sharing them with whomever they want. The US sure as hell isn’t going to enforce EU data protection laws, and fines will be promptly ignored.

Never mind US companies which happen to have EU citizens as customers. The idea that Safeway is going to ask every customer their nationality just in case an EU tourist shops there before deciding whether to store tracking information about what they purchased is downright laughable.

I mean, they use the money they make from that to pay for the service you use, so… if depersonalized advertising isn’t enough to pay for the service then charging you the difference seems more appropriate, doesn’t it?

Of course not everything falls in that bucket. I’m sure stuff like Amazon, Pandora, etc could just depersonalize everything and still cover their costs.


Speaking as someone in the software industry, I can say unequivocally that GDPR is a pain in the ass for way more than just the ad industry.


Hey, Doctorow programs these ads himself! They are not meant to be annoying.


It’s not that those rules are especially new. EU companies have had to comply with them for decades. The only reason US companies got away with not complying for so long is that the Safe Harbor Principle was totally toothless, with laughable control and no enforcement. And now it’s obsolete, good riddance.

