Reflections on GDPR

GDPR's sunrise date looms large, with only 6 short days to go before fines start racketing up. This panic has lead to an ever increasing amount of teeth-gnashing on Twitter/HN/other websites, particularly killing "startups" like Klout and Unroll, both of which I've gleefully celebrated on Twitter. These startups relied on a specific form of "advertising", which was far less like advertising and more akin to direct mailing, as Doc Searls writes. In light of this schadenfreude, I thought it best to reflect on how we got here, from the first proposed technical solution, to the light-touch regulation solution, and finally big daddy GDPR.

1. Facebook

Facebook revolutionized the ad industry by becoming the largest database of human interaction. This is obviously a glib statement, as it ignores the enormous technical challenges Facebook conquered in becoming the market leader, but Facebook's "golden years" (circa ~2006-2010) allowed personal data to roam free on the internet and developers played fast and loose with its implications. Data breaches were not considered a huge problem, as identity theft and fraud vectors were unsophisticated and the average user was far more vigilant of their online data. As more and more users flooded into the internet, whether for Facebook, Amazon, LinkedIn, Twitter, or any and all other forms of social media, the party seemed like it would never stop.

Ads during this time were also less intrusive, as the ability to hyper-target ads were relatively rudimentary. Advertisers had not developed sophisticated ways of tracking like tracking pixels, and simply clearing your cookies got rid of most of the targeting. Data had yet to be connected between companies at well, meaning that there was no distinction of "customer intelligence", as storing massive amounts of user data meant there was more headache, more server costs, and more stuff to manage.

2. DNT

DNT (Do Not Track) was originally proposed in 2010, which, under the auspices of the W3C, is still in the standardization process. Although it started to roll out to browsers in 2010, Microsoft hilariously faced a riot from ad companies about automatically enabling it. DNT was a camel in all forms, it had to be surfaced to the user in a settings box, must not be enabled by default per an agreement with the Digital Advertising Alliance, required a specific HTTP header, and provided no obvious benefit to the majority of users. Worse yet, code changes in Apache and Nginx were not technically required, nor were advertisers bound legally to respect DNT. Members of the Digital Advertising Alliance, despite launching a series of articles slandering DNT, are not actually bound to respect DNT!

The first attempt to respect user privacy was technological in nature, born out of researchers and guided through the W3C. However, the process was repeated torpedoed by companies, which Google and Facebook simply stating that they would not respect DNT, digital advertisers simply ignoring it while attacking DNT, and the death knell was the W3C's committee process, which leaves companies wiggle room.

3. Cookie Banners

DNT was effectively dead in 2013. Google and Facebook refused to respect it, and the majority of users barely knew of its existence. However, in 2011, an EU directive (not regulation, therefore does not come into effect immediately) gave users the right to refuse the use of cookies in tracking. In order to comply with the cookie law, companies were required to inform users about the possible usage of cookies, often showing up as large banners across the site. The law specifically required companies to tell visitors how cookies are used, although this often manifested itself in banal comments such as "we use cookies to enhance your site experience". The "cookie law" was a light touch regulation, and gave companies significant berth to determine what needed to be done and how to reign in user tracking.

Yet, around this time non-cookie forms of tracking became popular as well. Tracking pixels, web beacons, and other forms adopted around this time gave companies data that lay outside the legal ramifications of the cookie law. Although PR warfare was out of the question this time, the loose regulations of the cookie law did not meaningfully help to increase user privacy on the web.

4. GDPR & Ad Blockers

Which brings us to today, and the looming GDPR sunrise date. Ad-blocking today is itself a massive industry, with more than 1.7 billion people actively using ad-blockers. This is all coupled to the "arms race" of ad-tech and digital advertising, as more companies seek to harness user data in order to get better "analytics", although GDPR has exposed that the majority of this data is simply wrong. Is it any wonder advertisers are desperate for more user information if Twitter is this bad at ads?

The past decade has seen a remarkable growth in cheap bandwidth and massive smartphone adoption. Conjoined with the development of using machine learning to leverage user data for advertising, more users across the web, and cheaper storage + server costs, the ad-tech industry has ballooned. GDPR is the first backlash against it, as more users adopt ad-blockers and see the ad-tech industry as the enemy. The best case solution for the advertisers is that GDPR sets firm guardrails against what ad-tech companies can and cannot do, and these companies choose to abide by these rules going forward. Yet, as history has shown us, the ad-tech industry is hilariously bad at self-regulating, which means that GDPR is just one of many regulations coming in the future to reign in ad-tech.

Posted: 2018-05-19
Filed Under: tech