
The real time bidding on ad placements seems like a thing that a user could never give consent to as it's literally feeding your info to a massive ever churning list of companies that get to bid on it.

Aka - you land on a site, it sends your IP and whatever identifiers it has to 10,000+ companies who all then figure out if they want to bid on showing you an ad.



Do you have to give consent for each individual third party your data gets shared with? I’d thought that if you give consent for some purpose, the company can use whatever processors it wants as long as it ensures they protect your privacy.


If ten thousand people agree to protect your privacy, is it really protected?


IANAL, but I have spent a lot of time reading the GDPR and associated guidance as the DPO for my small company.

As I understand it, you're correct. The Data Controller (Google) is responsible for getting consent, and the Data Processors (the third parties in this case) don't have to get consent themselves.

However, assuming Google's legal basis for processing your personal data is based on consent (rather than fulfillment of a contract or one of the other legal bases), then Google is required to get your unambiguous, opt-in, and non-coerced consent for each specific way your personal data will be used.

It seems likely that Google is covering themselves by acting as a Data Processor, not Data Controller, and the web site using Google is the actual Data Controller. In that case, the web site, not Google, is the one responsible for getting consent.


Yep, that's what those ridiculous pop up boxes with 400 (I counted one) "carefully select partners" of the website you visit are supposed to be.

It is IMO just a mockery of the intent of the law and I wonder when this will be punished.

I personally think GDPR might be a bit strict, but adtech have practically been begging for this for years so acting surprised now doesn't cut it.


I seem to recall (correct me if I'm wrong) that European courts ruled that “agreeing” to a very-long EULA for desktop software didn't constitute informed consent, because it's trivial to demonstrate that the users didn't actually read the entire agreement — even if they scrolled to the end, it's unreasonable to believe that most people read 10,000 words in 15 seconds.

So I assume that eventually these performances of consent-gathering will be legally judged meaningless.


But where does your PII end up, only at Google, no?


IP addresses and identifiers are considered to be PII under the GDPR. These get sent to the advertisers.


Is that necessary for some reason? Can't they just send the /24 of the IP? (Or other pseudoanonymized versions?)



