Comment by bad_user
3 years ago
In the EU, as far as the ePrivacy Directive (cookie law) is concerned, fingerprinting is similar to using a tracking cookie, even if no cookies are actually involved. And as far as GDPR is concerned, fingerprinting can identify a visitor, it counts as personal data, therefore you need a legal basis for processing it.
Not sure what the point you're trying to make is.
Also, Google under Privacy Sandbox has been exploring ways to introduce fingerprinting limitations and a budget. Which may as well be smoke and mirrors, but if you watch their marketing materials, they talk of fingerprinting in general.
Sites that use tracking cookies rarely comply with the law as it is, and even then skirt around it via "legitimate interests" and other dark patterns. What makes you think they would disclose a behavior that is even more difficult to detect?
We can't assume good will and behavior from an industry that is built on deceiving and manipulating the user. The GDPR is a good first step at regulating these practices, but it's too vague, and it's applied far too leniently. It also obviously only applies to EU citizens, and not to the global industry.
I wasn't familiar with the privacy "budget", but it sounds like Google is trying to define privacy as a scale, where some amount of fingerprinting is OK. Users can be identified with just a few data points, and some are more valuable, depending on the context. Some might even be required for the site to function, so will there be "legitimate" exceptions to the budget in those cases? It sounds like a backwards approach that will be difficult to manage, so I'm not sure it will be a win for protecting privacy.
More importantly, I don't trust that an adtech company will go out of its way to implement solutions that go against its bottom line. These companies have a track record of abusing user data, and the only reason they take these initiatives is for good PR, which is again protecting their bottom line. The entire industry needs much broader and stronger regulation for any of this to actually improve.
The parent complains that lawmakers don't understand fingerprinting, or that companies like Google are trying to avoid the regulation of fingerprinting by focusing on cookies. Such statements are false.
You're moving the discussion towards law enforcement.
Well, DPAs in the EU are overwhelmed, but lawsuits and rulings are progressing. For instance, Facebook found out that they can't force behavioral advertising via their ToS or via legitimate interests:
https://thisisunpacked.substack.com/p/the-eu-war-on-behavior...
I'd also add that small companies may fly under the radar, but big companies like Google and Meta are big targets.
Yeah and the Legal Basis will be something like “we need to track users to improve our services”
That's not a lawful basis under GDPR. There are only 6.[1]
(a) Consent
(b) Contract
(c) Legal obligation
(d) Vital interests
(e) Public task
(f) Legitimate interests
What a lot of companies are trying to do right now is weasel through under "legitimate interests" (e.g. a lot of scumbag seo-monkey websites have cookie consent dialogs stuffed with "legitimate interest" switches even though that doesn't work the way they think), but it's not clear that "improving my services at the expense of people's privacy" would pass the "legitimate interest" test if that ever goes to court. Legitimate interest requires them to pass "purpose", "necessity" and "balancing" tests. The "balancing" test in particular balances the company's interests against the interest of the user in maintaining privacy. Here's more about "legitimate interest" under GDPR.[2] It's not the get-out clause that people seem to think.
[1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
[2] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
It doesn't matter what the law says if it's not being enforced. Much more blatant GDPR breaches are still going unpunished, so do you really think they are going to audit every single website to make sure they comply?
How on earth do these HR companies that scrape LinkedIn and sell the data fall under GDPR? They claim to.
They are trying to present that as legal basis, and it's not.