It's not just mobile app people, it's anyone who uses AdSense.
It's especially annoying as these days, Google is pretty much the only game in town. Yes, there are competitors, but not really very many outside the USA.
Android app developers have hours left to decide whether to change their business models or leave Google's ad ecosystem because of its stubborn stance on the EU's new Global Data Protection Regulation (GDPR) regulations, due to come into effect tomorrow. Devs tell us uncertainty over whether they comply with GDPR is forcing …
@Zippy's Sausage Factory
And People like you let them in here....
<<<Seriously what did you expect?>>>
Ripley: You know, Burke, I don't know which species is worse. You don't see them fucking each other over a goddamn percentage.
Seems like there's no difference between Facebook and Google, except Google's made developers show a dialog box so it looks like the developers have a responsibility for something, which they don't because Google have defined themselves as the data controller. They can't have it both ways.
Most of these "free" ad supported apps are crap anyway and the ads are over intrusive.
I would much rather pay for a fully working version with no ads.
Saying that, many of the really good independent apps I bought when Android started have been snapped up by the big boys and that creates its own problems ...
I'm just hoping those really will go away.
There's one particularly egregious spammer with the truly dismal name of "nethouseprices" sent me a "please opt in". They appear to be UK-focussed, and could be worth making a test case of reporting to the information commissioner if they don't stop.
Drinks all round if today's really was the last spam from them!
Depending on how egregious the spammer is, I'll just add their IP / netblock to my blacklist, which refuses ALL mail from that IP space. Haven't seen an instance yet where I've had to roll one of those changes back because I accidentally got a false positive.
Combine that with things like SBLs, Reputation scores, and other anti-spam methods, and I get upwards of 90% of my volume being refused.
"There's one particularly egregious spammer"
My old work email (that I still have access to) receives a *lot* of spam (mostly b2b IT stuff).
It too has had a lot of these "we'd love to carry on talking to you" emails, all of which I've deleted without responding to.
Oh - and today (Friday) I've had one spam email (from a company in Brum) that is quite clearly in contravention of GDPR. Which I took great pleasure in pointing out to them in a reply (yes - I broke my own rules and replied to a UCE). Hopefully, it might wake up a few neurons in the spammer's brain. Either that or lead to them getting fined again and again and again. Either is acceptable.
Ah - the good old Usenet days in the anti-spam newsgroups. And watching the high-quality troll baiting that went on..
If spammers have such a thing. I suppose they need an organ to hold their unmitigated and bloated greed while excluding anything like conscience or morality. Can you tell I don't like spammers? Mind you, advertisers are only a step above them in the ethics scale..
"Have got loads of email about GDPR asking me to sign up for continued junk email."
How about a company using GDPR as an excuse to send marketing crap?
Since the start of May, a supplier to one of my clients has been sending emails to my address for that client (at their domain). So far, five emails.
The first two were ostensibly requests for me to opt in to receive future emails because GDPR - but they were really marketing emails using that as an excuse. The last three reversed that: They were quite openly marketing emails, with a section asking me to opt in because GDPR.
Prior to May, I wasn't receiving any such emails from that supplier.
And thankfully, I should receive no more.
"IP address is defined as personally identifiable"
If you collect NOTHING else?
The Server needs it to serve the page. Though you'd not store it.
You need it to identify DDOS sources or malicious posts?
I don't know. Surely the IP is only really personal if collected with other information, or if a warrant obtained and IP + time presented to ISP?
But yes an IP address can be part of personal information.
Twitter, Facebook, Google etc are using IP address to make a good guess on where you live. It worries me that the "guess" is usually much better than which ISP you are using (mobile may be different due to carrier NAT). Surely WHERE ISPs have allocated their IPs should be private or are they guessing from people with Location on etc?
If you request a web page and supply your IP address as the delivery address, then clearly, you can use the IP address to fulfil the request. What you do afterwards with it could be a problem.
Collecting data for security / law enforcement is fine, see for example CCTV cameras in shops.
When they look up based on my IP address, they think I am in a small town that is not particularly close to me. To explain how not very close it is, there is a bus that runs from my town centre past my house to the nearest big town. That bus takes about 90 minutes. From that town, it would be about another 20 minutes.
Amazon and a few others think I live in some obscure town on the other side of England.
"IP address is defined as personally identifiable"
"If you collect NOTHING else?"
You can, however, collect and store personal data in your server logs for the limited and legitimate purpose of detecting and preventing fraud and unauthorized system access, and ensuring the security of your systems.
Ironically illegal or pointless.
1) If you already have suitable consent (a pre-ticked box or scraped data isn't consent), then the email is pointless, and might be illegal depending what it asks.
2) If you don't have consent, then sending an email asking for it is illegal.
Even before GDPR much Corporate behaviour was illegal in EU. Aided by US Law. In reality use of the USA CANSPAM act is illegal when used against EU people.
Also only an idiot clicks "unsubscribe" to opt out, unless it's email YOU signed up to from a sensible company, because it tells the Spammer you exist.
Bin every GDPR email unless it's something you did sign up to and still want.
I think we take that for granted.
I've had it from some people who are emailing me legitimately:
- clubs/societies of which I am a member. Yes you can mail me.
- bigcos with whom I do business legitimately. Yeah, that's fine: I've already cut off those who've abused my email address (helped by using a separate custom address for each commercial entity).
- startups in which I've invested through crowdfunding. Hmm, on a case-by-case basis.
Others haven't contacted me, including the big financial institutions (like bank, stockbroker, share registrars) who presumably have the lawyers to tell them their usage re: my accounts is already compliant. Like El Reg, who have our addresses as commentards.
The hardest case is GDPR mails in a grey area. Like my local council, with whom I've presumably corresponded by email sometime in the past without explicitly signing up for mail. They haven't spammed me, so the GDPR mail was probably superfluous. If I say yes, I'm potentially consenting to spam. If I don't then they're removing me from a list that appears never to have been used, but might make sense to stay signed up to in case there's some emergency alert.
If there's a possibility your local council will send an emergency alert via e-mail then I think you should stop worrying about GDPR and move to a different county. Preferably one not run by sociopathic bureaucrats. Or bureaupaths, as I call them.
Aside from that you've made some good points. So good that I've just e-mailed my local fencing club (that I sadly haven't attended for a couple of years) to assure them that they have my consent to keep e-mailing me about all the sword fights I could be having. Also, seeing as they haven't yet asked, it'll hopefully give the guy that runs it a bit of nudge to look into what GDPR means for him/the club.
"If you already have suitable consent (a pre-ticked box or scraped data isn't consent), then the email is pointless, and might be illegal depending what it asks."
AIUI many data controllers do have consent - but might not have evidence to the standard required under GDPR, and might not have given clear enough information to the level required by GDPR. Because of this, AIUI the ICO is recommending that data controllers go back to the data subjects and get fresh consent - so they can show that they have obtained informed consent from each subject.
...does that make Google (as the implementor) an accessory to the crime?
I ask, not out of any legal interest, but simply because it seems rather implausible that all the liability can be transferred to the users of the AdSense service "just because Google say so". It seems more likely to me that a court will decide that Google are the ones mis-using personal data.
I suppose we'll have a test case in a few days...
Don't forget the way the GDPR is supposed to work re enforcement is that a user has to make a request for data, then complain, then the IC can take it up. Then if they find you in breach they will give you time to put stuff right and if you don't they can fine you.
From all I have read there is not an option for individuals to bring legal cases directly against a business.
Also if a user asks an app owner who does not store account details for what PII data is used for personalised ads there is no way they can do anything but pass it to Google. What a stupid mess.
"Also if a user asks an app owner who does not store account details for what PII data is used for personalised ads there is no way they can do anything but pass it to Google."
That fact might be just what it takes for the IC to decide that Google is the controller, not the app-slinger. Saying, "this new law doesn't apply to me because I said so" hasn't worked for ICANN and I doubt it will work for Google.
I can only think Google are assuming they can ignore it as long as possible, then throw lawyers at it until it goes away but I really don't think they've thought it through.
I was having a conversation with the missus yesterday which came down to her saying GDPR was proving a nightmare for the marketing department. The rules are too vague so people can't work out how to change their current policies and they don't know where the boundaries are.
My point was that the rules are deliberately vague because the basis of GDPR is: Don't Be A Dick.
It's that simple. The biggest reason for finding compliance a nightmare is because you weren't compliant with data protection but previously knew it wasn't going to cost you anything.
And the biggest reason for whining that you don't know how to apply the rules is because your mindset is "How much can I get away with?" when the entire point of the rules is that you should be thinking "What's the minimum I need to do business?"
It's the same principle of least privilege that you find in security and it exists for the same reason. The less access you have, the less damage you can do*.
*Intentionally or otherwise.
"It's that simple. The biggest reason for finding compliance a nightmare is because you weren't compliant with data protection but previously knew it wasn't going to cost you anything."
Well, to be fair, there's also just plain old not being fully aware or realising it applies to them. You may or may not wish to label that under the term "ignorance".
Case in point, where I was working today. They've been running around like headless chickens to make sure they're compliant - a bit of a last minute thing because they didn't know. (Technically, they did: I pointed out to them when discussing this today that I told them a very long time ago - problem is, it was me that told them, so it almost certainly went in one ear and out the other.)
Their argument is that there has been no attempt to officially notify anyone that this law is coming - no significant campaign. I couldn't really argue the point; it seems to have been well publicised to me, but that could very easily be down to the channels I read etc, so I don't know if they're right or not.
That aside, they believe it to be nonsense because if there was a breach, they think the only thing that would be stolen is email addresses. (!)
In my book, "only" email addresses is bad enough - but in this case, depending on exactly what was compromised, those email addresses could come with names, phone numbers, addresses... hell, it could include specific information about the services the customers have received, which in turn could include addresses of third parties again! Why they think it would only be email addresses, I don't know, but I couldn't be bothered to argue: by this point in the conversation I just wanted to do some work. (And I'm a lazy bastard - so that's how exasperated I was!)
Look at these:
The Tumblr page lists a huge list of Ad Providers all pre-ticked!
People using the web will be going mad tomorrow if a large number of web sites do this.
On Forbes, you can't comment unless you accept advertising cookies.
I've seen this on quite a few sites today - along the lines of "you must accept the whole policy in order to use this site". Often, the whole policy isn't easy to access since it too is blocked until you accept the policy..
My response is to close that browser window/tab and vow to never visit that site again.
Engadget just gave me a comprehensive list of ad partners serving personalized ads. Along with an 'opt out of all' button that on Firefox apparently did nothing. Does that count as opting out or not?
If my memory is correct... Google are nothing more than "Guardians" of the "ANDROID" infrastructure, despite the way they behave with it, and that Guardianship is currently being challenged.. what will happen to all their consent as and when they lose control over the O/S?
Will we finally have a mobile infrastructure whereby we will be able to choose which apps we keep installed and be able to remove components that we already duplicate in an attempt to replace?
Although I suspect to use one part you will be expected to use all of it - tho that will also contravene GDPR..
Biting the hand that feeds IT © 1998–2019