"This stressed out a lot of email marketers, who quite rightly realised that the new regulations would have a significant effect on their ability to acquire and market to customers via their email address"
"The overwhelming majority of commercial email sent today contains tracking pixels and tracking links, these are used to uniquely identify individuals so that opens and clicks can be correctly attributed to them"
Good.
While spammers may have a problem, people don't.
If I want your tracking pixels and emails then I'll opt in.
You can use tracking pixels to track per-user engagement. You can also use tracking links to connect the email address to website activity. As you say, it's possible to use these to track in the aggregate, but many platforms allow tracking by individual.
You are correct that the email was already personal data. But, GDPR requires that each new use of data be transparently communicated and legally justified (which may or may not mean consent), even if it's only using data you already have. The fact that they have already identified the user does not resolve the issue--GDPR still cares when you collect more data about a known user.
Meaning, even though you are justified using the email address to send the newsletter, you may not be in the clear building an engagement profile associated with that email. Which, apparently, some email marketers do.
Do they? Remember that under the GDPR, a five-page ToS with a "I consent" button at the end is not considered valid. In particular, the user must consent for each use of the PI separately. I don't remember ever seeing a specific consent box for building an engagement profile.
I would argue that pixel trackers for the purpose of checking whether the email is read is covered by the consent to receive marketing by email in the same way as what emails were sent to whom and when will likely also be tracked.
None of these are personal data if not linked to the email address, which they do not have to be.
If linked to email address and considered personal data then the argument is what is covered by consent to receive email marketing? IMHO tracking whether the email was opened is covered (in the same way as agreeing to receive phone marketing should imply they can track whether you answered the phone...). They will also obviously keep track of what emails they sent you and when.
> While spammers may have a problem, people don't.
Marketing spammers maybe, but now scammers and malware spammers have the floor instead. Laws only stop the law abiding citizens from doing their thing, it sure doesn't stop the criminals from.... being criminals.
Sure… but that is always true when it comes to law. I just don't see how that makes the situation worse for the people?
I don't want to be tracked by marketing emails without consent (or, more realistically, ever, because please). If you want to do it anyway, from here on out you have to violate the law.
If you had no trouble with doing that before (being a filthy spammer/scammer), you still won't. If you do, then you will stop tracking me. Hooray.
There's usually an unsubscribe button for marketing spam, and if there isn't I usually block their email. You can't do that with scammers / illegal spam.
Fuck the unsubscribe button. I never subscribed in the first place.
It’s one disgusting thing when people hide signup behind email confirmation without clearly marked opt-in spam confirmation. It’s another when I get home from a professional event and I have a dozen new “subscriptions” and people “just reaching out” or “following up on our prior conversation” to a single-purpose email address I gave to one place and used a fake name and fake company name.
Marketers, spammers and scammers are the same thing - sources of unsolicited e-mail, engaging with whom is not good for you. Eliminating marketers from the trio means only that many fewer messages to worry about.
I guess I must not be important enough or something because I don't recall the last time I got any marketing emails without sharing my email with a marketing person. The only marketing outside of "Rewards" programs that I get is marketing from the one conference I go to every year, and I get plenty of free swag from them, then I unsubscribe.
Did you take a look at your Spam folder? On my primary address (one I used for almost two decades), 90% of my spam is unsolicited marketing communication. Quickly skimming it, roughly half of that 90% is from parties I may have interacted with in the past, the other half is from apparently legit companies that I haven't interacted with, that pulled my address from somewhere (possibly because I used it to register my business).
Outside of spam, I spent some time and unsubscribed from most of the pseudo-solicited communications I got (i.e. the kind of pre-GDPR bullshit where I register for some service and this automatically counts as consent to receive marketing communication). About solicited marketing messages I don't whine much (except that they exist), that's on me.
(I actually used this occasion to softly threaten one of the marketers from the top of my box with legal action, because they are clearly breaking Polish law - they tried the "this message is only a request for consent to send the actual message" trick, but executed it badly.)
Have you ever clicked one of those? I've never been sure if that wouldn't have worsened the situation by giving feedback that this is an active mail address managed by somebody.
If it's from a legitimate company in American jurisdiction they are legally obligated to stop sending emails if you click unsubscribe. I suppose that piece of information has some nonzero value that you are giving up in exchange to not be contacted by that company.
If you filter just a single address that address can change. If you filter their domain you might lose legitimate correspondence.
I’ve had several groupings of unsolicited marketing emails over the years where I’ve clicked Unsubscribe and ended up on what’s very clearly a Totally Not That Email List, Honest...but it’s advertising the same things, in the same way, just from a slightly different email and possibly different company name. They have all been American in origin.
It's so asymmetrical though. The amount of effort it takes to spam someone is vastly lower than a complaint.
What would be great is a third-party site where you can somehow document/log unsubscribe requests. Then, if the company still spams you, document that. A few hundred users is pretty good proof, and the company can't just argue a glitch. I'd pay for that.
Easy enough to fix: use a unique address for a company, unsubscribe, then take the related company to court later. Works even better in a GDPR location.
I click it all the time when I feel I'm getting way too many emails. If I feel like it's not some malware spam at least but genuine marketing trying to sell me something. Every now and then I go back to all those "rewards programs" emails and unsubscribe from the least relevant ones to me.
It's not like legitimate-ish email marketing will suddenly switch to scammers or illegal spam, they would actually get in trouble for violations. Companies that don't rely on scams aren't desperate enough to risk getting fined for such a weak lead (I'd hope).
Not that I'll ever configure my email client to automatically download images, as far as I'm concerned downloading images is just making your email address more valuable to the spammer by confirming you got it.
You're right, but this law isn't targeted at scams and malware. It's meant to stop broader commercial tracking, and leaves us better off on that front, while criminals were going to do what they do anyway so we're no worse off there.
Actually it does, because if industry stops using tracking pixels, it demotivates email clients from having to support it, and makes it easier to block bad actors. Same with tracking on websites and browser support. Chrome would instantly put in a tracking blocker if Google couldn't do tracking any more. But so far Google's strategy is fighting and working around the law because they think they would lose a huge amount of revenue without tracking.
> it demotivates email clients from having to support it.
Hardly. It's just the abuse of being able to display images in HTML-formatted mail. You would have to remove every tag and attribute that is able to request an external URL from a mail HTML dialect to counteract tracking.
Laws don't stop criminals from being criminals (except when they do of course), but it isolates them so they can't easily blend into the crowd of non-abusive individuals.
Plus, if something is illegal there's less likely to be an industry driving down the price of that activity. If something is more expensive and less convenient, then people (including criminals) are less likely to do it.
Gmail, among others. Gmail proxies remote content when the email is opened, so the IP address of the user is not disclosed, but the time and number of opens can be tracked.
Google could proxy and cache remote content in emails when they are accepted by Gmail servers, and that would render Gmail users untrackable by third-parties.
Do any email clients block tracking pixels? My understanding is that they block images by default but if you choose to view them you will load all the tracking pixels.
I guess I'm just not that familiar with HTML email anymore in general, and when I do read it I generally do not have images regardless.
I always assumed that disabling 1x1px images would be first on the list of mitigations against this technique. I was under the impression that email clients, in addition to an option to block images in general (usually on by default for an address or origin), generally prevented the loading of remote images. Embedding images directly into emails is fine, isn't it?
Or I guess the mail server could just always precache all images at the time of receipt. Then nothing new happens when the mail is read. I think somebody here is describing GMail's approach that way.
Gmail's cache hides a user's location but you can still tell when they've opened an email, and you can still get a ton of information if they click a tracked link within the email as well.
The easiest way is to disable them by default, which is why Thunderbird defaults to not loading from senders not yet whitelisted. Thankfully most HTML email has the text in the email; it's those darn emails that have all the text in an image that I get suspicious of and delete (usually spam / probably malware). It would be nice to see plugins to block them for sure. I use Thunderbird for work, keep forgetting to use it for regular email. At least even webmail email services block pictures by default now, probably to prevent browser exploitation; you never know when someone finds some rogue PNG exploit.
I am surprised that Apple's built-in email clients on both macOS and iOS load remote content by default. One of the first things I disable when I set up a new machine.
It is more than just tracking pixels - there are also things like personalized links that proxy the underlying link that are generated by the email provider to track clicks.
A tracking pixel hit only means that the email was received and loaded in some email client, not that it was read (in detail, or at all), understood, or acted on.
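The "block remote content by default" approach the commenters describe (strip anything that can request an external URL, keep inline cid:/data: images, and treat personalised click-tracking links as something to report rather than follow), as an added example that is not code from the thread or from any mail client. It uses only the Python standard library; the sample message and its hostnames are constructed placeholders.

```python
# Added example, not code from the thread or any mail client: a defensive HTML-mail
# sanitizer for "block remote content by default". It strips every attribute through
# which an element could fetch a remote URL, keeps inline cid:/data: images, and
# reports likely open-tracking pixels and personalised click-tracking links.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> attributes through which that element can request a remote resource
URL_ATTRS = {
    "img": ("src", "srcset", "lowsrc"), "link": ("href",), "input": ("src",),
    "source": ("src", "srcset"), "video": ("src", "poster"), "audio": ("src",),
    "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//[^)]*\)", re.I)
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{24,}")  # heuristic: per-recipient token


def is_remote(value):
    """True for http(s) and scheme-relative URLs; cid: and data: stay local."""
    v = value.strip()
    return v.startswith("//") or urlsplit(v).scheme.lower() in ("http", "https")


def looks_like_pixel(attrs):
    """Heuristic for an open-tracking beacon: 1x1 / 0x0 or hidden image."""
    size = [(attrs.get(k) or "").strip().rstrip("px") for k in ("width", "height")]
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return any(s in ("0", "1") for s in size) or any(
        m in style for m in ("display:none", "visibility:hidden", "width:1px", "height:1px"))


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []            # sanitized HTML fragments
        self.blocked = []        # (tag, attribute, url, reason)
        self.suspect_links = []  # anchor hrefs carrying an opaque token
        self.in_style = False

    def handle_starttag(self, tag, attrs):
        self.in_style = self.in_style or tag == "style"
        kept, d = [], dict(attrs)
        for name, value in attrs:
            value = value or ""
            remote = "//" in value if name == "srcset" else is_remote(value)
            if name in URL_ATTRS.get(tag, ()) and remote:
                reason = "tracking-pixel" if tag == "img" and looks_like_pixel(d) else "remote-content"
                self.blocked.append((tag, name, value, reason))
                continue                      # drop the attribute, keep the element
            if name == "style" and CSS_URL.search(value):
                self.blocked.append((tag, "style", value, "remote-content"))
                value = CSS_URL.sub("none", value)
            if tag == "a" and name == "href" and OPAQUE_TOKEN.search(value):
                self.suspect_links.append(value)  # reported only; never fetched
            kept.append((name, value))
        parts = [tag] + [f'{n}="{escape(v, quote=True)}"' for n, v in kept]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.in_style:                     # raw CSS: scrub url(https://...) too
            if CSS_URL.search(data):
                self.blocked.append(("style", "css", data.strip(), "remote-content"))
            self.out.append(CSS_URL.sub("none", data))
        else:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (sanitized_html, blocked_references, suspect_links)."""
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.blocked, p.suspect_links


# Constructed sample message; the hostnames are placeholders, not real trackers.
SAMPLE_MAIL = """<html><head><style>
body { background: url("https://mail.example.net/bg.png"); }
</style><link rel="stylesheet" href="https://mail.example.net/style.css"></head>
<body><img src="cid:logo@example.net" alt="logo" width="120">
<p>Hello &amp; welcome!</p>
<img src="https://track.example.net/open?u=abc123def456" width="1" height="1" style="display:none">
<table background="https://mail.example.net/tablebg.gif"><tr><td>
<a href="https://click.example.net/r/QmFzZTY0bG9va2luZ3Rva2Vu1234">Read more</a>
</td></tr></table>
<img src="https://cdn.example.net/hero.jpg" width="600" alt="Hero"></body></html>"""
```

Running `sanitize(SAMPLE_MAIL)` leaves the inline logo and the anchor text intact, removes the five remote references (one of them classified as a tracking pixel), and lists the tokenised click link for the reader to judge rather than following it.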
Why would you want to rely on a thoroughly unreliable mechanism primarily used by marketers for a case where it's actually important for the user that you know you reached them? Maybe just ask them instead, record responses, and deal with people who don't respond (and with autoresponders).
It’s only people who are in the email marketing industry who think that they are the email industry.
The email industry would comprise a lot more than just marketing.
You have email providers. You have email clients. You have non commercial newsletters. You have evites. You have e-cards. You have emails related to ticketing and reservations.
The email industry is far larger than email marketing, despite what the email marketeers would like us to believe.
I don't think email marketers think they encompass the entirety of the email industry, I was writing that article from the perspective of being an email marketer proposing something to my peers, ie others in the industry.
The article title, "Dear Email Industry, We’ve Got a GDPR Problem", implies that.
Either you do think email marketing comprises the entire industry, or the article title (and HN submission) are (or give the impression of) clickbait.
At least it doesn't seem you are doing any direct tracking on the post though ...
(I used to work for an ISP with a pretty large email service, so it touches nerves that were exposed when our enemies, those companies who try and find ways to irritate our customers, think they are the only important parts of the actual email industry)
I think you might have a bit of a bias in this instance though, given your confessed work history.
This is something I wish ISP's took more care of, they could easily protect users by blocking image loading by default and warning users when links in emails are tracked, for example.
Browsing the web in Europe is like experiencing the rebirth of the pop-up ads era. It has led to compulsory acceptance. This too shall pass.
There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.
> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services
Certainly not. If I didn't check a box saying "I want to receive commercial emails related to your products and services" I expect not to receive those. I might unsubscribe from the whole thing if I don't have any other means of avoiding those useless commercial emails.
I generally report such "you bought something and so we signed you up to the mailing list" activity as spam in Gmail, and if the unsubscribe button links me to a third party vendor, list "I never signed up for this list" as the reason.
This is how at least local businesses do it here now, I don't have a problem with marketing emails from them. You actually have to check the input, not accidentally forget.
The issue here is "relating to their products and services". Per GDPR, the consent can not be "bundled". When you signup for an account you consent to communications about your account only and things like product updates or tips for using product should be under their own explicit consent.
Most email marketing service providers don't even support multi-interest opt-out page, or charge a lot for configuring your unsubscribe page this way (like a multiple of list size for each option gasp), so this makes it impossible for email recipients to choose what emails types to opt-out of so marketers in turn don't bother to collect unbundled consent.
>Browsing the web in Europe is like experiencing the rebirth of the pop-up ads era.
Very much so; the pop-ups interrupt and obstruct, breaking immersion. I sincerely hope a browser gets brave enough to start blocking those obstructions by default.
It irks me how every "Cookies" banner is an unpaid advertising billboard saying, "Your privacy is valuable to us. Yours faithfully, EU".
>This too shall pass.
For now, uBlock Origin[1] + the ruleset from I Don't Care About Cookies[2].
This is incorrect, an EU website must provide notification of cookies if they use cookies at all, even for basic session tracking of authenticated users.
Incorrect. I guess this must be a lie pushed by bad actors who are inconvenienced by the regulation and want the public to perceive the regulation negatively.
You do not need consent for cookies that power basic website functionality or a feature the user is trying to use. So setting a cookie when someone logs in or adds an item to their shopping cart.
You do not actually need to provide notification for necessary cookies. See https://ico.org.uk/for-organisations/guide-to-pecr/guidance-... and the following few sections. Most clearly, this paragraph on the ICO’s recommendations (quite unreasonable, in my opinion—if all you’re storing is a necessary session cookie, notifying the user in a non-actionable way is just being foolishly annoying):
> Although the exemption applies to both the provision of information and the gaining of consent, it is good practice to continue to provide clear information about all cookies including those that are strictly necessary, and if personal data is involved then you will be required to do this under the fairness and transparency requirements of data protection law.
I was directed to that ICO cookie banner as an example of what I need to do, by an EU law firm who we're paying to guide our compliance activities.
I'm not a lawyer and I can't give you legal advice. I can just report that the legal advice that was given to me was that any cookie setting activity needs to be notified, even if consent is not required.
One potential discrepancy is that we are being prepared for the e-Privacy Regulation (which is not yet in effect), while it looks like the page you linked to covers the e-Privacy Directive.
It should be noted that's related to the cookie law (ie, the ePrivacy Directive), not the GDPR, and there is a proposed replacement (the ePrivacy Regulation), since basically everyone agrees the current situation is not good. Unfortunately it's taking longer than initially expected.
No. It leads to non-acceptance by default. If you are seeing forms where you are opted in to data capture by default that isn't a core part of the service, that's a breach.
Wait for a small number of companies practicing the “by using this service you agree to” thing to be fined a large part of their turnover. After that companies will adapt.
Now we are in a sort of transition phase where laws are written but companies interpret them themselves (badly) and there are few guiding cases.
I look forward to the next phase when the notices will be gone or say “did you know you can enable tracking so we show more relevant ads that we get more money for showing?”. I’ll say no regardless of how much I enjoy that content.
My point was that the laws are in place now, but appear to be toothless. I received a marketing email disguised as an order update after an explicit opt out, and reported it to ICO in the UK. ICO told me I had to take it up with the provider, and if they didn't resolve it to get in touch. The provider said sorry and closed my ticket, and I contacted ICO again who just mothballed me.
Laws are only effective if they're enforced, and right now the tracking laws of the GDPR don't appear to be enforced, or have any sort of method for reporting, which is really really disappointing
> the laws are in place now, but appear to be toothless
Currently the country's regulators (such as ICO in the UK) are swamped with GDPR complaints and are prioritising the most egregious cases. I imagine cookies are a way down the list.
In terms of reporting, you tell the company itself first, if you don't get satisfaction you report to your own European country's regulator, or that where the company is based.
The agencies responsible are unable to deal with requests, so for all intents and purposes, the laws are toothless until they start cracking down on it, and there's nothing I can do/nobody I can tell about it.
Every country implements their version of GDPR and its sanctions. You can tell your authorities or dedicated organization about violations. Not all countries have yet implemented procedures for them however.
I've been very satisfied to the extent to which these popups allow you to not opt in to everything and still use the site. I think the previous popups have trained us to assume that the popups are meaningless and we just have to click yes on everything. This is not so!
As a European who rejects ad trackers on every website, I can confirm that a good 95% of them are correctly implemented and will let you keep browsing. Some of them (usually Americans with a poor understanding of why they even implemented that) will kick you out or ask you again on every page load until you accept.
We need a standard for managing these controls on the browser side, which major browsers can then implement. It wouldn't surprise me if people were already working on something like that. If I reject ads from google doubleclick specifically, they should be pre-rejected for every subsequent website that asks the same question. Likewise for the various cookie purposes.
(I do understand the unfortunate potential for fingerprinting here...)
> As a European who rejects ad trackers on every website, I can confirm that a good 95% of them are correctly implemented and will let you keep browsing.
Really? Any chance you could share some examples, because my strong impression is that a clear 95% of those I see are not compliant.
How does that work anyway? If you decline to allow the site to store a cookie on your machine, how does the site know that you already rejected the popup to avoid showing it to you on your next action?
They store that information on a cookie! Some websites try to break their own permission manager on purpose (or at least I can only imagine it's on purpose) by burying the cookie that stores the permission manager's settings within the list of cookies you have to accept or reject, so if you "reject all" you will be asked again and again. Non malicious implementations either include the permission manager among the essential cookies or list it at the very top so you can choose to keep it.
If the permissions were managed by the browser then cookies could be managed directly on the client side without server side interference, and preferences could be communicated to the website via headers (like DNT but GDPR requires a lot more granularity, and is also legally enforceable in the EU).
Clearly they are asking because they hope that you click "Yes". Once you click "Yes" they give you a cookie and stop bugging you. It's a nasty trick of the tracking industry.
GDPR does not forbid websites to ask or even deteriorate your experience (afaik). Perhaps that should change.
GDPR does forbid providing a lesser experience for people who do not consent to tracking. (Obviously aside from the direct consequences of not having tracking, like getting different adverts.)
I don't think it's a problem that people don't let you use the site if you don't opt-in. That's a design choice, not a fault or problem or bad implementation. Just a show of that they would really really like to track you. If you don't want to be tracked, then it's a clear indicator to avoid such site in the future.
I wholeheartedly agree on your point though, that if I reject 'A' on one site, it could be assumed by the browser I'd like to reject 'A' on the next site. Perhaps the same kind of block could occur like they do with faulty SSL settings, just stating that you blocked 'A' on some site, and this site is using the same, with a button to proceed if you accept that fact.
That's not how GDPR is designed. In Europe, the business model to 'sell' Web content for the permission to track has now become illegal. Web site owners will need to change their business model, or they will be fined.
Note that you can still 'sell' Web content for forcing your customers to see advertisements. You just aren't allowed anymore to track that on a person-by-person basis.
I find that some vendors will have a section for "information storage and access" and list both the cookie used to remember your gdpr setting and cookies from doubleclick in there.
Or the opt out page just leads to instructions to disable cookies in your browser.
Every single website seems to have a slightly different layout for the permission manager thing, even when the software for multiple websites is (in name) the same software developed by the same company. Why? Tricking the user into accepting something they wouldn't want to seems to be a major reason. It drives me nuts. If there was a single permission manager whose layout is controlled by the Firefox devs this wouldn't be a problem.
> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.
Not true, I mark all those as spam. If there is a "newsletter checkbox" I check it out, but if they have hidden it somewhere I don't care, mark as spam and next.
That, and many implementations are deliberately inconvenient in the hope that you will eventually capitulate or accidentally opt-in, while trying to make it look like the legislation is the problem rather than their implementation.
> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.
No. Most of the services out there require an email to sign up to the service itself. Using that email for anything beyond the core provision of the service I signed up for is a breach. If I bought a fucking pencil sharpener from your website, any communication beyond keeping me abreast of (and optionally checking if I was happy with) my order is abusive.
> Browsing the web in Europe is like experiencing the rebirth of the pop-up ads era.
And this by itself says a lot, but not what people usually think it says.
In fact, you don't need any kind of cookie popups _unless_ they're tracking cookies. Any reasonable use of cookies for site-specific reasons (authentication, session, csrf, load-balancing, settings) is already allowed with no need to opt-in[1].
The reason why cookie popups are so widespread is two-fold:
1. Because indeed most sites track you to death, and are unwilling to back off even if it costs them visits (many people just close the tab upon being presented with all but the least obnoxious popups). In this perspective, the GDPR is working as intended;
2. General ignorance about the cookie exceptions. You can hardly blame the regulators for that. In fact, AFAIK the GDPR clarified a few things that were ambiguous WRT cookies. That backfired horribly, but just because ignorance is rampant.
So much this. Every time I see a popup with "We respect your privacy", I think "no you don't" and try to see if it is something I can block in privacy badger to remove the popup.
If the site respects users' privacy it will not track the users and doesn't need the warning.
I have a simple heuristic: if there is a big overlay preventing me from looking at the content, I just disable JavaScript altogether for the site. Most of the time this results in a clean experience with just the text I was interested in in the first place. If it breaks the article I close the tab.
> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and service
"Communications" as in "valuable information", like letting you know somebody logged into your account. That's fine and unaffected by the GDPR.
If by "communication" you mean unsolicited advertisements about the company you are describing illegal behavior that was already illegal before the GDPR. "I agree to be contacted for marketing purposes" checkboxes are ubiquitous precisely because without my opt-in they can't.
> It has lead to compulsory acceptance. This too shall pass.
Indeed, mandatory acceptance is not a meaningful choice and hence explicitly ruled out by the GDPR.
> There is a reasonable expectation that when you submit your email to a company in exchange for their service, they will email you communications relating to their products and services.
Sure, and all necessary use of information is just fine and unproblematic. Just the additional spying on top of that requires an additional, unforced opt-in.
Just because you associate emails with spam doesn't solve the problem of every charity, business, church, school and group needing to communicate with large numbers of email subscribers. Like anything, bad actors make it worse.
> The only ones that are (negatively) affected are ...
Not true. GDPR imposes costs on every company. Specifically there are the legal compliance costs, software compliance costs, support costs, and that's if you're a "good guy."
Off-topic: I absolutely love the design choices made by the author of this site. It's the basic browser stylesheet with some nice refinements. A real triumph of minimalism and incredibly readable.
Quite. It's like I've wandered into the Large Print section of the library. What's wrong with normal sized fonts, and letting the minority with impaired eyesight or curious hardware resize as desired? Or maybe browsers could expose some standard config info to sites saying "yeah, extra normal for me please"? I could use reader mode for everything, except it breaks some sites.
Their normal paragraph is 24px. Which is huge compared to the average content you find on web. The title is 48px. I find it more legible than the average web content, yet it's a little jarring. Some 22px/40px worked very well for me. Still a good example of minimal design.
I'm also on 1440p and seeing your website with that "huge" font made me instantly happy.
My Firefox is scaled up using layout.css.devPixelsPerPx with a value of 1.2 and even then I've to scale up most websites to at least 120% in order to see anything.
You are incorrect. All CSS units are defined in a resolution-dependent way. (I think there has only ever been one exception to this, an experimental unit `mozmm`, now discontinued, that attempted to be resolution-independent, representing one physical millimetre.) On screen, the px unit is king, being defined however the device chooses to define it—most commonly one or two device pixels. All other units are defined in terms of it: 1in = 96px = 72pt, &c. On print, the ratios are the same, but physical length units actually have meaning now, corresponding to physical measurements—well, maybe they do; in practice browsers play fast and loose with it all, second-guessing the website’s stylesheets all over the place, which is normally a good thing for users because few websites take care for print stylesheets, but is utterly debilitating if you actually care and want precision.
Now the question of what the root font-size is (a unit I like to call “browser em” or “bem”—I’ve never heard anyone else give it a proper name)—that’s a much more interesting question. It’s almost always 16px (I have no stats ready to hand, but I’d suggest >99% of page views), but there are devices out there that have other values, mostly between 13px and 19px, and you can change the value in some browsers also. However, website layouts commonly break if the value is not 16px, if the font sizes are based in bems and media queries in px, or font sizes in px and media queries in bems, and the developers have assumed 16px (which is completely normal). The ideal situation is to use either px everywhere or bem everywhere.
In theory, using relative units everywhere is potentially nicer. In practice, you’re fine using pixel units everywhere.
I'm sure you're right - I am only ever a front end CSS dev in an emergency, and then only for desktop. That said, when I see a relative discrepancy between sizes on different media, px vs pt is where I'd look. That is, two things that might e.g. look the same size on a desktop browser but look different sizes on mobile.
As a web developer in the past I found - though maybe that has changed in recent years, let me know if that is the case - there aren't any real resolution-independent units you can use to design an interface that is comfortable on every medium. You can peg your design to things like viewport width or font size, but you always end up having to make an arbitrary decision at some point, because there is no way for the web browser to know the physical dimensions of the screen the webpage is actually being displayed on. You have to make educated guesses based on the relationship between width and height, user agent and other headers, stuff like that, and create different stylesheets for each case. The style for the 1920x1080 screen (rotated horizontally) of the smallest smartphones can't have the same font size as the style of a 1920x1080 30 inch desktop monitor.
This is what kills me about web developers of 2017-2019 (maybe farther back to 2015 or 2016?). We had this awesome hype about supporting mobile resolutions with CSS years ago but now it seems like nobody accounts for the various screen form factors available when designing websites.
Like those sites with the overly huge logos that look ridiculous and annoying on 1080p but I'm sure on 2k and higher they look fine. I don't want to scroll down an entire page worth of scrolling to read your article, it should be immediately available.
I don't think I've encountered that yet, though I could see how someone living in a 4K world could overlook us 1080p plebs. It's like when the world switched from 640x480 to 800x600 and then to 1024x768.
I'm more curious though if what you're experiencing might also be sites designed for high res phones. Most phones these days are 1080p or better.
It's been over a year now and so many sites are not in compliance. I'm surprised the EU doesn't start collecting fines from companies like Yahoo and TechCrunch (and all Oath sites). Just two that come to mind that are blatantly violating the GDPR with absolutely no way to not consent to their tracking. Mass email spammers are another issue. Why isn't the EU collecting this money from these large orgs that are clearly in violation? It could do a lot to help the people here.
I think the GDPR is a good opportunity to reflect how much tracking we really need.
Tracking has become so ubiquitous, it's become the default to put Google Analytics on a site, to put a tracking pixel into every email, to personalize every link we send out...
But so much of that tracking isn't really necessary. I've stopped tracking website visitors and stopped including tracking pixels in emails a few years ago, and nothing has really changed.
So, I guess I won't know if 10% open my marketing emails or 50%. But who cares? I wouldn't even know what to do with the information anyway. I'd rather focus on making my product better.
Doesn't Gmail load images when the email gets to the server and not when the email is opened? (That is at least what some who know more about email than I do say.) So the only thing tracking pixels really show is whether the user uses Gmail or not.
> But so much of that tracking isn't really necessary.
I've just launched my e-commerce platform and I see 34 unique visitors and no sales. Analytics is key to figure out if something is wrong and I'm not talking about the code.
> I'd rather focus on making my product better.
How do you make it better? Having numbers without analyzing user engagement is shooting in the dark with a shotgun.
How about asking? What about some live chat to gather information?
We have found this to be highly valuable for our shop(s). It automatically pops up after 30 seconds on a product page, on other pages the badge is always present. Lot of good chats, lots of "I'm looking for XY"-feedback that helped us improve.
Do you need to know that they were 34 unique visitors or would properly anonymised data be enough?
I suspect it would be. The GDPR doesn't say you can't have analytics, but it quite rightly tries to prevent the kind of tracking you're talking about without explicit consent from the user being tracked.
Yes, properly anonymised data would be enough. I'm not talking about anything intrusive. I don't care who they are, I care about how they use my product. That can be done in a GDPR-compliant way.
> But so much of that tracking isn't really necessary.
The problem with Google Analytics and tracking is it's hard to tell what the motive is for putting it onto your site from the visitor's POV.
Not everyone who uses GA is using it for evil purposes.
They use it because GA makes it easy to gain useful business metrics, such as 100 people visited this page, 30 people filled out the account form, 5 people completed the checkout. Now you have a way to measure how good or bad your checkout flow is working and implementing this took almost no work at all. Rigging up your own DB model and tracking this stuff locally is a huge burden (especially if you account for bot traffic).
GA is also really useful to track referring URLs (with UTMs) because if you use these links from Youtube videos or blog posts, suddenly you can see exactly which posts are doing well. And "doing well" isn't just being more profitable if you're selling something. It helps you know what to write about or make videos on because this is what people want.
At the very least it's also good for just answering "am I growing?" where you look at unique visitors on a monthly basis and hope to see your chart moving up per month.
I just see it as a pragmatic tool to help you measure things. It's unfortunate it can also be used in other more malicious ways.
From the POV of someone who's both just a visitor on most sites and used GA himself: GA is often used for evil purposes, and as a tool it's optimized to enable and support evil purposes. Therefore, it's reasonable to assume, in absence of evidence to the contrary, that the site that loads it uses it for evil purposes.
Does it inconvenience honest people who'd like to use those tools for honest purposes? Sure. But think of it this way: it would be much more convenient for me if I could just give a merchant or service provider my on-line banking login and password, so they could take care of billing me directly. Would I ever do this if asked? No fucking way (even ignoring that my bank would consider it a TOS violation).
Problem is, there's no good way to signal honest intentions between parties that aren't already in a long-term relationship (and no, "we only use cookies to improve your experience" doesn't count; in fact, it's an anti-signal; thank marketers for that). So the only option for honest people is to not do the same things evil people would do.
GDPR wants 0 tracking. That's wrong too, the internet can't work that way, even governments can't work that way. EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads. That's regression
GDPR wants 0 tracking without explicit, informed consent. That's the key thing in this regulation: informed consent. Dealing with people fairly.
> EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads.
Not true, unfortunately. EU wants the ads to not track people without their explicit, informed consent. GDPR isn't an anti-advertising law, it's a data protection law (says so literally in the name).
- users could always install an adblocker if they don't consent.
- users could consent once for each tracker if that's what the law cared for. Consenting for each tracker x for each website is purposeful obstruction in order to make advertising optional.
> - users could always install an adblocker if they don't consent.
- To consent, one must be informed, so the sites would have to advertise adblockers, why they exist and how they can be used.
- Current adblockers rely on volunteers compiling lists of ads, and sites trying to evade those lists. That's not a reasonable way to ensure a legal right, so sites / networks would have to publish those lists themselves.
- The GDPR is about way more than website access tracking, so you'd still need all the same rules about the rest of the use of personal information. Seems like a duplication of effort and complexity.
> - users could consent once for each tracker if that's what the law cared for.
Just because I'm OK with a network knowing I visit nytimes.com doesn't mean I'm OK with them knowing (and using the information) that I visit pornhub.com. Consent per site is crucial.
> GDPR wants 0 tracking. That's wrong too, the internet can't work that way, even governments can't work that way.
How did it work like that all the time? It can work perfectly without all the tracking. Tracking is just so omnipresent that some people cannot imagine a world without it.
> EU wants advertising to go back to the popup / animated gifs & flash / interstitial era to maximize clickthroughs in the off-chance one of them is actually interested in your ads. That's regression
Actually that would be a great regression! I'd soooo love to have static images delivered to me again, instead of some JS bullshit which is tracking me all over the web.
Let's just kill all the ad networks over night. It will be a great time and we have a second chance to make the internet a great place.
While conducting a GDPR review I discovered that our email service provider (Campaign Monitor) was logging IP addresses of our list members associated with each email open. My jaw dropped when I noticed that they were doing geo-IP enrichment, so that I could drill into any subscriber, see a history of their opening of our newsletters, and a map of their approximate location. I could see if "Bruce" was in Melbourne or Petaluma on April 23rd. That kind of data is straight up dangerous and would be very hard to justify on a Legitimate Interest Assessment. That said, I haven't found a way to disable or purge that data thus far, and have been having a hard time finding an ESP that doesn't log IPs for its open tracking. We legitimately need open tracking, but certainly not with non-hashed IPs exposed. Realistically, just overall open rate reporting would suffice for our use case, not tracking of individual list members' activity.
This and only this is a valid, legal solution according to the GDPR.
Especially all the "by continuing to use our site, you'll agree to getting the shit tracked out of you"-messages are highly illegal, because the GDPR requires explicit consent.
Sadly there have been no big legal cases up till now. But the time will come.
The last thing I need is another godforsaken preferences center inside a product I was forced to become a "user" of just because some asshole bought my email address.
> True that the European user should be able to opt-out just from tracking.
No, and if that's how it's implemented by you then you're breaking the rules here. It should be opt-in. And yes, I know that at that point you could probably just delete the tracking. If that breaks your business model, all I have to say to you is bye.
GDPR missed a massive opportunity to standardize encrypted email. Instead we're now stuck with crappy 3rd party "secure mail" systems.
I have a startup in Denmark, and the incubator we're part of applied for an EU funding scheme. The bureaucracy for these programs is out of control, and there are claims out there that 90% of state innovation funding is blown on administration.
Long story short, I had to fill out some timesheets, and because of GDPR print out the sheets filling in everything except the personally identifying information, and then fill the rest of them out with a PEN.
We already have more than enough cookie popups and "heads up" emails whenever a company changes a comma in their ToS. GDPR is a bureaucratic madness and not something to be imitated.
Want to educate users about privacy? do it with extensive educational campaigns, not by ruining everyone's experience on the web
But the general idea of GDPR is not only to educate. It also aims to give you tools at your disposal to control how and if your data is processed and stored. That is the most remarkable feat of GDPR. To complain that this is "bureaucratic madness" is not a problem with the regulation, it is a problem with your perception of personal data. If you didn't have tools before to enable users to control _their_ personal data, you are the problem and it is definitively good that you now have to invest into making sure you create those tools.
It's not GDPR's fault that websites have awful user experience. If they really cared about privacy then they wouldn't use popups that required multiple clicks to remove tracking cookies.
If you have to untick boxes they're not in compliance with GDPR. If the button to not have tracking is gray and "accept all" is green, you're not in compliance. Many websites deliberately try to make it harder to opt-out, which is directly against the GDPR.
GDPR wants to ensure that user privacy is protected. If you do that in your business, you don't need to show any cookie popups.
An honest cookie popup would ask "Do you want to be tracked for advertising purposes? yes/no", and any sane person would click "no". No education needed at all, if the advertisement industry would play honest.
If the Web experience is ruined now, the Web advertisement industry needs to fix it.
1) "GDPR is europe's problem" --> I'm saying it's an attempted solution, not a problem
2) "not of the entire 'email industry'" --> the whole 'email industry' is in fact, affected. Where you operate from isn't a factor. Only if you don't email EU citizens (which is quite unlikely), you don't have to worry about it. If you do (which is very likely), you should know and implement GDPR rules.
I understand your FACTA analogy, but don't see how you disagree with me.
I misunderstood the fact that you don't see it as a problem.
I don't think the GDPR solves much or anything, if you want to play on the internet, almost [there are good exceptions, where you can just choose to have a 'lesser' experience] all of the time you'll have to click "I agree".
The GDPR is much more than an EU regulation that forces a cookie wall. In fact, there is no cookie wall obligation anywhere. The fact that companies are so uncreative and can only come up with these silly solutions shows how broken the internet is and how widespread tracking is.
GDPR does solve some problems, in my view. For example, it allows EU citizens to ask companies to disclose what they know about them and how it is being used. You can ask companies (and they must comply) to delete your records. Data must be pseudonymized / anonymized in many cases. Those are all real effects. It offers transparency and gives more control to individuals.
If you want to learn more about what the GDPR does do, what protection and control it brings EU citizens, I refer you to the Wikipedia page which has all of that and more.
> I don't think the GDPR solves much or anything, if you want to play on the internet, almost … all of the time you'll have to click "I agree".
That in itself is a GDPR violation. If you care enough, report it. That said, this is not what happens “almost all of the time” at all. In my experience most websites are completely or partially usable when you disagree with being tracked. At worst (and also in violation of GDPR), the tracking dialog makes it intentionally difficult to refuse being tracked.