A Personal (Data) Foul


Last week, on Amazon, I bought a toothbrush kit for my dog Bissell. I bought it from home using a Galaxy Tab S2. Now, one week later, everywhere I go, on any device, I see ads for dog toothbrushes, even at work on my Windows PC. While I personally brush my teeth a few times a day, brushing beagle teeth is a twice-a-week proposition at best. I am not sure how many toothbrushes most dogs need, but I’m pretty sure one will cover us for a while. My dark side tempts me to click on some of those ads so the vendors serving them up will have to pay for their foolishness, but being petty takes time that I don’t want to waste.

It is going to be a few more years before web advertising figures out how to be truly effective. Currently they serve up thousands of ads that miss the mark completely for every ad that hits. The advertising field has changed so quickly that old school ad people are lost trying to figure out what to do. They are just happy to have any sort of numbers to report to their clients. There is also an army of young people being paid to play on social media all day, so they are not in a hurry to change things. Despite the status quo, something in on-line advertising is going to change, and the catalyst might be the EU’s new regulations on personal data.

In May of 2018, about 200 days from now, the General Data Protection Regulation (GDPR) goes into effect in the European Union, and for anyone outside the EU who does business in the EU. The list of affected vendors is long, but the obvious biggies come to mind: Amazon, Google, Apple, Microsoft, Facebook, JP Morgan Chase, Samsung, and your favorite multinational. Unlike previous “guidelines,” this regulation carries strong enforcement penalties, including up to 4% of profits. For companies that have become accustomed to routinely stockpiling, using, and trading our personal data, it is going to be a cold slap in the face.

Unlike US regulations that usually get their teeth pulled by the time they are law, the GDPR has clear language and built-in interpretations. In summary, the GDPR has six components.
1. Personal Data Definitions
2. Requirements for Stored Data Minimization
3. Individual Data Rights, including the right to have your data forgotten or corrected
4. Data Breach Notifications
5. Increased Accountability
6. Explicit Consent Requirements

They are not fooling around. The definition of “personal data” is both clear and strong. I have edited out a few words, but no content: “Any information relating to a person who can be identified, directly or indirectly by reference to name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” An “online identifier” includes browser cookies. Websites will ask you to turn cookies on if you have them off in your browser, technically asking you to consent when you allow cookies, but the consent in GDPR #6 is something new.

The Future is Clear

After May 2018 in the EU, there will be no clouds of legalese with a checkbox to gain consent to use your personal data. The regulation requires plain language. The GDPR website summarizes, “companies will no longer be able to utilise (sic) long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous.” Lawyers all over the country shudder when they hear those words. “Consent must be clear and distinguishable from other matters . . . using clear and plain language.” The law requires an affirmative opt-in for sensitive personal information.

It will not be acceptable to have statements like “Do you want to use cookies to improve your browsing experience?” pass as consent. Statements will need to be clear like this:

This website can collect and store my personal data to share it with advertisers. □Yes | □No

The rule on consent also requires that it must be as easy to withdraw consent as it is to give it. Therefore, the checkbox cannot disappear to be hidden away in a hard-to-find menu like Facebook’s privacy settings. The law is clear that consent cannot be assumed, as it is now for nearly every app on most smartphones. The GDPR specifically states that insufficient forms of agreement include: “silence, pre-clicked boxes, or inactivity.” If a user does not give consent actively and affirmatively, there is no consent.

Tilting at Windmills

Anyone who has ever tried to stop ad tracking knows what a fool’s errand it has become. In an effort to clear the canine dental equipment from my personal history, I started with Firefox on my work computer. It took three different advertising opt-out tools to get the 131 tracking devices off my browser. Two of them, Kargo Global and Krux Digital (Salesforce), refused to let go. I made the fateful toothbrush purchase on Chrome with a different device, and it followed me to my phone, and to work, on multiple browsers in each device, without any affirmative action on my part. Conversely, to remove the ad tracking from my life I have to apply the opt-out tools one at a time to every browser on each device. The trackers are smart enough to find me at work, but not smart enough to follow themselves back to my home. This will not meet the standard of being as easy to opt out as it is to opt in.

Better control of ad tracking is just one relatively minor advantage that the GDPR will bring the Europeans. In the long run, they will enjoy much more secure personal data. In the US we will not enjoy these rights, yet there is still reason for optimism. The world is a much smaller place, and with the EU setting an example of how personal data should be respected, we will learn the hurdles to getting there ourselves. Many of our on-line experiences come from multinational sources which will be required to respect the privacy rights of people in the EU. It will not take long for people in the USA and other countries to insist on the same protections. I just hope it happens before Bissell needs a new toothbrush.

— ♦ —

From our offices in the USA and the Netherlands, Frontier Computer provides IT hardware, enterprise computing support, Peplink SD-WAN routers, and IP communications to the world. We also bring our dogs to work, which is why fresh breath is important.
