Just answering on a few relatively disparate points:
There is an important difference between trading in personal data and trading in data derived from personal data. There are a few companies out there working on enabling this for small publishers in the same way that larger publishers can build for themselves. If I worked in adtech (and given everything exciting that’s happening these days, it’s certainly an interesting industry!) I think I would focus on that kind of innovation instead of trying to prolong the status quo of mostly doing the same thing as Google but at smaller scale.
This is not a big vs small publisher issue — all sizes of publishers are dying under the current régime, only a few are keeping their head out of the water. Change is needed. Thanks to the current evolution of the data economy we are finally seeing innovation in adtech that is bringing it out of the old unsafe, ungoverned, anything-goes model under which publishers lost control over their core advertising asset — access to their audience. I’m very excited about some of the options I’ve seen being developed by small innovative startups.
I am also familiar with the GDPR. One important part of the GDPR is Article 25: Data protection by design and by default. This does not preclude choice and neither are browsers currently preventing choice. They are simply going with the privacy by design and by default that aligns with their users’ expectations. Note that when the browser vendor makes the decision to process data in a manner that is not essential to support the user’s request and that makes it so that the browser is determining the means and purpose, it is arguably a data controller.
The open programmatic ecosystem carries well-known data protection risks since it essentially broadcasts data to a large number of participants with no purpose limitation. I have no objection if users choose to enter their personal data in such a market, but they should do so in full deliberation. This means that the manner in which they decide to participate should be commensurate and well balanced with the risks to their data protection. Things like the TCF and CMP dialogs fall very short of the mark there. But as I suggested above, nothing prevents a company or a group of companies from implementing an extension that users could choose to install in order to return to being tracked across their entire digital lives if that’s what they want. That would make it possible to provide greater notice, and would give a clear way for them to exercise their rights — something which the previous ecosystem failed at.
I don’t disagree that some browser vendors can be unilateral and inconsiderate of others in the ecosystem (you know who you are folks ;). However, what browsers are doing with cookies is in line with existing standards and has been for a very long time. For instance, if we look back to RFC 2965 §3.3.6, from October 2000, it states very clearly:
    When it makes an unverifiable transaction, a user agent MUST disable
    all cookie processing (i.e., MUST NOT send cookies, and MUST NOT
    accept any received cookies) if the transaction is to a third-party

    This restriction prevents a malicious service author from using
    unverifiable transactions to induce a user agent to start or continue
    a session with a server in a different domain. The starting or
    continuation of such sessions could be contrary to the privacy
    expectations of the user, and could also be a security problem.

    User agents MAY offer configurable options that allow the user agent,
    or any autonomous programs that the user agent executes, to ignore
    the above rule, so long as these override options default to "off".
Browser vendors made the unilateral decision, against the standards community, to support third-party tracking by default back then. This decision put all publishers at a disadvantage compared to intermediaries and was a direct contributor to today’s crisis.
If you prefer to look at the more recent RFC 6265 §7.1, it had to accept the reality of third-party tracking but still stated:
    Particularly worrisome are so-called "third-party" cookies. In
    rendering an HTML document, a user agent often requests resources
    from other servers (such as advertising networks). These third-party
    visits the server directly. For example, if a user visits a site
    that contains content from a third party and then later visits
    another site that contains content from the same third party, the
    third party can track the user between the two sites.

    Some user agents restrict how third-party cookies behave. For
    example, some of these user agents refuse to send the Cookie header
    in third-party requests. Others refuse to process the Set-Cookie
    header in responses to third-party requests. User agents vary widely
    in their third-party cookie policies. This document grants user
    agents wide latitude to experiment with third-party cookie policies
    that balance the privacy and compatibility needs of their users.
    However, this document does not endorse any particular third-party

    Third-party cookie blocking policies are often ineffective at
    achieving their privacy goals if servers attempt to work around their
    restrictions to track users. In particular, two collaborating
    servers can often track users without using cookies at all by
    injecting identifying information into dynamic URLs.
As you can see, what browsers are doing today is exactly what the open standards community has been expecting them to do for twenty years. Everything from ITP to eliminating 3P cookies isn’t just what users want, it’s what the standards actually say should happen. They took a unilateral detour experimenting with third-party tracking. It contributed to the world of excessive concentration, dying publishers, and vanished online privacy that we know.
I for one welcome them back into the fold. Innovation is much better when it is aligned with users than when it is hostile to them, and we’re already starting to see these changes bear fruit.
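The RFC 2965 §3.3.6 rule quoted in the post, sketched as a user-agent decision function; this is an added example, not part of the original post. It follows the RFC's reach and domain-match definitions in simplified form (IPv4 literals compared exactly, ports ignored), and the host names and the `allowThirdPartyOverride` option name are constructed for illustration.

```javascript
// Added example: cookie decision for one request under RFC 2965 section 3.3.6.
// Host names are constructed; allowThirdPartyOverride is a hypothetical option name.
const isIPv4 = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h);

// Effective host name: a dotless name gets ".local" appended.
function effectiveHost(host) {
  const h = host.toLowerCase();
  return h.includes(".") ? h : h + ".local";
}

// Reach of H = A.B is ".B" when A has no dots and B has an interior dot
// or is "local"; otherwise it is H itself. IP literals are their own reach.
function reach(host) {
  const h = effectiveHost(host);
  if (isIPv4(h)) return h;
  const b = h.slice(h.indexOf(".") + 1);
  return b === "local" || b.slice(1, -1).includes(".") ? "." + b : h;
}

// A domain-matches B when the strings are equal, or when B has the form
// ".B'" and A is N + B with N non-empty.
function domainMatch(a, b) {
  if (a === b) return true;
  return b.startsWith(".") && !isIPv4(a) && a.length > b.length && a.endsWith(b);
}

// Third-party: the request-host does not domain-match the reach of the
// request-host of the origin (user-initiated) transaction.
function isThirdParty(originHost, requestHost) {
  return !domainMatch(effectiveHost(requestHost), reach(originHost));
}

// tx.verifiable is true when the user could review the request-URI first
// (a clicked link); embedded resources and redirects are unverifiable.
function cookieProcessingAllowed(tx, options = {}) {
  if (tx.verifiable) return true;
  if (!isThirdParty(tx.originHost, tx.requestHost)) return true;
  return options.allowThirdPartyOverride === true; // override defaults to "off"
}

const embeddedAd = { originHost: "www.news.example.com",
                     requestHost: "ads.tracker.example", verifiable: false };
console.log(cookieProcessingAllowed(embeddedAd));                                    // blocked by default
console.log(cookieProcessingAllowed(embeddedAd, { allowThirdPartyOverride: true })); // user opted in
```

Taken literally, these definitions also treat `cdn.example.com` as third-party when the origin is the bare `example.com`, because the reach of a two-label name is the name itself rather than a leading-dot domain.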