#35 Do we get any benefit removing cookie consent?
Why... How would that help me?
We are witnessing yet another attack from the AdTech lobby against the need for consent to track your browsing across websites and connected services.
What benefit do I get from those annoying banners that always ask me the same thing and if I refuse, oops, “maybe the website won’t work”?
The answer in two brief comments:
.- Do you know ICE, that new American law enforcement agency that has earned a well-deserved good reputation for its know-how, exemplary behavior, pristine compliance with fundamental rights, and the warm welcome of the neighborhoods where it operates?
Well, ICE buys from AdTech companies (and updates daily) the geolocation information that allows it to find and detain its unfortunate targets. This data is extracted from all American citizens’ phones either (i) from real-time digital ad auctions, or (ii) from SDKs or little pieces of spy code embedded in most conventional apps.
Both sources are subject in the EU to the principle of purpose limitation and user consent, and this user option must be respected.
When you see your neighbor’s beard being shaved…
.- Have you ever seen a personalized ad that WOW, offers you something you just talked about with your friend, neighbor, brother-in-law, or speech therapist a moment ago? Have you thought Instagram is listening to you? Well, that’s a brother-in-law bias: companies actually achieve that effect by combining THOSE SAME cookie and geolocation data.
I talked about it once on the radio. Link here.
Exactly the same as ICE. Easy, cheap.
You are reading ZERO PARTY DATA. The newsletter about privacy news, technopolies, and tech law by Jorge García Herrero and Darío López Rincón.
In the spare moments this newsletter allows us, we enjoy solving complex issues in personal data protection and artificial intelligence. If you have one of those, give us a little wave. Or contact us by email at jgh(at)jorgegarciaherrero.com
🗞️News of the Data-world 🌍
.- The complaint from Noyb against Lithuanian Whitebridge.ai has it all: shady company using AI for questionable things, AI-generated false information to scare you into paying for access to “your data,” totally ignoring the free nature of the access right, claiming “manifestly public” to bypass compliance in massive scraping of the internet, “freedom of enterprise,” or the wonderful almost criminal background check–style extract shown by Noyb. A clear “Bet you can’t violate the GDPR and the AI Act top to bottom?” Hold my bleach cocktail.
.- The big fines always come via competition and civil law made in the USA. $2.5 billion against Amazon for the thousand deceptive patterns in Prime subscriptions. $1.5 billion in consumer compensation, and the remaining $1 billion via civil route. Let’s see if the contagion effect spreads, since they do the same with tons of other things. Ever had to double-check if they were sneaking in another product, or a pre-checked recurring purchase/subscription?
And the most transferable points, as good practices against any deceptive pattern, are already well known in data protection:
Clear and visible button to reject Prime. Goodbye to Amazon’s misleading “No, I don’t want free shipping.”
Clear and visible information on all conditions; cost, date, frequency, or if the subscription renews automatically.
Easy way to cancel Prime, using the same method as for sign-up.
And as a bonus, the screenshot compilation post of the very easy cancellation that has been part of Amazon’s great work worthy of public recognition (in your face). We rarely remember the great Harry Brignull who coined the term Dark Pattern, but the original website is still a solid hub for updated posts and examples of this stuff.
.- The Hamburg DPA appears to have fined a financial institution €492,000 (they don’t say which one in this preliminary note) for not providing adequate information about the logic and operation behind the automatic card issuance denial by the bank’s system. Via Luis Montezuma.
📄High density docs for data junkies
.- CNIL publishes the final version of its guide for the Transfer Impact Assessment (TIA). Includes practical checklists and proportionality criteria, emphasizing the importance of documenting residual risks and mitigation measures. IMHO, after going head-to-head with Max Schrems and the AEPD over these things, doing this based on “adequacy – or, ha! equivalence – to the European level of protection of the recipient state’s surveillance regulations” is a waste of time doing kabuki theater: papers that have no practical effect. Better listen to Christopher Kuner: he’s been preaching in the desert for years, but we shall prevail.
.- Sergi Ariño keeps going at the Data Act. Now with spot-on comments about the new version of the FAQs from the European Commission. The ones published the same day the regulation went into effect, yep.
.- This rant from Peter Hense on AI is entertaining. The ISO he proposes next – EC TR 21221:2025 – is extremely useful.
.- If you want to dive into a case combining GDPR, DSA, and the AI Act, you can read this by Christakis on DeepSeek. Stuff about international data transfers, algorithmic transparency, automated decision-making, and user rights. Things no one runs into in their daily life.
.- Good note from Gerard Espuga on this ICO infographic explaining the “identifiability test” from the Scania doctrine.
Meaning: how to assess whether a given third party can reidentify the data subjects in your dataset, and therefore, whether their access to that dataset is or isn’t governed by the GDPR. Too bad the infographic doesn’t properly distinguish “anonymization” and “pseudonymization,” which can have disastrous consequences.
To avoid (or rather, mitigate the possibility of) those disastrous consequences… keep reading.
📄Papers of the week
.- For interesting AI papers, we also have Jorge Morell with his weekly compilations. The first one is not to be taken lightly: “When Ads Become Profiles: Large‑Scale Audit of Algorithmic Biases and LLM Profiling Risks” by Baiyu Chen, Benjamin Tag, Hao Xue, Flora Salim and Daniel Angus, which analyzes Facebook ad impressions: an algorithm that leads vulnerable groups to gambling or political ads, plus an LLM that seems capable of reconstructing a user’s demographic profile from their ad sequence.
The paper warns about a delightful possibility called “autonomous microtargeting” where the model optimizes in real time without direct human intervention, which could create biases and regulatory challenges yet to be discovered.
Marvelous.
.- From the data side, a not-too-long one (Why Data Anonymization Has Not Taken Off) by Matthew J. Schneider, James Bailie, and Dawn Iacobucci, which makes us reflect on anonymization, differential privacy, and synthetic data. Especially statements like this wonderful excerpt:
And a couple of simple and meaningful examples, a little further ahead:
“For example, anonymization solutions for four-decimal-place GPS coordinates are probably not going to work well (the resolution of analysis is too high), but anonymization solutions for reporting disease prevalence in major cities across large population subgroups (a low resolution) can be effective.
Relative to the size of the data, more noise must be added to protect a company with data on 10 consumers compared to a company with 10 million consumers for the same level of protection.”
💀Death by Meme🤣
LinkedIn, that new Twitter/X with a very dumb algorithm. Though the posturing was always there.
Dr. Seuss, creator of The Grinch, illustrates things in this cartoon: the year was 1941.
🤖NoRobots.txt or The AI Stuff
.- How are things with, eh, “frictions” and “overlaps” regarding lawsuits over third-party rights violations in AI model training? Caitlin Andrews sums it up nicely in a single article on the IAPP blog.
.- Can you get dumb if you ask AI everything-all-the-time? IMHO, this is one of the main risks of this thing, and if you know the human race even a little, I see little hope. Let me explain with an example.
🙄 Da-Tadum-bass
The acquisition of EA, the video game company, has a tasty little easter egg. Assuming you don’t find it tasty that money from Saudi Arabia also took a part of Pokémon GO. They didn’t buy Niantic, but they did buy the whole “games business” aka geolocation and profiling apps disguised as games.
If you think someone might like this newsletter, or even find it useful, feel free to forward it.
If you miss any document, comment, or bit of nonsense that clearly should have been included in this week’s Zero Party Data, write to us or leave a comment and we’ll consider it for the next edition.