It sounds to me like the Superhuman e-mail service is in permanent breach of the GDPR by collecting the reading behaviour and geolocation of every recipient of an e-mail from one of their users. This is so that the user can get a ‘message read’ signal, except it shows the user every time you opened a mail and your geolocation at that moment. It does so without the recipient’s knowledge, and thus without explicit consent, which is definitely needed for something like geotracking.

Also: switch off loading remote images in your e-mail client, so tracking pixels and other image-based beacons won’t automatically load upon opening your mail.

You’d think the habit would have died out in the last millennium, but apparently not. An Italian business’ platform at which I registered just sent me a friendly email confirmation that contains my name, username and password in plaintext. What better way to start a relationship with a new client than with a security breach, eh?

I mentioned it here six months ago, that US National Public Radio (NPR) provides a GDPR based choice: get tracked or get text.

If you don’t agree to their tracking ….

[We] use cookies, similar tracking and storage technologies, and information about the device you use to access our sites to enhance your viewing, listening and user experience, personalize content, personalize messages from NPR’s sponsors, provide social media features, and analyze NPR’s traffic. This information is shared with social media services, sponsorship, analytics and other third-party service providers.

…then you have the option to see their content in plain text, which is hosted on a separate subdomain, text.npr.org.

I find I only access NPR now through plain text. The pages are made from straightforward HTML, no loading of any other files or snippets, and are therefore as fast as can be. A breeze to read, no distraction etc.

NPR’s plain text news page

NPR plain text article

Only HTML, here NPR’s news page in full. No frills, so very fast

The only downside might be that without imagery, self-starting videos, distracting calls to action and ads, you might notice that a lot of news stories are without much informational content. You can’t blame NPR for that, because news itself as a format has worn a bit thin. GDPR and AdTech (not advertising) are at extreme odds. I like the look of AdTech being stripped away, even if it makes the early 1990’s web fashionably Retro.

I wish more sites would offer the ‘get tracked or get text’ option.

After California, now the Washington State senate has adopted a data protection and privacy act that takes the EU General Data Protection Regulation (GDPR) as an example to emulate.

This is definitely a hoped-for effect of the GDPR when it was launched. European environmental and food safety standards have had similar global norm-setting impact. This is because for businesses it is generally more expensive to comply with multiple standards than it is to comply only with the strictest one. We saw it earlier in companies taking GDPR demands and applying them to themselves generally. That the GDPR might have this impact is an intentional part of how the EC is developing a third proposition in data geopolitics, between the surveillance capitalism of the US data lakes and the data-driven authoritarianism of China.

To me the GDPR is a quality assurance instrument, with its demands increasing over time. So it is encouraging to see other government entities outside the EU taking a cue from the GDPR. California and Washington State now have adopted similar laws. Five other States in the USA have introduced similar laws for debate in the past 2 months: Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.

The contortions US media outlets go through, to be able to ignore the inescapable conclusion that adtech isn’t GDPR compatible (adverts are though). After the bluntness of the LA Times and others switching their site off for EU visitors. Aside from the NYT berating me that I have an adblocker when ads are their lifeblood (which must be why they outsource it). Now comes NPR with a novel twist: they provide a plain text version of their content. It seems to be an interpretation of the GDPR element that you can’t deny basic service to those that refuse permission to collect personal data. Basic service apparently means no CSS files. Although it’s a slightly silly choice, I do appreciate being able to read the articles. It’s not much different from how material is presented in my feed reader, after all. They provide the text version of the site for all, on a separate subdomain, which seems a rendering of their RSS feed: text.npr.org

NPR GDPR Choices
Get tracked, or get text: NPR’s GDPR choice

NPR plain text
A plain text page version of an NPR article

This is a very interesting article to read. A small French adtech company, Vectaury, has been ordered to stop using and delete the personal data of tens of millions of Europeans, as it cannot show proper consent as required under the GDPR. Of interest here is that Vectaury tried to show consent using an industry-wide template by IAB. A French judge has ruled this is not enough. This is an early sign that, as Doc Searls says, GDPR is able to, though at the speed of legal proceedings, put a stake through the heart of ad-tech. Provided enforcement goes forward.

A month after the verdict, Vectaury’s website still proudly claims that they’re GDPR compliant because they use the concept of a ‘consent management provider’. Yet that is exactly what has now been ruled as not enough to show actual consent.

This Twitter thread by NYT’s Robin Berjon about the case is also interesting.