You've signed up for a web service and never seen ads on other sites for it? Very strange.
So yes, technically you can ask the user for consent, but it has to be explicit ("we'd like to share your e-mail/phone number with our advertising partners such as Facebook, accept/decline?") and I can't imagine anyone in their right mind consenting to that.
> You've signed up for a web service and never seen ads on other sites for it? Very strange.
I sign up for stuff only when I have no other choice for exactly this reason, and often provide fake details. Reminds me of an ex-client where they had an issue with their potential customers not providing the right contact details because they're afraid we're going to spam them. "But do we actually spam them? -Yes."
You're also telling Facebook "by the way, I have a relationship with someone with this email address". That's personally identifiable information that you're sending to Facebook. Under the GDPR you can only do that if you have the explicit and freely given opt-in permission to do that from each respective person. "By using this site you agree to..." or "by signing up you agree to..." does not qualify as consent under the GDPR.
If the person does not live in Europe and you are not in Europe then the GDPR doesn't apply, of course.
If I'm not on Facebook (which I'm not) you are telling them that there most likely exists a user with this email address and an interest in your service. If many companies do this, FB might even be able to build a profile of me without me doing anything.
This is (or at least should be) no bueno under GDPR / data minimization.
Questionable. I guarantee the vast majority of users don't even read the massive legalese text walls companies show them before they sign up. Usability studies have shown that people don't even read small error messages, they just want to get rid of the annoying message as quickly as possible. The few of them that actually do read these things probably won't have the foggiest idea what any of it means or the risks associated with the breach of their privacy. So how could this be real informed consent?
Of course, we also have sites where this document is not shown at any time and can only be reached through a link buried in the page's footer. Sites that just write whatever terms they want into this hidden page and then say everyone is agreeing with it by virtue of using the site.
Under the GDPR, any non-essential data processing (analytics, ads, marketing, etc. fall into that) should be opt-in, and dark patterns like pre-ticked checkboxes are not allowed.
This isn't strictly true. Consent is only one lawful basis for processing under GDPR, and it comes with a lot of strings attached that other bases don't necessarily have, which is why so many lawyers and consultants were recommending against relying on it unless it was the only way during the mad rush to GDPR compliance a few years back.
In particular, even some of the regulators have themselves indicated that marketing might be a legitimate interest of a business. Obviously the details matter here, and handing personal data over to third parties like Facebook without their knowledge or consent seems materially different to, for example, the original business sending a relevant email about a new product that is related to something that the recipient already bought from them. Time will tell how the regulators decide to handle this.
That's not how it works. Hiding the "consent" in the fine print doesn't count, and at least in Germany, it's clear that you need valid consent and can't weasel out of it by claiming "legitimate interest" etc.
I already had a DPA explain this to one of the companies that decided to give my data to Facebook, and the DPA indicated that they were acting on multiple complaints in that regard.
There's a good chance they'll let you get away with a warning the first time if you haven't gotten in trouble before, but especially if you keep doing it (or if they decide that by now, you certainly should have known), expect quickly escalating fines.
Is it? I've never seen such ads. Or any ads for that matter, since every device and browser has adblock these days.
I agree with you on this part. It is not a violation of GDPR on the ad platform side since you, as the data controller, are responsible for obtaining permission from the end-user. The ad platform is a data processor as defined under GDPR. I am sure that the agreement between you and the ad platform states that you have permission to use the email addresses for targeted advertising purposes and bear the full legal responsibility if not.
> since users are giving consent when they sign up.
See Nextgrid's comment. Yes, the GDPR admittedly lacks on the enforcement side, and yes, I agree that this is a common practice, but that does not make it legal. Not for a data subject residing in the EU.
I think we'll see regulators take a different view when they get around to challenging this practice, and the businesses who get made into examples might find it an expensive lesson. Handing over personal details to big data hoarders for remarketing purposes is the epitome of behaviour the GDPR was intended to curtail. You can't just mutter the word "consent" and claim some small print on a Ts & Cs page no-one reads protects you, and regulators have shown very little sympathy so far for data controllers who have tried to weasel their way out of GDPR obligations with this kind of strategy.
Those regulators are still under-resourced and it will presumably take some time for them to get around to dealing with this issue. Right now they're still going after serious leaks and the like. But they're already handing out 9-figure fines to big name businesses for those breaches, and by default those fines go back into central government coffers. Given the current economic climate, how long do you think it will be before their governments realise that this is potentially a very lucrative revenue stream that the public is unlikely to mind, and so start pushing the funding for those regulators up? The ICO (the UK's regulator) has already significantly increased its budget and headcount since the GDPR came into effect, and is reportedly looking at ways to ringfence some of the fines to cover the litigation costs when it inevitably has to defend the big penalties it will hand down from time to time.
When the Cambridge Analytica scandal happened here in the UK, the ICO fined Facebook £500,000. That was the largest fine they could legally impose at the time. As they observed themselves, in what might charitably be considered a thinly veiled threat, under the GDPR that could have been well over £1B instead. Even an organisation the size of Facebook is going to feel that, particularly since there is nothing that says it can't be repeatedly fined on that scale if it misbehaves in multiple different ways.
A couple of potentially important issues have, as far as I know, not yet been resolved in this area.
Firstly, what happens if processing in violation of the GDPR is widespread, the businesses you give your address to are the data controllers, but you still have the likes of Facebook hoovering up huge amounts of personal data inappropriately but possibly only in a capacity of data processor? No doubt there will be some interesting legal arguments about where liability is going to be placed if Facebook was actively soliciting that sort of activity as part of its business model.
Secondly, what happens after the UK has fully separated from the EU at the end of this year, if as the government has stated we retain the GDPR in our national law? Until Brexit was relevant, the GDPR was an EU-wide measure, and typically one member state's regulator would take the lead role in any given case. Anyone breaking the GDPR's rules could be duly investigated and penalised, but only once, not in the same way by every regulator in every member state where there was offending behaviour. If the UK is no longer to be a part of that scheme, will regulators still co-ordinate in this way, or will the businesses sharing data with Facebook face a kind of double jeopardy where both the UK and a lead regulator from an EU member state can potentially fine them for the same behaviour, effectively doubling the maximum penalty they could receive?
If both of those issues were resolved in ways unfavourable to the marketing platforms like Facebook, they could be looking at huge fines for promoting this sort of scheme on the scale that they do, potentially enough to make whole strategies based on selective targeting unviable.