Heck, the payment processor plugin probably on that costume's site that's all they needed considering the email came from PayPal, which I assume you have an account with. An IP address lookup table internal to PayPal would do it alone.
It's ingenious. The incentives are set up entirely against you. The people who know and care the least about privacy decide what to do with your data, and they are enticed to hand it over by the promise of tracking ad spend, i.e. the promise of making their jobs easier and of making their success quantifiable.
Or could it be beaten by high privacy browsers like Brave and a system of shuffling through and sharing random anonymous online identities with strangers like Tor does with IP?
Just to confuse the hell out of the ad platforms…
What would the legislation even be though?
That can be combined with other sources that the Web site vendors have contracts with, including so-called knowledge databases, that can correlate such information.
People that keep arguing for native being less secure than Web, just because they can use telemetry, have no idea to what extent marketing engines are able to extract information from each HTTP request.
This stuff is done because it works.
"How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did"
https://www.forbes.com/sites/kashmirhill/2012/02/16/how-targ...
FYI, I work at Google but not on Ads.
However, I do think there is an inherent creepiness involved in the amount of tracking involved to achieve that level of targeting. Normally, as a person who is not terribly privacy minded, I'm not thinking about this tracking that watches everything I do. That is, until I had an experience like the top comment. I ripped the mic out of my Amazon FireTV remote that day. It made me uncomfortable that my conversation left the room without my knowledge or consent. (I realize this was Amazon, not Google, but they all do this sort of thing.)
Edit: I think ad targeting has to achieve a delicate balance of serving potentially helpful ads, while not alerting the target that they are part of the Matrix.
Moving all of the tracking and data sharing server-side means there is nothing you can do to stop it other than simply not visit sites that use it and even that isn't so simple because how are you supposed to know if they have implemented server-side tracking other than maybe a vague mention in the ToS or PP?
They may not use it for nefarious reasons (one can argue if unwanted targeted ads are or aren't) but that data may leak either directly or via a 3rd party who purchased it.
Then you have a situation where you have all this product and personal history which could be embarrassing and be used for blackmail.
Can you delete this data? Do you know everything they are tracking?
Someone else said it best, this is a cyber stalking industry.
For getting good targeted ads, you need to know a lot about targets. And that knowledge can be used for other things than just selling ads.
It can be used by politicians to target specific groups, it can be used by scam artists to get access to more susceptible people. It can be used by businesses, like payday loans, cc companies, lotteries, etc. to target people that are already in a bad place, to dig a hole even deeper (and that already happens today). It can be used to target people who are whales in one microtransaction whatever, to spend on some other etc. It can be used by bad governments to target people with specific viewpoints, smear campaigns, find dissidents etc.
They all need the same kind of data. And even if you collect that data for one purpose today, doesn't mean it can't be used for something else in 10 years' time. Just because Google might not sell that data right now, doesn't mean it won't in the future.
I would have a lot less problems if it was just ads, but it's really not.
People don't like it - people don't like that form of targeting. It may not be clear why they have issues with it, but they do.
At my kids' school, if someone is repeatedly doing something to you that you don't like, then it is classed as a form of bullying.
How about neither?
Due to cross-site “third-party” cookies being disabled in modern web-browsers and the HTTP Referer [sic] header being unofficially deprecated, the only way for websites and ads to work together is by either IP address tracking or visitor fingerprinting.
IPv4 address tracking is a blunt instrument that is next to useless when visitors are using ISPs with CG-NAT. But IPv6 makes every device addressable - and thus - followable. I imagine that eventually CPE (home internet modem and router) will offer some kind of IPv6 address randomisation system on a per-TCP-connection basis, though they’d all share the same 64-bit prefix (I think?) so it doesn’t mitigate per-residence tracking.
(EDIT: Ah, so IPv6 does have privacy protection by rotating autoconfigured addresses on a regular basis: https://www.internetsociety.org/blog/2014/12/ipv6-privacy-ad... )
————-
I do believe the end of third-party cookies is going to make internet advertising significantly less profitable and more and more ad-funded sites will either add paywalls or shut down.
I’m surprised Google went this way, actually - I’d have thought a less-harmful way of protecting users’ privacy with balancing the need for attribution in advertising could be accomplished by, for example, auto-nuking cross-domain cookies after 24-hours.
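An added example, not part of the comment above: a short Python check of the /64 point, showing that rotating the interface identifier changes the full address while the network prefix a server sees stays the same. The log entries are constructed from documentation address ranges, and the /64 delegation size is an assumption (some ISPs delegate /56 or /48).

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: (client address, path). Addresses come from the
# 2001:db8::/32 and 192.0.2.0/24 documentation ranges, not real traffic.
SAMPLE_LOG = [
    ("2001:db8:a:1:3c5e:91ff:fe02:7a11", "/"),          # household A
    ("2001:db8:a:1:85d1:22c4:9b0e:4f3a", "/cart"),      # household A, rotated address
    ("2001:db8:a:1:f00d:1234:5678:9abc", "/checkout"),  # household A, another device
    ("2001:db8:b:7:1122:3344:5566:7788", "/"),          # household B
    ("::ffff:192.0.2.10", "/"),                         # IPv4 client seen as IPv4-mapped
    ("192.0.2.10", "/about"),                           # same client over plain IPv4
]


def network_key(addr: str, v6_prefix_len: int = 64) -> str:
    """Return the part of an address that survives interface-ID rotation.

    v6_prefix_len is an assumption about the ISP's delegation size.
    """
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 so one client is not counted as two networks.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4:
        return str(ip)  # behind CG-NAT this may be many households at once
    # strict=False masks off the host bits instead of raising on them.
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix_len}", strict=False))


def group_by_network(log):
    """Map each network key to the set of distinct addresses seen under it."""
    groups = defaultdict(set)
    for addr, _path in log:
        groups[network_key(addr)].add(addr)
    return dict(groups)


if __name__ == "__main__":
    for key, addrs in sorted(group_by_network(SAMPLE_LOG).items()):
        print(f"{key}: {len(addrs)} distinct address(es)")
```

Three different household A addresses collapse to one `2001:db8:a:1::/64` key, which is why address rotation alone limits per-device correlation but not per-residence correlation.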
Do you _really_ think the OP didn't know that???
It is not a 1:1 replacement for tracking pixels and lacks some of those creepy features (you're unlikely to get tagged if you simply browse a website without giving up any personal info), but it offers new ones as well (the ability to send arbitrary data to an ad platform).
It would be a remarkably narrow law that made it illegal to do something client-side but not server-side. AFAIK it's usually about what data you collect and how you use it, not precise details about how it was collected and stored along the way.
Server-side allows businesses to defer the data transfer until it's known whether specific consent is granted or revoked. It also allows you to more easily keep a record of the data shared with other parties in the event that a user withdraws prior consent or invokes a right to be forgotten. You then have the ability to tell your partners to also delete those data points.
For the ad platforms, this lets them optimize their ads for better performance when they know which user profiles converted.
For advertisers, it's used for directional guidance on the platform, e.g. ad campaign A converts at 3x the rate of ad campaign B.
The famous quote in the industry is "Half the money I spend on advertising is wasted; the trouble is I don't know which half." This method gives you a better idea of which money is wasted, at least compared to something like a TV or a print ad.
It gets more complex when you're advertising on multiple channels. For instance, if you see an ad on FB, Google the product, then buy it, both will take credit for a conversion even though your business only had one sale. There are more scientific methods for modeling advertising results from multiple channels [1], that leverage control groups (say you run a Google ad in New York and a TV ad in California and monitor which market sees a bigger spike in sales).
The reported ROAS is all over the place on FB right now. It goes from previously 1 = 100% return on investment. Now it sometimes says 10X numbers like 70, which I assume is of the data they could measure 70% roi.
It seems to 'automagically' combine the offline conversion data with standard FBQ but I have no idea the match rates for the server-server data I send in and also importantly if it de-dupes.
I've tried to experiment with voting data in the past, I want to try that more this election. Run get out the vote ads and optimize for actual early votes.
Wait. Whose data is it, Google?