This is an obvious, thinly-veiled advertisement for a company's services. It's widely known that ad companies track you everywhere by many mechanisms. This is why we use ad blockers of all sorts. This has nothing to do with DuckDuckGo, it's merely used as a vehicle to get clicks.
1vuio0pswjnm7 · 11h ago
"SimpleAnalytics" by "IronBrands" uses utm tracking in the URL to the study that they have so graciously provided to the reader.
Perhaps the name should be "IronyBrands"
yegg · 18h ago
This title is highly misleading, implying that Google tracks DuckDuckGo searches directly, which isn’t true. It also reinforces a conspiracy theory that we’re owned by Google, which also of course isn’t true. Kindly please change it to be more accurate about Google analytics and other Google trackers on websites you may visit.
We’ve been sounding the alarm about Google analytics, tag manager, and other Google trackers for years and why we started making our own extensions and browsers to block them and provide more comprehensive protection. On our homepage and everywhere else we can we try to get people to install those to get that additional protection, which you can compare here: https://duckduckgo.com/compare-privacy
jannes · 17h ago
DDG is only one piece in the privacy puzzle. I think the article doesn't make it clear enough that other pieces are necessary.
RamblingCTO · 17h ago
The threat is real though and I've recently noticed an uptick in the google SSO popup, which is just another way of tracking. Most notably on pornhub. I'm not too keen to let them know what I have a wank to.
FabHK · 18h ago
I don't think the title implies that Google is tracking DuckDuckGo searches directly, just that using DuckDuckGo instead of Google often doesn't prevent Google from tracking you. The article also makes clear that using DuckDuckGo is an improvement, just not enough.
Furthermore, I don't see any intimation in the article that Google owns DuckDuckGo.
All in all, it seems you and the article are on the same page.
nottorp · 18h ago
The way i read it, it implies that DuckDuckGo should protect you from tracking on the sites it points to and it's not doing a good job.
They could have done a marketing blog post about the evils of Google Analytics without dragging DDG into this...
unsupp0rted · 18h ago
According to the link, using DuckDuckGo's browser basically eliminates the threat 100%, particularly if paired with a VPN?
basquiyacht · 18h ago
Edit: I can see that it reads like that. Thats not the point. DDG are not the bad guys. Google is.
jacquesm · 18h ago
Any chance of a Linux version of your browser?
blackoil · 18h ago
Yeah. This is simple fear mongering to sell its own analytics product.
bentlegen · 17h ago
Hopefully you won’t mind me using their own arguments to promote this OSS web analytics project instead:
Unlike Simple Analytics (the post authors), you deploy Counterscale to your own Cloudflare account and control the code + data end-to-end. It also uses no cookies, has no browser fingerprinting, and has no monetized SaaS offering.
It only has 90 days retention though, which could be viewed positively.
blackoil · 17h ago
I am all for the hustle. Startups are difficult. So, even though I don't like the post, I understand it is done because it works.
figmert · 16h ago
It's simple fear mongering and aimed at the wrong audience. Companies want people tracked to improve their ads and have a higher reach. The people who are being tracked can't exactly do much about what tracking system a website uses.
randomtoast · 18h ago
Let's face reality: as soon as you browse the internet, you will be tracked and identified. Here are just a few data points used for fingerprinting:
IP address, User-Agent string, Referrer URL, Requested URL, Language, Locale, Screen resolution, Time zone, System time, Installed fonts, Installed plugins, Cookie data, Browser fingerprint, Canvas fingerprint, WebGL fingerprint, AudioContext fingerprint, Mouse movements, Click paths, Keyboard input timing, History sniffing, DNS queries, Destination IP addresses, HTTP traffic content, HTTPS metadata (host, SNI, timing), MAC address, Query parameters, Session ID, Login status, User account info, Geolocation (via IP), Geolocation (via browser API), Page interaction data, Time on page, Scroll behavior, Clicks, Form submissions, Browser type, OS type, Network provider, Client ID (\_ga cookie), Session ID, Timestamp, Pages visited, UTM parameters, Interaction events, Google Ad ID, DoubleClick cookie (IDE), Cross-site behavior, Cross-device behavior, Inferred demographics, Mouse tracking, Scroll depth, Video interactions, Audio interactions, Session replay, Keystroke logging, Facebook login status, Pixel events (Meta, LinkedIn, etc)
If you want to avoid that, you need to make a real effort (not just using DuckDuckGo). The Tails operating system might be a good place to start.
edoceo · 18h ago
How is the MAC collected?
blueflow · 18h ago
It isn't, parent is making stuff up. Browsers do not offer an interface that is exposing that information.
And remote servers are outside of your local network and thus cannot see these values, either.
randomtoast · 16h ago
That's true for browsers, but Google controls both the Android OS and Google Play Services, giving them access to hardware identifiers on Android smartphones. Given the broad adoption of Android devices and the potential to correlate data, this is not a case of "making stuff up." Even if your MAC address is spoofed/randomized, the remaining data points are still sufficient to track you.
blueflow · 16h ago
Doesn't make sense to track and correlate the mutable MAC address when you have access to the burnt-in device serial number and IMEI.
Arnt · 18h ago
The WLAN AP collects that. They really track you (they being the AP and Google).
You may assume that they collude, or not.
2716057 · 18h ago
Depending on your network configuration I could imagine abuse of EDNS(0). This is used for example by NextDNS to identify which device (MAC) on your local network sent the request in order to apply specific filters and log the request. A not-so-friendly DNS could sell such information.
johnisgood · 18h ago
I use dnscrypt with a supposedly secure configuration, is that not enough to counteract this?
IAmBroom · 17h ago
Ask your friendly local CIA agent, not us. We don't have access to that intel.
johnisgood · 17h ago
How do you know? Someone might!
poisonborz · 17h ago
MAC is easily spoofed, most smartphones do it already by default - although only per session
mvieira38 · 16h ago
This list manages to be mostly correct while still spreading FUD. These can all be tracked, but the threat actors are very much uncoordinated in exploiting this info, and much of it (especially things like keystroke and mouse fingerprinting) is expensive to track en masse.
Just using Firefox with uBlock, no history, and privacy settings on max, through a somewhat trustworthy VPN like Mullvad will make your data mostly useless. Yeah, "they" could still catch you in a million ways, but if your threat model revolves mostly around surveillance capitalism you'll just be too much of a hassle to matter
fn-mote · 18h ago
To me just posting this long list is spreading FUD.
It mixes voluntary user actions, like submitting forms and “query parameters”, with things like “WebGL fingerprint” which we agree is evil sneaky fingerprinting.
I agree tracking is a serious problem, but this list isn’t contributing to any discussion.
blitzar · 17h ago
People complain about google logging their search queries when they are in "incognito mode" and logged into their google account - we need a lot more education.
johnisgood · 18h ago
What I would like is effective solutions against most fingerprinting.
sfebreiro · 16h ago
Tails and Qube OS, for example
No comments yet
fsflover · 18h ago
Tor Browser?
johnisgood · 18h ago
Besides that? I want more (if they exist). :P
fsflover · 17h ago
Whonix (which still relies on Tor Browser).
omeid2 · 18h ago
Query parameters are hardly voluntary, just about every linked acquired via "share" button on various platform includes tracking query parameters, including google search results. Combined with the fact that query parameters are has legitimate uses, the distinction complexity becomes indistinguishable from "legitimate WebGL usage" vs "WebGL fingerprint".
It is scary where we are, but you can't solve it by dismissing it as FUD.
reconnecting · 17h ago
In the case of this particular website, perhaps Google tracks you less, but you get tracked by `https://test-v1.adriaan.com` — whatever that means.
So the correct title must be: "We track you when you're reading about Google tracking you (even when using DuckDuckGo)."
AdriaanvRossum · 17h ago
Ha, nice find! I'm the Adriaan in adriaan.com. I'm testing some new script features that might improve deliverability. It's not sending any personal data. I use another domain to have the least effect of ad-blockers.
rustc · 16h ago
> Ha, nice find! I'm the Adriaan in adriaan.com. I'm testing some new script features that might improve deliverability. It's not sending any personal data. I use another domain to have the least effect of ad-blockers.
You are sending the user agent, path, referrer, a session id + the IP (which is automatically sent) to your personal server and also using a different domain to track users who have ad blockers installed. Even Google Analytics does not use random domain names to track adblock users (yet).
reconnecting · 16h ago
So the correct title must be: "SimpleAnalytics track you TWICE when you're reading about Google tracking you (even when using DuckDuckGo)."
bit1993 · 15h ago
"Honeypot even when using DuckDuckGo"
mvieira38 · 16h ago
Nice reminder to disable javascript or just use Tor Browser to open any links you don't want associated with your public presence
reconnecting · 17h ago
Nice to meet you, Adriaan.
This is slightly incorrect. By sending a request from your business website (SimpleAnalytics) to your personal domain (Adriaan), you actually transfer personal data. In this case, it’s the IP address, which according to GDPR is considered PII.
Taking into account the scope of privacy terms provided on your business website, it doesn’t include data sharing with your personal entity through your website. So this is basically illegal, unless adriaan[.]com belongs and operated by SimpleAnalytics company.
openplatypus · 16h ago
PII is not GDPR term. PII is used some US-specific acts, like HIPPA.
Did you mean Personal Data?
reconnecting · 16h ago
Yes, I had use PII as synonymous of Personal data here.
> When organisations seek to protect their user’s data, it is necessary that they understand the data they need to safeguard. Personal data, in the context of GDPR, covers a much wider range of information than personally identifiable information (PII), commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.
When you say PII in context of GDPR you are simply using wrong term.
reconnecting · 15h ago
IANAL, and wrote PII because it's personal non-legally binding communication, and there is nothing wrong with using any terms that are familiar to both sides.
You can read it as both PII and personal data, and it doesn't change the fact that this data sharing is out of scope of the company Privacy Terms.
amelius · 18h ago
User tracking only exists because it generates money. We should ban the entire practice. No more targeted ads (with very little exceptions).
v5v3 · 17h ago
Then something else will replace it. To make the same amount of money.
prox · 16h ago
You mean old timey wimey marketing pre-internet? Just target people instead of Bob at 17th Rosewood St.
How about this, I set a preference for some stuff I am interested in and that’s what they can show me.
giingyui · 15h ago
They don’t track Bob at 17th Rosewood St. They put him into groups of things they think he is likely to buy. Which is close to targeting people.
amelius · 15h ago
Multiple groups. And if you take the intersection of those groups you end up on 17th Rosewood St.
card_zero · 16h ago
Could we make that thing perhaps Being Very Nice?
v5v3 · 16h ago
Ok,what about all browsers should play John Lennon's Imagine on loop?
bit1993 · 16h ago
> User tracking only exists because it generates money.
3-letter-agencies.gif
ujkhsjkdhf234 · 13h ago
Ironically these agencies buy user information from third parties because it cost less and is legal.
tonyhart7 · 17h ago
how you can ban the practice??? in what way ?
amelius · 17h ago
You ban it by making it illegal.
dfxm12 · 16h ago
Rolling through stop signs is illegal, but people do it all the time without penalty. It's not enough to simply make something illegal. You also have to have groups empowered to enforce the law and dole out punishments heavy enough to act as a deterrent.
amelius · 16h ago
You picked an example at the extreme end, so let me choose another example at the opposite end. Breaking into people's homes and taking their stuff is illegal. It would happen a lot more if there were no laws against it.
dfxm12 · 15h ago
You've completely missed the point. I'll break it down.
When you break a law, it doesn't magically summon an LEO and judge to catch you in the act and give you the proper penalty, so words in a code is not a deterrent. The deterrent is knowing someone will hunt you down, getting thrown in jail, it's fines that hurt your bottom line.
Yes, our society places a premium on policing break ins very harshly. Police have huge budgets for street crime & judges have harsh penalties available to them. White collar crime, like financial crime or breaking what little privacy protections is on the books? Not so much... So, again, you can't just make a law. You also have to have groups empowered to enforce the law and dole out punishments heavy enough to act as a deterrent.
amelius · 15h ago
So you are saying we should not have laws because who is going to enforce them?
dfxm12 · 14h ago
No.
amelius · 14h ago
Ok, let's make this law and enforce it then.
int_19h · 11h ago
This boils down to difficulty of enforcement. Enforcing the law regarding stop signs is very difficult because it's hard to detect all the violations at scale. Tracking, though, is much easier to detect even automatically by its very nature.
fc417fc802 · 9h ago
Tracking arguably isn't much of an issue until data sale and aggregation gets involved. That requires a functioning marketplace which tends to leave a lot of evidence behind.
The hyperscalers are a notable exception to that but the larger a company is the more likely systemic illegal practices are to get exposed.
LargoLasskhyfv · 15h ago
That could be remedied by installing cameras with AI on the edge, coupled with autonomous RPGs, or drones starting and dropping a fragmentation grenade on the offender.
DaSexiestAlive · 17h ago
yeah..
with any frontier or frontier tech it's the same story..
the folks that made it to the frontier.. they make all the calls.. they establish all the rules.. they do all the abusive things they want cus...
we plebs, who buy their frontier stuff?, just don't know any better..
and then one day, after living in the frontier/futureland sufficiently, it clicks, we recognize we are being had..
then we organize, we get politicians to fight back the tide of abuse..
and it's our time to correct things, make the abuse illegal..
good luck fellow plebs..
knowing how the system is rigged in so many dimensions, i don't have much hope..
but we can dream right?
amelius · 16h ago
In the US maybe, in the EU it's a different story.
tonyhart7 · 17h ago
how can you make it illegal??
>make a new law
>they just move elsewhere
how??? tell me
amelius · 17h ago
You just tell Congress that the data brokers have all the rights to sell our data to Chinese data brokers. Maybe that will change their mind.
mtillman · 16h ago
Is tiktok still up and running?
aniviacat · 17h ago
The EU was pretty successful with mandating cookie banners and GDPR.
On the other hand, I think a great firewall would be useful to the US and especially the EU, to be able to enforce their laws even better.
tonyhart7 · 17h ago
"mandating cookie banners and GDPR."
this is only works if your business located in EU, no one stop EU people visit US site and still get tracked
bayindirh · 17h ago
I'm not pretty sure about that. I get cookie banners from US companies all the time and choose to reject them.
Just visited www.vmware.com. Site is located in the US. Company is located in USA, and OneTrust's cookie banner welcomed me, and allows me to make choices.
giingyui · 15h ago
VMware wants to sell to European clients. If they didn’t they wouldn’t have cookie banners.
bayindirh · 15h ago
Basically, if you have any tracking on your site, you either
a) Show the cookie banners if somebody is coming from a GPDR or GDPR-compliant country, since it's required by EU law and these GPDR-compliant laws.
b) You geofence your site and prevent access.
So, in practice regardless you whether sell anything or not, if your site, proverbially, touches European soil, you have to show these choices.
giingyui · 15h ago
What’s the EU going to do to you if you don’t have operations in the EU?
fc417fc802 · 9h ago
That's option c, ignore EU law and forever give up the possibility of doing business there. The larger a company is the less likely it is to find that route palatable.
giingyui · 8h ago
Why would the EU fine you for something you did before you had operations in the EU? I don’t think it works that way.
aniviacat · 7h ago
If you are taking EU citizens' data when they access your website from within the EU, then of course the EU will prosecute you for that.
Just like they will prosecute you for scamming EU citizens, for hacking EU citizens, for impersonating EU citizens, and anything else you can do to EU citizens while being located somewhere else.
closewith · 17h ago
If you market your services to EU residents, the EU will hold you subject to the GDPR (and many other EU Regulations) irrespective of your location.
I clicked on this expecting an interesting read, but the big reveal was...
Google analytics??
daft_pink · 16h ago
I really wish we could change the search engine in apple products directly to Kagi instead of leaking searches through DuckDuckGo
v5v3 · 17h ago
A lot of browser's have tracking blocked and there will be a icon in the top bar which will show this.
And many vpns also offer an option to block trackers and ads before they get to you.
figmert · 16h ago
VPN providers can't meaningfully block trackers. If they say they do, they have to be intercepting SSL which requires extra work (must install their generated CA on all clients) and you are literally handing over all data to the VPN provider, more so than without of course, as they'd be able to decrypt HTTPS payloads.
v5v3 · 16h ago
Wouldn't they just be blocking the DNS queries?
So any client side requests to a known URL is just blocked. So only server side would work.
baal80spam · 18h ago
Isn't DDG a Bing wrapper?
Arnt · 18h ago
It does lots of things itself, and gets lots of other things from Bing.
buyucu · 18h ago
No they don't. My PiHole and uBlock Origin stops it.
nottorp · 18h ago
And as far as i know DDG is a search engine, not a privacy plugin. It only gives you links, it doesn't modify web pages and it's not its job to.
For stopping tracking, uBlock Origin.
tharkun__ · 17h ago
DDG is a privacy plugin (on desktop). On mobile it's its own browser. The one I'm writing this from.
And yes I still use uBlock on top on desktop.
nottorp · 17h ago
Huh? I use it daily, but I never installed any plugin...
tharkun__ · 7h ago
It's "all of the above" ;)
As in:
DuckDuckGo is a search engine you can go to from any browser, such as but not limited to the Chrome browser on various platforms.
DuckDuckGo is also a plugin for desktop browsers (e.g. for Firefox: https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo..., find the equivalent for Chrome on the webstore ...) that you can install. You can then exclusively use the Google Search engine while having the "DuckDuckGo Search & Tracker Protection" plugin installed if you so choose.
jgalt212 · 18h ago
> Even in countries with strict laws like the GDPR, Google's trackers are still everywhere. That raises questions about how effective these regulations really are in practice.
This is basically it. GDPR is a stupid unenforceable law, and should be wiped from the books. Try again with something new.
cherryteastain · 17h ago
It is enforcable but EU has been quite cautious and conservative with its enforcement approach.
China has a ton of laws aimed to suppress political dissent, and a good chunk of their laws/regulations would be even more unenforceable if they adopted an EU style approach. Of course, China means business, so they just go ahead and deploy the sledgehammer: you are banned from China unless you comply with the law. You typically can't even read the letter of the law and implement what it says verbatim; if you violate the spirit of the law (that is, don't disseminate anti-CCP content) you will still get the banhammer.
It's all about what political capital you're willing to give up to enforce the law.
simpss · 17h ago
It took a while, but is starting to work.
Many "cookie banners" have finally started to work in the EU. Once you deny PII processing many sites don't load GA etc... The time of malicious compliance is starting to pass. Some sites have figured it out and realized they really don't need personalized analytics and have replaced implementations with privacy respecting ones(ex, plausible). This lets them remove the dark-patternish banner and no additional consent is required as all data is pooled together and one persons actions truly can't be singled out.
GDPR obviously has other good effects but as PII processing through cookies is what most people know, I chose that as an example. Email tracking links & pixels are another good example.
There's also a big difference between 2018 and 2025 when discussing GDPR in work contexts and saying that implementing this or that tracking would be illegal.
It's a slow process, but it's working as intended.
tremon · 13h ago
Once you deny PII processing many sites don't load GA etc
The way you phrase this is expressly non-compliant with the GDPR, because what you're describing is an opt-out. To be compliant, websites should only load GA etc after you accept PII processing.
simpss · 13h ago
Sorry. They do wait and force a choice before loading the external scripts.
That's the only mechanism one can use to really be compliant as GA (and other providers) stick identifiers onto the session as soon as the script has been loaded.
jgalt212 · 16h ago
Enforcing sites not calling out to third party data processors via client-side JavaScript is detectable and enforceable, but taking such actions server-side is undetectable (and therefore unenforceable).
simpss · 12h ago
yes, that's a possibility, but we're far from server-side GA implementations and we do have an option to make a data request to figure out what companies are doing.
If they get caught lying (and that tends to happen in the end) that's another violation that is taken seriously nowadays.
For example, my e-mail server started picking up messages from DELETEDmyname@mydomain.org. Making it pretty clear a company did not respect my wishes to completely delete all data and user account references. They simply changed my email in the DB.
Perhaps the name should be "IronyBrands"
We’ve been sounding the alarm about Google analytics, tag manager, and other Google trackers for years and why we started making our own extensions and browsers to block them and provide more comprehensive protection. On our homepage and everywhere else we can we try to get people to install those to get that additional protection, which you can compare here: https://duckduckgo.com/compare-privacy
Furthermore, I don't see any intimation in the article that Google owns DuckDuckGo.
All in all, it seems you and the article are on the same page.
They could have done a marketing blog post about the evils of Google Analytics without dragging DDG into this...
https://counterscale.dev/
Unlike Simple Analytics (the post authors), you deploy Counterscale to your own Cloudflare account and control the code + data end-to-end. It also uses no cookies, has no browser fingerprinting, and has no monetized SaaS offering.
It only has 90 days retention though, which could be viewed positively.
IP address, User-Agent string, Referrer URL, Requested URL, Language, Locale, Screen resolution, Time zone, System time, Installed fonts, Installed plugins, Cookie data, Browser fingerprint, Canvas fingerprint, WebGL fingerprint, AudioContext fingerprint, Mouse movements, Click paths, Keyboard input timing, History sniffing, DNS queries, Destination IP addresses, HTTP traffic content, HTTPS metadata (host, SNI, timing), MAC address, Query parameters, Session ID, Login status, User account info, Geolocation (via IP), Geolocation (via browser API), Page interaction data, Time on page, Scroll behavior, Clicks, Form submissions, Browser type, OS type, Network provider, Client ID (\_ga cookie), Session ID, Timestamp, Pages visited, UTM parameters, Interaction events, Google Ad ID, DoubleClick cookie (IDE), Cross-site behavior, Cross-device behavior, Inferred demographics, Mouse tracking, Scroll depth, Video interactions, Audio interactions, Session replay, Keystroke logging, Facebook login status, Pixel events (Meta, LinkedIn, etc)
If you want to avoid that, you need to make a real effort (not just using DuckDuckGo). The Tails operating system might be a good place to start.
And remote servers are outside of your local network and thus cannot see these values, either.
You may assume that they collude, or not.
Just using Firefox with uBlock, no history, and privacy settings on max, through a somewhat trustworthy VPN like Mullvad will make your data mostly useless. Yeah, "they" could still catch you in a million ways, but if your threat model revolves mostly around surveillance capitalism you'll just be too much of a hassle to matter
It mixes voluntary user actions, like submitting forms and “query parameters”, with things like “WebGL fingerprint” which we agree is evil sneaky fingerprinting.
I agree tracking is a serious problem, but this list isn’t contributing to any discussion.
No comments yet
It is scary where we are, but you can't solve it by dismissing it as FUD.
9: <script src="https://test-v1.adriaan.com/script-v1.js" async></script>
https://test-v1.adriaan.com/simple.gif?type=event&hostname=t... Gecko/20100101 Firefox/128.0&version=test-2025-04-22-v2&event=onload&path=/blog/google-is-tracking-you-even-when-you-use-duck-duck-go&referrer=&session_id=ab6ceafa-47c1-48e4-b26b-79148e625a15&metadata={"beacon_ok":true,"keepalive_ok":false,"ts_ms":1752496007219,"send_method":"image"}&t=1752496007219
So the correct title must be: "We track you when you're reading about Google tracking you (even when using DuckDuckGo)."
You are sending the user agent, path, referrer, a session id + the IP (which is automatically sent) to your personal server and also using a different domain to track users who have ad blockers installed. Even Google Analytics does not use random domain names to track adblock users (yet).
This is slightly incorrect. By sending a request from your business website (SimpleAnalytics) to your personal domain (Adriaan), you actually transfer personal data. In this case, it’s the IP address, which according to GDPR is considered PII.
Taking into account the scope of privacy terms provided on your business website, it doesn’t include data sharing with your personal entity through your website. So this is basically illegal, unless adriaan[.]com belongs and operated by SimpleAnalytics company.
Did you mean Personal Data?
https://en.wikipedia.org/wiki/Personal_data
https://techgdpr.com/blog/difference-between-pii-and-persona...
> When organisations seek to protect their user’s data, it is necessary that they understand the data they need to safeguard. Personal data, in the context of GDPR, covers a much wider range of information than personally identifiable information (PII), commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.
When you say PII in context of GDPR you are simply using wrong term.
You can read it as both PII and personal data, and it doesn't change the fact that this data sharing is out of scope of the company Privacy Terms.
How about this, I set a preference for some stuff I am interested in and that’s what they can show me.
3-letter-agencies.gif
When you break a law, it doesn't magically summon an LEO and judge to catch you in the act and give you the proper penalty, so words in a code is not a deterrent. The deterrent is knowing someone will hunt you down, getting thrown in jail, it's fines that hurt your bottom line.
Yes, our society places a premium on policing break ins very harshly. Police have huge budgets for street crime & judges have harsh penalties available to them. White collar crime, like financial crime or breaking what little privacy protections is on the books? Not so much... So, again, you can't just make a law. You also have to have groups empowered to enforce the law and dole out punishments heavy enough to act as a deterrent.
The hyperscalers are a notable exception to that but the larger a company is the more likely systemic illegal practices are to get exposed.
we plebs, who buy their frontier stuff?, just don't know any better.. and then one day, after living in the frontier/futureland sufficiently, it clicks, we recognize we are being had..
then we organize, we get politicians to fight back the tide of abuse..
and it's our time to correct things, make the abuse illegal..
good luck fellow plebs..
knowing how the system is rigged in so many dimensions, i don't have much hope..
but we can dream right?
>make a new law
>they just move elsewhere
how??? tell me
On the other hand, I think a great firewall would be useful to the US and especially the EU, to be able to enforce their laws even better.
this is only works if your business located in EU, no one stop EU people visit US site and still get tracked
Just visited www.vmware.com. Site is located in the US. Company is located in USA, and OneTrust's cookie banner welcomed me, and allows me to make choices.
a) Show the cookie banners if somebody is coming from a GPDR or GDPR-compliant country, since it's required by EU law and these GPDR-compliant laws.
b) You geofence your site and prevent access.
So, in practice regardless you whether sell anything or not, if your site, proverbially, touches European soil, you have to show these choices.
Just like they will prosecute you for scamming EU citizens, for hacking EU citizens, for impersonating EU citizens, and anything else you can do to EU citizens while being located somewhere else.
Google analytics??
And many vpns also offer an option to block trackers and ads before they get to you.
So any client side requests to a known URL is just blocked. So only server side would work.
For stopping tracking, uBlock Origin.
And yes I still use uBlock on top on desktop.
As in:
DuckDuckGo is a search engine you can go to from any browser, such as but not limited to the Chrome browser on various platforms.
DuckDuckGo is also a browser for mobile phones. It's an app you can install e.g. https://play.google.com/store/apps/details?id=com.duckduckgo.... You can then, if you want to, use Google Search exclusively from within that DDG browser ;)
DuckDuckGo is also a plugin for desktop browsers (e.g. for Firefox: https://addons.mozilla.org/en-US/firefox/addon/duckduckgo-fo..., find the equivalent for Chrome on the webstore ...) that you can install. You can then exclusively use the Google Search engine while having the "DuckDuckGo Search & Tracker Protection" plugin installed if you so choose.
This is basically it. GDPR is a stupid unenforceable law, and should be wiped from the books. Try again with something new.
China has a ton of laws aimed to suppress political dissent, and a good chunk of their laws/regulations would be even more unenforceable if they adopted an EU style approach. Of course, China means business, so they just go ahead and deploy the sledgehammer: you are banned from China unless you comply with the law. You typically can't even read the letter of the law and implement what it says verbatim; if you violate the spirit of the law (that is, don't disseminate anti-CCP content) you will still get the banhammer.
It's all about what political capital you're willing to give up to enforce the law.
Many "cookie banners" have finally started to work in the EU. Once you deny PII processing many sites don't load GA etc... The time of malicious compliance is starting to pass. Some sites have figured it out and realized they really don't need personalized analytics and have replaced implementations with privacy respecting ones(ex, plausible). This lets them remove the dark-patternish banner and no additional consent is required as all data is pooled together and one persons actions truly can't be singled out.
GDPR obviously has other good effects but as PII processing through cookies is what most people know, I chose that as an example. Email tracking links & pixels are another good example.
There's also a big difference between 2018 and 2025 when discussing GDPR in work contexts and saying that implementing this or that tracking would be illegal.
It's a slow process, but it's working as intended.
The way you phrase this is expressly non-compliant with the GDPR, because what you're describing is an opt-out. To be compliant, websites should only load GA etc after you accept PII processing.
That's the only mechanism one can use to really be compliant as GA (and other providers) stick identifiers onto the session as soon as the script has been loaded.
If they get caught lying (and that tends to happen in the end) that's another violation that is taken seriously nowadays.
For example, my e-mail server started picking up messages from DELETEDmyname@mydomain.org. Making it pretty clear a company did not respect my wishes to completely delete all data and user account references. They simply changed my email in the DB.