Suing all of ad-tech

Will an EU country finally enforce the GDPR?

Cory Doctorow
4 min readJun 16, 2021


A giant eyeball whose pupil has been replaced by the EU circle-of-stars flag; it floats in a void of ‘Matrix waterfall’ blackness and green and white letters, numbers and symbols. Image: Carol M Highsmith/Library of Congress (modified)

The EU’s General Data Protection Regulation (GDPR) has been a mixed bag, but at its core is an exemplary and indisputable principle: you can’t give informed consent for activities you don’t understand.

Since the dawn of online commercial surveillance, ad-tech sector maintained the obvious fiction that we agreed to allow it to nonconsensually suck in our private information, either by clicking “I Agree” on a garbage novella of unreadable legalese, or just by using a service.

GDPR exposes this “consent theater” for a sham. It says, “Look, if you think users are cool with all this surveillance and data-processing, you’ve got to ask them. Lay out each use of data you want to make, one at a time, and get consent for it.”

That means that if you’re Google and you’re thinking of using the data you ingest in 800 different ways, you’ve got to show your users 800 yes/no questions, defaulting to “no,” to see if they consent to it, and you have to give them a “no to all” box to opt out of everything.

It won’t shock you to learn that virtually no one consents to this. It’s a lesson we learned again when Apple updated Ios to let users install apps but opt out of their data-collection — and to opt out of being asked whether they want any app to collect their data.

That said, there are some problems with the GDPR; some are structural (the “right to be forgotten” is a poorly thought-through dumpster fire that lets rich sociopaths erase the records of their crimes from the internet) and some are technical.

The principle technical problem with the GDPR is that EU prosecutors just haven’t enforced it vigorously enough. In particular, they lack the resources to take on the biggest names in ad-tech, Facebook and Google, who have them substantially outgunned.

However, the GDPR has a saving grace in this regard: it includes a “private right of action,” that allows everyday Europeans to seek enforcement of the law, even if prosecutors are too timid to take up the case.

Private rights of action are key, but political conservatives hate them because they don’t…



Cory Doctorow

Writer, blogger, activist. Blog:; Mailing list:; Mastodon: