Microsoft's Xandr grants GDPR rights at a rate of 0%

Original Article ↗ Hacker News Discussion ↗

Xandr and GDPR rights handling

  • Xandr (Microsoft ad platform) is reported to grant 0% of GDPR access/deletion requests.
  • Users describe receiving boilerplate replies: Xandr claims it cannot verify identities because its platform supposedly lacks directly identifying data (name, email, etc.).
  • One commenter challenged this using the uuid2 cookie (documented in Microsoft’s cookie policy) as an identifier; Xandr then replied that, if the identifier exists, they will delete it — seen as proof they can in fact link data to that ID.
  • Some links in Xandr’s “privacy center” are broken; contact is cookie-based per-device and resets when caches are cleared.

Targeted vs “trackerless”/content-based advertising

  • Debate over whether targeted ads are more effective than contextual ads.
  • One cited Dutch case where a publisher’s trackerless ads “didn’t pan out,” apparently less profitable on the sell-side and hard to integrate with existing ad tech.
  • Others emphasize they don’t care about effectiveness if the cost is pervasive tracking and profiling.

Privacy, ethics, and personal choices

  • Strong objections to surveillance advertising; some users block ads at multiple layers and encourage others to do so.
  • Discussion on moral compromise: whether people would tolerate invasive ads if their job depended on ad-driven revenue.
  • Some say they avoid working for companies whose practices they oppose; others argue this is hard when all major vendors are “varying degrees of unscrupulous.”

Are cookies and segments “personal data”?

  • Discussion of GDPR’s Article 4: cookies and online identifiers can be personal data if they can indirectly identify a person.
  • Some argue a random cookie ID alone isn’t easily mapped to an individual; others note that combining attributes (location, age, gender, interests) is often enough to uniquely identify people.
  • Consensus in the thread leans toward: Xandr’s profiling segments (health, religion, sexuality, etc.) tied to an ID are clearly GDPR-relevant and enjoy special protection.

Regulation, fines, and enforcement

  • Many argue EU regulators should impose large, escalating fines until compliance is cheaper than non-compliance.
  • Several propose fine formulas: at least all ill-gotten gains, scaled by probability of getting caught; some suggest fines plus a percentage of total revenue or equity dilution into public funds.
  • Counterpoint: large fines may lead to layoffs; response: shielding shareholders at the expense of workers encourages lawbreaking.

Ad industry behavior and “regulatory theater”

  • Commenters describe a pattern where companies move privacy-invasive practices into subsidiaries to absorb regulatory risk (“regulatory condoms,” “privacy theater”).
  • Opt-out mechanisms and consent UIs are seen as largely performative while data collection remains deeply embedded in platforms.

Broader views on advertising and capitalism

  • Some see advertising, especially targeted ads, as a zero-sum or parasitic activity that doesn’t create real value.
  • Others argue business and advertising underpin modern economies, though they agree tracking abuses are serious.
  • Brief side debate on capitalism vs. alternatives, with no consensus and some frustration over vague criticism without concrete proposals.