My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising. If before a service can show any ads they need to offer the user a free choice on whether to see ads, where there are no consequences for clicking "no" other than that they don't see ads, users will overwhelmingly click "no" and the site will not be viable.
(I additionally think that it should be legal to offer services that are supported only by personalized ads, where users can choose between (1) using the service and having personalized ads vs (2) doing neither. I've argued that elsewhere in this discussion, but that's a bit of an aside to my main point.)
While I don't think the GDPR as-written prohibits such services, with the decisions coming out of the data protection agencies in the more privacy-sensitive European countries, I think the GDPR as-interpreted does make them economically non-viable for most sites because viability requires effective fraud detection.
If a service is going to show ads even if the user has clicked "no" and consented to nothing, it needs to be able to run the full ads stack without relying on anything that requires user consent. This includes:
* No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
* No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2] and follow-up rulings on applications such as analytics [3], fonts [4], and CDNs [5].
Together these rule out all commercially available adtech options I know about.
But let's say you decide to build something fully in-house, or you use some future ad product from a startup run by very careful Germans. What do you still need to do?
The GDPR requires you to have one of several legal bases for any personal data you process. With "consent" out of the picture, almost all of them are irrelevant for ads, with the potential exception of "legitimate interest". [6] Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
The ad industry has historically thought that sites did. For example, the TCFv2 categorizes this under "Special Purpose 1", with users having "No right-to-object to processing under legitimate interests" [7]. On the other hand, points 52 and 53 of the recent Microsoft ruling [8] read to me as saying that, since users do not visit sites to see ads, sites cannot claim that they have a legitimate interest in using personal data to attempt to determine whether their ads are being viewed by real people. This is not fully settled; among other things the Microsoft ruling was on the interaction of GDPR and ePrivacy, and ePrivacy is stricter on some points. But I think it's more likely than not that when we get clarity from the regulators it will turn out that the kind of detailed tracking of user behavior necessary for effective detection of ad fraud is not considered to be within a publisher's legitimate interests.
[1] https://news.ycombinator.com/item?id=34096210
[2] https://trustarc.com/blog/2022/11/30/schrems-ii-decision-cha...
[3] https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
[4] https://www.theregister.com/2022/01/31/website_fine_google_f...
[5] https://www.theregister.com/2021/12/08/germany_cookie_servic...
[6] https://gdpr.eu/article-6-how-to-process-personal-data-legal...
[7] https://iabeurope.eu/iab-europe-transparency-consent-framewo...
[8] https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989