We do it exactly the same in all accounts—context is important and kids are perfectly capable of distinguishing those from a very early age on (and I had many discussions with relatives, who doubted that).
One thing to add to the “who supersedes who” when multiple adults are present: We had the additional problem that my wife and I do have different styles of parenting as well, and while we tried our best to harmonize them, there are some edge cases where we handle things differently. This led (and still leads) to some stress, because if both parents are present, every situation with the kids is more … noisy? The kids express more energy? IMHO, this is due to the problem of context: which parent’s context to follow now? So from the kids’ view the situation’s context is ambiguous.
We introduced the rule that if one parent starts to … parent and starts solving a situation, the other parent must shut up and not intervene at all. The parent who started handling a situation also finishes. If the other parent disagrees on how this situation is handled, they still shut up and we sit down later without the kids, talk about it and try to harmonize our approaches.
That greatly reduced the stress with (and in) the kids—they (and we) have a predictable context to follow and are less stressed from the context being ambiguous.
There’s a lot to unpack here.
First, European Union law like the GDPR works in the form that they cannot directly make laws for every European member, but each European nation has to transform the European law into national law. So the implementation of the Irish GDPR is different from the German GDPR, and while the general idea behind a European law must be abided by the nations, each one has their own peculiarities. The German GDPR law is called the DSGVO and since I’m from Germany, I’m most knowledgeable there. So some of my comments might be wrong under GDPR, but completely valid for the DSGVO.
Under GDPR, every time a service (in this context the homepage) is requesting or using data sent from the client (the browser), the service owner has to have written down, and abide by, a set of privacy rules, which govern
what data falls under this set of rules,
how long the data is being processed and stored,
(if used without consent) if it has a legitimate purpose to use the data for this purpose, and
that they thought about and excluded a less privacy-invasive way of processing the data
All of these have been more or less required before as well, but with the GDPR, the service is also responsible for each and every 3rd party data processor they use (e.g. doubleclick as an ad provider). So if they send data over to a 3rd party, and they mishandle the data or use it for a different purpose than originally stated, the original service is now responsible—with hefty fines attached.
Having said that—let’s get back to your points.
Are services allowed to use data for personalization of content (specifically ads) without consent?
Yes and no—Direct Marketing is a legitimate interest according to the GDPR, so you would not need to have consent. But: Is there a less privacy-invasive way of processing the data? Yes there is, not serving personalized ads, but only according to the (unpersonalized) content of the page. And, there’s the right to object to direct marketing, so this has to be taken care of somehow as well.
This is what Der Spiegel and other news websites have been basing their modus operandi on: Give the user the choice to either consent to personalized ads, or to pay for not seeing ads.
Are services allowed to use data for security purposes (specifically fraud detection)?
Yes, they are. They can collect and use pretty much every bit of data they can generate and get from the browser. There is no less privacy-invasive way, because it’s an everlasting race between fraudsters and counter-measures.
But: The data must be used for this purpose only. They must not be used for ads, personalization, login, marketing, whatsoever—or they risk a hefty fine. When Facebook used the 2 factor authorization phone number to send out ads, they were violating the GDPR and will hopefully get a hefty fine for it.
Can websites finance themselves without personalized ads?
Most likely. Non-targeted ads only reduce their effectiveness by around 4% in contrast to targeted / personalized ads—which makes sense, since if e.g. a user is reading an article on topic X, they are already interested in the topic. So an ad for people interested in topic X is already very likely to be effective.
(As said before: websites are still allowed to use any data for security purposes like fraud detection.)
Why are big companies like Microsoft being sued for data usage for fraud detection anyway?
Because they are trying to push the boundaries and how far they can go again, and the courts (and politicians) are using the GDPR to punish them for it.
Most big companies still have no clue what data is being requested, stored for what purpose, distributed to whom, etc. - which was one of the reasons the GDPR initiative was started in the first place.
Example Microsoft: after a brief period of being privacy-concerned, Windows 10 is much more “androidized” in terms of spying on the user, pushing bloatware and ads, installing invasive features without consent, and trying to trick the user into giving consent for more data. It’s e.g. not possible to simply say “I don’t want to create a Microsoft account” (which would enable Microsoft to track the user better) - only “I don’t want to create a Microsoft account at the moment (we’ll ask you again in two weeks)”.
I predict that the previous rulings will be thrown out at the upper courts and that no smaller websites (even if they are Der Spiegel) would be sued for using data for fraud detection—assuming that they are not using the data for other purposes.
Are other means of financing websites possible?
Sometimes, yes—main question is the availability of competition (scarcity) and the relation a company has to their users. Spotify, Amazon Music Unlimited, Apple Music, etc. all have no problem of raising money from users through a subscription model, because a lot of music is simply not available for free without a payment option. Even free “user-content” on sites like Youtube, where a lot of music is uploaded illegally from users, the content-id system is effective (if an artist or their publisher don’t want their music to be available there).
Other services like Patreon, SubscribeStar, Substack, Locals, etc. show that people are willing to pay creators just for the content they create. This only seems to work sufficiently well for parasocial relationships—most bigger Youtube creators are effectively businesses with dozens of freelancers or employees, but focusing everything on one person for the parasocial relationship.
Conclusion
Ads can be GDPR-compliant, don’t have to be personalized and their fraud detection is a separate legitimate interest.