It's worth noting that the same re-identification problem also applies to advert placement that doesn't use any information about the person being advertised to and is based solely on the topic of the website or webpage, and - according to this blog post - this investigation is in fact going after Google for using that information in ad placement. They're basically trying to kill Google's online advertising business full stop.
This is something that annoyed me about “anonymous” ad techniques. It’s pretty easy, I think, for an unethical company to make a very specific ad that still has thousands of people “10 miles of DC, male, >60, English speaker, Spanish speaker, college graduate, etc” that still has a population in tens of thousands and have the click through offer a signup with email. So the site gets the email and knows from the targeted campaign lots of info about the person they would not share with the site normally.
Do this enough and you end up in Cambridge Analytica-town with portfolios on millions of email addresses that can then be sold independently of the advertiser’s knowledge.
So what? If you don't want some random person to know you by your email address, don't give them your email address. Or use a separate email address for them.
I was working in adtech company and heard that a lot about GDPR. Oh, we had some loses due to GDPR, it is ruining the ad industry etc. Guess what? The population didn't change there's the same number of internet users. What changed is how much information you are able to collect about users, and not just you but your competitors as well. You might need to adapt, but that happens in every industry.
Frankly laws like GDPR might actually be saving the industry, because the arms race to figure out how much information you can get about users is why users start using ad blockers.
