TL;DR: "The sca.js pixel as mentioned collects data required for ad verification. There is no individual user tracking happening as the browser signals they collect via their js does not collect any PII." is wrong, SO isn't starting audio but ads use it for fingerprinting, IAS ToS + GDPR invalidates the quote. Please use an ad blocker and stay safe (pro tip: Firefox also has included fingerprinting protection, and there are also browser plugins for, I think, all the major browsers that add the feature as well). If you want to help send an even clearer message to SE, consider using AdNauseam (uBlock derivative).

Disclaimer: I'm not a lawyer.

Stack Overflow is not trying to start audio

Well, you're completely correct. Nothing is attempting to start audio, and that was never the question either. Honestly, if you attempted to add audio ads to the site, that being Stack Overflow or any other Stack Exchange site, that's not something I can support. You've already stated you have no intention of blocking animated ads, which is yet another reason I'm using an ad blocker (beyond the privacy concerns and failure to keep malicious ads at bay), but ads containing audio are something I personally classify as destructive for the site (it's fine on YouTube or Spotify because the context is different, but here? No.)

The highly upvoted answer by the temporary user deleted on request shortly after the answer was posted also outlined this for you:

The ad is attempting to use the Audio API as one of literally hundreds of pieces of data it is collecting about your browser in an attempt to "fingerprint" it, to uniquely identify you across sites despite your privacy settings.

We're highly aware Stack Overflow wasn't trying to start audio, so if you'd like a better title, how does this one sound: "Stack Overflow enables ads to identify and track users across sessions by using the audio API"

The ads access the audio API, but not with the intent of starting audio.

But seriously, are you OK with this now? Was Nick Craver's answer at any point the opinion of the company, or did you change your mind on that later? Was it before or after you were "reassured" this behavior was only "required for ad verification" and that they do "not collect any PII"? Spoiler: none of that is true. The ad network collects PII, and it's not exclusively for identifying fraud ad viewing.

The honestly worst part about this whole mess is, in my opinion, this announcement. You completely ignored the post documenting the fingerprinting, and you effectively replaced your initial announcement in addition to announcing false information.

Some of our advertising clients use a third-party ad fraud service to verify their ads are running on the correct sites and to a real audience.

Again, you're right! They do use the data for fraud detection. Here's what you left out:

Additionally, IAS uses advertising impression information, mobile app information, and website traffic information including IP address and browser header information to:

Identify traffic sources by their geographic location and determine if the location is correct and located within the advertiser’s campaign parameters or traffic settings

Determine if traffic is being acquired is fraudulent, or if traffic acquisition practices that are out of compliance with an advertiser’s guidelines or contractual requirements.

Determine if a middleware is attempting to misrepresent its operating characteristics to prevent the identification of fraud or other invalid traffic.

Determine if traffic or ad impressions are originating from a server farm unlikely to be responsible for human-generated browsing activity.

"Geographic location". Doesn't that sound an awful lot like PII to you? There are more examples of this throughout the terms of service, as well as on their blog. They even agree it's PII under GDPR (source later).

Further, I'll have to call your, or your ad provider's, lie:

The sca.js pixel as mentioned collects data required for ad verification. There is no individual user tracking happening as the browser signals they collect via their js does not collect any PII.

Their privacy policy:

For the purpose of identifying and preventing online ad impression fraud and invalid traffic and determining if advertisers and publishers are in compliance with their agreements, our Technology Solutions utilize the following additional technologies (in addition to the data described above): Device identification technology, which analyzes device parameters collected as described above, including IP address and browser header information, to probabilistically identify a particular device. [...]

Quite honestly, this alone is enough to back up my initial statement, but where's the fun in that? This uses "device identification technology", whatever that fully implies. Combined with the IP address, that is enough to personally identify people, and location (which they have explicitly stated they're using) is also personal data under GDPR (reference later).

Also:

We minimize our use of Personal Data by, for example, truncating the IP address after 30 days.

Additionally, the pixel tag collects data as per earlier in the privacy policy, which also lists IP addresses:

Our pixel tags allow cookies to be set, read, and modified when Individual users visit a website, and directly collect the Personal Data described under “Data We Collect.”

The reason I called your statement a lie is because IP addresses are personal data under GDPR. It might not be considered personal data elsewhere, but it's considered PII in the EU, and that's more than enough to invalidate your statement for traffic from an entire continent.

I dislike slamming GDPR on the table to make you see the reality, but when you're clearly disregarding the points outlined in their privacy policy, I don't have a choice.

This was very helpful for us to know and we are satisfied that there is not anything nefarious going on here

Okay, so you're dealing with a company that tries to uniquely identify users by using factors classified as personal data under GDPR, who then tell you they don't collect personal data, and you're satisfied? Anton Menshov already made my point, and the company even put it on their blog that they're collecting data classified as PII under GDPR. They also stated it's not used in the EU, but it was posted in 2015:

A handful of other offerings that do rely on data considered personal data under the new regulation have been withdrawn from EU markets while we explore alternative solutions. IAS looks forward to providing this measurement capability to our EU customers once an alternative solution is available and/or an industry-wide consent management platform is made scalable.

Their privacy policy doesn't mention whether the data collection practice is limited to areas outside the GDPR, so I doubt that's still the case. In fact, there's no mention of GDPR. The reasonable assumption is that they found their legal reason to collect the data, and I'm not doubting the lawfulness of the collection. You (the Stack Overflow company) have outlined the use of data in your ToS, and so has IAS. As I mentioned at the start of this post, I'm not a lawyer, and I'm not familiar enough with GDPR to start questioning that. It's still easy to read up on it to find definitions and see that they indeed are collecting PII.

Something you need to realize is that advertising is more than tracking. Quite honestly, I block ads from sources that attempt to track me, because of data leaks from sources such as Facebook, who have proven to be outright incompetent at keeping data safe. The real difference between advertiser/tracker data leaks and service leaks is that I at least know what my data is. If my data here on SO gets leaked, I'll at least get notified or read about it a lot quicker than for a third party service I don't want that stores data because I use a website.

If you step back and think about the amount of users you might end up with who use ad blockers, what do you earn in the end? I'm assuming you're using ads as an alternative income source, and I honestly understand that. I whitelist sites I trust that rely on ads to support themselves, or otherwise need it for funding. However, if you legitimately believed that statement without referring to a lawyer and checking their privacy policy before making that statement, then you don't have my trust.

In the past couple of months, there have been a couple topics on tracking, and several related to the behavior of ads.

(feel free to append to that list or leave a comment with suggestions for links to add if I've missed anything)

All it takes is one improperly handled ad and one unpatched XSS exploit no one has noticed or a bug in the safe frame you forced to make the SE network a much worse place for the users without ad blockers. That being said, are ads still sandboxed? If you're over on IAS, then I'm assuming you've moved away from Google as an ad provider, which kinda invalidates the initial solution. Are we still safe from ads attempting page redirects for fun?

One metric you really should look out for is how many users decide to block your ads. In the end, ads are only useful if you actually have people viewing them. Personally, I use Firefox and an extreme (likely overkill) protection system: I've enabled fingerprinting blocking, tracker blocking, and cryptominer blocking (because you never know what unfiltered ads might do), as well as uBlock and Privacy Badger. uBlock targets ads, while the tracking and fingerprinting protection just blocks known trackers. Privacy Badger knocks out cross-site trackers thinking they're safe by sneaking past the other two defenses. Nothing gets through unless I say otherwise.

Beyond the periodic annoyance of seeing some ads (which I can live with if I like the site enough), privacy is my concern. What worries me the most is that we have a post fully documenting the fingerprinting, and the ToS of IAS to back up that this practice does happen (and that GDPR defines it as PII), but you come in what appears to be an official announcement and spread false information. I don't know if you've done your research, or at least consulted a lawyer before posting, but the answers here (specifically the ones posted before mine) point to that not being the case. Whitelisting ads is, in my opinion, a matter of trust. With this post, you've lost the rest of my trust on the advertising front, and my trust in your (the company's, with extremely few exceptions) statements.

What concerns me more, however, is this announcement. The answer that exposed that the use of the audio API was to fingerprint users exists. If you've ignored it, that's your choice, but it doesn't change the fact that your announcement blatantly ignores several privacy concerns, and neglects to mention several of the data usage areas. You could at least be honest in terms of what data is being used instead of requiring users to read several legal documents to find what data is being collected, what it's classified as, and arguably most importantly, what it's used for. You missed all three and presumably relied on the statement of IAS instead of their legal documents.

That being said, I have no idea which services you've enabled or disabled (if that's something you can do), but judging by the existence of fingerprinting attempts in logs documented on meta, I'd say you're using the services that, according to their privacy policy, collect data classified as personal data under GDPR.

Also, do I really need to point out your own privacy policy?:

In providing this opportunity, Stack Overflow and its third party partners may collect and use your personal information to tailor your advertising experience to suit your interests, skills, as well as to monitor your account activity in order to optimize our Products and Services. We seek to limit what information advertisers and similar third parties have access to, as well as to ensure that your user experience on the public and private Stack Overflow network is not overwhelmed by advertising initiatives. However, our advertising products and services require us to collect certain personal and non-personal information on you, which includes:

Data from advertising technologies like cookies, web beacons, pixels, ad tags, and browser/device identifiers

Information you have provided to us directly including profile information, your Developer Story, and in limited instances your job history

Usage analytics including your visits to the Network, browsing and search history

Information from our advertising partners (e.g., device type and location)

You admit in your own privacy policy that your ad provider(s) collects data. The thing it doesn't mention, but that's pretty obvious, is that this also classifies as PII under GDPR, just like the stuff IAS collects. Location is indisputably PII.

And I really need to ask this again: Are you seriously going against Nick Craver's initial statement on fingerprinting adverts?