U.S. publishers find themselves wrestling with unfamiliar issues due to the coming implementation of GDPR (General Data Protection Regulation). Under GDPR, E.U. citizens are given the right to protect and control the way their data is collected and how it might be used anywhere in the world. This global reach is a new development, and U.S. publishers aren’t entirely sure what they need to actually do to comply.
What kind of issues? Take the right to erasure, for example. If a user can show consent to process their personal data was not given, or that the data is outdated or irrelevant for whatever purposes it was collected, that individual can force the data holder (e.g., website operator) to erase that offending data and prevent any third parties from processing it. In Europe, this is a tightening-up of an older idea—the “right to be forgotten”, which has been on the books since 2006. Google claims it received at least 385,000 requests to be digitally forgotten in a two-year period. But to U.S. publishers, these privacy efforts might seem arcane and counterintuitive to effective marketing or advertising strategies.
New E.U. Privacy Laws Have a Global Reach
Publishers and vendors alike who are looking at these changes tend to agree the overall impact of GDPR will be felt on a global level. Anyone who operates a website—not just ad-supported publishers—is liable to feel some kind of reverberation, and responsibility will extend beyond revenue operations (ops) and throughout the publisher’s business, e.g., risk, legal, IT, etc. What’s new with GDPR is that E.U. residents (aka “data subjects”) are protected regardless of what data is collected or where it goes, as long as they are physically within the E.U.
Ecommerce sites and publishers that require logins or registrations should be on particular alert. GDPR broadens the scope of what could be considered “personal” information, which involves a combination of information the user willingly enters (registration, preferences, etc.) and collected/compiled/associated behavioral data that could be used to target a user.
Approved in 2016, and set to go into effect on May 25, 2018, GDPR effectively replaces or updates the 22-year-old E.U. Data Protection Directive (a.k.a. the “cookie directive”). GDPR goes several steps further than the earlier directive—it requires the user’s “unambiguous” consent before their data can be processed; users need to purposely provide it. Users will likely need to set their opt-in or opt-out preferences at the browser level. Therefore, the onus will be on publishers to manage these browser-based privacy preferences and take responsibility for determining what data gets passed along to upstream partners. If there’s any type of breach or data mishandling, the publisher (or website operator) is liable unless they have the documentation to prove otherwise.
To be compliant with GDPR, publishers need a comprehensive opt-in/opt-out system that explains to the user what data is being collected and for what purpose. Fortunately for publishers, revenue generation and direct marketing activities are considered legitimate reasons for data collection, per the E.U.’s language.
Tough Talk on Enforcement
GDPR sets up a new apparatus for reporting and enforcing potential data violations. Every E.U. nation will have a Data Protection Authority (DPA) to mediate—when improper data handling is suspected, an E.U. citizen reports to the DPA in their own country, rather than an authority in another country, i.e., the home country of the entity under suspicion.
The penalties for violating GDPR are stiff. The E.U. itself administers those fines, and at their maximum, they can reach 4% of the company’s annual global earnings or 20 million euros, whichever is greater. Fines are set at various levels (percentages of earnings or straight fees) based on the severity of the offense. As a word of warning: authorities are not shying away from levying large fines.
Tech vendors who collect and process a ton of data (e.g., ad networks, DMPs, DSPs, SSPs, etc.) appear less anxious about GDPR than publishers, likely because publishers are the public-facing front line. In fact, most consumers don’t even know those major data players exist. GDPR addresses this shortcoming. The mandate to protect consumer data not only applies to a publisher (data collector), but also extends to any vendor in their digital ecosystem with access to it.
One question that can be raised at this stage in the game is where liability would fall in a complaint wherein the publisher and a third-party vendor BOTH claimed full compliance. There’s an opportunity for the publisher to mitigate the penalty by demonstrating that it runs an active GDPR-compliance process and has made every effort to adhere to it. In this scenario, it’s possible for the publisher to push liability upstream to the offending party that actually attempted to track a consumer, e.g., via a cookie drop or device identification. U.S. companies should be familiar with this mitigation concept, which has proven beneficial when working with the FTC and other stateside authorities.
How Publishers Can Get With the GDPR Program
Right now, many U.S. publishers find themselves wondering if they need to take precautions for dealing with GDPR, or whether their E.U. audiences are too small for them to sweat it. Like we said, the language of the regulation could be more specific, and it doesn’t feel intuitive to companies accustomed to U.S. data policies.
At the same time, it’s clear that the implications of GDPR are far-reaching. It expands the definition of personal data to include location data, online identifiers, IP addresses and more. You can’t simply use geolocation to determine how to apply your data policy and opt-ins or opt-outs: you need to be prepared to apply that policy to any E.U.-located consumer accessing your website. This condition applies to any website that employs registration data, payment data and other methods of targeting individual users.
But as one vendor-side source explained to us, publishers need to ensure that perfectly “safe, unidentifiable” data, e.g., metrics or functionality enablers, cannot be married with each other to create personally identifiable information, which would run afoul of GDPR. For example, a German resident books a train ticket from New York to Philadelphia and experiences a couple of cookie drops that facilitate the online booking process. That’s totally fine, but if those cookies were then tied to a device ID or device fingerprint, that data is now subject to GDPR, as a device ID is considered PII and could be used for retargeting without the user’s explicit consent. On the flip side, if the German resident executes the online booking while physically located in the U.S., GDPR does not apply. Confusing, right?
GDPR is serious. Another publisher—one that has audiences of significant size in both the U.S. and Europe—brought on new staff to help sift through E.U. digital law and properly educate their U.K. team where applicable. That same publisher is experiencing increasing challenges in revising existing contracts to address the whole scope of possible international legal issues. They are considering adoption of regional-specific contracts for upstream partners and buyers and are also insisting vendor partners take more responsibility for compliance.
Sources on both the publisher and vendor side agree GDPR compliance presents a mammoth task for publishers. However, there’s been little open objection from publishers. Surely, quality assurance issues ought to be distributed across the digital supply chain, not concentrated at the publisher’s level. It’s a matter of time before publishers advocate regulatory due diligence requirements for their partners.
Waiting for 2018
Questions remain for how GDPR will be applied and enforced, so it’s not easy to make a compliance checklist just yet. At the moment, if you’re concerned about getting on the wrong side of the regulation, keep an eye on the news headlines, talk to your DPO (or designate one), and update your website privacy policy accordingly.
Create lines of communication throughout your organization. Ops, legal, commercial, data privacy, IT and upper management all need to be in the same loop. Talk to your tech vendor partners—they need to understand your GDPR approach, and you’ll also need to make sure they act on the opt-ins/-outs you pass along. Document processes to show what data your website collects, how it gets shared, and with which other parties. Be prepared to contact any partner and request information about their controls over your customers’ data.
The geographically broad implications and high penalty structure require further clarity from Brussels about what GDPR will mean for publishers and the overall digital ecosystem. This is especially true for U.S. publishers that previously haven’t had to worry much about the E.U.’s historically more stringent data laws. But that doesn’t mean they should wait to make sure transparency and accountability are in place in their data policies once 2018 arrives.