Do you have any European subscribers, advertisers, e-mail addresses or Web site visitors? The European Union’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and it will affect you.
Eric Shanfelt, founding partner of Nearview Media and digital media executive and consultant for more than 20 years, shared what publishers need to know about how this will affect them, and how to comply in a recent INMA Webinar.
Though the GDPR regulations are from the European Union, it’s not just a European issue. It’s a global one. Shanfelt introduced the Webinar by saying that it would be looking at GDPR from a publisher perspective — not a legal one. He recommended that any company consult on their own specific legal needs concerning these requirements.
The topic opened with a quick review of the European Union’s General Data Protection Regulation:
- Set of consumer protection laws.
- Goes far beyond existing laws.
- Includes the United Kingdom until Brexit becomes official (and even after).
- Also affects the United States and other non-EU countries.
- Penalties up to 4% of a company’s annual revenue.
- Goes into effect on May 25, 2018.
The bottom line of how this affects you is that if you have any European subscribers, Web site visitors, app users, or subscribers, GDPR applies to you. So basically, that means it affects virtually any media publisher.
“Even if you don’t have a base or operating presence in Europe, you are still subject to European GDPR lawsuits or action,” Shanfelt said. Change will also be coming to privacy laws in the United States as well.
“The good news is that if you’re in the U.S. and you’re preparing for GDPR, you’ll be ready for what’s coming down the pike here as well.”
Risk for publishers
What risk are you comfortable with, Shanfelt asked. Any such similar regulations fall in a gray area; it’s not all black and white. There’s always some risk and room for interpretation, and each company must determine that. If you’re a big company, you’re a big target, he said.
“If you have a EU/UK headquarters or base of operations, you have a higher risk,” Shanfelt said. That doesn’t mean, he repeated, that you have no risk at all if you’re outside this. All news media companies need to be GDPR compliant.
B2B media companies could have advertising pulled if they aren’t compliant: “It’s not just the regulatory risk, but also potential advertisers who won’t do business with a company that isn’t GDPR compliant.”
Personally Identifiable Information (PII) includes name, e-mail address, phone number, demographics, and the like. However, non-PII is now considered part of “personal information,” such as cookies, digital fingerprinting, etc., Shanfelt said.
“That cookie or digital fingerprint is owned by that person,” he said. “That’s something that’s a relatively new concept.”
The good news, however, is that aggregated, anonymised data is not impacted. “They’re talking about individual data that is impacted; but the automatic information such as page views is not part of that.”
There are certain personal data touch points that we have with our users:
- Web sites
- Landing pages
- Circulation providers
- UAD/DCP such as Hubspot and Salesforce
- Remarketing custom audiences
“All these different places we need to think about and do an inventory of all these touchpoints that we have with customers,” Shanfelt said.
GDPR consent cycle
Shanfelt then gave the audience a look at the cycle of steps that exists for consent:
- Collect consent: How do companies collect and store consent?
- Query consent: News media companies can only use the data if we have consent to do so.
- Exercise right: Publishers need to be able to give subscribers and readers the ability to exercise their rights under GDPR.
- Revoke consent: They have the ability to revoke consent, as well as to re-opt back in and consent again.
When it comes to providing notice, news media companies need to understand why they are collecting the data, who is collecting it, and how long it is being kept.
Publishers must get consent that is:
- Freely given.
- Given by statement.
- Given by clear affirmative action.
- Signifying agreement.
Shanfelt said there are really two kinds of consent: one is for cookies, and another is for using the PII (personal information).
Using the example of iUbenda, another tool available provides a notification of cookie use at the beginning of a user’s Web site session with a publisher. It tells the user that the media company utilises cookies, gives a link to the full policy, and basically says that if the user continues to stay on the site, scrolls down the page, etc., they are consenting to this policy.
Another tool is OneTrust, a GDPR and privacy management software suite of tools.
Consent for direct PII
This is where publishers are collecting personal information through a form, for example with subscriptions. News media companies must have some form of affirmative action for this consent. It does not include silence, pre-checked boxes, or inactive, implied consent.
“What constitutes affirmative action?” Shanfelt asked. “These are the shades of grey I was talking about.”
The grey area, for example, is a simple sign-up box that does not have an explicit checkbox for consent; it’s implied that if you submit the form, you are giving clear consent. “Under the letter of the law, this complies,” Shanfelt said. But, it may not be as airtight as the system where the user has to actually check the box.
Storing and documenting consent
“You can go low-tech with this,” Shanfelt said. “You do have to be able to prove that you have that consent.”
Low-tech solutions include data fields in a customer database, simply storing the fact that the consent record exists and that the media company can show a compliant source.
More robust solutions include OneTrust, PrivacyCheq, and others that actually track each specific person, the date, and source of their consent. It will also track if the consent is active or has been revoked.
Blanket consent is the easiest and most simple way to handle this.
News medic companies must honour the customer rights that are laid out by GDPR, Shanfelt said. They need to develop processes to honour those rights. This includes thinking about how they will share a customer’s personal data back to them if they ask for it, and how they will handle updating that information upon request.
Publishers also must have a process for how they will “forget” the person when they request to be removed, and how to notify the person that their request was fulfilled. Don’t forget Facebook and Google re-marketing custom audiences.
Shanfelt ended with a brief overview of recommendations to comply with GDPR:
- Re-examine and update privacy and cookie policies.
- Implement consent collection, for both cookies and PII.
- Query consent prior to processing data.
- Have a way for people to submit requests.
- Have processes to honour those requests and document your responses.
- Consult your legal counsel.
The Webinar is available for INMA members to watch here.