GDPR is finally here (enforced from Friday 25th May 2018). For publishers the challenge isn’t over. In fact, it’s barely begun.
In order to cut through the noise and provide clarity to publishers, WNIP has compiled what we believe to be the definitive GDPR Publishers’ Resource.
This will act as a ‘live’ feed and will be updated on an ongoing basis. Click here for the Latest GDPR News feed.
Click here to view the full GDPR legislation in its entirety.
Information Commissioner’s Office
A general must-read is the Information Commissioner’s Office Guide to the General Data Protection Regulation (GDPR). This is a good foundation and essential reading for anyone looking into GDPR. Unlike what you’d expect from a Government body, the guidance is concise and clear.
The Guide also covers GDPR for Children, an absolute must-read for publishers holding data on children.
GDPR for Publishers: The Lawyer’s View
With ambiguity and confusion surrounding certain elements of GDPR, WNIP met with one of the world’s leading legal authorities on the subject, Gabriel Voisin, a partner with Bird & Bird LLP in the City of London.
Armed with a bevy of topics from publishers both large and small, Gabriel answers questions such as, “What is an adequate consent approach?”; “How do I know that my partners are GDPR compliant?”; “How do I, as a publisher, respect the data subject rights?” and many more besides… a 30-minute must-listen.
GDPR for Marketers: The Essentials
A concise and clear overview, the 30-page tome ends with the uplifting conclusion that whilst GDPR ‘can be seen as a hindrance for marketing activities, a closer examination of the regulation reveals that it gives marketers an opportunity to build more transparent and meaningful relationships with their customers’.
Checklists for Publishers
The ICO has (helpfully) created self-assessment checklists for both data controllers and data processors which are perfect for independent publishers lacking the resource to hire a dedicated data controller. The Government body has also written a more in-depth checklist which offers a 12-step roadmap to compliance. The latter is an excellent roadmap and guide.
For authoritative information on consent, read the Article 29 Working Party (WP29) guidance. This is a legal document, written by lawyers for lawyers – if you don’t have five hours to spare, the ICO’s overview on consent is our preferred reading material. Five minutes, if that. Stop Press: May 10th, the ICO has just published its final guidance on consent.
Revealed: the best time to send GDPR consent emails
In short, avoid the morning! According to SmartFocus, emails sent earlier in the day are more likely to be seen as an intrusion, as recipients are busy at work and going about their day. Consequently, emails sent at night will be seen in a much more positive light.
SmartFocus chief marketing officer Sarah Taylor says: “Knowing when to contact your audience with a request for information or consent can make the difference between success and failure.”
Yep, the ICO has that covered with this checklist – it will take you through everything you need to be able to write accurate, legally compliant privacy notices. WNIP has also written a clear overview of what GDPR means for publishers’ privacy policies.
In short, any time anyone properly engages with your website – not just reading, but wanting to know more and signing up – then you need to have your privacy notice right up there. You need to let them know up front what you do with their data. If they have to go and search for this then, again, you are going to fall foul of GDPR.
There is a lot of scaremongering right now. You’ve heard the potential fines I’m sure: 4% of a company’s global turnover or €20 million. That’s enough to sink any publishing ship. However, the Information Commissioner Elizabeth Denham has spoken out about this in the ICO’s blog and tried to allay people’s fears. Yes, the potential fines are onerous but Denham stresses that, “this law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”
Crucially she adds, “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
But what about Brexit?
Because the UK government only triggered Article 50 in March 2017, which sets in motion the act of leaving the EU within a two-year timeframe, the UK must still comply. In fact, a recent Data Protection Bill, published by the UK government in August 2017, essentially mirrors the requirements of GDPR into UK legislation (meaning those compliant with GDPR should be compliant with the new UK data protection law and vice versa).
Don’t Panic Mr Mainwaring
Perhaps the final word, at this juncture at least, should go to Bird & Bird LLP’s Gabriel Voisin who when asked what single piece of advice he’d give publishers over GDPR, responded, “Don’t panic and just stay calm.”
We’d also recommend this article from Econsultancy entitled ‘GDPR: Why the opportunities far outweigh the costs’. As the author concludes, “These rules are going to ensure that your organisation is providing a more secure, trustworthy service.” He also adds, “More importantly these changes are going to be enforced worldwide. This means GDPR is not (only) a European issue.”
Latest GDPR news:
At a glance: While both the California Consumer Privacy Act and Europe’s General Data Protection Regulation address the collection of personal information by businesses, they are actually quite different. Here’s where they diverge and why the advertising trade orgs are lobbying like bandits to block the California act’s passage.
At a glance: Google is reversing its policy for its consent management platform (CMP) that initially capped at 12 the number of vendors a publisher can list in opt-in messages, following critical feedback from publishers and the ad tech industry. The platform now has no limit.
At a glance: Pass the buck – once European regulators start enforcing GDPR, don’t be surprised if brands with non-compliant sites try to shift the blame to their agencies. In the latest in Digiday’s Confessions series, a digital agency executive whose company helps build Fortune 500 companies’ websites said brands make agencies contractually responsible for GDPR violations.
At a glance: GDPR is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation. Why? Google is gathering users’ consent far faster than its smaller competitors, who have fewer resources.
At a glance: Acxiom is facing scrutiny over its data practices after Privacy International named the business as one of the key targets of a new campaign which will investigate what it brands “the hidden data ecosystem”. According to Privacy International, this “comprises thousands of non-consumer facing data companies – such as Acxiom, Criteo, Quantcast – that amass and exploit large amounts of personal data”.
At a glance: Some U.S. publishers have blocked visitors from the EU to their sites rather than comply with GDPR. The Washington Post has gone an extra step and put up a paywall for EU visitors, upselling them to a $90 a year “premium EU subscription” in exchange for no ads — and the privilege of not having their data tracked. The premium subscription is $30 more than the cost of a basic online subscription to the Post.
At a glance: The Verge reports that on the first day of GDPR enforcement, Facebook and Google have been hit with a raft of lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.
At a glance: Deputy Information Commissioner Steve Wood tells Decision Marketing: “May 25 is not the end, it is the beginning, and the important thing is that organisations take concrete steps to implement their new responsibilities – to better protect customer data. There isn’t a deadline in the sense that if organisations aren’t compliant by today, then they’ve missed their chance.”
At a glance: A number of high-profile US news websites are temporarily unavailable in Europe after new European Union rules on data protection came into effect. The Chicago Times and LA Times were among those posting messages saying they were currently unavailable in most European countries.
At a glance: Senior media buyers for hundreds of the world’s biggest brands are predicting 43 percent of EU consumer audience data will be unusable after the General Data Protection Regulation (GDPR) comes into force today. The research by contextual technology leaders, Vibrant Media, found that some of the problems brands are reporting include: low opt-in rates to email databases; slow uptake to review and set communications preferences; low traffic rates to websites so explicit consent can be attained; and a lack of confidence in the adequacy of GDPR compliance.
At a glance: Sourcepoint has launched a Consent Management Platform to help publishers navigate compliance. The CMP is fully compliant with the IAB Consent Management Framework, as well as non-IAB vendors, and is compatible with DoubleClick for Publishers, allowing publishers to not only gather consent signals but to also understand how to drive monetisation for all users.
At a glance: Apple has launched a new Data and Privacy website in order for the company to better comply with the new GDPR rules. While the service is available in the EU right now, it’s expected to be released worldwide in the coming months.
At a glance: Google plans to register for the IAB’s GDPR Framework but there are still important, unknown details – like how long before Google resolves its discrepancies with the IAB, or whether it will join only as a vendor or incorporate its consent opt-in service, Funding Choices, as an IAB-registered consent management platform. Questions remain, but it’s progress. Of a sort.
May 23rd: The best GDPR stats & surveys we’ve seen
At a glance: All the latest stats compiled across industries, sectors and platforms. One standout figure is that nearly half of UK marketers are already preparing for fines and putting money aside for such an eventuality.
May 23rd: No one’s ready for GDPR
At a glance: The Verge describes how very few companies are going to be 100 percent compliant on May 25th. Indeed, even MPs and the regulators themselves aren’t ready. But don’t panic, it says, as the general assumption is that when the deadline hits, European regulators will treat it as a soft opening.
May 23rd: GDPR Summit London
At a glance: If you’re having sleepless nights wondering whether you will be investigated or even fined, then the next GDPR Summit London is your chance to meet and listen to over 30 Data Protection experts all in one venue. Date: 25th June, Bishopsgate.
At a glance: Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR, according to Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood. Vitale adds, “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”
At a glance: Google has agreed to meet with a group of publishers this week at four of its global offices to discuss their concerns about its preparations for GDPR. Ahead of the meeting, publishing trade bodies are still seeking written responses from Google to the seven questions they set out in their April letter. Those include questions on whether Google will be explicit about the purposes for which it requires consent from end users and how the company will seek publisher input if it makes further changes to its GDPR policies.
At a glance: It’s unclear how easy things will actually be for WordPress site owners. A lot depends on to what extent plug-in makers add the privacy information that sites will refer to when creating or updating their own privacy policies. However, many plug-in makers are individual developers or small companies that lack their own legal teams to advise them.
At a glance: There’s a debate to be had about Facebook’s position and whether it truly represents GDPR compliance. According to some observers, it’s not cut and dried.
At a glance: The EU’s rules for data privacy were once derided as restrictive, but after the Facebook scandal Brussels hopes they will help bring big tech to heel worldwide and become the de facto data protection standard, reports the Financial Times.
At a glance: Companies worrying about whether they have received the best advice over GDPR compliance are not alone, even British MPs appear to be at sixes and sevens, amid claims that a data protection training programme – run by an external “GDPR specialist” – has advised them to delete years of casework.
At a glance: A proper GDPR audit should go beyond first party software on a publisher’s website and should include third party services in Ad Tech and MarTech stacks for a thorough inspection. This ebook also sheds some light on where online media will go after GDPR takes effect.
At a glance: GDPR isn’t just a Europe-wide issue – it affects companies from all around the globe. In short, if your business has clients, customers or website visitors in the European Union, you must be in compliance with the GDPR.
At a glance: Forbes’ cybersecurity beat reporter outlines the five key checks you need to ensure GDPR compliance in advance of next Friday’s deadline (25th).
At a glance: This useful guide from Recode gives US businesses operating or serving customers in the EU an overview of what the GDPR means for them and its accompanying responsibilities. It’s getting a bit late in the day though.
At a glance: Instead of obsessing over the impossibilities, focus on what you can control: understanding your data deeply — what it is, where it is, where it’s going and what its limitations are. Only by getting to know your data better than ever will you be as equipped as possible.
At a glance: Companies will need to be far more transparent about the data they collect and how it will be used. And they will generally be forbidden from forcing users to agree to sharing of their data by denying them the ability to use their services if they refuse to opt-in to unnecessary sharing.
At a glance: If your email marketing is on-point, offers your subscribers value, uses the most engaging language possible (including good subject lines), your subscribers will trust your brand, engage with your emails and be glad to hear from you. In fact GDPR is encouraging brands to build trust with their subscribers, which they should’ve been endeavoring to do all along.
May 15th: It’s not too late to get GDPR ready
At a glance: Not yet GDPR ready? Don’t panic. GDPR compliance is a work in progress. Becoming fully compliant with all the obligations is a tall order. As long as companies can demonstrate a serious approach to GDPR implementation, regulators have said publicly they will allow some leeway to adjust to the new framework.
May 14th: 10 Unintended Consequences of the GDPR
At a glance: A must-read article on the unintended consequences of GDPR, not least the supposition that ‘big publishers will be the first victim of GDPR’ and that the Regulation will simply strengthen Google and Facebook’s hand.
May 14th: GDPR – a checklist for publishers
At a glance: Publishers’ trade association, FIPP, has produced a checklist for publishers to ensure they’ve implemented and interpreted next week’s GDPR guidance properly.
At a glance: The last piece of the GDPR jigsaw – the Information Commissioner’s Office’s guidance on consent – has finally been put in place, with a warning that companies embarking on a barrage of repermissioning emails could be wasting their time.
At a glance: A survey by Digiday has found that marketers’ most common fear about the General Data Protection Regulation is a decreased ability to target consumers.
At a glance: The widespread hand-wringing caused by the last-minute scramble of businesses ahead of the May 25 GDPR deadline is fueling a cottage industry of GDPR experts and consultants. Not all are qualified, and those who aren’t are peddling ill-informed advice.
At a glance: The Information Commissioner’s Office (ICO) will release its final consent guidance this week. With just over two weeks left before the deadline of May 25th, the decision to publish final guidance at such a late stage can best be described as troubling.
At a glance: Publishers still have granular questions over interpreting parts of the law and around how rigorously the EU will enforce these rules come May.
May 8th: GDPR claims its first victims
At a glance: Already, a few companies have decided that the burdens of GDPR compliance are too much to bear and are shutting part or all of their businesses. In addition, according to a survey of 400 US companies published last week, many firms are still confused about GDPR and 52% are “still exploring the applicability of GDPR to their business.”
At a glance: The largest German publisher, who own Business Insider and popular tabloid Bild, have been monitoring which kinds of messages drive more people to opt in, as well as the messages’ position on the page. The results: So far, the publisher’s readers are far more likely to give consent when they receive a fact-based static message, rather than a video message or one written in a tone that requests the readers’ support.
At a glance: Publishers using Google’s default consent technology will only be allowed to pass data to 12 supply chain partners, including Google itself, SSPs, exchanges, ad servers, DSPs, DMPs, plug-ins, tracking and measurement tags and third-party data suppliers, sources told AdExchanger.
At a glance: It’s not just consumers that GDPR protects, it’s also employees. Firms need to place as much focus on this as other aspects of the legislation, not least because disaffected employees are more likely to take a swipe at former employers, with GDPR being one stick with which to beat them.
At a glance: With the GDPR looming, ad tech partners that can’t guarantee compliance with publishers will be dropped fast. For instance, ad tech companies must be able to tell travel publisher Lastminute.com’s sales team how their technologies track readers legally under the regulation; otherwise, they won’t be able to access its inventory, according to Lastminute.com.
At a glance: The crux of GDPR is about putting the power of data back in the hands of consumers, giving us a better understanding of where our data is and what it’s being used for. But there’s a dark side to GDPR – the multi-year, multibillion-dollar, Herculean racket that GDPR has become.
At a glance: The three areas highlighted in the letter that pose the most concern for the trade groups are Google’s Controller Terms, responsibility of obtaining legal consent, and the complete placement of liability of consent on the publisher and not on Google. They’re not wrong.
At a glance: Market research giant YouGov is readying a blockchain solution that will allow EU consumers to choose which data they share with brands; a move that will not only help it preserve its nascent digital ad network post-GDPR, but one it’s pitching as a “great boon” for publishers too.
At a glance: According to research by Ensighten, nearly half of UK businesses expect to be fined for GDPR non-compliance. 61 per cent of respondents would also apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.
April 30th: Google and GDPR hand publishers a hard choice
At a glance: Publishers face an unexpected bind. Google operates DoubleClick Bid Manager and DoubleClick for Publishers, platforms nearly every publisher on the planet uses at some point or another. So declining Google’s latest terms could provoke catastrophic financial consequences.
At a glance: One of the first victims of GDPR is Super Monday Night Combat, the multiplayer online battle arena by Uber Entertainment. It’s closing down for good next month, saying the cost of complying with GDPR is too high to keep going.
April 30th: The 7 stages of GDPR grief
At a glance: The deadline for GDPR compliance is fast approaching, and it’s very likely that, in the early days of enforcement, large enterprises engaging in annoying and ruthless data marketing will be made an example of. Get your house in order before it’s too late.
At a glance: Econsultancy, one of the most respected titles around, has produced a great guide to repermissioning campaigns with some superb examples (as well as pointing out some of the poorer attempts and what to avoid).
April 27th: GDPR: A New Road, Not a Roadblock
At a glance: Done right, GDPR introduces the possibility of a more meaningful, trust-based relationship between business and consumer. Under the legislation there are still mechanisms that will enable companies to use the personal data they gather from their customers.
At a glance: One month away, GDPR has more than half of global institutions frazzled over compliance. According to the legal professionals who participated in the survey, one of the Achilles’ heels for compliance preparedness is third-party vendors.
At a glance: Facebook CFO David Wehner yesterday warned that “we believe MAU (monthly active users) or DAU (daily active users) might be flat or down in Q2 due to the GDPR rollout.” He also said that while Facebook doesn’t expect a significant impact on ads from GDPR, there may be a slight impact and it “will be monitoring for that”.
At a glance: Google’s email service is adding the option to allow messages to become inaccessible after a set time as it prepares for tougher data privacy laws. A new “confidential mode” can also be used to stop recipients being easily able to forward, copy, download or print correspondence sent via Gmail. The new facilities are part of a wider revamp of the cloud-based service.
At a glance: An excellent piece on The Drum looking at what marketers and publishers can do if they haven’t yet prepared for GDPR. Spoiler alert: there is a lot. The overriding message is that it’s ‘not too late, but get a move on’.
At a glance: When asked whether the new GDPR rules would impact advertisers’ targeting abilities, Google CEO Sundar Pichai emphasized that Google still makes most of its money from search advertising, where the effect of personalization is minimal. However, Pichai’s answer skips over the other 20 percent of its advertising revenue, which comes from its Network Members’ properties.
At a glance: EU security commissioner says new regulations may have to be brought in if tech firms fail to tackle issues voluntarily. The code would include a pledge for greater transparency, including algorithm transparency. Not surprisingly, the proposed regulations have been criticised for undermining freedom of expression.
April 23rd: Europe’s new privacy rules are no silver bullet
At a glance: EU national watchdogs still face an uphill struggle to come to grips with their expanded regulatory role at a time when most of their budgets are still relatively small and they remain understaffed. According to Politico, Europe’s expanded privacy standards also will do little to stop companies from harvesting personal data.
April 23rd: Nine top GDPR tips for email marketing
At a glance: IT Pro’s must-read article underscores the need for marketers ‘not to panic’ and not ‘to try and re-obtain consent from their lists for life-long messaging’. According to Skip Fidura, Dotmailer client service director and non-executive director at the Digital Marketing Association, this is an unnecessary effort.
At a glance: The World Federation of Advertisers – which represents the likes of Unilever, Mars, Shell and Danone – is launching an initiative to create a data ecosystem that properly respects consumer choices and their right to control their own data and goes way beyond the requirements of GDPR.
At a glance: Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally. Facebook will continue to book revenue through Facebook’s Irish office, but for privacy protections, users will deal with the company’s headquarters in California.
At a glance: Advertisers want to use location data in ad targeting, but they’re finding the coming enforcement of the General Data Protection Regulation is throwing a wrench in those plans. Some ad exchanges, for example, are reducing and redacting the information made available via their logs, according to some ad tech executives speaking to Digiday.
At a glance: An article in TechCrunch concludes that Facebook is ‘seeking consent from users in a way that’s not fair because it’s manipulative (which) means consent is not being freely given. Under GDPR, it won’t be consent at all.’ The piece emphasises why it’s important to comply with the spirit of GDPR, not just the technicalities.
At a glance: Facebook will no longer be able to process news feed posts for ad-targeting purposes, unless those posts are marked “public” or “friends of friends” because they tend to include what the GDPR defines as “special categories of data,” according to sources. Ethnicity, religious beliefs, political affiliation and sexual orientation are the kinds of data defined as special categories.
At a glance: According to a report on WABetaInfo, the latest version of WhatsApp for Android (2.8.113) will allow users to redownload older media files from the company’s servers. But it only seems to go back so far – beyond that users will be given a message asking the sender to re-send the media in question. According to Ian Woolley of Ensighten, “If WhatsApp, with the backing of Facebook, can’t easily provide access to a user’s historical content what can we expect of companies when it comes to even more complicated user consent compliance?”
April 17th: WTF is the CONSENT Act?
At a glance: Meanwhile, waiting in the wings in the U.S. is the Consent Act which has many parallels with GDPR. Its chances of making it through Congress are rated as ‘slim’ but following the Facebook uproar there may be renewed appetite among U.S. lawmakers for this to be ratified into legislation.
At a glance: If you need to call the regulator’s hotline (0303 123 1113 UK | +44 1625 545 700 RoW) don’t leave it too late. They are already getting 500 calls a day, with a wait time of half an hour.
At a glance: The spirit of GDPR is clear, but what that means practically is still unclear according to some participants at last week’s AdExchanger Programmatic I/O in San Francisco. A key event takeaway is that third party data hasn’t been killed stone dead, rather, “the data will just have to get cleaner out of necessity.”
April 16th: Google’s GDPR approach raises publisher concerns
At a glance: Further fallout from last week’s announcement that Google intends to become a controller of all the data on a publisher’s site. Not for the first time, publishers are viewing the move as “a commercial agenda that whilst wrapped up in a GDPR and privacy-language narrative, looks very much like large vendors seeking to steal ground.”
At a glance: Google’s proposed GDPR terms claim that it will be a “controller” of all the data on a publisher’s site (not just what they need to serve the ad). By declaring itself a controller over all the data on a publisher’s site, Google is asserting independent control of a publisher’s audience data. This is, essentially, a massive land grab by the already-dominant Google.
April 12th: What Does the EU’s GDPR mean for Blockchain?
At a glance: Publishers looking to make a foray into Blockchain could do worse than heed this warning from Washington DC think tank Coin Center, who say that blockchain technology may be ‘fundamentally incompatible with Europe’s new privacy laws’.
At a glance: On Monday, the ICO’s Elizabeth Denham said she plans to stick with the ICO’s existing approach to enforcement when the GDPR begins to apply. She describes enforcement as “a last resort” and that “hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.”
At a glance: Some publishers have concerns about what they regard as ambiguous terms in GroupM’s Data Protection Addendum, plus the agency group’s warning that it would likely cease trading with them if they didn’t sign the contract. A meeting has been organised in tandem with the AOP.
At a glance: In this outstanding missive, the author writes about GDPR as a concept in relation to media trends, and considers what this means for publishers’ editorial strategies. Spoiler alert: it’s big.
At a glance: Facebook has just promised to offer its users worldwide the same privacy controls as required under GDPR. To do this, it would need to provide its users with all the data that it has collected or created about them, including any categories, descriptions or assigned behaviour scores.
At a glance: The DMA is calling on the Information Commissioner’s Office to provide urgent guidance on how third-party data will be affected by GDPR, amid growing concerns that the industry could be caught in the cross-fire from the ongoing Cambridge Analytica data scandal. The DMA says the ICO has published “very little guidance for marketers as to how they can buy, share and use third-party data under GDPR” and insists it is crucial that the regulator “addresses the concerns of the industry”.
At a glance: Apple will roll out four privacy management tools that will provide users the ability to obtain a copy of their data, request a correction of data and deactivate account or delete the account. The tools, which will be available on the Apple ID account page, will be introduced in the EU in May and later rolled out globally.
Ian Woolley, Chief Revenue Officer at Ensighten comments, “Tim Cook, CEO of Apple, stands out for his unequivocal commitment and advocacy of consumer privacy. Trusted brands, such as Apple, will be rewarded with greater levels of opt-in consent, which will enable them to further develop consumer insights and customised experiences. In contrast, brands with questionable, historical data practices will see low rates of opt-in consent, which will increase their customer acquisition costs.
“In the new GDPR world it’s critically important for brands and publishers to understand that consumer trust is the new currency. Trust is built by design from the ground up, which includes how data is collected and shared within brands’ underlying website technologies, long before consent is ever granted.”