
GDPR: The Ultimate Resource Guide for Publishers

GDPR is finally here (enforced from Friday 25th May 2018). For publishers the challenge isn’t over. In fact, it’s barely begun.

In order to cut through the noise and provide clarity to publishers, WNIP has compiled what we believe to be the definitive GDPR Publishers’ Resource.

This will act as a ‘live’ feed and will be updated on an ongoing basis. Click here for the Latest GDPR News feed.

Resources

The Legislation

Click here to view the full GDPR legislation in its entirety.

Information Commissioner’s Office

A general must-read is the Information Commissioner’s Office Guide to the General Data Protection Regulation (GDPR). This is a good foundation and essential reading for anyone looking into GDPR. Unlike what you’d expect from a Government body, the guidance is concise and clear.

What we particularly like is its ‘At a Glance’ overviews covering The Right To Be Informed; Consent; and Legal Obligation.

The Guide also covers GDPR for Children, an absolute must-read for publishers holding data on children.

GDPR for Publishers: The Lawyer’s View

With ambiguity and confusion surrounding certain elements of GDPR, WNIP met with one of the world’s leading legal authorities on the subject, Gabriel Voisin, a partner with Bird & Bird LLP in the City of London.

Armed with a bevy of topics from publishers both large and small, Gabriel answers questions such as, “What is an adequate consent approach?”; “How do I know that my partners are GDPR compliant?”; “How do I, as a publisher, respect the data subject rights?” and many more besides… a 30-minute must-listen.

GDPR for Marketers: The Essentials

Written in conjunction with ISBA and the Data Protection Network, the Direct Marketing Association’s ‘GDPR for Marketers; The essentials’ is, well, essential.

A concise and clear overview, the 30 page tome ends with the uplifting conclusion that whilst GDPR ‘can be seen as a hindrance for marketing activities, a closer examination of the regulation reveals that it gives marketers an opportunity to build more transparent and meaningful relationships with their customers’.

Another useful resource is from SEOptimer which has written a comprehensive article looking at how GDPR will impact SEO and the digital marketing industries. Many of its predictions are already proving true.

Checklists for Publishers

The ICO has (helpfully) created self-assessment checklists for both data controllers and data processors which are perfect for independent publishers lacking the resource to hire a dedicated data controller. The Government body has also written a more in-depth checklist which offers a 12-step roadmap to compliance. The latter is an excellent roadmap and guide.

Consent

For authoritative information on consent, read the Article 29 Working Party (WP29) guidance. This is a legal document, written by lawyers for lawyers – if you don’t have five hours to spare, the ICO’s overview on consent is our preferred reading material. Five minutes, if that. Stop Press: May 10th, the ICO has just published its final guidance on consent.

Consent Management Platforms

A CMP is the tech infrastructure a business uses to collect and store which data customers have consented to have used, and for what purposes. The CMP then feeds that information to other selected partners in the digital ad supply chain. The goal is for everyone in a publisher’s supply chain to understand what data they may use and for what.

Publisher-centric exchange Sovrn recently conducted a study of free and paid-for CMPs found across the top 200 UK Alexa sites (excluding CMPs that are publisher-specific or are not IAB supported) and rated each one against a top 10 feature set, defined based on conversations with publishers in the UK and US.

Revealed: the best time to send GDPR consent emails

In short, avoid the morning! According to SmartFocus, emails sent earlier in the day are more likely to be seen as an intrusion, as recipients are busy at work and going about their day. Consequently, emails sent at night will be seen in a much more positive light.

SmartFocus chief marketing officer Sarah Taylor says: “Knowing when to contact your audience with a request for information or consent can make the difference between success and failure.”

Privacy notices

Yep, the ICO has that covered with this checklist – it will take you through everything you need to be able to write accurate, legally compliant privacy notices. WNIP has also written a clear overview of what GDPR means for publishers’ privacy policies.

In short, any time anyone properly engages with your website – not just reading, but wanting to know more and signing up – then you need to have your privacy notice right up there. You need to let them know up front what you do with their data. If they have to go and search for this then, again, you are going to fall foul of GDPR.

Fines

There is a lot of scaremongering right now. You’ve heard the potential fines I’m sure: 4% of a company’s global turnover or €20 million. That’s enough to sink any publishing ship. However, the Information Commissioner Elizabeth Denham has spoken out about this in the ICO’s blog and tried to allay people’s fears. Yes, the potential fines are onerous but Denham stresses that, “this law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”

Crucially she adds, “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”

Editor’s note, 4th Oct 2018: The aforementioned blog post has since been taken down by the ICO. For an up-to-date assessment of potential fines, the Project Consulting Group have written an article clarifying matters.

Editor’s note, 28th Nov 2019: Privacy Affairs has published a regularly-updated list of GDPR fines. Largest fine to date? Google, €50M.

But what about Brexit?

Because the UK government only triggered Article 50 in March 2017, which sets in motion the act of leaving the EU within a two-year timeframe, the UK must still comply. In fact, a recent Data Protection Bill, published by the UK government in August 2017, essentially mirrors the requirements of GDPR into UK legislation (meaning those compliant with GDPR should be compliant with the new UK data protection law and vice versa).

Don’t Panic Mr Mainwaring

Perhaps the final word, at this juncture at least, should go to Bird & Bird LLP’s Gabriel Voisin who when asked what single piece of advice he’d give publishers over GDPR, responded, “Don’t panic and just stay calm.”

We’d also recommend this article from Econsultancy entitled ‘GDPR: Why the opportunities far outweigh the costs’. As the author concludes, “These rules are going to ensure that your organisation is providing a more secure, trustworthy service.” He also adds, “More importantly these changes are going to be enforced worldwide. This means GDPR is not (only) a European issue.”

Latest GDPR news:

NB: This list is no longer being updated.

Nov 22nd: ‘It’s hurting us’: Confessions of an ad tech exec on GDPR consent-string fraud

At a glance: There are still technical examples of consent strings not being properly transmitted. And that’s not necessarily because of shadiness, but due to how complex our ecosystem is — there are lots of ways publishers connect to demand through containers, header bidding, tags — some things just get lost along the way.

Nov 16th: Think You Ticked All the Boxes for GDPR? Think Again.

At a glance: Recognize that GDPR isn’t wholly a technology problem and that it is an ongoing commitment across the whole company. Make staff aware of not only what GDPR is but also why they have a responsibility to protect the personal data of customers and other employees.

Nov 9th: An early test of the GDPR: taking on data brokers

At a glance: Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.

Nov 8th: How Content Marketing Can Benefit In A Post-GDPR World

At a glance: Because the GDPR commands a global reach, it has had a significant effect on the digital marketing landscape over the last few months. The GDPR is simply asking content marketers to adhere to best practices. It’s raising the bar and asking brands to be a lot more transparent with their customers. 

Oct 24th: Tim Cook blasts ‘weaponisation’ of personal data and praises GDPR

At a glance: Apple chief executive Tim Cook has demanded a tough new US data protection law, in an unusual speech in Europe. Referring to the misuse of “deeply personal” data, he said it was being “weaponised against us with military efficiency”. The strongly-worded speech presented a striking defence of user privacy rights from a tech firm’s chief executive. Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR).

Oct 19th: How US Companies Are Becoming GDPR Compliant

At a glance: US companies can still be affected by the GDPR if they have EU customers or audiences. But US companies typically are not as sensitive to the GDPR as those in the EU. In a June 2018 survey of 600 IT and legal professionals by Dimensional Research and TrustArc, more than a quarter of respondents said their firms were fully GDPR compliant while just 12% of US companies said they were GDPR compliant.

Oct 15th: France – CNIL publishes initial analysis on Blockchain and GDPR

At a glance: Many questions surround the Blockchain’s compatibility with EU General Data Protection Regulation (GDPR). The French Data Protection Supervisory Authority (the CNIL) has recently published its initial thoughts on this topic, providing some responses and practical recommendations on how the usage of a blockchain may be compatible with GDPR and more generally Data Protection Law, taking into account the “constraints” imposed by such technology.

Oct 12th: Google is the main beneficiary of GDPR

At a glance: The number of web trackers operating in the European Union since the introduction of the General Data Protection Regulation (GDPR) has declined by up to 31%, but new research suggests that Google is getting access to even more data than before. Many people within the advertising industry had expected the GDPR’s transparency provisions to curtail Google and other tech giants when it came to the collection of personal information. Not so.

Oct 8th: GDPR is leading to more second-party data deals

At a glance: GDPR has accelerated demand for risk-free buying options. Contextual targeting has enjoyed a bump, as have programmatic-guaranteed deals. Now, second-party data partnerships are getting a second wind, according to some major publishers. The Guardian, News UK and Business Insider have all claimed a noticeable increase in the number of requests for ways to co-mingle advertiser first-party data with their own customized audience data sets.

Oct 3rd: Europe is drawing fresh battle lines around the ethics of big data

At a glance: It’s been just over four months since Europe’s tough new privacy framework came into force. You might believe that little of substance has changed for big tech’s data-hungry smooth operators since then — beyond firing out a wave of privacy policy update spam, and putting up a fresh cluster of consent pop-ups that are just as aggressively keen for your data. But don’t be fooled. This is the calm before the storm, according to the European Union’s data protection supervisor, Giovanni Buttarelli, who says the law is being systematically flouted on a number of fronts right now — and that enforcement is coming.

Oct 2nd: It’s time for publishers to get back in the EU pool

At a glance: Since the GDPR’s introduction in May, many US publishers have still blanket-blocked traffic to their sites from the European Union. Despite the emergence of a simple and mostly free solution to GDPR compliance in the form of Consent Management Platforms (CMPs), only 15% of the websites that took the supposedly short-term approach of blocking European users have subsequently been updated.

Sept 28th: Bupa hit by £175,000 fine for mass insider data theft

At a glance: Bupa Insurance Services has been whacked with a £175,000 fine by the Information Commissioner’s Office for failing to have effective security measures in place to protect customers’ personal information after an employee stole hundreds of thousands of customer records and then sold them on the Internet.

Sept 28th: Uber to pay $148m for data breach cover-up

At a glance: Uber revealed last November that a flaw in how it stored passengers’ and drivers’ information online had allowed a hacker to access sensitive data including customers’ names, email addresses and phone numbers, etc. In the UK, 2.7m users were affected.

Speaking to WNIP, Ian Woolley, Ensighten’s Chief Revenue Officer, says, “Big fines are the tip of the iceberg for brands like Uber that conceal the truth from their customers following a security breach. The real cost is reputational damage. The new data economy demands trust and transparency between businesses and their customers. This is a wake-up call for all businesses to review their security strategy as a whole and ensure they address all vulnerabilities to prevent a future breach.”

Sept 24th: UK emits first GDPR notice… against Canadian Brexit campaigner

At a glance: AggregateIQ is thought to have “micro-targeted” possible voters through social media channels using data gathered by pro-Brexit campaigns. It spent $2m on Brexit-related advertisements on Facebook alone. Now it’s in trouble… big trouble.

Sept 20th: $273bn behavioural ad industry ‘is in breach of GDPR’

At a glance: The way behavioural advertising uses consumers’ personal data could be in direct breach of GDPR. This is the crux of a new official complaint – filed with the Irish Data Protection Commissioner and the UK Information Commissioner’s Office – on behalf of tech start-up Brave, the Open Rights Group and University College London, aimed at triggering an EU-wide investigation into the practice. The complainants argue that when users search on Google, personal information on their online behaviour is broadcast to multiple companies interested in targeting them with ads without users’ consent.

Sept 18th: Firms urged to set up their own EU data transfer deals

At a glance: With just six months to go before Brexit comes into force, the Government is now advising firms to draw up their own contracts for transferring data between the UK and EU countries – as well as the US.

Sept 15th: IAB Europe CMP Validator helps CMPs align with transparency & consent framework

At a glance: IAB Europe, the industry association for the digital advertising ecosystem in Europe, has launched its Consent Management Platform (CMP) Validator, a tool which validates whether a CMP’s code conforms to the technical specifications and protocols detailed in the IAB Europe Transparency & Consent Framework (Framework). While currently in beta, the tool will be available on October 1 this year.

Sept 14th: Google looking for ways to handle sites blocking searchers over GDPR

At a glance: Google admits it is a bad user experience for a European user to see content in web search, click on it and get a blocked page because of GDPR. According to reports, it’s looking for a solution(s).

Sept 13th: So far, GDPR compliance is uneven

At a glance: Compliance with new European data privacy regulations was spotty in the first three months after the rules took effect at the end of May, with an estimated 70 percent of global companies failing to comply with requests for personal data within the required one-month time period. Retailers were found to be the worst scofflaws, with 76 percent failing to respond to individual requests for private data within 30 days. The financial sector performed better, but only about half managed to respond to data requests within one month.

Sept 7th: Why Google and IAB Europe haven’t been able to resolve online consent

At a glance: The ad tech ecosystem is still waiting for Google to implement the IAB Europe Transparency and Consent Framework (TCF), a protocol for collecting consent and conveying it to intermediaries for data-driven advertising. The sticking point? “Even if TCF publishers’ consent standards match Google’s most of the time, Google isn’t going to expose itself to potential multibillion-dollar fines by accepting consent that doesn’t quite meet its interpretation.”

Sept 3rd: Two French location data companies receive GDPR consent warnings

At a glance: When partner apps were downloaded by users, consumer consent was obtained for use of location by the app — but not for transfer of that data to third parties Fidzup and Teemo, whose SDKs were integrated into the apps. In other words, users were not being asked to consent to the use of their location data by someone other than by the app publisher, even though that was happening.

Sept 1st: GDPR: What consumers want overwhelmingly contradicts their behaviour

At a glance: According to a study by Selligent Marketing Cloud – which polled 7,000 consumers on their brand engagement preferences, customer experience expectations, and marketing complaints – what consumers want overwhelmingly contradicts their behaviour.  It showed that expectations for personalised customer experience are high but so is consumer discomfort with sharing personal data that makes personalisation possible.

Aug 29th: Data breach complaints up 160% since GDPR came into force

At a glance: Complaints to the UK Information Commissioner’s Office (ICO) about potential data breaches have more than doubled since stricter regulations came into force in May. The ICO received 6,281 complaints between 25 May and 3 July this year, a 160 per cent rise on the same period in 2017. Commenting on the news, Ian Woolley, Chief Revenue Officer at Ensighten, told WNIP, “Governing bodies need to be tighter on the misuse of data and follow through with their word of placing financial sanctions on those who do not adhere to the regulation. And brands need to stop viewing GDPR as just a legal hurdle to jump. Consistent data governance is the only way to ensure that brands aren’t putting their customers or reputation at risk.”

Aug 24th: The impact of GDPR, in 5 charts

Unsurprisingly, it’s the smaller ad tech players that were always more likely to be affected by GDPR. Although partly dreamed up in order to slow the pace of growth of the dominant U.S. platforms, particularly Facebook and Google, many industry experts believe GDPR has inadvertently handed them more power.

Aug 21st: Has the GDPR law actually got European news outlets to cut down on rampant third-party cookies and content on their sites? It seems so

At a glance: The introduction of GDPR has provided news organizations with a chance to evaluate the utility of various features, including third-party services, and to remove code which is no longer of significant use or which compromises user privacy. In the UK, news sites had been loading a lot of third-party content; these news sites saw a 45 percent decline in cookies per page from April through July.

Aug 17th: Revealed: the top five GDPR compliance failings in UK

At a glance: According to a new survey, those working in technology are revealed as the worst culprits when it comes to GDPR non-compliance with 42% of responders, followed by those within the retail sector (26%). The biggest area of non-compliance is email campaign consent, with 35% admitting they are still sending marketing emails without expressed consent.

Aug 14th: GDPR is here and, yes, user experience is still broken

At a glance: New data regulations held the promise of an improved user experience for digital services, but the reality is more pop-ups, confusion and inconsistency. Indeed, whilst the killing off of sneaky language (‘click if you don’t want to receive marketing’) has certainly been a good thing, a focus on user consent for tracking and personalisation has resulted in sometimes stultifying user experiences.

Aug 12th: Under GDPR, publishers are adopting CMPs for fear of losing out on ad revenue

At a glance: More publishers are feeling under pressure to adopt a consent-management platform to be compliant with the General Data Protection Regulation, publishers and ad tech vendors say. FYI, here’s WNIP’s CMPs comparison guide.

Aug 10th: DMA opens twin offensive against ePrivacy overhaul

At a glance: The DMA (Direct Marketing Association, UK) is aiming to exploit new delays to the looming ePrivacy Regulation (2020) by launching a two-pronged attack against the legislation, amid claims that in its current form the law could wreak havoc with the economic well-being of the entire marketing sector.

Aug 9th: Experian in ICO sights as Emma’s Diary gets walloped

At a glance: The Information Commissioner’s Office has sent out a chilling warning with confirmation it has fined Emma’s Diary the £140,000 monetary penalty it flagged up last month, after revealing that Experian Marketing Services built a prospect database using illegally gathered personal information belonging to more than a million people.

Aug 6th: GDPR-based extortion could be the next cybercrime trend

At a glance: A number of companies have predicted that the GDPR regulations could lead to a rise in cyber-extortion: criminals breaching a company or discovering they are not GDPR compliant – and demanding money in return for not reporting them to the Information Commissioner’s Office (ICO) or equivalent data regulator.

Aug 3rd: Over 90% of users consent to GDPR requests says Quantcast after enabling 1bn of them

At a glance: Over the past two months, 90% of consumers have consented to GDPR requests from publishers and marketers, according to adtech outfit Quantcast which has processed 1bn of them.

July 31st: Democrats have reportedly drawn up plans to slap big tech firms with privacy laws similar to GDPR in the EU

At a glance: Senator Mark Warner’s office has outlined ways for US policymakers to bring big tech to heel. Warner suggests that the US adopt data legislation similar to Europe’s recent GDPR regulations. He identifies key parts of GDPR which could be copied such as data portability, the right to be forgotten, 72-hour breach notification, and first party consent.

July 24th: GDPR has brought us Heath Robinson websites and Kafkaesque UX

At a glance: Another excellent article from Econsultancy which shows the confusion surrounding GDPR, especially when you first arrive at some publisher websites – “it’s clear that many companies completely fail to realise that a whiter-than-white approach counts for little if the first interaction with your digital service becomes confusing or even unusable.”

July 20th: ‘It’s all incredibly confusing’: Publishers complain GDPR consent signals are ignored by ad buyers

At a glance: Publishers are concerned that signals that inform ad buyers when users have given their consent to be served personalized ads are not being passed correctly across the digital ad supply chain. Several publishers have said they’ve lost ad revenue as a result.

July 19th: Post-GDPR impact: Programmatic remains strong

At a glance: It’s been reported that programmatic purchases have plummeted in the EU since GDPR has gone into effect. However, having evaluated programmatic ad spend in the U.S., the impact isn’t nearly as drastic as some may have believed.

July 18th: Hearst settles magazine subscribers’ Michigan privacy claim for $50 million

At a glance: Not directly related to GDPR but relevant – Hearst was accused of violating the Michigan Video Rental Privacy Act by selling readers’ magazine subscription histories and reading habits to data mining companies, and then selling “enhanced” customer profiles containing data from those companies to third parties.

July 16th: Major UK data firms under scrutiny as watchdog bites

At a glance: Some of the UK’s leading data companies, including CACI, Experian, Equifax, TransUnion (formerly Callcredit) and Data8, are among the businesses being investigated by the Information Commissioner’s Office as part of its probe into the use of personal data for political advertising. It also has evidence that some data brokers had initially failed to obtain lawful consent.

July 12th: ‘It’s impossible’: Google has asked ad tech firms to guarantee broad GDPR consent, assume liability

At a glance: Google is asking that programmatic exchanges and SSPs guarantee that their publishers have received consent for each of the roughly 200 vendors on Google’s commonly used vendor list. However, if an exchange or SSP declines to sign the agreement, it is limited to only selling non-personalized ads through DoubleClick Bid Manager. In the words of one executive, the situation ‘is impossible’.

July 11th: Emma’s Diary first broker to be fingered in ICO probe

At a glance: Emma’s Diary, the brand set up 25 years ago to target expectant and new mums, has become the first list broker to be incriminated in the Information Commissioner’s Office probe into the misuse of personal data in political advertising. The brand, which is owned by Lifestyle Marketing, has now been served with a notice of intent of regulatory action.

July 9th: They’re passing the liability onto us: Publishers balk at Publicis Media’s new GDPR requirements

At a glance: Several publishers are pushing back on demands by agency giant Publicis that are meant to get the agency in compliance with GDPR. The concerns center around Publicis’ shifting liability for the new European privacy law to publishers which would leave the publisher responsible if the agency retargets users who haven’t consented to be targeted.

July 6th: World’s biggest tech firms accused of flouting GDPR

At a glance: According to an analysis of online privacy policies, 14 of the world’s leading tech firms – including Facebook, Amazon, AirBnB and Apple, as well as Google – do not fully meet the requirements of the new regulation.

July 5th: Google delay on ads standard for EU privacy law creates compliance mess

At a glance: Google’s delayed entry into a consortium of advertising technology companies has spoiled the members’ push to comply with a new European privacy law, six people involved in the program told Reuters, leaving some firms exposed to fines.

July 3rd: US sites continue to block European visitors post-GDPR

At a glance: Many American publishers don’t want to lose their EU audiences, but they also want to avoid the risk of infringing the GDPR and paying 4 percent of their global revenue, especially in cases where EU revenue fails to justify that risk.

June 28th: ‘Everyone is breaking the law right now’: GDPR compliance efforts are falling short

At a glance: The arrival of the General Data Protection Regulation a month ago led to a flurry of activity, clogging email inboxes and flooding people with tracking consent notices. But experts say much of that activity was for show because much of it fails to render companies compliant with GDPR.

June 27th: GDPR: It’s Just The Tip Of The Iceberg In Regulatory Change

At a glance: Many businesses today are simply not prepared for the rising tide of regulatory action that has become the new normal for businesses. On balance, the GDPR is a wake-up call, for it’s given businesses everywhere an opportunity to review and modernize their cyber risk practices to secure their digital futures. GDPR is just the tip of the iceberg — what’s most visible — of the regulatory change that’s coming.

June 12th: How The California Consumer Privacy Act Stacks Up Against GDPR

At a glance: While both the California Consumer Privacy Act and Europe’s General Data Protection Regulation address the collection of personal information by businesses, they are actually quite different. Here’s where they diverge and why the advertising trade orgs are lobbying like bandits to block the California act’s passage.

June 7th: Google Reverses Course On GDPR Consent Tool Limiting Publishers To 12 Vendor Partners

At a glance: Google is reversing its policy for its consent management platform (CMP) that initially capped at 12 the number of vendors a publisher can list in opt-in messages, following critical feedback from publishers and the ad tech industry. The platform now has no limit.

June 5th: Confessions of a digital agency exec: Marketers are shifting GDPR liability to agencies

At a glance: Pass the buck – once European regulators start enforcing GDPR, don’t be surprised if brands with non-compliant sites try to shift the blame to their agencies. In the latest in Digiday’s Confessions series, a digital agency executive whose company helps build Fortune 500 companies’ websites said brands make agencies contractually responsible for GDPR violations.

June 4th: Google Emerges as Early Winner From Europe’s New Data Privacy Law

At a glance: GDPR is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation. Why? Google is gathering users’ consent far faster than its smaller competitors who have fewer resources.

June 1st: Privacy International probes ‘hidden’ Acxiom practices

At a glance: Acxiom is facing scrutiny over its data practices after Privacy International named the business as one of the key targets of a new campaign which will investigate what it brands “the hidden data ecosystem”. According to Privacy International, this “comprises thousands of non-consumer facing data companies – such as Acxiom, Criteo, Quantcast – that amass and exploit large amounts of personal data”.

May 30th: The Washington Post puts a price on data privacy in its GDPR response — and tests requirements

At a glance: Some U.S. publishers have blocked visitors from the EU to their sites rather than comply with GDPR. The Washington Post has gone an extra step and put up a paywall for EU visitors, upselling them to a $90 a year “premium EU subscription” in exchange for no ads  — and the privilege of not having their data tracked. The premium subscription is $30 more than the cost of a basic online subscription to the Post.

May 28th: Facebook and Google hit with $8.8 billion in lawsuits on day one of GDPR

At a glance: The Verge reports that on the first day of GDPR enforcement, Facebook and Google have been hit with a raft of lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.

May 25th: GDPR zero hour: Now the hard work begins say experts

At a glance: Deputy Information Commissioner Steve Wood tells Decision Marketing: “May 25 is not the end, it is the beginning, and the important thing is that organisations take concrete steps to implement their new responsibilities – to better protect customer data. There isn’t a deadline in the sense that if organisations aren’t compliant by today, then they’ve missed their chance.”

May 25th: GDPR: US news sites blocked to EU users over data protection rules

At a glance: A number of high-profile US news websites are temporarily unavailable in Europe after new European Union rules on data protection came into effect. The Chicago Times and LA Times were among those posting messages saying they were currently unavailable in most European countries.

May 25th: Biggest brands will lose the use of 43 percent of EU audience data after GDPR say media buyers

At a glance: Senior media buyers for hundreds of the world’s biggest brands are predicting 43 percent of EU consumer audience data will be unusable after the General Data Protection Regulation (GDPR) comes into force today. The research by contextual technology leaders, Vibrant Media, found that some of the problems brands are reporting include: low opt-in rates to email databases; slow uptake to review and set communications preferences; low traffic rates to websites so explicit consent can be attained; and a lack of confidence in the adequacy of GDPR compliance.

May 25th: Sourcepoint launches Consent Management Platform

At a glance: Sourcepoint has launched a Consent Management Platform to help publishers navigate compliance. The CMP is fully compliant with the IAB Consent Management Framework, as well as non-IAB vendors, and is compatible with DoubleClick for Publishers, allowing publishers to not only gather consent signals but to also understand how to drive monetisation for all users.

May 24th: Apple launches new Data and Privacy website ready for GDPR

At a glance: Apple has launched a new Data and Privacy website in order for the company to better comply with the new GDPR rules. While the service is available in the EU right now, it’s expected to be released worldwide in the coming months.

May 24th: Google Plans To Join The IAB Europe GDPR Framework, But The Devil Is In The Details

At a glance: Google plans to register for the IAB’s GDPR Framework but there are still important, unknown details – like how long before Google resolves its discrepancies with the IAB, or whether it will join only as a vendor or incorporate its consent opt-in service, Funding Choices, as an IAB-registered consent management platform. Questions remain, but it’s progress. Of a sort.

May 23rd: The best GDPR stats & surveys we’ve seen

At a glance: All the latest stats compiled across industries, sectors and platforms. One standout figure is that nearly half of UK marketers are already preparing for fines and putting money aside for such an eventuality.

May 23rd: No one’s ready for GDPR

At a glance: The Verge describes how very few companies are going to be 100 percent compliant on May 25th. Indeed, even MPs and the regulators themselves aren’t ready. But don’t panic, it says, as the general assumption is that when the deadline hits, European regulators will treat it as a soft opening.

May 23rd: GDPR Summit London

At a glance: If you’re having sleepless nights wondering whether you will be investigated or even fined, then the next GDPR Summit London is your chance to meet and listen to over 30 Data Protection experts all in one venue. Date: 25th June, Bishopsgate.

May 22nd: Most GDPR emails unnecessary and some illegal, say experts

At a glance: Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR, according to Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood, who adds: “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”

May 22nd: Google to Hold Talks With Publishers Over Their GDPR Concerns

At a glance: Google has agreed to meet with a group of publishers this week at four of its global offices to discuss their concerns about its preparations for GDPR. Ahead of the meeting, publishing trade bodies are still seeking written responses from Google to the seven questions they set out in their April letter. Those include questions on whether Google will be explicit about the purposes for which it requires consent from end users and how the company will seek publisher input if it makes further changes to its GDPR policies.

May 21st: WordPress poses another GDPR compliance headache for publishers

At a glance: It’s unclear how easy things will actually be for WordPress site owners. A lot depends on to what extent plug-in makers add the privacy information that sites will refer to when creating or updating their own privacy policies. However, many plug-in makers are individual developers or small companies that lack their own legal teams to advise them.

May 21st: Facebook’s interest-based ad targeting highlights GDPR uncertainty

At a glance: There’s a debate to be had about Facebook’s position and whether it truly represents GDPR compliance. According to some observers, it’s not cut and dried.

May 21st: Information wars: How Europe became the world’s data police

At a glance: The EU’s rules for data privacy were once derided as restrictive, but after the Facebook scandal Brussels hopes they will help bring big tech to heel worldwide and become the de facto data protection standard, reports the Financial Times.

May 21st: MPs ‘as clear as mud’ about how to comply with GDPR

At a glance: Companies worrying about whether they have received the best advice over GDPR compliance are not alone: even British MPs appear to be at sixes and sevens, amid claims that a data protection training programme – run by an external “GDPR specialist” – has advised them to delete years of casework.

May 21st: eBook: A Publisher’s Guide to GDPR Compliance

At a glance: A proper GDPR audit should go beyond first party software on a publisher’s website and should include third party services in Ad Tech and MarTech stacks for a thorough inspection. This ebook also sheds some light on where online media will go after GDPR takes effect.

May 18th: Europe’s GDPR rules mean big changes for businesses in Canada

At a glance: GDPR isn’t just a Europe-wide issue – it affects companies from all around the globe. In short, if your business has clients, customers or website visitors in the European Union, you must be in compliance with the GDPR.

May 17th: Five Final Checks To Ensure GDPR Compliance

At a glance: Forbes’ cybersecurity beat reporter outlines the five key checks you need to ensure GDPR compliance in advance of next Friday’s deadline (25th).

May 17th: A practical guide to the European Union’s GDPR for American businesses

At a glance: This useful guide from Recode gives US businesses operating or serving customers in the EU an overview of what the GDPR means for them and its accompanying responsibilities. It’s getting a bit late in the day though.

May 16th: What to do if total GDPR compliance is impossible

At a glance: Instead of obsessing over the impossibilities, focus on what you can control: understanding your data deeply — what it is, where it is, where it’s going and what its limitations are. Only by getting to know your data better than ever will you be as equipped as possible.

May 16th: GDPR: What future for first, second and third-party data

At a glance: Companies will need to be far more transparent about the data they collect and how it will be used. And they will generally be forbidden from forcing users to agree to sharing of their data by denying them the ability to use their services if they refuse to opt-in to unnecessary sharing.

May 16th: GDPR and email marketing: Everything’s gonna be all right

At a glance: If your email marketing is on-point, offers your subscribers value, uses the most engaging language possible (including good subject lines), your subscribers will trust your brand, engage with your emails and be glad to hear from you. In fact GDPR is encouraging brands to build trust with their subscribers, which they should’ve been endeavoring to do all along.

May 15th: It’s not too late to get GDPR ready

At a glance: Not yet GDPR ready? Don’t panic. GDPR compliance is a work in progress. Becoming fully compliant with all the obligations is a tall order. As long as companies can demonstrate a serious approach to GDPR implementation, regulators have said publicly they will allow some leeway to adjust to the new framework.

May 14th: 10 Unintended Consequences of the GDPR

At a glance: A must-read article on the unintended consequences of GDPR, not least the supposition that ‘big publishers will be the first victim of GDPR’ and that the Regulation will simply strengthen Google and Facebook’s hand.

May 14th: GDPR – a checklist for publishers

At a glance: Publishers’ trade association, FIPP, has produced a checklist for publishers to ensure they’ve implemented and interpreted next week’s GDPR guidance properly.

May 11th: GDPR final consent guidance is published – with a warning

At a glance: The last piece of the GDPR jigsaw – the Information Commissioner’s Office’s guidance on consent – has finally been put in place, with a warning that companies embarking on a barrage of repermissioning emails could be wasting their time.

May 11th: European marketers see GDPR hurting audience targeting 

At a glance: A survey by Digiday has found that marketers’ most common fear about the General Data Protection Regulation is a decreased ability to target consumers.

May 11th: GDPR scrambling has spawned a swell of data protection ‘charlatans’ 

At a glance: The widespread hand-wringing caused by the last-minute scramble of businesses ahead of the May 25 GDPR deadline is fueling a cottage industry of GDPR experts and consultants. Not all of them are qualified, and some are peddling ill-informed advice.

May 8th: UK: Final GDPR Guidance to be released imminently

At a glance: The Information Commissioner’s Office (ICO) will release its final consent guidance this week. With just over two weeks left before the deadline of May 25th, the decision to publish final guidance at such a late stage can best be described as troubling.

May 8th: Europe’s General Data Protection Regulation is coming May 25. How have news publishers prepared?

At a glance: Publishers still have granular questions over interpreting parts of the law and around how rigorously the EU will enforce these rules come May.

May 8th: GDPR claims its first victims

At a glance: Already, a few companies have decided that the burdens of GDPR compliance are too much to bear and are shutting part or all of their businesses. In addition, according to a survey of 400 US companies published last week, many firms are still confused about GDPR and 52% are “still exploring the applicability of GDPR to their business.”

May 4th: How Axel Springer is getting consent for GDPR

At a glance: The largest German publisher, who own Business Insider and popular tabloid Bild, have been monitoring which kinds of messages drive more people to opt in, as well as the messages’ position on the page. The results: So far, the publisher’s readers are far more likely to give consent when they receive a fact-based static message, rather than a video message or one written in a tone that requests the readers’ support.

May 4th: Google’s GDPR consent tool will limit publishers to 12 ad tech vendors

At a glance: Publishers using Google’s default consent technology will only be allowed to pass data to 12 supply chain partners, including Google itself, SSPs, exchanges, ad servers, DSPs, DMPs, plug-ins, tracking and measurement tags and third-party data suppliers, sources told AdExchanger.

May 3rd: Key elements of GDPR for employers: Are you ready for the changes?

At a glance: It’s not just consumers that GDPR protects, it’s also employees. Firms need to place as much focus on this as other aspects of the legislation, not least because disaffected employees are more likely to take a swipe at former employers, with GDPR being one stick with which to beat them.

May 2nd: Publishers say they’ll use GDPR to shed ad tech vendors

At a glance: With the GDPR looming, ad tech partners that can’t guarantee compliance with publishers will be dropped fast. For instance, ad tech companies must be able to tell travel publisher Lastminute.com’s sales team how their technologies track readers legally under the regulation; otherwise, they won’t be able to access its inventory, according to Lastminute.com.

May 2nd: The GDPR Racket: Who’s Making Money From This $9bn Business Shakedown?

At a glance: The crux of GDPR is about putting the power of data back in the hands of consumers, giving us a better understanding of where our data is and what it’s being used for. But there’s a dark side to GDPR – the multi-year, multibillion-dollar, Herculean racket that GDPR has become.

May 2nd: Four Publishing Trade Groups Criticize Google’s Ad Policy Change in Letter to CEO

At a glance: The three areas highlighted in the letter that pose the most concern for the trade groups are Google’s Controller Terms, responsibility of obtaining legal consent, and the complete placement of liability of consent on the publisher and not on Google. They’re not wrong.

May 1st: YouGov is pitching its GDPR-compliant blockchain targeting tool as a ‘boon’ for publishers

At a glance: Market research giant YouGov is readying a blockchain solution that will allow EU consumers to choose which data they share with brands; a move that will not only help it preserve its nascent digital ad network post-GDPR, but one it’s pitching as a “great boon” for publishers too.

May 1st: Nearly half of UK businesses expect to be fined for GDPR non-compliance

At a glance: According to research by Ensighten, nearly half of UK businesses expect to be fined for GDPR non-compliance. 61 per cent of respondents would also apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.

April 30th: Google and GDPR hand publishers a hard choice

At a glance: Publishers face an unexpected bind. Google operates DoubleClick Bid Manager and DoubleClick for Publishers, platforms nearly every publisher on the planet uses at some point or another. So declining Google’s latest terms could provoke catastrophic financial consequences.

April 30th: Super Monday Night Combat will close down, citing EU’s new digital privacy law

At a glance: One of the first victims of GDPR is Super Monday Night Combat, the multiplayer online battle arena by Uber Entertainment. It’s closing down for good next month, saying the cost of complying with GDPR is too high to keep going.

April 30th: The 7 stages of GDPR grief

At a glance: The deadline for GDPR compliance is fast approaching, and it’s very likely that, in the early days of enforcement, large enterprises engaging in annoying and ruthless data marketing will be made an example of. Get your house in order before it’s too late.

April 27th: GDPR: 15 (good & bad) examples of repermissioning emails & campaigns

At a glance: Econsultancy, one of the most respected titles around, has produced a great guide to repermissioning campaigns with some superb examples (as well as pointing out some of the poorer attempts and what to avoid).

April 27th: GDPR: A New Road, Not a Roadblock

At a glance: Done right, GDPR introduces the possibility of a more meaningful, trust-based relationship between business and consumer. Under the legislation there are still mechanisms that will enable companies to use the personal data they gather from their customers.

April 27th: GDPR Too Close, Half of Global Companies Not Ready

At a glance: One month away, GDPR has more than half of global institutions frazzled over compliance. According to the legal professionals who participated in the survey, one of the Achilles’ heels for compliance preparedness is third-party vendors.

April 26th: Facebook warns GDPR could flatten or reduce European user count

At a glance: Facebook CFO David Wehner yesterday warned that “we believe MAU (monthly active users) or DAU (daily active users) might be flat or down in Q2 due to the GDPR rollout.” He also said that while Facebook doesn’t expect a significant impact on ads from GDPR, there may be a slight impact and it “will be monitoring for that”.

April 26th: Google’s Gmail gets self-destruct option ahead of GDPR

At a glance: Google’s email service is adding the option to allow messages to become inaccessible after a set time as it prepares for tougher data privacy laws. A new “confidential mode” can also be used to stop recipients being easily able to forward, copy, download or print correspondence sent via Gmail. The new facilities are part of a wider revamp of the cloud-based service.

April 25th: One month sprint to GDPR: 5 things to do now if your business isn’t prepared

At a glance: An excellent piece on The Drum looking at what marketers and publishers can do if they haven’t yet prepared for GDPR. Spoiler alert: there are a lot. The overriding message is that it’s ‘not too late, but get a move on’.

April 24th: Google CEO tells investors not to worry about Europe’s upcoming privacy rules

At a glance: When asked whether the new GDPR rules would impact advertisers’ targeting abilities, Google CEO Sundar Pichai emphasized that Google still makes most of its money from search advertising, where the effect of personalization is minimal. However, Pichai’s answer skips over the other 20 percent of its advertising revenue, which comes from its Network Members’ properties.

April 24th: Tech firms could face new EU regulations over fake news and data mining

At a glance: EU security commissioner says new regulations may have to be brought in if tech firms fail to tackle issues voluntarily. The code would include a pledge for greater transparency, including algorithm transparency. Not surprisingly, the proposed regulations have been criticised for undermining freedom of expression.

April 23rd: Europe’s new privacy rules are no silver bullet

At a glance: EU national watchdogs still face an uphill struggle to come to grips with their expanded regulatory role at a time when most of their budgets are still relatively small and they remain understaffed. According to Politico, Europe’s expanded privacy standards also will do little to stop companies from harvesting personal data.

April 23rd: Nine top GDPR tips for email marketing

At a glance: IT Pro’s must-read article underscores the need for marketers ‘not to panic’ and not ‘to try and re-obtain consent from their lists for life-long messaging’. According to Skip Fidura, Dotmailer client service director and non-executive director at the Digital Marketing Association, this is an unnecessary effort. 

April 20th: Global brands commit to go beyond GDPR compliance

At a glance: The World Federation of Advertisers – which represents the likes of Unilever, Mars, Shell and Danone – is launching an initiative to create a data ecosystem that properly respects consumer choices and their right to control their own data and goes way beyond the requirements of GDPR.

April 20th: Facebook moves 1.5bn users out of reach of new European privacy law

At a glance: Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally. Facebook will continue to book revenue through Facebook’s Irish office, but for privacy protections, users will deal with the company’s headquarters in California.

April 20th: The GDPR is spooking location-targeting companies

At a glance: Advertisers want to use location data in ad targeting, but they’re finding the coming enforcement of the General Data Protection Regulation is throwing a wrench in those plans. Some ad exchanges, for example, are reducing and redacting the information made available via their logs, according to some ad tech executives speaking to Digiday.

April 19th: Data experts on Facebook’s GDPR changes: Expect lawsuits

At a glance: An article in TechCrunch concludes that Facebook is ‘seeking consent from users in a way that’s not fair because it’s manipulative (which) means consent is not being freely given. Under GDPR, it won’t be consent at all.’ The piece emphasises why it’s important to comply with the spirit of GDPR, not just the technicalities.

April 18th: The GDPR is coming and will change Facebook ad targeting

At a glance: Facebook will no longer be able to process news feed posts for ad-targeting purposes, unless those posts are marked “public” or “friends of friends” because they tend to include what the GDPR defines as “special categories of data,” according to sources. Ethnicity, religious beliefs, political affiliation and sexual orientation are the kinds of data defined as special categories.

April 18th: Report: Only 34% of Websites in the EU are Ready for GDPR

At a glance: vpnMentor ran a test of over 2,500 websites in the EU that will need to follow the new GDPR regulations and found that as few as 34% of websites are currently compliant. Most of the websites they checked had either old privacy policies or, in some cases, no privacy policy at all.

April 17th: First WhatsApp update since Facebook privacy scandal will make a huge change to your messaging

At a glance: According to a report on WABetaInfo, the latest version of WhatsApp for Android (2.8.113) will allow users to redownload older media files from the company’s servers. But it only seems to go back so far – beyond that users will be given a message asking the sender to re-send the media in question. According to Ian Woolley of Ensighten, “If WhatsApp, with the backing of Facebook, can’t easily provide access to a user’s historical content what can we expect of companies when it comes to even more complicated user consent compliance?”

April 17th: WTF is the CONSENT Act?

At a glance: Meanwhile, waiting in the wings in the U.S. is the Consent Act which has many parallels with GDPR. Its chances of making it through Congress are rated as ‘slim’ but following the Facebook uproar there may be renewed appetite among U.S. lawmakers for this to be ratified into legislation.

April 16th: Denham confirms GDPR hotline gets 500 calls a day

At a glance: If you need to call the regulator’s hotline (0303 123 1113 UK | +44 1625 545 700 RoW) don’t leave it too late. They are already getting 500 calls a day, with a wait time of half an hour.

April 16th: Prog IO San Francisco: What Will Be The Fate Of Third-Party Data After GDPR?

At a glance: The spirit of GDPR is clear, but what that means practically is still unclear according to some participants at last week’s AdExchanger Programmatic I/O in San Francisco. A key event takeaway is that third party data hasn’t been killed stone dead, rather, “the data will just have to get cleaner out of necessity.”

April 16th: Google’s GDPR approach raises publisher concerns

At a glance: Further fallout from last week’s announcement that Google intends to become a controller of all the data on a publisher’s site. Not for the first time, publishers are viewing the move as “a commercial agenda that whilst wrapped up in a GDPR and privacy-language narrative, looks very much like large vendors seeking to steal ground.”

April 13th: Google to publishers on GDPR: “Take it or leave it”

At a glance: Google’s proposed GDPR terms claim that it will be a “controller” of all the data on a publisher’s site (not just what they need to serve the ad). By declaring itself a controller over all the data on a publisher’s site, Google is asserting independent control of a publisher’s audience data. This is, essentially, a massive land grab by the already-dominant Google.

April 12th: What Does the EU’s GDPR mean for Blockchain?

At a glance: Publishers looking to make a foray into Blockchain could do worse than heed this warning from Washington DC think tank Coin Center, who say that blockchain technology may be ‘fundamentally incompatible with Europe’s new privacy laws’.

April 11th: GDPR: UK watchdog promises ‘proportionate and pragmatic’ enforcement

At a glance: On Monday, the ICO’s Elizabeth Denham said she plans to stick with the ICO’s existing approach to enforcement when the GDPR begins to apply. She describes enforcement as “a last resort” and says that “hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.”

April 10th: UK publishers are banding together to get clarity on GroupM’s GDPR policy

At a glance: Some publishers have concerns about what they regard as ambiguous terms in GroupM’s Data Protection Addendum, plus the agency group’s warning that it would likely cease trading with them if they didn’t sign the contract. A meeting has been organised in tandem with the AOP.

April 9th: Publishers Haven’t Realized Just How Big a Deal GDPR is

At a glance: In this outstanding missive, the author writes about GDPR as a concept in relation to media trends, and considers what this means for publishers’ editorial strategies. Spoiler alert: it’s big.

April 9th: A Tough Task for Facebook: European-Type Privacy for All

At a glance: Facebook has just promised to offer its users worldwide the same privacy controls as required under GDPR. To do this, it would need to provide its users with all the data that it has collected or created about them, including any categories, descriptions or assigned behaviour scores.

April 4th: DMA demands answers over threat to third-party data

At a glance: The DMA is calling on the Information Commissioner’s Office to provide urgent guidance on how third-party data will be affected by GDPR, amid growing concerns that the industry could be caught in the cross-fire from the ongoing Cambridge Analytica data scandal. The DMA says the ICO has published “very little guidance for marketers as to how they can buy, share and use third-party data under GDPR” and insists it is crucial that the regulator “addresses the concerns of the industry”.

April 3rd: Apple rolls out privacy features ahead of GDPR

At a glance: Apple will roll out four privacy management tools that will give users the ability to obtain a copy of their data, request a correction of data, deactivate their account or delete their account. The tools, which will be available on the Apple ID account page, will be introduced in the EU in May and later rolled out globally.

Ian Woolley, Chief Revenue Officer at Ensighten comments, “Tim Cook, CEO of Apple, stands out for his unequivocal commitment and advocacy of consumer privacy. Trusted brands, such as Apple, will be rewarded with greater levels of opt-in consent, which will enable them to further develop consumer insights and customised experiences. In contrast, brands with questionable, historical data practices will see low rates of opt-in consent, which will increase their customer acquisition costs. 

“In the new GDPR world it’s critically important for brands and publishers to understand that consumer trust is the new currency. Trust is built by design from the ground up, which includes how data is collected and shared within brands’ underlying website technologies, long before consent is ever granted.”