Since the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, the global conversation around data privacy has only gotten louder. According to a 2019 GlobalWebIndex study, 62% of consumers surveyed are concerned about the internet eroding their personal privacy and 65% are worried about how their personal data is being used by companies. A survey by Akamai Research similarly found that 66% of those surveyed would support “GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security, and control of their personal data.”
In response to this consumer sentiment, the state of California has taken the next step towards more comprehensive privacy regulation in the United States with the passing of the California Consumer Privacy Act, effective January 1, 2020 (CCPA).
By now, most publishers understand the general implications of privacy regulation on their data collection practices and security measures. But here are four less discussed implications for today’s digital publisher.
Internet Protocol (IP) Address
Every website must keep – even if just for milliseconds – a record of the IP address of every visitor requesting a resource. This is necessary in order to send the requested information back to the requesting address, which over the internet means an IP address. However, IP addresses are now being implicated in privacy legislation like the GDPR and CCPA as potentially constituting personal information. This is notwithstanding the fact that any single IP address can be associated with many users and any single user can be associated with many IP addresses.
So what does this mean for publishers? Both the GDPR and CCPA seem to turn on whether the subject information can be reasonably capable of being associated with a consumer (or in the case of CCPA, also household). There are also “legitimate use” exceptions that come into play. When it comes to IP addresses specifically, publishers must consider how their web presences collect and use this important data and then make sure they understand and can articulate the legitimate legal foundations relied upon for such use.
In addition to being necessary to simply serve up web content to a consumer, two additional legitimate uses for IP address include analytics and security. For example, IP addresses are often used to give publishers an approximate sense of the geographic location of their readers. For security purposes, IP addresses are also critical in detecting security incidents and protecting against malicious, deceptive, fraudulent, and illegal activity by denying services to attackers.
Finally, publishers should consider what other personal information is being collected and associated with each IP address. A publisher’s best bet is to limit usage of IP addresses solely to security and other enumerated legitimate uses and to avoid the association of other personal information with a user’s IP address. This will limit the argument for IP addresses to be considered personal information under applicable privacy regulations.
Some web applications support the ability to share a page (or an entire publication) by email. But exactly how this feature works is now important when considering compliance with privacy regulations. If the web application itself generates an email for sharing and then handles the email transaction, then it is most likely collecting personal information like the sender and/or recipient email addresses and possibly personal information found in any message sent along with the email.
Outside of scrubbing this information, which might be difficult if it’s part of raw web logs used for security purposes, one solution to this problem is to offload the entire email transaction to the email client on the reader’s device and avoid the collection of data to begin with. An alternative option is to jettison this feature altogether, as today’s consumer is certainly adept at copying and pasting browser links into an email or sharing using native browser controls without going through a formal share interface within the website. Either way, this traditional share feature must be evaluated.
Ad Tech and Analytic Services
While not necessarily addressed in GDPR, one primary aim of the CCPA is to regulate the act of selling personal information. To the extent a publisher can avoid selling personal information, they are in a better position when it comes to compliance requirements. However, the CCPA goes on to broadly define what it means to “sell” personal information to include disclosing, making available, transferring, or otherwise communicating personal information to a third party for “valuable consideration.” This expansive definition calls into question a publisher’s web integration with ad tech services like Google Ad Manager and analytic services such as Google Analytics.
The CCPA does make an exception for the sharing of personal information with a “service provider,” so long as it is for a business purpose, pursuant to a written contract, and the contract prohibits the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.” But the looming question for publishers (and all businesses) is what ad tech and analytic solutions qualify under the service provider classification of the CCPA.
As of now, it looks like Google has taken the position that Google Analytics is already compliant, while Google Ad Manager and similar related services would require the customer to enable a “restricted data processing” setting to be compliant. According to Google, this would keep any collected information from being used by Google for its own purposes or from being more broadly shared for tracking or programmatic buying value. Of course, this is just Google’s position on the matter. Ultimately, publishers must now carefully scrutinize the tech they adopt in their web presences to make their own determination if there is support for a service provider classification under the CCPA. Publishers should further consider the fact that they have more obligations to their readers by virtue of their direct relationship than do any of the publisher’s service providers.
A related and similar implication of privacy legislation involves the general use of website cookies. For years, publishers have been striving to create personalized content experiences for readers. Given the feasibility problems associated with accomplishing this in print, most publishers serve up personalized content in the digital space using cookies and other data collected from the reader. However, once again, providing highly personalized content based on a reader’s preferences and behavior is fundamentally at odds with privacy regulation.
Once proper consents are obtained, publishers can also leverage their special brand relationships with readers by directly asking for and collecting first-party information relevant to serving up personalized content. Ultimately, first-party data is more reliable and safer to handle from a data privacy standpoint. Plus, informed and involved readers are more likely to get comfortable with the process when the end result is a better content experience.
As more and more privacy regulations are adopted throughout the world, publisher compliance headaches will only worsen. Publishers must be proactive and vigilant in routinely reviewing and addressing privacy regulation compliance. This not only includes their more obvious data collection practices and security measures but also the features they support and the tech they adopt.
Paul DeHart, CEO, BlueToad
Paul DeHart is Co-owner and CEO of BlueToad, Inc. Since its launch in 2007, BlueToad has grown over the years into one of the leading distributors of digital content, with more than a billion page views a year and has helped thousands of content creators build audience relationships worldwide.