GDPR is finally here (enforced from Friday 25th May 2018). For publishers the challenge isn’t over. In fact, it’s barely begun.
In order to cut through the noise and provide clarity to publishers, WNIP has compiled what we believe to be the definitive GDPR Publishers’ Resource.
This will act as a ‘live’ feed and will be updated on an ongoing basis. Click here for the Latest GDPR News feed.
Click here to view the full GDPR legislation in its entirety.
Information Commissioner’s Office
A general must-read is the Information Commissioner’s Office Guide to the General Data Protection Regulation (GDPR). This is a good foundation and essential reading for anyone looking into GDPR. Unlike what you’d expect from a Government body, the guidance is concise and clear.
The Guide also covers GDPR for Children, an absolute must-read for publishers holding data on children.
GDPR for Publishers: The Lawyer’s View
With ambiguity and confusion surrounding certain elements of GDPR, WNIP met with one of the world’s leading legal authorities on the subject, Gabriel Voisin, a partner with Bird & Bird LLP in the City of London.
Armed with a bevy of topics from publishers both large and small, Gabriel answers questions such as, “What is an adequate consent approach?”; “How do I know that my partners are GDPR compliant?”; “How do I, as a publisher, respect the data subject rights?” and many more besides. A 30-minute must-listen.
GDPR for Marketers: The Essentials
A concise and clear overview, the 30 page tome ends with the uplifting conclusion that whilst GDPR ‘can be seen as a hindrance for marketing activities, a closer examination of the regulation reveals that it gives marketers an opportunity to build more transparent and meaningful relationships with their customers’.
Another useful resource is from SEOptimer which has written a comprehensive article looking at how GDPR will impact SEO and the digital marketing industries. Many of its predictions are already proving true.
Checklists for Publishers
The ICO has (helpfully) created self-assessment checklists for both data controllers and data processors which are perfect for independent publishers lacking the resource to hire a dedicated data controller. The Government body has also written a more in-depth checklist which offers a 12-step roadmap to compliance. The latter is an excellent roadmap and guide.
For authoritative information on consent, read the Article 29 Working Party (WP29) guidance. This is a legal document, written by lawyers for lawyers – if you don’t have five hours to spare, the ICO’s overview on consent is our preferred reading material. Five minutes, if that. Stop Press: May 10th, the ICO has just published its final guidance on consent.
Consent Management Platforms
A CMP is the tech infrastructure a business uses to collect and store what data customers have consented to be used and for what. The CMP then feeds that information to other selected partners in the digital ad supply chain. The goal is for everyone in a publisher’s supply chain to understand what data they may use and for what.
Publisher-centric exchange, Sovrn, recently conducted a study of free and paid for CMPs found across the top 200 UK Alexa sites (excluding CMPs that are publisher-specific or are not IAB supported) and rated each one against a top 10 feature set, defined based on conversations with publishers in the UK and US.
Revealed: the best time to send GDPR consent emails
In short, avoid the morning! According to SmartFocus, emails sent earlier in the day are more likely to be seen as an intrusion, as recipients are busy at work and going about their day. Consequently, emails sent at night will be seen in a much more positive light.
SmartFocus chief marketing officer Sarah Taylor says: “Knowing when to contact your audience with a request for information or consent can make the difference between success and failure.”
Yep, the ICO has that covered with this checklist – it will take you through everything you need to be able to write accurate, legally compliant privacy notices. WNIP has also written a clear overview of what GDPR means for publishers’ privacy policies.
In short, any time anyone properly engages with your website – not just reading, but wanting to know more and signing up – then you need to have your privacy notice right up there. You need to let them know up front what you do with their data. If they have to go and search for this then, again, you are going to fall foul of GDPR.
There is a lot of scaremongering right now. You’ve heard the potential fines I’m sure: 4% of a company’s global turnover or €20 million. That’s enough to sink any publishing ship. However, the Information Commissioner Elizabeth Denham has spoken out about this in the ICO’s blog and tried to allay people’s fears. Yes, the potential fines are onerous but Denham stresses that, “this law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that.”
Crucially she adds, “It’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.”
Editor’s note, 4th Oct 2018: The aforementioned blog post has since been taken down by the ICO. For an up-to-date assessment of potential fines, the Project Consulting Group have written an article clarifying matters.
Editor’s note, 28th Nov 2019: Privacy Affairs has published a regularly-updated list of GDPR fines. Largest fine to date? Google, €50M.
But what about Brexit?
Because the UK government only triggered Article 50 in March 2017, which sets in motion the act of leaving the EU within a two-year timeframe, the UK must still comply. In fact, a recent Data Protection Bill, published by the UK government in August 2017, essentially mirrors the requirements of GDPR into UK legislation (meaning those compliant with GDPR should be compliant with the new UK data protection law and vice versa).
Don’t Panic Mr Mainwaring
Perhaps the final word, at this juncture at least, should go to Bird & Bird LLP’s Gabriel Voisin who when asked what single piece of advice he’d give publishers over GDPR, responded, “Don’t panic and just stay calm.”
We’d also recommend this article from Econsultancy entitled ‘GDPR: Why the opportunities far outweigh the costs’. As the author concludes, “These rules are going to ensure that your organisation is providing a more secure, trustworthy service.” He also adds, “More importantly these changes are going to be enforced worldwide. This means GDPR is not (only) a European issue.”
Latest GDPR news:
NB: This list is no longer being updated.
At a glance: There are still technical examples of consent strings not being properly transmitted. And that’s not necessarily because of shadiness, but due to how complex our ecosystem is — there are lots of ways publishers connect to demand through containers, header bidding, tags — some things just get lost along the way.
At a glance: Recognize that GDPR isn’t wholly a technology problem and that it is an ongoing commitment across the whole company. Make staff aware of not only what GDPR is but also why they have a responsibility to protect the personal data of customers and other employees.
At a glance: Major data brokers Acxiom and Oracle are among seven companies accused of violating GDPR laws on personal information privacy. Advocates hope the complaints will shed light on the opaque ways that personal data is traded through third parties online both in the EU and the US.
At a glance: Because the GDPR commands a global reach, it has had a significant effect on the digital marketing landscape over the last few months. The GDPR is simply asking content marketers to adhere to best practices. It’s raising the bar and asking brands to be a lot more transparent with their customers.
At a glance: Apple chief executive Tim Cook has demanded a tough new US data protection law, in an unusual speech in Europe. Referring to the misuse of “deeply personal” data, he said it was being “weaponised against us with military efficiency”. The strongly-worded speech presented a striking defence of user privacy rights from a tech firm’s chief executive. Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR).
At a glance: US companies can still be affected by the GDPR if they have EU customers or audiences. But US companies typically are not as sensitive to the GDPR as those in the EU. In a June 2018 survey of 600 IT and legal professionals by Dimensional Research and
At a glance: Many questions surround the Blockchain’s compatibility with EU General Data Protection Regulation (GDPR). The French Data Protection Supervisory Authority (the CNIL) has recently published its initial thoughts on this topic, providing some responses and practical recommendations on how the usage of a blockchain may be compatible with GDPR and more generally Data Protection Law, taking into account the “constraints” imposed by such technology.
Oct 12th: Google is the main beneficiary of GDPR
At a glance: The number of web trackers operating in the European Union since the introduction of the General Data Protection Regulation (GDPR) has declined by up to 31%, but new research suggests that Google is getting access to even more data than before. Many people within the advertising industry had expected the GDPR’s transparency provisions to curtail Google and other tech giants when it came to the collection of personal information. Not so.
At a glance: GDPR has accelerated demand for risk-free buying options. Contextual targeting has enjoyed a bump, as have programmatic-guaranteed deals. Now, second-party data partnerships are getting a second wind, according to some major publishers. The Guardian, News UK and Business Insider have all claimed a noticeable increase in the number of requests for ways to co-mingle advertiser first-party data with their own customized audience data sets.
At a glance: Since the GDPR’s introduction in May, many US publishers have still blanket-blocked traffic to their sites from the European Union. Despite the emergence of a simple and mostly free solution to GDPR compliance in the form of Consent Management Platforms (CMPs), only 15% of the websites that took the supposedly short-term approach of blocking European users have subsequently been updated.
At a glance: Bupa Insurance Services has been whacked with a £175,000 fine by the Information Commissioner’s Office for failing to have effective security measures in place to protect customers’ personal information after an employee stole hundreds of thousands of customer records and then sold them on the Internet.
Sept 28th: Uber to pay $148m for data breach cover-up
At a glance: Uber revealed last November that a flaw in how it stored passengers’ and drivers’ information online had allowed a hacker to access sensitive data including customers’ names, email addresses and phone numbers, etc. In the UK, 2.7m users were affected.
Speaking to WNIP, Ian Woolley, Ensighten’s Chief Revenue Officer, says, “Big fines are the tip of the iceberg for brands like Uber that conceal the truth from their customers following a security breach. The real cost is reputational damage. The new data economy demands trust and transparency between businesses and their customers. This is a wake-up call for all businesses to review their security strategy as a whole and ensure they address all vulnerabilities to prevent a future breach.”
At a glance: AggregateIQ is thought to have “micro-targeted” possible voters through social media channels using data gathered by pro-Brexit campaigns. It spent $2m on Brexit-related advertisements on Facebook alone. Now it’s in trouble… big trouble.
At a glance: The way behavioural advertising uses consumers’ personal data could be in direct breach of GDPR. This is the crux of a new official complaint – filed with the Irish Data Protection Commissioner and the UK Information Commissioner’s Office – on behalf of tech start-up Brave, the Open Rights Group and University College London, aimed at triggering an EU-wide investigation into the practice. The complainants argue that when users search on Google, personal information on their online behaviour is broadcast to multiple companies interested in targeting them with ads without users’ consent.
At a glance: With just six months to go before Brexit comes into force, the Government is now advising firms to draw up their own contracts for transferring data between the UK and EU countries – as well as the US.
At a glance: IAB Europe, the industry association for the digital advertising ecosystem in Europe, has launched its Consent Management Platform (CMP) Validator, a tool which validates whether a CMP’s code conforms to the technical specifications and protocols detailed in the IAB Europe Transparency & Consent Framework (Framework). While currently in beta, the tool will be available on October 1 this year.
At a glance: Google admits it is a bad user experience for a European user to see content in web search, click on it and get a blocked page because of GDPR. According to reports, it’s looking for a solution(s).
Sept 13th: So far, GDPR compliance is uneven
At a glance: Compliance with new European data privacy regulations was spotty in the first three months after the rules took effect at the end of May, with an estimated 70 percent of global companies failing to comply with requests for personal data within the required one-month time period. Retailers were found to be the worst scofflaws, with 76 percent failing to respond to individual requests for private data within 30 days. The financial sector performed better, but only about half managed to respond to data requests within one month.
At a glance: The ad tech ecosystem is still waiting for Google to implement the IAB Europe Transparency and Consent Framework (TCF), a protocol for collecting consent and conveying it to intermediaries for data-driven advertising. The sticking point? “Even if TCF publishers’ consent standards match Google’s most of the time, Google isn’t going to expose itself to potential multibillion-dollar fines by accepting consent that doesn’t quite meet its interpretation.”
At a glance: When partner apps were downloaded by users, consumer consent was obtained for use of location by the app — but not for transfer of that data to third parties Fidzup and Teemo, whose SDKs were integrated into the apps. In other words, users were not being asked to consent to the use of their location data by someone other than by the app publisher, even though that was happening.
At a glance: According to a study by Selligent Marketing Cloud – which polled 7,000 consumers on their brand engagement preferences, customer experience expectations, and marketing complaints – what consumers want overwhelmingly contradicts their behaviour. It showed that expectations for personalised customer experience are high but so is consumer discomfort with sharing personal data that makes personalisation possible.
At a glance: Complaints to the UK Information Commissioner’s Office (ICO) about potential data breaches have more than doubled since stricter regulations came into force in May. The ICO received 6,281 complaints between 25 May and 3 July this year, a 160 per cent rise on the same period in 2017. Commenting on the news, Ian Woolley, Chief Revenue Officer at Ensighten, told WNIP, “Governing bodies need to be tighter on the misuse of data and follow through with their word of placing financial sanctions on those who do not adhere to the regulation. And brands need to stop viewing GDPR as just a legal hurdle to jump. Consistent data governance is the only way to ensure that brands aren’t putting their customers or reputation at risk.”
Aug 24th: The impact of GDPR, in 5 charts
Unsurprisingly, it’s the smaller ad tech players that were always more likely to be affected by GDPR. Although partly dreamed up in order to slow the pace of growth of the dominant U.S. platforms, particularly Facebook and Google, many industry experts believe GDPR has inadvertently handed them more power.
At a glance: The introduction of GDPR has provided news organizations with a chance to evaluate the utility of various features, including third-party services, and to remove code which is no longer of significant use or which compromises user privacy. In the UK, news sites had been loading a lot of third-party content; these news sites saw a 45 percent decline in cookies per page from April through July.
At a glance: According to a new survey, those working in technology are revealed as the worst culprits when it comes to GDPR non-compliance with 42% of responders, followed by those within the retail sector (26%). The biggest area of non-compliance is email campaign consent, with 35% admitting they are still sending marketing emails without expressed consent.
At a glance: New data regulations held the promise of an improved user experience for digital services, but the reality is more pop-ups, confusion and inconsistency. Indeed, whilst the killing off of sneaky language (‘click if you don’t want to receive marketing’) has certainly been a good thing, a focus on user consent for tracking and personalisation has resulted in sometimes stultifying user experiences.
At a glance: More publishers are feeling under pressure to adopt a consent-management platform to be compliant with the General Data Protection Regulation, publishers and ad tech vendors say. FYI, here’s WNIP’s CMPs comparison guide.
At a glance: The DMA (Direct Marketing Association, UK) is aiming to exploit new delays to the looming ePrivacy Regulation (2020) by launching a two-pronged attack against the legislation, amid claims that in its current form the law could wreak havoc with the economic well-being of the entire marketing sector.
At a glance: The Information Commissioner’s Office has sent out a chilling warning with confirmation it has fined Emma’s Diary the £140,000 monetary penalty it flagged up last month, after revealing that Experian Marketing Services built a prospect database using illegally gathered personal information belonging to more than a million people.
At a glance: A number of companies have predicted that the GDPR regulations could lead to a rise in cyber-extortion: criminals breaching a company or discovering they are not GDPR compliant, and demanding money in return for not reporting them to the Information Commissioner’s Office (ICO) or equivalent data regulator.
At a glance: Over the past two months, 90% of consumers have consented to GDPR requests from publishers and marketers, according to adtech outfit Quantcast which has processed 1bn of them.
At a glance: Senator Mark Warner’s office has outlined ways for US policymakers to bring big tech to heel. Warner suggests that the US adopt data legislation similar to Europe’s recent GDPR regulations. He identifies key parts of GDPR which could be copied such as data portability, the right to be forgotten, 72-hour breach notification, and first party consent.
At a glance: Another excellent article from Econsultancy which shows the confusion surrounding GDPR, especially when you first arrive at some publisher websites – “it’s clear that many companies completely fail to realise that a whiter-than-white approach counts for little if the first interaction with your digital service becomes confusing or even unusable.”
At a glance: Publishers are concerned that signals that inform ad buyers when users have given their consent to be served personalized ads are not being passed correctly across the digital ad supply chain. Several publishers have said they’ve lost ad revenue as a result.
At a glance: It’s been reported that programmatic purchases have plummeted in the EU since GDPR has gone into effect. However, having evaluated programmatic ad spend in the U.S., the impact isn’t nearly as drastic as some may have believed.
At a glance: Not directly related to GDPR but relevant – Hearst was accused of violating the Michigan Video Rental Privacy Act by selling readers’ magazine subscription histories and reading habits to data mining companies, and then selling “enhanced” customer profiles containing data from those companies to third parties.
At a glance: Some of the UK’s leading data companies, including CACI, Experian, Equifax, TransUnion (formerly Callcredit) and Data8, are among the businesses being investigated by the Information Commissioner’s Office as part of its probe into the use of personal data for political advertising. It also has evidence that some data brokers had initially failed to obtain lawful consent.
At a glance: Google is asking that programmatic exchanges and SSPs guarantee that their publishers have received consent for each of the roughly 200 vendors on Google’s commonly used vendor list. However, if an exchange or SSP declines to sign the agreement, it is limited to only selling non-personalized ads through DoubleClick Bid Manager. In the words of one executive, the situation ‘is impossible’.
At a glance: Emma’s Diary, the brand set up 25 years ago to target expectant and new mums, has become the first list broker to be incriminated in the Information Commissioner’s Office probe into the misuse of personal data in political advertising. The brand, which is owned by Lifestyle Marketing, has now been served with a notice of intent of regulatory action.
At a glance: Several publishers are pushing back on demands by agency giant Publicis that are meant to get the agency in compliance with GDPR. The concerns center around Publicis’ shifting liability for the new European privacy law to publishers which would leave the publisher responsible if the agency retargets users who haven’t consented to be targeted.
At a glance: According to an analysis of online privacy policies, 14 of the world’s leading tech firms – including Facebook, Amazon, AirBnB and Apple, as well as Google – do not fully meet the requirements of the new regulation.
At a glance: Google’s delayed entry into a consortium of advertising technology companies has spoiled the members’ push to comply with a new European privacy law, six people involved in the program told Reuters, leaving some firms exposed to fines.
At a glance: Many American publishers don’t want to lose their EU audiences, but they also want to avoid the risk of infringing the GDPR and paying 4 percent of their global revenue, especially in cases where EU revenue fails to justify that risk.
At a glance: The arrival of the General Data Protection Regulation a month ago led to a flurry of activity, clogging email inboxes and flooding people with tracking consent notices. But experts say much of that activity was for show because much of it fails to render companies compliant with GDPR.
At a glance: Many businesses today are simply not prepared for the rising tide of regulatory action that has become the new normal for businesses. On balance, the GDPR is a wake-up call, for it’s given businesses everywhere an opportunity to review and modernize their cyber risk practices to secure their digital futures. GDPR is just the tip of the iceberg — what’s most visible — of the regulatory change that’s coming.
At a glance: While both the California Consumer Privacy Act and Europe’s General Data Protection Regulation address the collection of personal information by businesses, they are actually quite different. Here’s where they diverge and why the advertising trade orgs are lobbying like bandits to block the California act’s passage.
At a glance: Google is reversing its policy for its consent management platform (CMP) that initially capped at 12 the number of vendors a publisher can list in opt-in messages, following critical feedback from publishers and the ad tech industry. The platform now has no limit.
At a glance: Pass the buck – once European regulators start enforcing GDPR, don’t be surprised if brands with non-compliant sites try to shift the blame to their agencies. In the latest in Digiday’s Confessions series, a digital agency executive whose company helps build Fortune 500 companies’ websites said brands make agencies contractually responsible for GDPR violations.
At a glance: GDPR is drawing advertising money toward Google’s online-ad services and away from competitors that are straining to show they’re complying with the sweeping regulation. Why? Google is gathering users’ consent far faster than its smaller competitors, who have fewer resources.
At a glance: Acxiom is facing scrutiny over its data practices after Privacy International named the business as one of the key targets of a new campaign which will investigate what it brands “the hidden data ecosystem”. According to Privacy International, this “comprises thousands of non-consumer facing data companies – such as Acxiom, Criteo, Quantcast – that amass and exploit large amounts of personal data”.
At a glance: Some U.S. publishers have blocked visitors from the EU to their sites rather than comply with GDPR. The Washington Post has gone an extra step and put up a paywall for EU visitors, upselling them to a $90 a year “premium EU subscription” in exchange for no ads — and the privilege of not having their data tracked. The premium subscription is $30 more than the cost of a basic online subscription to the Post.
At a glance: The Verge reports that on the first day of GDPR enforcement, Facebook and Google have been hit with a raft of lawsuits accusing the companies of coercing users into sharing personal data. The lawsuits, which seek to fine Facebook 3.9 billion and Google 3.7 billion euro (roughly $8.8 billion in dollars), were filed by Austrian privacy activist Max Schrems, a longtime critic of the companies’ data collection practices.
At a glance: Deputy Information Commissioner Steve Wood tells Decision Marketing: “May 25 is not the end, it is the beginning, and the important thing is that organisations take concrete steps to implement their new responsibilities – to better protect customer data. There isn’t a deadline in the sense that if organisations aren’t compliant by today, then they’ve missed their chance.”
At a glance: A number of high-profile US news websites are temporarily unavailable in Europe after new European Union rules on data protection came into effect. The Chicago Times and LA Times were among those posting messages saying they were currently unavailable in most European countries.
May 25th: Biggest brands will lose the use of 43 percent of EU audience data after GDPR say media buyers
At a glance: Senior media buyers for hundreds of the world’s biggest brands are predicting 43 percent of EU consumer audience data will be unusable after the General Data Protection Regulation (GDPR) comes into force today. The research by contextual technology leaders, Vibrant Media, found that some of the problems brands are reporting include: low opt-in rates to email databases; slow uptake to review and set communications preferences; low traffic rates to websites so explicit consent can be attained; and a lack of confidence in the adequacy of GDPR compliance.
At a glance: Sourcepoint has launched a Consent Management Platform to help publishers navigate compliance. The CMP is fully compliant with the IAB Consent Management Framework, as well as non-IAB vendors, and is compatible with DoubleClick for Publishers, allowing publishers to not only gather consent signals but to also understand how to drive monetisation for all users.
At a glance: Apple has launched a new Data and Privacy website in order for the company to better comply with the new GDPR rules. While the service is available in the EU right now, it’s expected to be released worldwide in the coming months.
At a glance: Google plans to register for the IAB’s GDPR Framework but there are still important, unknown details – like how long before Google resolves its discrepancies with the IAB, or whether it will join only as a vendor or incorporate its consent opt-in service, Funding Choices, as an IAB-registered consent management platform. Questions remain, but it’s progress. Of a sort.
May 23rd: The best GDPR stats & surveys we’ve seen
At a glance: All the latest stats compiled across industries, sectors and platforms. One standout figure is that nearly half of UK marketers are already preparing for fines and putting money aside for such an eventuality.
May 23rd: No one’s ready for GDPR
At a glance: The Verge describes how very few companies are going to be 100 percent compliant on May 25th. Indeed, even MPS and the regulators themselves aren’t ready. But don’t panic, it says, as the general assumption is that when the deadline hits, European regulators will treat it as a soft opening.
May 23rd: GDPR Summit London
At a glance: If you’re having sleepless nights wondering whether you will be investigated or even fined, then the next GDPR Summit London is your chance to meet and listen to over 30 Data Protection experts all in one venue. Date: 25th June, Bishopsgate.
At a glance: Businesses are not required to automatically ‘repaper’ or refresh all existing 1998 Act consents in preparation for the GDPR, according to Toni Vitale, the head of regulation, data and information at the law firm Winckworth Sherwood. Vitale adds, “The first question to ask is: which of the six legal grounds under the GDPR should you rely on to process personal data? Consent is only one ground. The others are contract, legal obligation, vital interests, public interest and legitimate interests.”
At a glance: Google has agreed to meet with a group of publishers this week at four of its global offices to discuss their concerns about its preparations for GDPR. Ahead of the meeting, publishing trade bodies are still seeking written responses from Google to the seven questions they set out in their April letter. Those include questions on whether Google will be explicit about the purposes for which it requires consent from end users and how the company will seek publisher input if it makes further changes to its GDPR policies.
At a glance: It’s unclear how easy things will actually be for WordPress site owners. A lot depends on to what extent plug-in makers add the privacy information that sites will refer to when creating or updating their own privacy policies. However, many plug-in makers are individual developers or small companies that lack their own legal teams to advise them.
At a glance: There’s a debate to be had about Facebook’s position and whether it truly represents GDPR compliance. According to some observers, it’s not cut and dried.
At a glance: The EU’s rules for data privacy were once derided as restrictive, but after the Facebook scandal Brussels hopes they will help bring big tech to heel worldwide and become the de facto data protection standard, reports the Financial Times.
At a glance: Companies worrying about whether they have received the best advice over GDPR compliance are not alone; even British MPs appear to be at sixes and sevens, amid claims that a data protection training programme – run by an external “GDPR specialist” – has advised them to delete years of casework.
At a glance: A proper GDPR audit should go beyond first party software on a publisher’s website and should include third party services in Ad Tech and MarTech stacks for a thorough inspection. This ebook also sheds some light on where online media will go after GDPR takes effect.
At a glance: GDPR isn’t just a Europe-wide issue – it affects companies from all around the globe. In short, if your business has clients, customers or website visitors in the European Union, you must be in compliance with the GDPR.
At a glance: Forbes’ cybersecurity beat reporter outlines the five key checks you need to ensure GDPR compliance in advance of next Friday’s deadline (25th).
At a glance: This useful guide from Recode gives US businesses operating or serving customers in the EU an overview of what the GDPR means for them and its accompanying responsibilities. It’s getting a bit late in the day though.
At a glance: Instead of obsessing over the impossibilities, focus on what you can control: understanding your data deeply — what it is, where it is, where it’s going and what its limitations are. Only by getting to know your data better than ever will you be as equipped as possible.
At a glance: Companies will need to be far more transparent about the data they collect and how it will be used. And they will generally be forbidden from forcing users to agree to sharing of their data by denying them the ability to use their services if they refuse to opt-in to unnecessary sharing.
At a glance: If your email marketing is on-point, offers your subscribers value and uses the most engaging language possible (including good subject lines), your subscribers will trust your brand, engage with your emails and be glad to hear from you. In fact, GDPR is encouraging brands to build trust with their subscribers, which they should’ve been endeavoring to do all along.
May 15th: It’s not too late to get GDPR ready
At a glance: Not yet GDPR ready? Don’t panic. GDPR compliance is a work in progress. Becoming fully compliant with all the obligations is a tall order. As long as companies can demonstrate a serious approach to GDPR implementation, regulators have said publicly they will allow some leeway to adjust to the new framework.
May 14th: 10 Unintended Consequences of the GDPR
At a glance: A must-read article on the unintended consequences of GDPR, not least the supposition that ‘big publishers will be the first victim of GDPR’ and that the Regulation will simply strengthen Google and Facebook’s hand.
May 14th: GDPR – a checklist for publishers
At a glance: Publishers’ trade association, FIPP, has produced a checklist for publishers to ensure they’ve implemented and interpreted next week’s GDPR guidance properly.
At a glance: The last piece of the GDPR jigsaw – the Information Commissioner’s Office’s guidance on consent – has finally been put in place, with a warning that companies embarking on a barrage of repermissioning emails could be wasting their time.
At a glance: A survey by Digiday has found that marketers’ most common fear about the General Data Protection Regulation is a decreased ability to target consumers.
At a glance: The widespread hand-wringing caused by the last-minute scramble of businesses ahead of the May 25 GDPR deadline is fueling a cottage industry of GDPR experts and consultants. Not all are qualified, and some are peddling ill-informed advice.
At a glance: The Information Commissioner’s Office (ICO) will release its final consent guidance this week. With just over two weeks left before the deadline of May 25th, the decision to publish final guidance at such a late stage can best be described as troubling.
At a glance: Publishers still have granular questions over interpreting parts of the law and around how rigorously the EU will enforce these rules come May.
May 8th: GDPR claims its first victims
At a glance: Already, a few companies have decided that the burdens of GDPR compliance are too much to bear and are shutting part or all of their businesses. In addition, according to a survey of 400 US companies published last week, many firms are still confused about GDPR and 52% are “still exploring the applicability of GDPR to their business.”
At a glance: The largest German publisher, who own Business Insider and popular tabloid Bild, have been monitoring which kinds of messages drive more people to opt in, as well as the messages’ position on the page. The results: So far, the publisher’s readers are far more likely to give consent when they receive a fact-based static message, rather than a video message or one written in a tone that requests the readers’ support.
At a glance: Publishers using Google’s default consent technology will only be allowed to pass data to 12 supply chain partners, including Google itself, SSPs, exchanges, ad servers, DSPs, DMPs, plug-ins, tracking and measurement tags and third-party data suppliers, sources told AdExchanger.
At a glance: It’s not just consumers that GDPR protects, it’s also employees. Firms need to place as much focus on this as other aspects of the legislation, not least because disaffected employees are more likely to take a swipe at former employers, with GDPR being one stick with which to beat them.
At a glance: With the GDPR looming, ad tech partners that can’t guarantee compliance with publishers will be dropped fast. For instance, ad tech companies must be able to tell travel publisher Lastminute.com’s sales team how their technologies track readers legally under the regulation; otherwise, they won’t be able to access its inventory, according to Lastminute.com.
At a glance: The crux of GDPR is about putting the power of data back in the hands of consumers, giving us a better understanding of where our data is and what it’s being used for. But there’s a dark side to GDPR – the multi-year, multibillion-dollar, Herculean racket that GDPR has become.
At a glance: The three areas highlighted in the letter that pose the most concern for the trade groups are Google’s Controller Terms, responsibility of obtaining legal consent, and the complete placement of liability of consent on the publisher and not on Google. They’re not wrong.
At a glance: Market research giant YouGov is readying a blockchain solution that will allow EU consumers to choose which data they share with brands; a move that will not only help it preserve its nascent digital ad network post-GDPR, but one it’s pitching as a “great boon” for publishers too.
At a glance: According to research by Ensighten, nearly half of UK businesses expect to be fined for GDPR non-compliance. 61 per cent of respondents would also apply for an extension on the deadline if they had the choice, due to mounting fears that they will not meet GDPR requirements in time.
April 30th: Google and GDPR hand publishers a hard choice
At a glance: Publishers face an unexpected bind. Google operates DoubleClick Bid Manager and DoubleClick for Publishers, platforms nearly every publisher on the planet uses at some point or another. So declining Google’s latest terms could provoke catastrophic financial consequences.
At a glance: One of the first victims of GDPR is Super Monday Night Combat, the multiplayer online battle arena by Uber Entertainment. It’s closing down for good next month, saying the cost of complying with GDPR is too high to keep going.
April 30th: The 7 stages of GDPR grief
At a glance: The deadline for GDPR compliance is fast approaching, and it’s very likely that, in the early days of enforcement, large enterprises engaging in annoying and ruthless data marketing will be made an example of. Get your house in order before it’s too late.
At a glance: Econsultancy, one of the most respected titles around, has produced a great guide to repermissioning campaigns with some superb examples (as well as pointing out some of the poorer attempts and what to avoid).
April 27th: GDPR: A New Road, Not a Roadblock
At a glance: Done right, GDPR introduces the possibility of a more meaningful, trust-based relationship between business and consumer. Under the legislation there are still mechanisms that will enable companies to use the personal data they gather from their customers.
At a glance: One month away, GDPR has more than half of global institutions frazzled over compliance. According to the legal professionals who participated in the survey, one of the Achilles’ heels for compliance preparedness is third-party vendors.
At a glance: Facebook CFO David Wehner yesterday warned that “we believe MAU (monthly active users) or DAU (daily active users) might be flat or down in Q2 due to the GDPR rollout.” He also said that while Facebook doesn’t expect a significant impact on ads from GDPR, there may be a slight impact and it “will be monitoring for that”.
At a glance: Google’s email service is adding the option to allow messages to become inaccessible after a set time as it prepares for tougher data privacy laws. A new “confidential mode” can also be used to stop recipients being easily able to forward, copy, download or print correspondence sent via Gmail. The new facilities are part of a wider revamp of the cloud-based service.
At a glance: An excellent piece on The Drum looking at what marketers and publishers can do if they haven’t yet prepared for GDPR. Spoiler alert: there is a lot. The overriding message is that it’s ‘not too late, but get a move on’.
At a glance: When asked whether the new GDPR rules would impact advertisers’ targeting abilities, Google CEO Sundar Pichai emphasized that Google still makes most of its money from search advertising, where the effect of personalization is minimal. However, Pichai’s answer skips over the other 20 percent of its advertising revenue, which comes from its Network Members’ properties.
At a glance: EU security commissioner says new regulations may have to be brought in if tech firms fail to tackle issues voluntarily. The code would include a pledge for greater transparency, including algorithm transparency. Not surprisingly, the proposed regulations have been criticised for undermining freedom of expression.
April 23rd: Europe’s new privacy rules are no silver bullet
At a glance: EU national watchdogs still face an uphill struggle to come to grips with their expanded regulatory role at a time when most of their budgets are still relatively small and they remain understaffed. According to Politico, Europe’s expanded privacy standards also will do little to stop companies from harvesting personal data.
April 23rd: Nine top GDPR tips for email marketing
At a glance: IT Pro’s must-read article underscores the need for marketers ‘not to panic’ and not ‘to try and re-obtain consent from their lists for life-long messaging’. According to Skip Fidura, Dotmailer client service director and non-executive director at the Digital Marketing Association, this is an unnecessary effort.
At a glance: The World Federation of Advertisers – which represents the likes of Unilever, Mars, Shell and Danone – is launching an initiative to create a data ecosystem that properly respects consumer choices and their right to control their own data and goes way beyond the requirements of GDPR.
At a glance: Facebook has moved more than 1.5 billion users out of reach of European privacy law, despite a promise from Mark Zuckerberg to apply the “spirit” of the legislation globally. Facebook will continue to book revenue through Facebook’s Irish office, but for privacy protections, users will deal with the company’s headquarters in California.
At a glance: Advertisers want to use location data in ad targeting, but they’re finding the coming enforcement of the General Data Protection Regulation is throwing a wrench in those plans. Some ad exchanges, for example, are reducing and redacting the information made available via their logs, according to some ad tech executives speaking to Digiday.
At a glance: An article in TechCrunch concludes that Facebook is ‘seeking consent from users in a way that’s not fair because it’s manipulative (which) means consent is not being freely given. Under GDPR, it won’t be consent at all.’ The piece emphasises why it’s important to comply with the spirit of GDPR, not just the technicalities.
At a glance: Facebook will no longer be able to process news feed posts for ad-targeting purposes, unless those posts are marked “public” or “friends of friends” because they tend to include what the GDPR defines as “special categories of data,” according to sources. Ethnicity, religious beliefs, political affiliation and sexual orientation are the kinds of data defined as special categories.
At a glance: According to a report on WABetaInfo, the latest version of WhatsApp for Android (2.8.113) will allow users to redownload older media files from the company’s servers. But it only seems to go back so far – beyond that users will be given a message asking the sender to re-send the media in question. According to Ian Woolley of Ensighten, “If WhatsApp, with the backing of Facebook, can’t easily provide access to a user’s historical content what can we expect of companies when it comes to even more complicated user consent compliance?”
April 17th: WTF is the CONSENT Act?
At a glance: Meanwhile, waiting in the wings in the U.S. is the Consent Act which has many parallels with GDPR. Its chances of making it through Congress are rated as ‘slim’ but following the Facebook uproar there may be renewed appetite among U.S. lawmakers for this to be ratified into legislation.
At a glance: If you need to call the regulator’s hotline (0303 123 1113 UK | +44 1625 545 700 RoW) don’t leave it too late. They are already getting 500 calls a day, with a wait time of half an hour.
At a glance: The spirit of GDPR is clear, but what that means practically is still unclear according to some participants at last week’s AdExchanger Programmatic I/O in San Francisco. A key event takeaway is that third party data hasn’t been killed stone dead, rather, “the data will just have to get cleaner out of necessity.”
April 16th: Google’s GDPR approach raises publisher concerns
At a glance: Further fallout from last week’s announcement that Google intends to become a controller of all the data on a publisher’s site. Not for the first time, publishers are viewing the move as “a commercial agenda that whilst wrapped up in a GDPR and privacy-language narrative, looks very much like large vendors seeking to steal ground.”
At a glance: Google’s proposed GDPR terms claim that it will be a “controller” of all the data on a publisher’s site (not just what they need to serve the ad). By declaring itself a controller over all the data on a publisher’s site, Google is asserting independent control of a publisher’s audience data. This is, essentially, a massive land grab by the already-dominant Google.
April 12th: What Does the EU’s GDPR mean for Blockchain?
At a glance: Publishers looking to make a foray into Blockchain could do worse than heed this warning from Washington DC think tank Coin Center, who say that blockchain technology may be ‘fundamentally incompatible with Europe’s new privacy laws’.
At a glance: On Monday, the ICO’s Elizabeth Denham said she plans to stick with the ICO’s existing approach to enforcement when the GDPR begins to apply. She describes enforcement as “a last resort” and says that “hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law.”
At a glance: Some publishers have concerns about what they regard as ambiguous terms in GroupM’s Data Protection Addendum, plus the agency group’s warning that it would likely cease trading with them if they didn’t sign the contract. A meeting has been organised in tandem with the AOP.
At a glance: In this outstanding missive, the author writes about GDPR as a concept in relation to media trends, and considers what this means for publishers’ editorial strategies. Spoiler alert: it’s big.
At a glance: Facebook has just promised to offer its users worldwide the same privacy controls as required under GDPR. To do this, it would need to provide its users with all the data that it has collected or created about them, including any categories, descriptions or assigned behaviour scores.
At a glance: The DMA is calling on the Information Commissioner’s Office to provide urgent guidance on how third-party data will be affected by GDPR, amid growing concerns that the industry could be caught in the cross-fire from the ongoing Cambridge Analytica data scandal. The DMA says the ICO has published “very little guidance for marketers as to how they can buy, share and use third-party data under GDPR” and insists it is crucial that the regulator “addresses the concerns of the industry”.
At a glance: Apple will roll out four privacy management tools that will provide users the ability to obtain a copy of their data, request a correction of data and deactivate account or delete the account. The tools, which will be available on the Apple ID account page, will be introduced in the EU in May and later rolled out globally.
Ian Woolley, Chief Revenue Officer at Ensighten comments, “Tim Cook, CEO of Apple, stands out for his unequivocal commitment and advocacy of consumer privacy. Trusted brands, such as Apple, will be rewarded with greater levels of opt-in consent, which will enable them to further develop consumer insights and customised experiences. In contrast, brands with questionable, historical data practices will see low rates of opt-in consent, which will increase their customer acquisition costs.
“In the new GDPR world it’s critically important for brands and publishers to understand that consumer trust is the new currency. Trust is built by design from the ground up, which includes how data is collected and shared within brands’ underlying website technologies, long before consent is ever granted.”