California’s privacy law will force publishers to be more upfront about subscriber data sales
Another obstacle is coming at print media.
Magazine and newspaper publishers that sell their subscribers’ data to other companies will be pressed to make changes to those businesses when California’s recently passed privacy law takes effect in January 2020. At minimum the law will compel those publishers to be more upfront about their subscriber data sales practices and to provide new opt-out options to their subscribers.
When California’s privacy law takes effect in January 2020, companies that sell people’s personal information will need to feature a “Do Not Sell My Personal Information” link on their websites’ home pages and to let people opt out of their information’s sale through the site. Since the law applies to any company that makes more than $25 million a year in gross revenue or that buys, sells or shares the personal information of at least 50,000 people or devices, it will likely concern many of the major publishers that sell their subscribers’ data. That will force a change for publishers that typically disclose their data sales practices within their privacy policies and compel people to make their opt-out requests through the mail or email.
Publishers including The New York Times, Meredith and Condé Nast state in their privacy policies that they sell or rent their subscribers’ information to other companies for those companies’ own marketing purposes; the California privacy law considers renting to be the same as selling. Those companies do not explicitly disclose that practice on their online subscription sign-up forms; instead they link to their privacy policies. (Of those three publishers, only Meredith lets people opt out through an online form; The New York Times and Condé Nast require people to submit their opt-out requests through the mail or email.)
A spokesperson for The New York Times said the company is reviewing potential changes it may make to comply with the California privacy law. A Condé Nast spokesperson declined to comment and a Meredith spokesperson did not respond to a request for comment by press time.
“In the same way that GDPR necessitated that data controllers be more explicit about their collection consent policies, media that are actively reselling first party subscriber data should consider a similar approach. Giving consumers a direct means to understand where their data has been sold and request stoppage is one thing, but the more proactive step is to be more transparent at the point of purchase rather than requiring users to do the heavy lifting to seek this out,” said Jed Williams, chief innovation officer at the Local Media Association.
California’s privacy law isn’t the first law in the U.S. or even California to affect publishers’ data-selling businesses. A law passed in California in 2003 called the “Shine The Light” law gave people a way to request what information companies share for direct marketing purposes and with whom, though it exempted companies that provide an opt-out option in their privacy policies. And a 20-year-old Michigan law, the Video Rental Privacy Act, restricts certain companies including magazine publishers from selling subscribers’ information without consent or without providing notice.
Within the past month, both Hearst and Time Inc. (now owned by Meredith) have agreed to settle multimillion-dollar class-action lawsuits that alleged the publishers violated the law by selling the personal information, such as names and mailing addresses, of Michigan residents who subscribed to the companies’ respective magazines. Hearst and Time Inc. are only the latest publishers to agree to settle lawsuits for allegedly violating the Michigan law. In 2016 Rodale (now owned by Hearst) reached a similar agreement. Conde Nast has also been hit with a lawsuit for allegedly violating the Michigan law; that litigation is ongoing.
However there may be a loophole in the California law for publishers that only sell people’s names and mailing addresses, though taking advantage of that loophole would require jumping through some hoops.
“The interesting thing about the California law is it exempts data that’s already out in the public domain,” said Debbie Reynolds, data privacy officer and director of eDiscovery at law firm Eimer Stahl. For example, if a person posts something about their birthdate as a public post on Facebook or Twitter, “in theory companies could argue that really isn’t private information because it’s publicly available someplace else,” she said.
If California’s attorney general, who is charged with enforcing the state’s privacy law, upholds that theoretical interpretation, then publishers selling California subscribers’ names and mailing addresses may be able to skirt around the law if those names and addresses are found in public records. According to Reynolds, if a person has purchased a home or donated to a political campaign, their name and address are likely to be in the public domain. Of course publishers would have to take pains to ensure that they only sell the names and addresses of subscribers whose information is in the public domain, and even then they would be in uncertain territory.
“There isn’t a precedent because there was never a law related to it,” said Reynolds. She added, “No one up to this point in the U.S. has argued that someone’s address is private information.”
More in Media
Digiday+ Research: Publishers’ programmatic revenue didn’t shake out the way they’d hoped, but it’s still a bright spot
Digiday+ Research found that publishers’ programmatic ad revenue didn’t quite live up to expectations this year, but they still see it as a growth area.
For a couple of publishers, referrals from Google are down upwards of 60%.
Lacking financial incentives, sustainability remains a hope, not a promise, in digital advertising next year
Reducing carbon emissions from the digital ad ecosystem is an important priority, but various players are skeptical that much can — and is — being done to practice sustainability.