The scramble to get businesses ready for the enforcement of the General Data Protection Regulation in May has led to a whirlwind of internal committees and strategy meetings. Legal teams are being wheeled out to explain the finer nuts and bolts of the new law, while publishing execs crane their necks to see what peers are doing.
But developing concrete plans of action is tough. That’s largely because there are still so many areas of the law that can be widely interpreted. The Information Commissioner’s Office is releasing details and guidance on the areas that are still vague, but in a piecemeal fashion. Some publishers and ad tech businesses feel like they’re in limbo, unable to push the button on action plans while they await details on how the law will be enforced. It’s a concern already voiced by the marketing side of the industry.
“It’s very hard to strategize before the next [ICO] guidance is out because we don’t know what the permissions are going to be,” said a publisher for a national newspaper who spoke on the condition of anonymity. “Companies like Google and Facebook are making a big PR play of being compliant, but we don’t know what that looks like yet. We need to go about getting those permissions [for consumer consent] without obliterating our user base,” this person said.
The ICO has recently released additional guidance on areas like user profiling and under what conditions consent will be required. But it has yet to issue further guidance on other areas where consent will be needed and what kinds of data processing will be acceptable under the new law. The final guidance is expected in December — leaving little time to implement.
That’s not to say publishers are sitting on their hands. As News UK’s chief data privacy officer Robert Streeter said in September at Rubicon Project’s Automation event, waiting around for additional guidance from the ICO isn’t the best move — there are other ways to push forward. Many have appointed chief privacy officers, and some publishers are already looking at messaging which would be used to inform users about consent.
“As long as you can demonstrate you have an audit trail that shows compliance plans, that’s the main thing,” said Charles Yardley, gm for strategic partnerships for Forbes Europe. “Everyone is in the same boat with this.”
But for some, the GDPR has become a bit of a hot potato, with vendors passing the compliance buck back to publishers. One bone of contention stems from the fact that a publisher will share liability if a vendor within its digital ad supply chain passes on that publisher’s data without the vendor itself having obtained consumer consent. In turn, some vendors are not taking much action, believing the onus is on the publisher to “fix it” and incorporate consent for the third-party vendors they use.
“It is all rather confusing now, as no one is fully sure how it should be interpreted. There’s a lot of uncertainty,” said another publishing exec.
Ensuring compliance throughout the supply chain is just one element that needs to be addressed. Publishers are also whiteboarding scenarios in which they must create totally different technology infrastructures and digital offerings that are appropriate for people who say they don’t want to give consent for their data to be used in exchange for personalized news. Publishers will need to come up with more vanilla, less personalized news services.
Some publishers have expressed concerns that they’ll be out of step with the rest of the industry in their interpretation of the law. Some may interpret the law strictly and switch off all their marketing, wipe their cookies, start over with a clean slate and then ask users politely for consent. Others could explore ways to get automated consent and then allow users to opt out easily. “Because of how broad the interpretation is, you could find you end up going one way and the industry going in another,” said a publishing exec.