The General Data Protection Regulation is looming, and for many publishers, it’s a mad scramble to get their sites compliant before the enforcement date on May 25. That’s when they have to start asking European visitors for permission to collect and use their data, or risk running afoul of the EU privacy law.
Some U.S. publishers with small European audiences and businesses are considering dealing with the issue by just blocking European IP addresses outright from accessing their sites. The thought: Why even bother with the risk of fines that could total 4 percent of global revenue.
“There’s a lot of things within GDPR that are kind of vague,” Roberts said. “Seeing what our competitors are doing will be helpful to seeing what is absolutely necessary. Blocking gives us some time.”
It’s an option Chris Tolles, CEO of entertainment news site Topix, is also considering. With a monthly reach of 22.3 million unique visitors, Topix gets more than 10 percent of its revenue from the U.K., revenue he doesn’t want to lose. But the rest of Europe isn’t necessarily worth the cost because high ad-blocking rates in countries like Germany make it hard to monetize those audiences. “It’s a rounding error for a lot of people,” he said.
Tolles admitted that blocking Europeans is a “pretty extreme” step, but he has some experience here. “It’s easy to block people by IP address,” Tolles said. “I’ve blocked most of Africa, Asia, most of the nations that cause me problems legally or from a spam or scam standpoint already. I’ve already blocked most of the former Soviet Union.”
Tom Sly, svp of digital revenue at local broadcaster E.W. Scripps Co., said Scripps has been working for the past eight months to get compliant with GDPR. But if Scripps doesn’t think it can get compliance across the board, it’ll block EU IP addresses. GDPR has sowed a lot of uncertainty about what it means to be compliant, and “the back-end data piece is a little scary,” he said. “Some would look at it as an extreme step, but we’re serious about compliance.”
Even here, though, there are unknowns. Some think publishers that sell programmatically will be required by their ad networks to be GDPR-compliant, as Google has said. “Every ad network is saying, ‘Here are set of things you have to do,’” Tolles said. Another view is that no vendor could really argue that publishers would need to get consent on non-EU traffic, though. Another concern is that filtering out EU IP addresses could slow down site speed and cut into audience, even if the impact is slight.
Some of these publishers are resting on the widely accepted assumption that if they’re not marketing directly to visitors in the EU, they shouldn’t have to comply. Chris Pedigo, svp of government affairs at Digital Content Next, a trade association for digital publishers, sees this approach as plausible, but not a long-term solution. It comes down to publishers’ business models and what “marketing” means to the EU enforcers.
“It’s an interesting approach, but I don’t think it’s long-term strategy,” he said. “Because long term, you wouldn’t want to shut out your ability to be in that marketplace. Also, other countries will follow suit; they tend to follow suit.”
Download Digiday’s official guide to GDPR for checklists, research and more that you’ll need to know before May 25.