Dear American publishers that think they will be fine when the General Data Protection Regulation takes effect next month: Check your email.
As brands, agencies and publishers scramble to get their data collection, usage and storage situations in line with European regulations, few have gotten their email newsletter subscriber operations into a GDPR-compliant state, either by securing affirmative consent for use of subscribers’ data or by updating their email onboarding process so people give consent when they subscribe.
Some haven’t done it because they have their hands full with other facets of GDPR compliance. Others haven’t because they’re still trying to figure out if their current situations are, in fact, acceptable under the regulations. Others are waiting for third-party providers to deliver tools to help navigate the problem. Still others are reluctant to do anything that could put a meaningful dent in their newsletter subscriber counts.
“This is definitely a risk,” said Brad Schorer, the president and CEO of data and marketing consultancy Digital Segment. “They need to prepare to have the steps in place to allow for their readers to opt out of the newsletter and/or be able to produce the level of detail on them that the publisher has in house.”
A common misconception about the GDPR is that it is for European companies. In fact, the GDPR covers any company that collects data from European Union citizens, which is to say most every publisher. Publishers have liability if they have any EU citizens on their email newsletter lists. Under GDPR rules, publishers must be able to point to a specific date when a reader affirmatively consented to have their data used by publishers. That covers all email subscribers, not just those acquired after the GDPR takes effect on May 25.
Most publishers don’t have those dates on file, particularly for email subscribers they’ve had for years, which presents them with an uncomfortable choice: Send an email asking European newsletter audiences to opt back in, risking a percentage of their subscriber base dropping out, or do nothing and hope the law is enforced for bigger violations.
“Any communication to consumers always entails the possibility of losing readerships due to opt-outs for any number of reasons,” Schorer said.
Many publishers also have to figure out how to get readers to actively consent, a break from the user experience templates that readers have been trained to expect in recent years. “It’s difficult to funnel people into signing up as it is,” said one source who oversees newsletter operations at one large publisher. “Now, we have to go completely out of the way to make sure consent is explicit by not having pre-checked boxes. Users have learned behavior that assumes boxes will be checked, and now we will have to teach them new behavior.”
The GDPR, to this point, has been a worry for European publishers, which have been busy hiring data protection officers and trying to build unified login systems to minimize shock when the regulations are enforced. As the May 25 enforcement date has drawn closer, fears among European publishers have subsided a bit, according to Digiday Research.
Yet many American publishers draw sizable chunks of their audience from outside the U.S. Just over 10 percent of The Washington Post’s digital subscriber base, for example, is based abroad. The New York Times said 14 percent of its 2.6 million digital subscribers reside abroad, though that number does not exactly correspond with its 13 million email newsletter subscribers; the Times does not break out the country of origin of newsletter subscribers.
Some publishers are trying to be proactive, despite the minimal risk to their business from being GDPR-compliant. At Morning Brew, a business-focused newsletter publisher with 180,000 subscribers and an open rate that hovers around 45 percent, just 3 percent of its subscriber base resides in Europe. But the company decided to add a double opt-in system to its newsletter onboarding program, in part because it minimizes bad actors taking advantage of its referral program and in part because it sees upside in adapting its system in ways that emphasize transparency and privacy.
Morning Brew is still trying to confirm that every facet of its business is GDPR-compliant, but it said it expects to be by next month. “The way we justified it is we need to do right by our readers,” Morning Brew co-founder Alex Lieberman said.