GDPR is leaving publishers with a newsletter list problem

Dear American publishers that think they will be fine when the General Data Protection Regulation takes effect next month: Check your email.

As brands, agencies and publishers scramble to get their data collection, usage and storage situations in line with European regulations, few have gotten their email newsletter subscriber operations into a GDPR-compliant state, either by securing affirmative consent for use of subscribers’ data or by updating their email onboarding process so people give consent when they subscribe.

Some haven’t done it because they have their hands full with other facets of GDPR compliance. Others haven’t because they’re still trying to figure out if their current situations are, in fact, acceptable under the regulations. Others are waiting for third-party providers to deliver tools to help navigate the problem. Still others are reluctant to do anything that could put a meaningful dent in their newsletter subscriber counts.

“This is definitely a risk,” said Brad Schorer, the president and CEO of data and marketing consultancy Digital Segment. “They need to prepare to have the steps in place to allow for their readers to opt out of the newsletter and/or be able to produce the level of detail on them that the publisher has in house.”

A common misconception about the GDPR is that it is for European companies. In fact, the GDPR covers any company that collects data from European Union citizens, which is to say most every publisher. Publishers have liability if they have any EU citizens on their email newsletter lists. Under GDPR rules, publishers must be able to point to a specific date when a reader affirmatively consented to have their data used by publishers. That covers all email subscribers, not just those acquired after the GDPR takes effect on May 25.

Most publishers don’t have those dates on file, particularly for email subscribers they’ve had for years, which presents them with an uncomfortable choice: Send an email asking European newsletter audiences to opt back in, risking a percentage of their subscriber base dropping out, or do nothing and hope the law is enforced for bigger violations.

“Any communication to consumers always entails the possibility of losing readerships due to opt-outs for any number of reasons,” Schorer said.

Many publishers also have to figure out how to get readers to actively consent, a break from the user experience templates that readers have been trained to expect in recent years. “It’s difficult to funnel people into signing up as it is,” said one source who oversees newsletter operations at one large publisher. “Now, we have to go completely out of the way to make sure consent is explicit by not having pre-checked boxes. Users have learned behavior that assumes boxes will be checked, and now we will have to teach them new behavior.”

The GDPR, to this point, has been a worry for European publishers, which have been busy hiring data protection officers and trying to build unified login systems to minimize shock when the regulations are enforced. As the May 25 enforcement date has drawn closer, fears among European publishers have subsided a bit, according to Digiday Research.

Yet many American publishers draw sizable chunks of their audience from outside the U.S. Just over 10 percent of The Washington Post’s digital subscriber base, for example, is based abroad. The New York Times said 14 percent of its 2.6 million digital subscribers reside abroad, though that number does not exactly correspond with its 13 million email newsletter subscribers; the Times does not break out the country of origin of newsletter subscribers.

Some publishers are trying to be proactive, despite the minimal risk to their business from being GDPR-compliant. At Morning Brew, a business-focused newsletter publisher with 180,000 subscribers and an open rate that hovers around 45 percent, just 3 percent of its subscriber base resides in Europe. But the company decided to add a double opt-in system to its newsletter onboarding program, in part because it minimizes bad actors taking advantage of its referral program and in part because it sees upside in adapting its system in ways that emphasize transparency and privacy.

Morning Brew is still trying to confirm that every facet of its business is GDPR-compliant, but it said it expects to be by next month. “The way we justified it is we need to do right by our readers,” Morning Brew co-founder Alex Lieberman said.

More in Media

climate change revenue

Lacking financial incentives, sustainability remains a hope, not a promise, in digital advertising next year

Reducing carbon emissions from the digital ad ecosystem is an important priority, but various players are skeptical that much can — and is — being done to practice sustainability.

Google’s 2024 cookie deprecation deadline is still on, says vp of global advertising Dan Taylor

Google’s vp of global ads is confident that cookies will be gone from Chrome by the end of next year, despite all the challenges currently facing the ad market.

Mythbuster: How the inconsistent definition of click-through rates affects publishers and their advertisers

Some email newsletter platforms’ click-through rates are actually click-to-open rates, which are measured against the number of emails opened rather than the emails sent. But buyers seem to prefer it that way.