Mixed signals from GDPR regulators spark industry confusion
It seems it isn’t just publishers and advertising companies that have interpreted the General Data Protection Regulation widely, but regulators too.
Media industry executives are becoming increasingly worried that the data protection authorities (DPAs) of the 28 European Union countries are interpreting and enforcing GDPR very differently. That could result in further uncertainty, confusion and result in higher costs for those businesses attempting to comply with multiple interpretations, according to privacy experts.
“It’s frustrating that DPAs across the EU have different interpretations of the same law,” said Matthias Matthiesen, director of privacy and public policy for the Interactive Advertising Bureau Europe. “The point of the GDPR is that the law is the same across the EU.”
Austrian publishers were recently thrown a bone by the country’s data protection authority when it dismissed a complaint against an online media publisher over its GDPR consent approach. The publisher, which wasn’t named fully in the DPA’s ruling, has created a paid-subscription offer of €6 ($7) per month for users who don’t want their data to be used for any advertising and tracking purposes. The publisher provides two other options: Users can browse all content for free in exchange for giving consent to being served personalized ads, or they can have partial access to content in return for giving consent.
The Austrian DPA deemed this approach totally fine and dismissed the complaint, citing the importance of publishers being able to maintain advertising revenue models. The regulator also stated that the €6 charge per month wasn’t regarded as high enough to be prohibitive for users. Other major Austrian publications including derStandard.at also use the paid model in return for no tracking.
In the U.K., however, the Information Commissioner’s Office has taken a stricter stance on the Washington Post’s consent strategy, which offers a $9 per month premium subscription option for users who don’t wish to be served personalized ads, and only partial access to content in exchange for consent.
The ICO hasn’t published an official ruling against the Washington Post but sent a letter informing the publication that the current approach is in breach of GDPR, according to the ICO. In its letter, the ICO stated: “The Washington Post has not offered a free alternative to accepting cookies on their website, and therefore in this case consent cannot be freely given and is invalid.”
The question of whether a publisher can block site access in return for consent, or give users a no-tracking option in exchange for a micropayment under GDPR, has been debated for some time. The GDPR states clearly that user consent must be freely given as well as specific, unambiguous and informed. The ICO has determined that in the Washington Post’s case, users shouldn’t have to pay not to be tracked.
In its letter, the ICO requested that the Washington Post improve its information rights practices and ensure its website users have the option to access all levels of subscription without having to accept cookies.
Although the two cases are subtly different (the Austrian publication does provide an option where users can have partial access in return for not giving consent, whereas the Washington Post has no free non-consent option), the different stances have concerned privacy experts. “This [Austrian] model looks very much comparable model with what WashPost is offering, which means that the two DPA decisions refer to comparable cases with contradictory results,” said Oliver von Versch, Hamburg-based publisher consultant.
“The fundamental change within the EU is that they are defining privacy as a ‘human right,’ which means that the concept of using privacy as a form of currency is illegal,” said Thomas Baekdal, Denmark-based publisher consultant. In other words, site visitors should be allowed to read all the free content regardless of whether they have given consent or not. “It seems pretty clear that publishers can’t do ‘give up your privacy or pay us,’” added Baekdal.
The European Data Protection Board, formerly known as the Article 29 Working Party, comprises the 28 EU regulators, is intended to help ensure DPAs align. The aim of this group is to provide consistency and discuss country-specific DPA decisions such as those made by French regulator CNIL last November. If a company operates across multiple countries, each with a DPA that has taken a different interpretation, the EDPB’s “consistency mechanism” kicks in, according to Matthiesen. However, no official clarification has yet been issued by the EDPB on how to resolve any discrepancies in approach. Digiday contacted the EDPB and will update this story if it responds. The ICO didn’t want to comment on another regulator’s decision until it had time to examine it in full.
Ultimately it’s the Court of Justice of the European Union, which gets the final say on any DPA opinion and decision. However, that can be a very lengthy process which could take years to be finalized, according to Matthiesen.
How BuzzFeed’s Creator Score is grading the impact of its creator network
BuzzFeed's Creator Network is a primary focus in 2023 for the publisher, and its campaign grading tool is being used to prove out its ability to create successful ads.
In graphic detail: Google’s Ads Safety Report shows suspect ad activities are on the rise
Google's ad transparency efforts detail how bad actors necessitate further investment.
Media Briefing: Publishers share their biggest challenges and opportunities at the Digiday Publishing Summit
While Q1 ad revenue, sales cycles and payment windows appeared to be equally bad across the media industry, bright spots arose around consumer revenue streams, new tech experimentation and traffic patterns.
SponsoredHow critical data pillars will increase brands’ confidence in CTV
Mario Diez, CEO, Peer39 With every quarter, the balance of TV viewership slips away from the traditional linear model and more towards connected TV. Less than half of the adults in the U.S. subscribe to cable or satellite, and fewer than half of the households watched linear TV daily in the second half of 2022. […]
The AMERICA Act spotlights Capitol Hill’s ingrained antipathy for Big Tech
A reprised version of the Competition and Transparency in Digital Advertising Act spells trouble for double-sided marketplaces.
How Dotdash Meredith worked through the challenge of integrating two major publishers’ tech stacks
At the Digiday Publishing Summit, Dotdash Meredith product chief Adam McClean shared why he had initially expected the integration to be done by summer 2022 and why the work is still ongoing.