Mixed signals from GDPR regulators spark industry confusion
It seems it isn’t just publishers and advertising companies that have interpreted the General Data Protection Regulation widely, but regulators too.
Media industry executives are becoming increasingly worried that the data protection authorities (DPAs) of the 28 European Union countries are interpreting and enforcing GDPR very differently. That could result in further uncertainty, confusion and result in higher costs for those businesses attempting to comply with multiple interpretations, according to privacy experts.
“It’s frustrating that DPAs across the EU have different interpretations of the same law,” said Matthias Matthiesen, director of privacy and public policy for the Interactive Advertising Bureau Europe. “The point of the GDPR is that the law is the same across the EU.”
Austrian publishers were recently thrown a bone by the country’s data protection authority when it dismissed a complaint against an online media publisher over its GDPR consent approach. The publisher, which wasn’t named fully in the DPA’s ruling, has created a paid-subscription offer of €6 ($7) per month for users who don’t want their data to be used for any advertising and tracking purposes. The publisher provides two other options: Users can browse all content for free in exchange for giving consent to being served personalized ads, or they can have partial access to content in return for giving consent.
The Austrian DPA deemed this approach totally fine and dismissed the complaint, citing the importance of publishers being able to maintain advertising revenue models. The regulator also stated that the €6 charge per month wasn’t regarded as high enough to be prohibitive for users. Other major Austrian publications including derStandard.at also use the paid model in return for no tracking.
In the U.K., however, the Information Commissioner’s Office has taken a stricter stance on the Washington Post’s consent strategy, which offers a $9 per month premium subscription option for users who don’t wish to be served personalized ads, and only partial access to content in exchange for consent.
The ICO hasn’t published an official ruling against the Washington Post but sent a letter informing the publication that the current approach is in breach of GDPR, according to the ICO. In its letter, the ICO stated: “The Washington Post has not offered a free alternative to accepting cookies on their website, and therefore in this case consent cannot be freely given and is invalid.”
The question of whether a publisher can block site access in return for consent, or give users a no-tracking option in exchange for a micropayment under GDPR, has been debated for some time. The GDPR states clearly that user consent must be freely given as well as specific, unambiguous and informed. The ICO has determined that in the Washington Post’s case, users shouldn’t have to pay not to be tracked.
In its letter, the ICO requested that the Washington Post improve its information rights practices and ensure its website users have the option to access all levels of subscription without having to accept cookies.
Although the two cases are subtly different (the Austrian publication does provide an option where users can have partial access in return for not giving consent, whereas the Washington Post has no free non-consent option), the different stances have concerned privacy experts. “This [Austrian] model looks very much comparable model with what WashPost is offering, which means that the two DPA decisions refer to comparable cases with contradictory results,” said Oliver von Versch, Hamburg-based publisher consultant.
“The fundamental change within the EU is that they are defining privacy as a ‘human right,’ which means that the concept of using privacy as a form of currency is illegal,” said Thomas Baekdal, Denmark-based publisher consultant. In other words, site visitors should be allowed to read all the free content regardless of whether they have given consent or not. “It seems pretty clear that publishers can’t do ‘give up your privacy or pay us,’” added Baekdal.
The European Data Protection Board, formerly known as the Article 29 Working Party, comprises the 28 EU regulators, is intended to help ensure DPAs align. The aim of this group is to provide consistency and discuss country-specific DPA decisions such as those made by French regulator CNIL last November. If a company operates across multiple countries, each with a DPA that has taken a different interpretation, the EDPB’s “consistency mechanism” kicks in, according to Matthiesen. However, no official clarification has yet been issued by the EDPB on how to resolve any discrepancies in approach. Digiday contacted the EDPB and will update this story if it responds. The ICO didn’t want to comment on another regulator’s decision until it had time to examine it in full.
Ultimately it’s the Court of Justice of the European Union, which gets the final say on any DPA opinion and decision. However, that can be a very lengthy process which could take years to be finalized, according to Matthiesen.
Cheat Sheet: How Shopify’s one-click checkout expansion could help Facebook, Google compete with Amazon
Shopify's Shop Pay option will compete with Amazon’s one-click buying button, potentially making it an even bigger competitor to the e-commerce giant.
BuzzFeed will finally monetarily reward its Community users for their viral quizzes, lists
BuzzFeed is testing to see if user-generated content could identify new areas of coverage for its staff, and bring in niche audiences, with a new summer program that could pay a contributor up to $10,000 for a viral post.
The TV upfront marketplace is moving along at breakneck speed, and eye-popping ad-rate increases
The TV upfront marketplace is wrapping up at a fast clip, with media buyers paying significant increases to secure ad time for their clients.
SponsoredHow three top brands transformed their video ad strategies to follow the views
Brian Albert, managing director, U.S. Agency and Brand Solutions, Google Video watch time, particularly for streamed content, is booming. In December 2020 alone, over 120 million Americans streamed YouTube or YouTube TV on their TV screens. Many advertisers are meeting consumers where they are by reinvesting in digital video. In particular, these three brands transformed […]
Amazon is blocking Google’s FLoC — and that could seriously weaken the fledgling tracking system
Amazon's under-the-radar move could be a significant blow to FLoC targeting performance and give Amazon a leg up in its own ad sales and targeting efforts.
How the Betches founders turned a blog into a multi-platform media company for young audiences
For Betches, there is more real estate in the millennials demographic to grow its audience, but with Gen Zers making up a large portion of the internet, platform growth strategy is top focus for expansion.