EU Publishers: Clean up your cookies or get burned by GDPR

The ticking clock on the General Data Protection Regulation (GDPR) website is a stark warning for digital publishers behind on preparations for the EU’s massive expansion of data privacy rules. The GDPR is coming, and soon.

Europe’s privacy laws are tightening even further, potentially limiting the data that publishers can collect and the ways they can collect it. The GDPR is technology neutral, but once again it’s the cookie that will be caught in the GDPR’s crosshairs. The GDPR has broadened the scope of personal data to include online identifiers, such as cookies and other identifying code (such as pixel fires or device fingerprinting). Cookies gathering user data without a lawful basis (e.g. consent) will fall on the wrong side of GDPR. That puts publishers at risk of potentially groundbreaking fines and penalties. That’s why we’ve prepared this guide to the three types of cookies to watch out for, and how publishers can manage them.

Third-Party Cookies

What are they? – These are the cookies dropped by third-party widgets and partners that run on publisher pages. Adtech vendors, social media share buttons, and other outside integrations all drop their own cookies to capture user-identifying data.

What’s the problem? – Under GDPR these third-party cookies are a publisher’s problem, even if the publisher is not obtaining the information that those cookies collect. Third-party cookies usually report back to the third-party vendor who supplied them, often only sharing a portion of that data with the host publishers. Despite this unequal relationship, publishers will be jointly liable—particularly as the consumer-facing collection mechanism—and can be fined under GDPR for the personal data they collect whether they know about it or not.

What’s the plan? – Like any good relationship, the key is to talk openly with your partner, discuss the new rules and agree on how data, if any, can be collected. For any partner that doesn’t seem to understand the seriousness of the situation or leaves you uneasy, consider the value of their functionality to your overall operation. It just might not be worth the risk. “We’re actively communicating with our partners like Facebook and Twitter as well as our technology vendors,” says Alexandre Atvan, director of technologies at LeMonde. “Most of our integrations are from large providers who are already making themselves compliant. Those that aren’t will have to be replaced or terminated.”

Overseas Cookies

What are they? These are the cookies dropped by vendors or publishers physically located outside of the EU that, given the global nature of business, can easily operate on EU-based publications. As a result, they may be designed to operate under a different set of privacy rules, i.e., those of their HQ country.

What’s the problem? The territorial scope of the GDPR means that the new rules will apply to companies targeting their goods or services at EU individuals and/or monitoring any individual’s behavior, regardless of the company’s location. While many US-based publishers and tech vendors explicitly ask users to accept cookies, these disclosures often don’t go far enough. Under GDPR, disclosures need to detail the type of data processing these cookies will perform, which entities have access to the cookie-collected information, and how the data is being secured.

What’s the plan? Documenting non-EU partners and understanding their data privacy requirements is a good first step. “We’re looking at updating our internal consent guidelines for any cookies that we’re serving in the EU,” said Mike Collis, digital product manager. “We operate different sites in the US and in Europe so a lot of that is just more localizing. We’re also looking for new vendors to make sure that our European sites are fully compliant. Some of our US partners aren’t prepared to make the shift so we’ll be modifying those relationships and finding new partners who are ready for the changeover.”

Shared Cookies

What are they? These cookies are used by publishers to monitor readers’ actions on publishers’ sites rather than follow them after they leave. They can capture which articles readers view, where they comment, and how they move from page to page, giving publishers a clearer idea of how audiences are interacting with their content.

What’s the problem? GDPR will potentially curtail user data collection even if the data is being used for internal purposes like UX design, rather than being fed to advertisers. In most cases, publishers will need to scale back these data collection operations, leaving them more in the dark about their users’ preferences and behavior, data many publishers have been using to improve their product.

What’s the plan? For now, most publishers are planning to live with their new blind spot. “We’re going to have to make inferences based on site traffic,” says Atvan. “It’s a step back in some ways, but we can still learn much from traffic numbers, bounce rates, and time on-page even if we are not able to track individual users.”

Conclusion

Ultimately, most publishers are confident that they can get their cookie culture reined in in time for the GDPR transition, but they emphasized that preparation has been time-consuming. Most began assessing their readiness shortly after the GDPR measure was adopted in April of 2016, and started taking active steps to prepare in the later part of last year.

The key aspect of GDPR compliance is knowing WHO is executing on your site, WHAT activities they are performing and WHETHER you approve these actions. This means publishers need to start speaking with partners, analyzing their cookie ecosystem, and making the necessary changes to internal technologies and external partners now if they don’t want to face steep fines when the GDPR clock runs out in May of 2018. Tick, tick, tick.
