The European Commission passed a new law Thursday after four years of discussion. While the law gives European citizens more control over what happens to their data, it also means headaches for publishers and advertisers, who are increasingly relying on data for ad targeting.

Under the General Data Protection Regulation (GDPR), all companies will be required to gain consent from individuals before collecting their data. Users will be notified that the company wants to use their data and what it wants to use it for. They will be told that they have the right to refuse parting with their personal information.

The new laws will go into effect in 2018, and companies that fail to comply will face eye-watering fines of €20 million ($28.4 million) or up to 4 percent of global revenues.

The Association of Online Publishers (AOP) led a forum, chaired by Nick Stringer, former head of public policy at the IAB U.K., on what the new data rules mean for publishers. Hearst, Time Inc., The BBC, Dennis, Telegraph, ESI Media, The Guardian and Condé Nast were all on hand. Many in the room in London’s Courthouse Hotel were just taking the first steps toward understanding the minutiae of the law.

Simon Morrissey, partner at law firm Lewis Silkin, provided some comfort to the publishers who were in attendance. “If you’re complying with current guidance, you’re in a pretty good place,” he said. Morrissey and others urged publishers to understand what data they already have and to keep up to speed with their national data protection body, which in the U.K. is the Information Commissioner’s Office (ICO).

Here are some other key takeaways for publishers:

Publishers could block content from people who don’t give up their data
Geoff Richards, head of data analytics and insight at Condé Nast, asked the experts whether there’s a limit on the leverage a publisher could apply should users refuse to part with data. “Can I say, ‘Sorry you can’t view my website if you don’t agree’?”

While Morrissey said that consent must be freely given, not coerced, this wasn’t a breach of the rules. “But I would say that it wouldn’t make business sense.” Instead he suggested offering a tiered approach, a light service for less valuable data, so as to be “pro-actively encouraging the data exchange.”

“This will be an area of dispute — the freedom of choice versus getting things you want,” added Iain Bourne, group manager at the ICO.

Companies need historic consent
Not only will publishers need to get permission from readers starting in 2018, but companies will need to get renewed permission from people they already have profiles on.

“Don’t fear it,” said Morrissey. “Re-permissioning is a good thing; it’s how you do it. The best execution I’ve seen is by Lords MCC [Marylebone Cricket Club]. It’s very granular, and goes down to a lot of detail.” Privacy notices must be concise, transparent, intelligible, easily accessible and in plain language, he said.

This has international jurisdiction
It may be a European law but it has global impact, said Bourne. “It’s who you are processing data on, not where you are situated,” he added.

“If companies are funnelling any activity into Europe aimed at monitoring European residents, they are caught by these regulations,” said Morrissey, explaining that Google, Facebook and other corporations won’t be immune. Even if the U.K. leaves the European Union, the law will still apply to British publishers. They will simply have little to no influence on how the laws are interpreted or enforced.

Expect more publisher co-ops
Dominic Perkins, commercial development director at Time Inc., asked if it makes more sense for publishers to create data co-ops, creating a single identifier in order to be more transparent, and sharing that among them.

Probably, answered Yves Schwarzbart, acting head of policy and regulatory affairs at the IAB U.K. “Simplifying the data processes is in everyone’s interests,” he said. “It needs to start with someone.”
