Navigating the Changing Landscape of Data Privacy Post GDPR

Nov 22, 2019


BEST PRACTICES SERIES

Article ImageWith the advent of the EU’s General Data Protection Regulation (GDPR) and scandals like Cambridge Analytica, data privacy has entered the mainstream conversation, resulting in new laws and regulations that have major business implications for digital publishers. Post-GDPR publishers have seen issues around data collection and processing grow as a result. This new regulatory reality coupled with strong consumer sentiment for data protection and privacy is driving publishers to adapt their data management strategies.

The current alphabet soup of legislation – GDPR and CCPA (California Consumer Privacy Act) – is just the tip of the iceberg when it comes to the landscape of data laws in the U.S. and abroad.  Maine and Nevada recently enacted data privacy laws, and other states including Colorado, New York, North Dakota, Hawaii, Maryland, Massachusetts, Mississippi, and New Mexico have introduced privacy legislation. Also looming on the horizon are several proposed federal regulations aimed at protecting consumer privacy. 

Publishers that collect consumer data have skin in the game and will need to ensure that their data collection and security measures align with these emerging regulations. However, this may be easier said than done because each of these regulations contains their own nuances. For example, the GDPR addresses personal information related to an identified or identifiable individual, while the CCPA seems to have a slightly broader application by including information that could also be linked to a household.

While publishers have been dealing with the impact of GDPR for more than a year, many in the industry will, therefore, need to evolve their data protection and security to comply with the regulations of the CCPA, which goes into effect in January 2020. Under CCPA, a publisher does not need to be located in California for the law to apply to them. The law extends to any for-profit entities doing business in California that:

  • Realize annual revenues of over $25 million,
  • Receive information of over 50,000 (California) consumers, households, or devices annually, or
  • Obtain half of their annual revenue from selling personal information.

Publishers meeting any or all of these criteria will be affected by the law. Specifically, publishers that collect data to track ad performance will be required to reveal the type of data being collected, how it’s being used, and how it’s being stored. Complying with CCPA will also require publishers to provide consumers with an opt-out to withdraw consent from having their data collected, used, sold, or stored.

Industry reaction to CCPA and the changing landscape of data privacy and security regulations will likely vary as it did with GDPR. Some publishers reacted to GDPR by using paywalls, while others took an entirely different approach. Two months after GDPR became effective in May 2018, more than 1,000 U.S. publishers and websites blocked European traffic to avoid the risk of fines. But with more governments moving toward enacting privacy legislation, blocking users is clearly not a sustainable solution.

Indeed, the conversation around data privacy is just getting louder. According to a study last year by GlobalWebIndex, 62% of consumers surveyed in North America are concerned about the internet eroding their personal privacy and 65% are worried about how their personal data is being used by companies.

A survey by Akamai Research found that 66% of those surveyed would support “GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security, and control of their personal data.” Policymakers, aware of growing consumer sentiment on privacy, are responding by continuing to enact data protection measures.

What can publishers do in this environment of increasing regulation and consumer privacy concerns?

Implementing consent programs is a good starting point for publishers to build trust with audiences and deal with the regulatory landscape. As part of obtaining this consent, and in order to help consumers make informed decisions, publishers should share how reader data is collected and used and then make it easy for readers to set data preferences. It is also important for publishers to ensure they have strong processes in place for tracking data use, deleting consumer data, and fulfilling opt-out requests. Publishers that meet the more demanding consumer expectations for transparency around the collection and use of their data will be in the best position to sustain long-term relationships with their readers.

Once proper consents are obtained, publishers can then better leverage their special brand relationships with readers by directly asking for and collecting first-party information relevant to serving up appropriate and perhaps even personalized content. This can even be done using artificial intelligence and machine learning. Rather than relying on second- or third-party data or unique ad identifiers, first-party data is more reliable and safer to handle from a data privacy standpoint.

Finally, publishers should shift from simply trying to grow their reader base at any cost to instead developing more meaningful, controlled relationships. The future of publishing is high quality, low but regular quantity, and personal engagement. In this future, the reader’s experience matters, more is not necessarily better, and engagement is the relationship.  Shifting this focus to readers who care will make it easier to adapt data management strategies and stay in compliance with privacy regulations.   

GDPR and new laws like CCPA and other state regulations under consideration present major compliance challenges and business impacts for the publishing industry. For publishers to thrive in this post-GDPR world, they will need to shift control of the data they collect so that it resides more in the hands of their readers. While regulatory compliance is driving more and more companies to update their processes on the collection and use of data, publishers should also consider consumer goodwill and brand trust as two very compelling reasons for taking privacy seriously and allowing readers to ultimately have more control over the collection and use of their personal data.


Related Articles

Many companies still aren't in full compliance with GDPR, meanwhile, some are calling for a federal U.S. data privacy law. Those who continue to dismiss the regulations do so at increasing peril to their business.
We are still in the early days of privacy regulations. It is unclear how these new rules will be interpreted and enforced, but brands may have more to fear from the CCPA and an upcoming New York bill.
Popular headlines would lead us to believe that cyberattacks are the most prevalent security-related threat. However, companies are actually 50% more likely to suffer a business loss from inadequate document governance than a digital data breach.