Nieman Foundation at Harvard
May 3, 2018, 11:26 a.m.
Reporting & Production

Europe’s General Data Protection Regulation is coming May 25. How have news publishers prepared?

What is it? Why is it happening? Who does it affect? Who does it benefit? What work does becoming compliant with this law involve?

The maximum penalty for breaking Europe’s coming General Data Protection Regulation laws — a massive revamp of the EU’s data privacy requirements, with a worldwide impact — is the higher of the following two options: €20 million, or 4 percent of a company’s worldwide annual revenue.

Do the math: That would mean fines of more than €3.6 billion for Google’s parent company Alphabet, €5.9 billion for Amazon, and €1.3 billion for Facebook. (A law that states “the processing of personal data should be designed to serve mankind” in its introduction isn’t kidding around. You can read the full text here.)

GDPR will take effect May 25, and it will apply most directly to companies based in the 28 member states of the European Union and the three additional countries in the European Single Market. But the rules are also written to cover European users of companies not based in Europe (so yes, that means you, U.S.-based website with any audience at all coming to you from inside Europe).

And wherever you are, if you’ve ever signed up for a publisher’s newsletter and gotten a spate of “please confirm again that you really want this newsletter now” and “please see how our privacy policies have changed” emails lately, GDPR is why (some organizations may have collected your information in not-necessarily-GDPR-compliant ways in the past, so you’ll need to give your informed consent this time around).

Digital news organizations collect and store the personal information of readers, and they have contracts with vendors who do the same — so they’ll need to follow the new rules, too, or face the same potential financial punishment. At the gravest level, for instance, a hypothetical GDPR violation by The New York Times might result in a fine of more than €56 million, far more than the amount it’s investing in growing its digital audience and revenue from outside the U.S.

“You have a golden necklace as a user, and I’m allowed to borrow that necklace”

The complexity of the new rules — all 260 pages (in English) and 99 articles of them — has spawned an entire new industry of GDPR consultants. But boiled down into (oversimplified) buckets that are relevant to news organizations, GDPR asks organizations to:

  • Obtain consent from users before collecting information that could identify them, which could include non-identifying data points that taken together might identify a real person (think location, IP address);
  • Present easy-to-find-and-understand explanations for what collected data is being used to do (we retain your email, because you subscribed to us so we could send you our newsletter); and
  • Be able to provide clear information to users about what information is being collected, and be able to delete that information at a user’s request.

Threaded throughout GDPR are principles of data minimization (processing the least amount of data necessary to complete a task) and accountability (companies need to report any data breach, including the nature and scope of the breach, within 72 hours of discovering it).

If fairly and evenly enforced, applied in good faith (no GDPR trolls following the blueprint of patent trolls), and interpreted in a way that isn’t just businesses hiring lawyers to find loopholes to maintain the status quo, GDPR seems, well, reasonable!

“You have a golden necklace as a user, and I’m allowed to borrow that necklace, and I’m allowed to use it for a party. But then you’re then allowed to ask me what I’m using the necklace for, and where I’m going with it. When are you going to wear it, and why do you need it for so long?” Han-Menno Depeweg, digital director of NRC Handelsblad, a national subscription daily newspaper in the Netherlands, told me when I tossed a bunch of my own metaphors at him. “If you use that as a comparison to data from the user, then you have a feeling of what the law might mean.”

Still, publishers have granular questions over interpreting parts of the law and around how rigorously the EU will enforce these rules come May. (In GDPR’s crosshairs are advertising giants like Google and Facebook, as well as the adtech industry.) There’s also a less covered, but also consequential ePrivacy law in the works in the EU which will work alongside GDPR, but which hasn’t been finalized yet, with EU member states and relevant interest groups tussling over how the two sets of regulations would interact. (A German magazine trade group argued earlier this year that what it requires would cripple the publications’ ability to make money on digital ads.)

“It’s a lot of homework to be done, because they hadn’t done any of it”

Many of the news organizations I reached out to, both in Europe and in the U.S., declined to speak on the record, citing fears around whether they were interpreting the law correctly and anticipating a few first legal battles that might give more guidance on enforcement. News organizations who were more open about their delicately tuned approaches to targeting different types of readers were hesitant when I asked about the steps they were taking to become GDPR compliant. (The Wall Street Journal pointed me to a set of previously published comments from Dow Jones Media Group publisher Almar Latour, and said that regarding changes that will be visible to Journal readers, “we are still working out the specifics and can’t yet speak publicly on it.” The New York Times declined to comment. The Guardian declined to comment. Many more organizations, after a few brief email exchanges, eventually ghosted.)

For these publishers, a massive amount of compliance work is happening behind the scenes that won’t be discernible to the public come May 25.

“Right now, it’s quite a huge effort internally,” Ingvild Næss, Schibsted Media Group’s chief privacy officer, told me. Schibsted is the parent company of several news organizations in Sweden, which is a European Union member, as well as in Norway, which is not an EU member but is part of the single market. Schibsted is also a more-than-7,000-employee media giant with a global presence, though its primary editorial products are newspapers in Sweden and Norway. “That is of course because now we are not only looking forward and doing what we need to do going forward on May 25, but it’s also been necessary to clean up our older stuff to make sure that lives up to GDPR standards as well.”

Næss said Schibsted’s work falls into three main categories: legal and compliance, product and UX, and everything that needs to be done relating to the tech stack.

“We definitely have dedicated projects ongoing. We have a central privacy product team, we have a central privacy engineering team, and so forth. On all these dimensions, we see that GDPR will now require us to work differently,” she said. “We are moving away from just relying on traditional, needlessly long privacy policies written by lawyers. This will be up to your clever UX people to figure out the most efficient ways to communicate with end users; it’s not lawyers who are the best people to do that. The communication around user data must be in the flow of the product itself. It cannot be hidden somewhere, at the bottom of a page.”

Schibsted is playing with new elements for its sites, such as a simple animated figure that will explain to users about how their data will be used. The company currently has a single login system (called SpID) across all its properties, where users of any of its services can manage preferences in a centralized place, from notifications to newsletter subscriptions.

“Going forward, what we will see is our users will be able to have dashboard control centers where it’ll be possible to see information about what data we have on them, with options to ask for deletion, to ask us to take out data, to control the way we use data,” Næss said.

GDPR (and ePrivacy, when passed) will have impacts continent-wide, but some countries have already been operating under similar laws. The Netherlands, for instance, has a Personal Data Protection Act in place (it will be replaced by GDPR come May 25) which is similar in spirit to many of GDPR’s specifications, such as requiring quick turnaround when an organization discovers a data breach.

“In the Netherlands, there’s already a law, so for us it’s a fine-tuning of what’s already in place. One of the things we’re working on is that we need to use clearer language. Our privacy policies need to be plain language, which is doable, but it’s more work,” Depeweg of NRC Handelsblad said. “So we need to get privacy statements 100 percent compliant, we need to run data security checks, we need to work on data minimization, we need to get everyone training. It’s a 100 percent effort by the whole company, and we have to get it from the person at the front desk to the person in IT — everybody has to understand what this law entails.”

64 percent of newsroom leaders recently surveyed by the Reuters Institute said they were “confident” their company was ready for GDPR. But a full third are on shakier ground: 17 percent said they were not confident, 15 percent said they weren’t sure, and 4 percent said they didn’t know what GDPR was (oops).

“If somebody is telling you they’re 100 percent GDPR-ready already, I just don’t know if that can be true. Everybody is working toward this deadline — at least every company I know,” said Oliver von Wersch, CEO and founder of a digital media consultancy, whose work on GDPR compliance came up in a few conversations I had with publishers. “The sheer mass of things to be done before May 25 is significant and is taking up a lot of resources inside the company.”

von Wersch said his three-person team also works with media companies on problems around platform strategy and monetization, but because of the May 25 deadline, about 80 percent of the projects they’re working on with his European clients are GDPR related. (You can witness the general frenzy in the posting activity of all the GDPR groups that have mushroomed on Facebook.)

“You need lawyers, data security people, IT people for figuring out where you’re storing the personal data of your readers, which system it’s going into, how you’re going to handle backups. A normal news website will have processes around their user registration, content management, business intelligence, analytics, and you have to be able to describe these,” he said. “It’s not that this is killing publishers, it’s just that it’s a lot of homework to be done, because they hadn’t done any of it.”

You know that feeling when you’ve had a busy week, so instead of putting away your clothes, you leave them all over the place, and when you’re late to your doctor’s appointment at the end of the week, you can’t find your wallet or keys, which are probably buried somewhere under a week’s worth of pants? Except the messy clothes = disorganized data collection practices and the bloat of various trackers on a news site; and the wallet and keys = what you need the reader data for and where and how all that’s being collected. When a news organization loads an ad on its site for audiences, it might not be aware what else is loading, including, say, tracking pixels advertisers use to verify the impressions they’re getting on that ad — these practices can get identifiable information about people into the hands of dozens, even hundreds of other companies.

GiveMeSport, for instance, ran an analysis of its site and found as many as 500 companies who were processing its readers’ personal data, likely in ways not compliant with GDPR, the sports publisher said at a Digiday summit in London on Tuesday. It didn’t even recognize most of them. Finding out details leads to this weird dance: X company asks Y vendor if they are GDPR compliant, but Y vendor has a contract with Z vendor, so needs to know if Z vendor is compliant before it can confirm with X company.

“This is the hot potato. From our side, we’ve done technical due diligence with all our key suppliers, and we’ve gone into real detail as to how they use data,” Anthony Hitchings, digital advertising operations director at the Financial Times, said at an Advertising Week Europe event in March (the FT declined my interview request). “One bit of due diligence took us over a year. Another vendor, we went down the path of trying to understand what they did. We started to understand they were capturing IP details in full, which then meant they could build a complete browsing picture of a user on the web, then we went, this is not a partner we’re comfortable dealing with.”

“Nobody knows exactly”

Going through contracts with each individual vendor is time-consuming, though von Wersch said the assumption from many publishers has been that as long as they’re on track in negotiating with all their vendors, even if not every one of them is settled by May 25, they’ll still be OK. Some Dutch lawmakers have signaled leniency for the first few months the law is in effect, Depeweg said, with a focus on educating companies not fully compliant rather than jumping to fines (except in blatant cases of violation). The French data protection authority CNIL also suggested it would give a grace period.

“One uncertainty is what the local data security authorities, who are in charge of monitoring the fulfillment of GDPR, will do after May 25. Will they look at the big picture, will they focus on the transparency element, will they look at supplier contracts?” von Wersch said. “Nobody knows exactly, so we’re driving in a tunnel, and you don’t know how long this tunnel is, what comes out at the end. Will they see some things as more important than others? That’s also different in different European countries: We Germans, for example, like to look at contracts. I’ve heard U.K. authorities may be looking closely at privacy policies.”

Publishers will take different approaches to obtaining consent from readers for different products, and making sure readers know what they’re consenting to and what they will or won’t get if they opt out.

Some of Schibsted’s offerings, like personalized Swedish news app Omni, Næss said, won’t work as they should if they can’t collect reader data.

“Here there are a lot of questions remaining still on the user experience of someone who is opting out,” she said. “With the product range we have, we are amongst the ones that argue we do have some particular services where we see it doesn’t really make sense to offer it for users not willing to share data. For such services, the main thing is that a user understands what kind of service it is, and how data are used to show you content that you may be interested in. If you have that information from the start, you can make an informed choice whether to use the service or not.” (“As a starting point,” users who opt out of everything will still see ads when they visit Schibsted properties, but will just get non-targeted ads, either contextual or totally random.)

What about outlets that use reader data strategically to target offers? Publishers have talked about adding a popup on pages asking for some of their information, in exchange for reading a story, according to Dow Jones Media Group publisher Latour, who spoke to Adweek.

“In many ways, publishers are in a very unique position in which under the new rules — and the rules are fairly clear — publishers are going to need to have narrow, specific consent for any purposes that they’re leveraging data,” said Jason Kint, CEO of a trade association of digital publishers, Digital Content Next. “Any companies that don’t have a direct relationship with their users, and in particular that don’t have a direct, trusted relationship with users, are going to be in a difficult position.”

“There are elements of the regulation that make certain publishers uncomfortable, the ones that are either overly dependent on adtech, third-party behavioral tracking,” he added. “There’re nuances to whether or not they need to get consent for things that, in many ways, even the user doesn’t want to have to deal with. When a user visits a website, the idea of having to get notifications for things like just personalizing the page for them is kind of outside consumer expectations, whereas tracking somebody across the entire web, most users would have a significant issue with.”

“Google the controller”

There’s one big elephant in the room that needs addressing. Google’s take on GDPR is that it’s asking publishers who use its ad products to obtain consent from users of that site running the ads, saying that Google will be “co-controller” of the data that’s collected — a strategy the Wall Street Journal first reported back in March. (A “controller” is the company responsible for how personal data is processed and used; a “processor” under GDPR processes data as instructed by the controller, and still has legal obligations under GDPR. Google, for instance, classifies Google Analytics as a “processor.”)

“We don’t want to stand between publishers and their users,” Carlo D’Asaro Biondo, president of partnerships at Google for Europe, the Middle East and Africa, told the Journal in a statement. “That’s why we are asking our partners to get consent for the way they use our services on their sites.”

“We have always asked publishers to get consent for the use of our ad tech on their sites, and now we’re simply updating that requirement in line with the GDPR,” a spokesperson told the UK’s Press Gazette. Google pointed to tools it’s offering publishers to help with consent-gathering.

But a plan communicated fully to publishers two short months before the May 25 deadline, when Google had several years, hasn’t inspired confidence that this is a GDPR compliance strategy executed in good faith. On the other hand, it’s going to be tough for publishers to turn down Google’s proposal and risk losing access to all that ad revenue.

Publishing trade groups like Digital Content Next have shouted at Google about it, most recently with a fiery open letter last week representing about 4,000 publishers worldwide.

“If you show up, like, six weeks before GDPR comes into place with a completely different understanding of the law, this is far too short a timeframe for publishers to implement anything in the direction that’s required,” von Wersch said. “In the Google approach, you would need to actively provide consent by the user, and it takes time to collect the consent from your userbase. You need not weeks, but months, maybe years.” (DCN’s Kint had an even more succinct response: Hell no.)

Well, now we’re counting down to May 25 not with weeks, but with days. Good luck, everybody.
