On May 25, 2018, the new EU General Data Protection Regulation (better known as GDPR) comes into effect, and I'm quite worried about how this will impact publishers because most don't seem to be even close to compliant.
The problem with GDPR is that most publishers see it as an IT/administrative burden. They think the only thing they need to do is set up some databases and do some other IT things ... and then redesign their privacy page.
What I'm not seeing, however, is any real change to the way publishers use data, the business models they have that rely on data, or any consideration as to what impact this will have on their editorial strategies.
So, in this article, I'm going to talk about GDPR as a concept in relation to media trends, and consider what this means for your editorial strategies. I hope I can help you realize just how big a change this actually is.
Mind you, I'm not a lawyer. I am a media analyst. I do not claim to be an expert in all the nuances of GDPR. My focus is to talk about strategies, user behaviors, business models, etc. But, I am also a publisher, so my knowledge of GDPR is based on the work that I have put into making sure that my site will be compliant (which I'm still in the process of doing).
If you want to get legal advice on how to be compliant, you need to get in contact with a lawyer or a consultant with a specific focus on the legal aspects of this.
For now, let's talk about this from a strategy perspective.
When I hear people discuss GDPR I have noticed that almost everyone talks about it in the legal sense. What I mean is that people are discussing what the technicalities of the law are, what exceptions or loopholes it has, and how you could get away with using these exceptions to continue to do the things you have always done.
And sure enough, there may be ways to classify some data as 'legitimate interest' so that you don't have to ask people whether you can collect their data or not, and there may be ways that you can designate the 3rd party services that you use as co-controllers, or some other workarounds.
Legally, you may be able to find enough exceptions and loopholes to do all of this.
However, there are two major reasons why thinking about GDPR this way is the wrong strategy to have.
The first major reason is the overall trend about privacy.
If you look at what is happening around us, you can see very clear signals that the public has had enough.
Today, for instance, we see that a majority of people who install an ad blocker don't actually do it to block ads (that's just an added bonus). They are actually doing it to block tracking.
What people are reacting to is not just what Facebook is doing, but how every publisher is using a very large number of 3rd party trackers, where neither the publisher or the reader has any control over what is actually happening with this data.
We also see this trend in many other aspects of online behavior. Think about how many people have locked and set their social profiles to 'private'. Think about how people are using services like Snapchat, Instagram Stories, or Twitch live streaming ... all services that, by default, delete what you have posted so that it can't be turned into a privacy violation later.
The trend here is really clear.
If you then, as a publisher, just implement GDPR by taking advantage of all the exceptions or loopholes, so that you continue to load 38 trackers into your site and do it like it's all 'business as usual', you will be fighting against this trend.
In other words, you become the bad guy.
The other very important factor here is to look at big tech companies.
Companies like Google and Facebook are perhaps those who have benefited the most from being able to collect data from multiple sources, so you would think that they would do everything they can to try to use every loophole GDPR has.
What we are seeing, however, is a very different outcome.
Let me just remind you of the basic principles of GDPR in a simplified way:
Obviously, there are a lot of exceptions here, and different ways of defining things. For instance, the definition of consent is not necessarily a 'direct consent'.
If a person visits a web shop to buy a product, they will enter their home address so that you can send it to them. This is considered to be a form of consent. So you don't have to ask people for consent separately to save their address.
There is also the question about the right for people to delete their data. This is not actually possible in many cases, because other laws require publishers to keep the data. One example is that publishers are required to keep data related to accounting and taxes. So, there is a lot of data that you can't delete.
But think about this in relation to a new visitor. Someone that you have no prior relationship with (a first time visitor). What data can you actually collect and use for that person?
The answer is ... nothing!
You cannot use any personal identifying data from any visitor who is a one-time visitor. You cannot load any 3rd party service, because by doing that you would be sending personally identifying data to those services (like people's IP address). You cannot even do personally identifying internal analytics.
The reason is that a first time visitor hasn't done anything that could be considered consent, so you have nothing to work with.
I don't think publishers realize just what this means.
Essentially, it means that you can't load any 3rd party service into your site. You can't load advertising from your ad partners (via their scripts), you can't add social widgets, you can't add a quiz to your articles that is using some 3rd party service.
Or put it simply, you can't do any of this:
At this point, you are probably thinking that I'm being overly dramatic, and that I should just calm down because this is not really what this means. And, again, you might argue that there are ways around this.
But this is where the actions of Google and Facebook come into play.
Google is obviously one of the companies the EU will watch the most, so when Google looked at GDPR they basically came to the conclusion that there was no way around it without resulting in lengthy and likely very expensive legal fights. Fights that they would be attacked with in the press, that would also cause a drop in trust from their users.
So, Google has come to the same conclusion that I have, which is that they can't do anything until you have given them consent. And, as a result, Google has now implemented a system so that when you visit them, you are presented with a box that looks like this:
With this box, Google is explicitly and openly asking you for consent to how Google is tracking you.
This also extends beyond Google's own sites.
For instance, when publishers are using Google Adsense, it used to be that this interaction would track people across the web. But now, because of GDPR, Google has announced that it will no longer be based on any personally identifying data.
The reason is, again, that Google can't be sure that publishers have obtained the correct level of consent before the ads are shown. So, Google is trying to get ahead of this by just getting rid of the problem altogether.
It's the same with Facebook. They too are moving to a consent based baseline for how they do everything. And, they are also stopping their practice of buying personal data from data brokers.
As someone living in Europe, this has always been a huge violation of privacy. But what Facebook has now realized is that, with GDPR, doing something like this would be in direct violation of the law. Specifically, it's a violation because people have not given their consent for their data to be used this way. And on top of this, the rule that you can only collect data relevant to the service you offer is incompatible with the practice of buying up vast amounts of random data about people from data brokers.
So Facebook is ending this instead of trying to fight it (which would only result in more negative press, loss of trust by its users, and penalties from the EU).
My point here is that the tech companies have decided to rethink the way they are doing privacy. Obviously there are a ton of things that still need to be done, neither Facebook or Google is in the clear. But when we combine what Google and Facebook are now saying with the overall trend of what the public demands, it's pretty clear to see where this is heading.
And this brings us back to publishers.
I have yet to see any publisher who is actually changing what they are doing. Every single media site that I visit is still loading tons of 3rd party trackers. They are still not asking people for consent, in fact most seem to think they already have people's consent, and when questioned about trackers, they can just say: "We use 3rd party services, and we refer to their privacy statements."
This doesn't work under GDPR, because, as a publisher you are a data-controller, whereas all the 3rd party tools you use are the data-processors. And it's the data-controller who is responsible for obtaining consent, for providing transparency, for giving people access to their data, and to make sure that all the data, regardless of where it is stored, is under your control.
So, this is a whole new reality.
Basically, what publishers need to do is think about their audience in four different segments:
And the way to think of each is like this:
One-time users includes all one-time visits and all the visits where people have not done anything to give you their consent. This means you cannot load any 3rd party tools. All your ads have to be delivered via 1st party means (so no 3rd party ad code) and it cannot contain any personally identifying information. You cannot automatically load embedded content (because then you are sending data to those sites), you can't load social widgets, etc. And for your own sites, you can only do non-identifying analytics.
Essentially, you need to do this:
Of course, making this change will have a dramatic impact on your revenue for single-visit traffic, because you basically have to design your ad model to work completely differently from how it works today.
Limited interaction users are those who have signed up for a limited part of your site. Like when people have signed up for a newsletter, or when they have bought access to one of your guides, but haven't yet become a full subscriber.
In this you have an implied consent, but it's limited to that specific service that you provide. For instance, if people sign up to your newsletter, you cannot claim that they have also given you consent to load a ton of 3rd party trackers that do many other things.
Remember, GDPR limits your data to only what is relevant for what people have requested.
Again, this is a pretty big deal for publishers, because this too dramatically changes how we think about data. In the past, we considered all data to be 'fair game' as long as people had done anything on our site. In the future, this argument will no longer work.
Your use of data has to be specific, limited, and relevant.
Full interaction users are people who have signed up for a full account, and with that agreed to have everything you offer available to them.
In this, you have a much wider scope to work with, but it still doesn't give you free reign to just add a ton of 3rd party tracking scripts to your site. Each has to be relevant to what you offer. Each one has to be limited to only collect what is relevant to each individual publisher, and you are still responsible for transparency, data control, and everything else.
What full interaction does give you is the ability to use data across what you do. With limited interaction, you can only use the data in relation to that one thing that people have signed up for, but full subscribers are people who expect things to work as a whole.
With cancelled users, we are basically back to where we started. With this, I mean that as soon as people cancel their accounts, you have to delete their information (except the data that you are legally required to keep, like accounting data).
So, all your personally identifying analytics for that person; all their personal settings; your advertising profiling data, and so forth ... all that has to be deleted when people cancel their subscriptions.
Again, this is a pretty big shift in how things used to be done, and it impacts things that we don't even consider today.
As I said in the beginning, this article is not supposed to be a legal guide to help you navigate GDPR. What I have done is take an overview of the concept of GDPR, in relation to the trend of privacy, and with the behavior that we see from major tech companies. I have also considered what it is that our readers actually expect.
And it's pretty clear that our readers don't expect us to just continue with what we have always done.
True, you may be able to find loopholes and exceptions that may allow you to legally do something, but do you really want be that company?
My advice to you is rethink your approach to GDPR. This is your chance to be a part of the solution, rather than being part of the problem.
We can embrace this trend to build trust and to show our readers that we respect them. We can use this to build services that have privacy built in as a feature, as a way to give people better use of data by giving them better control.
Think of this as the turning point of privacy.
So publishers have to rethink technical platforms and their business and editorial platforms. Your advertising models have to be more 1st party focused, where the focus is on the context rather than personal profiling, simply because first-time visitors see the most advertising.
This requires a change in the business models and the partners you work with, but it also requires a different focus editorially. We are so used to just publishing random content at scale, because that's the way the old ad models were optimized. The new ad models place more emphasis on context, so we need to raise our contextual editorial focus.
More importantly, though, the future of data will shift more towards owned relationships, like what you offer for your full subscribers, which again changes the way you think about data and editorial strategies.
Data suddenly becomes a subscriber feature, because those are the only times where you have full consent.
This is a big deal.
The media has a long history of not changing in time, and most of those times we could argue that it was because we didn't know what the future would bring.
This time we know. So, my advice to you is to change now. Don't wait to see what happens. Don't try to just do what you have always done.
Founder, media analyst, author, and publisher. Follow on Twitter
"Thomas Baekdal is one of Scandinavia's most sought-after experts in the digitization of media companies. He has made himself known for his analysis of how digitization has changed the way we consume media."
Swedish business magazine, Resumé