In May, the General Data Protection Regulations—or GDPR—went into effect in the European Union. First approved in April 2016, this new legislation has radically changed how companies can do business online. European authorities gave companies two years to comply with the new sweeping measures that replaced the previous Data Protection Directive in the 28-nation EU bloc.
The goal of the law was to give consumers greater control of their respective personal data that is collected by companies online. This includes organizations that are located within the EU, but also applies to any companies outside the region if they offer goods or services, or even have a digital footprint with consumers in the EU bloc.
Even with two years to understand—and prepare for—the new regulations, the response by some American newspaper publishers was to block all content from the eyes of those in the EU. This included Americans traveling for work and vacation as well as expats.
Other publishers offered a special version for those readers in the EU.
“USA TODAY NETWORK is serving a version of its products to IP addresses in the EU that limits the data processing on the site,” a spokesperson told E&P via email. “The USA TODAY NETWORK EU experience will not include any advertising that collects personal data from EU residents, allowing our European audience to continue to access our award-winning content.”
The reason for this due diligence on the part of publishers is simple. Under GDPR, those companies that are not compliant face serious fines of up to 4 percent of annual global revenue or 20 million euros ($24.6 million), whichever is larger.
“We are going to be watching very closely how this plays out,” said Eric Hodge, director of solutions for security research firm Cyberscout. “That is a hefty fine, and while it is aimed at major tech brands, it could still be used against a small Indiana-based company that might have four European customers in its database.”
This is something businesses in all sectors will have to deal with as well.
“The first thought is something aimed at large tech companies or banking, but this affects all industries,” Hodge said. “Publishing is an interesting part of this because it has become so global. It will be interesting to see how smaller, regional papers may get caught up in this.”
A key part of GDPR is based on companies ensuring that users consent to how their data is used. Companies can’t use vague or confusing statements, nor can consent be bundled within other use agreements. Consumers in the EU will also be entitled to access the personal data that is stored by companies, and most importantly find out how it is being used.
“There will be a sea change in publishing where 80 percent of revenue comes from online advertising and ad-related tracking is part of how organizations make money,” said Alex Calic, strategic technology partnerships officer for digital vendor risk management firm The Media Trust.
This could be bad for the bottom line for those businesses that depend on targeted marketing or advertising.
When in Doubt, Block It
The approach from many publishers has been to completely “geoblock” all users with IP addresses in Europe. This has cut off travelers as well as expats from their hometown papers, and at best it is a short-term solution to what could remain a long-term problem.
“Several U.S. news outlets including tronc have geoblocked users because there is the fear they aren’t compliant with GDPR,” said Ryan Radia, research fellow and regulatory counsel for the Competitive Enterprise Institute. “This hasn’t affected regional papers as much, but the larger publishers have taken notice.”
This doesn’t mean it is impossible to see the blocked content, and tech-savvy users could get around the geoblocking via proxy servers or virtual private networks (VPNs). The question is how the use of such tools still relates to GDPR.
“This could result in a game of cat and mouse, where publishers try even harder to block the VPNs because it isn’t clear if a news outlet or publishers could be at risk of violating GDPR if someone went to such measures by using a VPN,” said Radia. “The idea of GDPR is to provide these protections, but if an individual went to such measures it could be argued they (the user of a VPN) are opting out of the very protections that the EU put in place.”
However, publishers that are not yet GDPR compliant could still face issues if a reader were to use a VPN or other tool to access geoblocked content.
“It would come down to how much they know this is happening and what steps are being taken to stop it,” said Bart Lazar, a partner in the Chicago-based Seyfarth Shaw law firm. “Another point to consider is that if you get email from a Gmail account it isn’t actually clear what citizenship that person is, so this puts a lot of responsibility on those receiving the emails.”
While the short-term solution for some has been to either block the content or provide an EU-specific version of the site, the long-term goal for any company will be meeting and addressing—and when possible exceeding—the privacy concerns of GDPR.
“We’ve already seen a massive cascade with many companies changing the privacy settings, and this includes many consumer-focused brands,” said Michael Priem, CEO of Modern Impact, a firm that utilizes real-time analytics and machine learning to improve the performance and ROI of all programmatic advertising. “The thing to remember is that this isn’t about just accessing a site from Europe. As we understand it, even if someone comes to the United States and uses a site and they are an EU citizen, it is expected that GDPR still applies.”
However, the question is whether, and if so how, the EU could actually enforce GDPR.
“It would be challenging but not necessarily impossible for a small U.S.-based business to get a fine,” Radia said. “It would probably entail the enforcement agency to go to the United States to work to obtain a judgment, so the more likely response would be to go after business partners in Europe. For the majority of companies that have a major presence in Europe it will likely mean that they’ll behave accordingly.”
Those that don’t comply could be expected to face hefty fines, and the EU has a track record for imposing large fines on businesses. Between 2013 and 2017, the European Union Commission imposed fines totaling 8.472 billion euros ($9.54 billion). That doesn’t include the 1.06 billion euro fine imposed on Intel in May 2009 for abusing its market dominance on central processing units (CPUs), or the 900 million euro fine imposed on Microsoft in February 2008 for “unreasonable” royalty fees.
“We see that the penalties are very stiff, but it is unclear if the EU could actually impose those fines to businesses that are based in the U.S. and accessed outside of Europe,” Priem said. “What this really puts the spotlight on is how data is reaching a level of becoming much like a currency or natural resource. In either case, GDPR is putting restrictions on this resource.”
At the same time, GDPR shouldn’t be seen as something that could be technological evolution or even innovation. As the EU has stated, it is actually a matter of returning the value of one’s data back to the individual and ensuring that privacy is protected.
“In that regard this is simply controlling how ‘big data’ can be leveraged via new technologies such as machine learning, which can be used for such things as more specific ad targeting,” Priem said. “This is about giving the consumer the right to opt in instead of just automatically handing over control of their data to others, and not getting anything for it. So really GDPR is providing the way for users to understand in simple language how their data is used. Past efforts to do this haven’t been done with due diligence and GDPR simply sets the new standard.”
What is also important to note is that for children under 16, a person holding “parental responsibility” must opt in to data collection on the minor’s behalf. An additional rule also made it mandatory for companies to notify any respective data protection authority about a data breach within 72 hours of first being made aware of its occurrence. Customers must then be notified “without undue delay” following any known breach.
Beyond the issue of consumer privacy, GDPR and similar regulations could change the way reporters do their job.
“Newspapers are still trying to deal with that ‘right to be forgotten’ and with big stories that is difficult enough,” Lazar said. “Then there is the fact that businesses like to contact journalists, so will American journalists object to receiving media pitches from companies based in Europe if it means the journalist needs to worry about GDPR?”
This could also change the way ads—and the revenue that comes with them—are served to users online.
“Do not panic, we’ve seen in the past decade how rapidly revenue has evolved through programmatic ads,” Priem said. “Media budgets won’t stop growing and the technology leaders won’t stop innovating. Ad revenue will not go away because of GDPR.”
The industry will just have to adapt accordingly.
“Maybe in a way this is putting the costs back to where it belongs,” Hodge said. “There is no free lunch, and if money is being made from viewing of the ads, those companies should be held accountable for what they are doing with a person’s private information. But if anything now, the ad companies will have to handle the way these are served more responsibly. You will get to agree to it, and there will be great transparency in what is being done with your data. This could change the whole thing for the better.”
GDPR Won’t Go Away
Europe may not be the largest continent in actual size, but apart from India and China, it has the largest collection of internet users in the world.
“The EU has far more internet users than the United States, and it is also the wealthiest block of users worldwide,” Radia said. “This makes the EU market so large that the truly global companies can’t ignore it. For some companies, the plan may be to step back, but that is a market that can’t be ignored, and if you’re an international company in any way, you ‘can’t not do business’ in Europe and hence you can’t ignore GDPR.”
If anything, GDPR should be seen as a portent of other regulations to come.
“For most publishers, the key is to understand what compliance solutions will work so they can serve the EU, as well as other markets like Canada, which will introduce the Personal Information Protection and Electronic Documents Act (PIPEDA) in November, and Japan, whose APPI (Act on the Protection of Personal Information of 2003) tightened up previous privacy laws, or South Korea, whose PIPA is one of the world’s strictest privacy laws,” said Calic. “As consumers around the world rely on their mobile devices for transactions, other markets will follow suit.”
Instead of going away, it is already making headway into America. In June, California enacted what has been seen as one of the most far-reaching consumer protection privacy laws in the nation. The California Consumer Privacy Act, which goes into effect on Jan. 1, 2020, will require data privacy protections and requirements that are already being compared to GDPR. Where it could be different is in enforcement.
“With GDPR, EU regulators will have to resist the urge to go for the jugular,” said Lazar. “We can expect that in the United States regulators would likely take a more measured approach. The utopian in me asks why we can’t have a global privacy standard that could be locally enforced, but that isn’t going to happen.”
Editor’s Note: This article has been edited online to clarify a quote from Bart Lazar.