Privacy Compliance Guidelines

What the GDPR Privacy Law Means for Local US Publishers

When The European Union’s General Data Protection Regulation (GDPR) goes into effect later this month, it could have major implications for local publishers in the US.

Europe’s new privacy law is intended to cover companies located anywhere in the world that offer “goods or services” to European users or monitor the behavior of European data subjects. That means local publishers who generate traffic from visitors living in the European Union could be subject to these new regulations, even if they don’t market their publications to overseas readers.

The GDPR is expected to be transformative for digital advertising companies that traffic in user data, but according to an analysis of the new regulations by the Columbia Journalism Review, the GDPR will also impact media publications that host ads and use data from advertising and social media platforms. Publishers themselves will be held to the same standards as technology giants like Google, Facebook, and the like.

With fines reaching 4% of a company’s annual revenue or €20 million, local publishers have reason to be nervous.

What is the GDPR?

The GDPR was developed to harmonize data privacy laws in Europe, empower ordinary citizens, and change the way companies approach data privacy. New regulations that come out of the implementation of the GDPR will have the greatest impact on technology companies and advertising networks, as well as media organizations that rely on user data directly and indirectly.

Personal data sits at the core of the GDPR, but the GDPR uses a much broader definition of personal data than most people the US realize. As a result, the GDPR limits the types of personal data that publishers can collect without consent.

It should also be noted that under the GDPR, consent can be withdrawn, and companies must give users the ability to access, transfer, correct, and erase their personal data at any point in time.

One thing that’s important to remember is that that GDPR was designed with good intentions. These regulations were initially created to ensure greater data privacy for people living in the EU, even though new burdens on smaller US publishers have become an unintended consequence.

How will the GDPR affect local publishers?

Local publishers in the US will be required to comply with the GDPR if they use tools and host ads that collect data about their readers, even without having any employees, offices, or servers in the EU.

Some analysts argue that widely used internet advertising techniques, like dropping cookies and serving ads based on device identifiers, does not give the EU jurisdiction. According to the News Media Alliance, the GDPR applies when “natural persons” are being tracked or profiled. Relying exclusively on device identifiers, IP addresses, and cookies for targeting would, therefore, allow US publishers to skirt the new regulations. Additionally, the News Media Alliance argues that US publishers who aren’t targeting EU readers specifically, by running ads in foreign languages or using EU domains, can take a more relaxed approach.

Nonetheless, local publishers who use Google advertising networks are already feeling the impact of the GDPR. The technology giant has started asking publishers to collect consents from users with EU IP addresses on its behalf.

Because the GDPR is still so young, a definitive set of best practices has not been developed. However, one popular strategy for collecting consent is by using splash pages or pop-ups to block visitors from viewing pages where ads are being hosted until they’ve consented to having their data collected. This is being advised for any local publisher in the US that runs ads or analytics scripts.

Another solution is to block EU users entirely, or to not serve targeted advertising to users with EU IP addresses.

Updated privacy policies and terms of service should cover all of a publisher’s legal requirements, keeping in mind that the GDPR requires publishers to explain their privacy policies in plain language.

Publishers should also talk to their email service providers, CRM providers, and e-commerce partners to see how they are preparing for the GDPR and whether their own policies or programs will have to change.

Despite the initial challenges of becoming compliant, many experts believe that the GDPR will ultimately benefit hyperlocal publishers. High-quality publications should have no trouble getting consent to collect data from their readers, boosting their positions in the eyes of advertisers.

Still, it will be years before the full impact of the GDPR is truly understood. In the meantime, local publishers should be on heightened alert for new strategies for maintaining compliance.