The General Data Privacy Regulation (GDPR) is a European Union (EU) legislation that will go into effect on May 25th, 2018. It is said to be the most comprehensive data privacy initiative of the past 20 years. Any company currently collecting and storing this data from readers in the European Economic Area (EEA) fall under the purview of the GDPR and consequently, its penalties.
This regulation aims to protect the privacy of the European Economic Area (EEA) including EU citizens by giving more control back to individuals when browsing the internet.
GDPR at a glance
The General Data Privacy Regulation (GDPR) was adopted in April 2016 but becomes enforceable law on May 25th, 2018.
This law binds the EEA’s existing privacy rules into one and expands the potential reach to any and all companies who are collecting Personal Identifiable Information (PII) for their citizens.
Under the GDPR, Personal Identifiable Information has expanded to now include the following pieces of data:
- Computer data (including location data, IP address, cookie data, tracking pixels)
- Name
- Photo
- Email address
- Bank details
- Social media posts
- Medical information
Customer "Consent Pop-up" and Consent Management Platforms
To be in full compliance with the GDPR, businesses must present an option for users to opt-in to each service that collects tracking data during their browsing session; examples include:
- Collecting of email addresses for newsletters
- Cookie/profile information for behavioral content recommendations (DMPs)
- Cookie data for targeted advertising, for every advertiser on your site (AdX, OpenX, IndexExchange, A9, etc.)
The law further dictates certain rights EEA citizens will be required to have when accessing your site including:
- Proof of Consent: The publisher bears the burden of providing proof of consent for all users who have consented to terms of service, privacy policies, and marketing communications. This includes logging dates in which a user agreed to these pieces as well.
- Right to Withdraw Consent: Users must be given permission to withdraw consent at any time for each piece of tracking data, i.e. ad networks, Google Analytics, unsubscribing from emails.
- Minimum Age: The publisher must provide a way for the parent or guardian to provide verifiable consent, taking into consideration available technology. This age can vary but common ones are ages 13 (COPPA) and 16.
- Data Freeze: Users must be able to request that their account be frozen, where they cannot log in to the site and their data is no longer processed.
- Data Deletion: Users can request that their data be deleted, and their account and all of their data will be deleted.
- Right to Data Portability: Users must be able to download their personal data in a legible format.
- Right of Access by Data Subject: Users can see their personal data and what is being collected via user dashboard profile screens.
- Rectification of Data: The user has the right to make changes to their preferences and settings and can easily update information within their profile.
As GDPR has become more widely known in the last year, Consent Management Platforms (CMPs) like Quantcast, Gigya, and Google Funding Choices have become available.
The IAB also announced their Transparency and Consent Framework for other CMPs like Quantcast to integrate with, however, this is still a work in progress.
The fundamental issue with Consent Management Platforms is that it assumes a user will proactively opt-in to each first-party and third-party tracker a site currently utilizes. This on most local media websites can be a large number—in many cases 50 or more—creating a large barrier to entry for users.
TIP: For a quick glance at how many vendors this might be for your site, append "/ads.txt" to your URL. These vendors have permission to sell ads on your site and, if they are in use, may also be collecting personal data from your users. In addition, you can look at a tool like the Ghostery Chrome extension, which shows the number of trackers that are included on your site. Again, these are trackers—most likely loaded through programmatic ads or third-party widgets on your site—that may be collecting data on your users.
Penalties
Each country in the European Union is responsible for assigning their own Data Protection Authorities (DPAs). If a business does not comply with the GDPR, DPAs can issue warnings, suspend the business’s ability to process data, or force hefty fines.
Fines fall into two types:
- For less severe breaches, the maximum fine is €10 million or two percent of the company’s annual revenue, whichever is greater.
- For more severe breaches, the maximum fine is €20 million or four percent of the company’s annual revenue, whichever is greater.
To learn more about what TownNews is doing about the GDPR, click here.