GDPR Compliance Instructions For Digital Publishers
GDPR has been a bit of a whirlwind. The European regulatory initiative to give internet users greater control over their privacy has left publishers scrambling at the last minute to comply with the new laws, which took effect on the 25th of May, 2018.
Let’s be honest, GDPR is a bit of a mess. It’s unnecessarily complicated and disruptive to just about any business or entity with a website. That being said, it’s in your best interest to comply with these laws ASAP or you could face a pretty stiff penalty.
Below, I’ll outline some basic steps, information, and free tools any publisher can use to help with GDPR compliance.
I suppose I probably need a disclaimer here before moving forward:
This post does not constitute legal advice and does not establish an attorney-client relationship. Every industry is different, and every company, website, and legal entity has different data collection requirements under GDPR regulations.
What is GDPR?
GDPR (General Data Protection Regulation) is a new EU law governing how companies handle personal data and privacy.
I’m going to assume you are somewhat familiar with GDPR and its background.
To simplify things quite a bit, GDPR is all about PII (Personally Identifiable Information). Regulators in the EU have determined that all internet users should have the ability to know when their PII is collected, consent to how it is used, and then have the ability to delete any part of it that they wish.
Publishers are now being forced to give all EU visitors these capabilities — or face major financial penalties (although there is little information out there on how strictly this will be enforced early on).
Some industry estimators believe that on May 25th, nearly 90% of the web will be outside GDPR compliance.
Am I affected by GDPR at all? Can I skip all of this?
I wish I could tell you “yes”, but probably not.
If you get any EU web traffic to your site (theoretically, any at all), you are responsible for delivering PII controls and notifications to those visitors.
All that, plus maybe some other stuff depending on your business. So… it is worth looking into.
Am I in trouble if I do nothing?
No one knows. I’m sorry. Again, I wish I could tell you that this stuff won’t be enforced, but no one knows how strictly it will be enforced, or when.
The ‘interpretation of the law’ is still a bit vague — because the wording is full of impenetrable jargon and generalized advice. For example, GDPR is outlined in an 88-page document about digital data privacy that mentions the word “cookie” only once.
The truth is that if you haven’t done anything to make your site GDPR compliant, you probably aren’t GDPR compliant.
I imagine it will be hard to police so many violations early on. Additionally, I am unsure where the regulators will come from, as the industry as a whole has had a hard time finding experts able to sort through all of this.
Nevertheless, it’s not hard to make your site compliant with the right tools, so you’re definitely much safer complying with the law.
It could end up being an expensive gamble should you ignore it.
How to become GDPR Compliant
1. You’ll need a pop-up or banner consent form.
It’s kind of like the “we use cookies” banner that you might already have for your privacy policy, but instead of users being able to just click “OK” — they have to explicitly say “YES” and also have the opportunity to say “NO”.
Users need to be able to understand what the cookies are for and have options about how or when they may be used.
For publishers, this module will need to ask your site’s visitors if they will allow your vendors (ad networks, exchanges, etc.) to track them via cookies, and then explain what those cookies do.
2. You need to map the user’s IP address to know whether they are in the EU
If they are indeed in the EU, they must give consent before you can show them interest-based ads (retargeted display ads).
Example: A visitor goes to Nike’s website and looks at shoes. Nike would like to track that visitor and then use that information to show the same visitor an ad for those shoes on your website. Under GDPR, in this example: if the visitor gives consent to collect and use cookies, the ad can be shown to that visitor on your website. If they don’t give consent, the publisher CANNOT show them that retargeted display ad.
When consent is not given, you must only show non-interest-based ads (no cookie-based targeting allowed).
This would include things like contextual display ads (an article could have the word “shoes” in its body; advertisers then target that page to show ads based on that keyword).
This type of advertising doesn’t require PII.
3. You must keep a log of users who accept or deny cookie permissions
You now have to keep track of all this data for… maybe forever? You’re expected to record these permissions and obey them now and in the future.
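The three steps above, as an added example that is not from the original post: an EU check on the visitor’s IP decides whether consent gating applies, an append-only log keeps every YES/NO decision, and the ad decision follows the latest logged choice. The EU address ranges are constructed for the demo (not real allocations); a real site would use a maintained geo-IP database.

```python
"""Added example, not from the original post: consent gating for ads.
EU ranges below are constructed stand-ins for a geo-IP lookup; the class
and function names are this example's own, not any CMP's API."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample ranges standing in for a geo-IP lookup (not real EU allocations).
EU_RANGES = [ip_network("203.0.113.0/24"), ip_network("2001:db8:1::/48")]

def in_eu(ip: str) -> bool:
    """True if the address falls inside one of the (constructed) EU ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in EU_RANGES)

@dataclass(frozen=True)
class ConsentRecord:
    visitor_id: str        # e.g. a first-party cookie id, not the IP itself
    granted: bool          # explicit YES (True) or NO (False); never a default
    vendors: tuple         # vendors the visitor was told about when asked
    recorded_at: datetime  # so the decision can be audited later

class ConsentLog:
    """Append-only: past decisions are never overwritten, only superseded."""
    def __init__(self):
        self.records = []

    def record(self, visitor_id, granted, vendors, when=None):
        rec = ConsentRecord(visitor_id, granted, tuple(vendors),
                            when or datetime.now(timezone.utc))
        self.records.append(rec)
        return rec

    def latest(self, visitor_id):
        """Most recent decision wins, so a later NO withdraws an earlier YES."""
        for rec in reversed(self.records):
            if rec.visitor_id == visitor_id:
                return rec
        return None

def ad_mode(log: ConsentLog, visitor_id: str, ip: str) -> str:
    """'interest' allows cookie-based targeting; 'contextual' forbids it."""
    if not in_eu(ip):
        return "interest"  # the post applies the gate only to EU visitors
    rec = log.latest(visitor_id)
    # No record means the visitor never said YES: serve contextual ads only.
    return "interest" if rec is not None and rec.granted else "contextual"
```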
That sounds complicated, how do I do this?
Luckily, there has been an influx of technology and ideas that have quickly started to provide the infrastructure needed to manage all of these new regulations.
A CMP (consent management platform) is a brand new term for software built exclusively to manage visitor privacy permissions.
Is there a free consent management platform?
For publishers, the best available is a free app from Ezoic (no cost and no weird strings attached).
The Ezoic consent management platform app is a free application inside the Ezoic app store that gives publishers the ability to configure and set up privacy and cookie permissions for visitors to comply with GDPR regulations, starting with a consent module.
Since most websites lack the ability to map IPs to locations and swap out ad tags based on a visitor’s consent selections, Ezoic’s Consent Management Platform does this automatically to help publishers establish GDPR compliance. Create a free account and access it now.
Will the Ezoic consent management app work for my website?
Yes. If by “work” you mean… “gives you an application that allows you to display pop-ups, manage cookies and permissions, and automatically display ads in accordance with user preferences”.
The app works with all websites. It doesn’t matter what type of CMS or host you have.
The app is downloadable in the Ezoic app store for free.
It provides deep controls over how it is deployed to users too, meaning you won’t have to use it on traffic based in the U.S. unless you want to for some reason.
It also gives publishers the ability to modify and customize the pop-ups and permission requests that visitors see.
Ultimately, the Ezoic consent management app is designed to help publishers become compliant with European GDPR rules by managing the data and permissions set forth in the regulation.
The app has a bunch of custom controls and should allow publishers to manage the most complex parts of GDPR pretty easily.
Every company, website, and legal entity is different and has different data collection requirements under GDPR regulations. Ezoic is simply a tool that publishers can freely use to control user permissions and other important GDPR regulatory statutes.
What about stuff unrelated to ads, like website comments?
Website comments, newsletters — all of this stuff — it falls under these regulations.
This is why we’ve all gotten so many emails letting us know about companies that updated their privacy policy recently.
WordPress users are in a particularly tough spot, as they deal with plugins like Contact Form 7 and other commenting tools that collect PII from visitors (an e-mail address is often required to comment).
Fortunately, there is a swell of new GDPR-based plugins built to help manage permissions for these tools.
While I can’t speak to the legal significance, effectiveness, or practicality of any of these plugins, I did find one recently that does seem to have some nice controls for WordPress users concerned about GDPR compliance and managing their comments sections.
As for a newsletter, it will all depend on how you’ve collected the e-mail addresses for the newsletter to begin with.
Did the subscriber agree to terms?
Did the subscriber consent to be contacted in the form that you regularly contact them?
A lot of publishers are asking for subscribers to “re-subscribe”; although I’m sure these conversion rates are low.
It’s really important to ensure that everyone you subscribe to your newsletter now goes through proper protocols. This includes things like double opt-ins, no pre-checked boxes, and a better explanation of how you plan to use their PII (e-mail).
Unfortunately, these rules don’t just apply to new subscribers; they apply to all existing subscribers too.
Many email marketing platforms, like MailChimp, will have their own advice and processes that may be able to help with this.
I would recommend starting there for newsletters.
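The “proper protocols” described above (double opt-in, no pre-checked box, a clear statement of how the e-mail will be used), as an added example that is not from the original post or any mailing provider: sign-up only creates a pending request, the address joins the list after the token e-mailed to it is confirmed, and each subscription keeps the consent evidence. Sending the e-mail is left out; the class and helper names are this example’s own.

```python
"""Added example, not from the original post: a double opt-in newsletter
flow that records consent evidence. Names are this example's own."""
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Text shown next to the (unchecked) consent box; stored with each subscription.
PURPOSE = "Weekly newsletter. We use your e-mail address for this and nothing else."

@dataclass
class Pending:
    email: str
    token: str
    purpose_shown: str
    requested_at: datetime

class Newsletter:
    def __init__(self, confirm_window=timedelta(hours=48)):
        self.window = confirm_window
        self.pending = {}      # token -> Pending request
        self.subscribers = {}  # email -> consent evidence

    def request(self, email, consent_box_checked):
        # The box must be ticked by the user; a pre-checked box is not consent.
        if not consent_box_checked:
            raise ValueError("consent box not ticked")
        token = secrets.token_urlsafe(32)
        self.pending[token] = Pending(email, token, PURPOSE, datetime.now(timezone.utc))
        return token  # would be e-mailed to `email`, never displayed on the page

    def confirm(self, token, when=None):
        """Second opt-in: the link in the e-mail proves control of the address."""
        when = when or datetime.now(timezone.utc)
        match = next((p for t, p in self.pending.items()
                      if hmac.compare_digest(t, token)), None)
        if match is None:
            return False
        del self.pending[match.token]          # tokens are single-use
        if when - match.requested_at > self.window:
            return False                       # stale link: start over
        self.subscribers[match.email] = {"purpose_shown": match.purpose_shown,
                                         "requested_at": match.requested_at,
                                         "confirmed_at": when}
        return True

    def unsubscribe(self, email):
        return self.subscribers.pop(email, None) is not None
```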
When do I have to be GDPR compliant?
May 25th, 2018, so… already.
Bummer, right?
This is sneaking up on a lot of publishers.
It shouldn’t be ignored. You can start taking the right steps today, and the process should be relatively painless, especially if you use the Ezoic app.
Was that a full GDPR summary, is that it?
Unfortunately, that’s not everything.
That’s just most of the big stuff for publishers.
It would be really difficult for me to cover every scenario and issue. From a legal standpoint, the thought of that is terrifying.
However, you can use the above info to help make sure your website is doing the things necessary to align with GDPR guidelines.
Questions or concerns? Yeah, you and everyone else.
Leave your comments below and I’ll do my best to provide answers and resources. Unfortunately, I cannot provide legal advice.