On May 25, the General Data Protection Regulation will go into effect. The culmination of years of negotiations and debate, the GDPR will establish a new set of rules regarding the way companies can collect and use data in the European Union.
The idea is to establish a single standard across the EU which will help protect the privacy of consumers and make it easier for companies to do business in the EU market by eliminating the need to deal with different national regulations.
But many publishers worry that the GDPR will actually have the opposite effect.
The GDPR includes a sweeping set of provisions designed to protect consumers and their data. Companies collecting data from people inside the EU will now have to inform anyone accessing their services or website of exactly how they plan to use their data and acquire consent for each specific use.
This is of special concern for publishers, who rely on cookies to gather information for site analytics, reporting, and advertising. According to the GDPR, people accessing a publisher’s website now have more options when it comes to controlling how publishers use their data on their site. In fact, companies won’t even be permitted to use information from people who give their permission unless the data subject also enables cookies in their browser privacy settings.
And the fact is that many people don’t like being repeatedly asked for permission to enable cookies when accessing websites. This might mean that many will disable them in their browser settings, limiting the ability of publishers to compete for advertising.
Not only could the new provisions in the GDPR limit ad revenue, but they could also shift significant cost burdens onto publishers when it comes to how they manage the data they do collect.
Under the GDPR, not only do people have to consent to the use of their data, the data they do give has to be carefully protected. One of the provisions of the GDPR is that data from a subject has to be encrypted and kept separate from any information that might let a third party identify them from that data. In addition, companies have just 72 hours to notify the supervisory authority of any potential breaches of their data.
The GDPR also levies heavy penalties on companies that fail to comply with these regulations. The maximum fine for violations of the GDPR is 20 million euros or 4% of the company’s annual financial turnover, depending on which is larger.
All of this means that Data protection officers will likely become an important position at any publisher who does business in the EU. DPOs will be necessary to ensure that all data collected and the way it is used is in compliance with the new regulations. Of course, hiring a new DPO and a supporting team isn’t cheap, and many publishers have chosen to begin outsourcing the role instead.
In addition to the financial costs, the GDPR may open the door to several unintended side effects.
First, the regulations may give large corporations an advantage over smaller publishers when it comes to competing for advertising. Unlike many publishers, these larger corporations rely less on collecting data through cookies and more on direct login data. And while Google and Facebook will have to abide by the same rules, it likely won’t affect their revenue as much as smaller publishers.
Second, the fact that access to customers will be blocked by browser settings essentially sets up browser providers as gatekeepers. Some have suggested that browser providers may eventually use this to charge publishers for access to visitors to their site.
But for all the doom and gloom predictions surrounding GDPR, many industry experts are predicting that the actual effects won’t really devastate digital media companies. And after a brief period of initial confusion, companies will likely adapt to the new rules.
Regulations regarding data privacy will continue to evolve, and publishers will have to evolve as well.