How one of the world’s biggest news networks handled GDPR

Media Hacks
3 min read · May 22, 2018

GDPR (General Data Protection Regulation) has invaded the publishing industry, forcing digital companies large and small to rethink their user data management practices, and to consider what happens next if the EU’s privacy-shield guidelines expand to markets in other geos.

I’ve spent the past 45 days reviewing GDPR compliance expectations, solution planning, and shipping GDPR-safe user experiences that will ensure we don’t cross any legal lines when the law goes into effect May 25.

There’s more than one way to “comply”

In practice, there are two approaches to handling GDPR:

1. Opt-In Compliance

The lift to become opt-in compliant is significant, and includes (among other things):

Creating a new binary opt-in process for every EU user that explains in detail every way a site or app is splicing your user data. This includes cookies, newsletter or subscription information, general tracking (critical business information like page views, unique users and time spent on site), and most importantly to publishers and ad networks, all the personal user info that’s ingested to serve relevant ad experiences.

Forbes.com
Additionally, digital properties must notify regulators within 72 hours of a possible data breach, support consumer inquiries for access to (and copies of) tracked personal data, and offer the right to expunge all collected data at the user’s request.

However, once a user opts in, it’s all gravy, and publishers can operate (more or less) as they did pre-GDPR, ads and all.

OR

2. No-Track Handling

No-track handling centers on killing all tracking/data collection scripts. Anything and everything that can personally identify a user.

Goodbye to all user data (when and who visited your site).

Adios newsletters, browser notifications, comments, forums, and other user engagement tools.

Auf Wiedersehen to all story recirculation modules (these use cookies to personalize content, to improve site experience).

And farewell to all advertisements (revenue).

Restructuring our core content templates — which is what this requires — is a massive undertaking.

But with fines of (up to) 4% of total global revenue (for a company of our size, this is tens of millions of $s) for each infraction, the stakes are high.

Considering the risk, our legal department opted for option #2.

Before and after

On May 25th, we’ll launch a new post template, which will be exclusively delivered to EU users.

Using geo-detection (via IP), we’ll identify a user’s location upon site entry, and exclude all tracking elements and ads from the page delivery.
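The routing decision described above, written out as an added example (not the network's own code). The geo table, the trusted proxy range, the template names and the EU country list are assumptions; an unknown location falls back to the no-track template.

```python
import ipaddress

# EU member states as of May 2018 (assumed scope; legal decides the real list).
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT "
         "RO SK SI ES SE GB".split())

# Constructed geo table on documentation ranges; production would query a
# GeoIP database instead.
GEO = [(ipaddress.ip_network(n), c) for n, c in [
    ("192.0.2.0/24", "DE"), ("198.51.100.0/24", "US"), ("2001:db8::/32", "FR")]]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed CDN/LB range


def _parse(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(peer, xff=""):
    """Return the address to geolocate, honouring X-Forwarded-For only
    when the direct peer is one of our own proxies."""
    addr = _parse(peer)
    if addr is None or not any(addr in n for n in TRUSTED_PROXIES):
        return addr
    # Walk right to left: the first hop that is not ours is the client.
    for hop in reversed(xff.split(",")):
        hop_addr = _parse(hop)
        if hop_addr is None:
            return None  # malformed chain: treat location as unknown
        if not any(hop_addr in n for n in TRUSTED_PROXIES):
            return hop_addr
    return None


def country(addr):
    return next((c for n, c in GEO if addr is not None and addr in n), None)


def select_template(peer, xff=""):
    """Pick the post template; unknown location fails closed to no-track."""
    cc = country(client_ip(peer, xff))
    return "full" if cc is not None and cc not in EU else "no_track"
```

Any shared cache in front of the page has to key on the selected template as well, otherwise a cached full page can be served to an EU visitor regardless of this check.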

Here’s a quick side by side of what EU consumers will receive when browsing one of our properties.

Next up: GDPR & AMP handling
