For all the media buzz about the General Data Protection Regulation’s (GDPR) impact on different industries, little has been said about the impact on the news media industry itself.
Maybe it’s because publishers are so sanguine about their own readiness: apparently 64% feel confident in their GDPR preparedness by its enforcement date on the 25th May. This is a staggering proportion considering most other industries report somewhere between 15% and 30%.
Or perhaps both the analytical scarcity and brazen optimism come from a common factor: the perception that nothing is really novel in the way that news organisations collect and use data, and that they fit neither uniquely nor appropriately in the GDPR enforcement model. This would be a big mistake. In fact, most news organisations share a combination of distinctive attributes that put them squarely in the scope of the GDPR and force them to comply with even the more stringent GDPR requirements.
Personal Data Use Cases Within A ‘Typical’ News Organisation
To figure out how the GDPR will affect news organisations, let’s go over some assumptions of how a “typical” publisher might work from a personal data perspective.
On a basic level, most if not all news publishers operate on two main revenue models: subscriptions and/or targeted advertising.¹ Both models involve personal data processing as a core functionality, and both process personal data on a regular basis, typically through automated processes that send marketing emails or decide which ads to display. From a cursory level, these considerations make it likely that publishers will need certain big-ticket GDPR items like a data protection officer and a record of how the company handles user data.
Yet unlike other sectors whose smaller firms are typically exempted from these requirements, even small news organisations run a far higher risk of requiring these items. This is due to the high regional saturation of the personal data they gather, which would allow them (or a savvy data broker) to create rich profiles of small regional demographics.
The European Commission seems to share this concern, as its definition of “large scale” processing can be triggered both by absolute volume of personal data processed and volume as a proportion of a specific population. And if “large scale” processing gets triggered along with regular automated processing of personal data, then even small, local outlets will likely need all the bells and whistles for GDPR compliance.
Collecting, Profiling, Personalizing
Operationally, online news platforms start with the same general procedures regardless of their revenue model. When I click on [newssite.com], the website takes my IP address and creates a unique session ID that follows me as I use the website. Even before I reach the site, it reads my location embedded in my IP address and leads me to a personalised version of the homepage for that region. Then, as I navigate the site, I give the organisation information on my interests which can be used to recommend similar articles, related products, or ambiguously correlated ads.
At this point, the revenue model of the website becomes important to determining which GDPR rabbit holes get triggered. If I make my revenue from targeted ads, then the incoming ePrivacy Regulation will force me to give users the ability to opt-out of all cookies unnecessary to website functionality (i.e. the bulk of my money-making cookies, like Google Analytics, DoubleClick, or Adsense).
If I operate on a subscription-based model, then I’m most likely going to collect more – and more sensitive – types of personal data. The Times and Der Spiegel, for instance, require “special category” data like gender in order to register an account. (Interestingly, the BBC doesn’t.)
Often, personal data gathered via registration (e.g. for a newsletter) gets fed into automated processes that are used to personalise homepages, tailor ads, and send targeted emails. If a news organisation decides to combine automated processing with special category data (e.g. by utilising the seemingly innocuous Title metric as a proxy for gender in its algorithms, see below), then the GDPR steps in.
Rather than allowing six “legitimate grounds for processing”, Article 22(4) of the GDPR funnels news organisations into just one: explicit consent. Not only does explicit consent get a lot harder to obtain under the GDPR, but it also requires that outlets provide some of the trickier rights from an implementation perspective (like deletion).
Reaching For A Better Standard Of Transparency
Looking toward the future based on trends in the industry, publishers are only going to fall more squarely within the scope of the GDPR. As publishers look to break their dependence on ad-based revenue models and the third-party platforms,² they’ll fall more heavily on personalisation and robust profile-gathering to attract and keep users on their own sites. This means that they’re going to have to be a lot more transparent about the types of data they collect and why.
It also means they need to explain the currently opaque algorithms they use to personalise homepages and profile users. Moreover, they’ll need to focus on enabling technical means to provide rights like deletion of user data and cookie opt-out, and determine whether they need a data protection officer or a record of their processing activities.
If these considerations have already been addressed by 64% of the news industry operating in Europe, then my hat’s off to them. Otherwise (and to the other 36%), I’d recommend you get started because you’ve got a lot to do.
¹ According to Newman (2018, p.5), these models, coupled with branded/sponsored content, comprise the most important factors in a news organisation’s revenue stream.
² See Newman (2018), p.5.
Disclaimer: The author works for Sovy, a regulatory technology startup. The author’s views are his alone and do not reflect or represent those of the EJO or Sovy.
Tags: Ads, Advertising, Cookies, Data protection, Eu, European Union, GDPR, General Data Protection Regulation, Google Analytics, Media outlets, news organisations, Personalisation, privacy, Publisher, Targeting