© Screenshot
For all the media buzz about the General Data Protection Regulation’s (GDPR) impact on different industries, little has been said about the impact on the news media industry itself.
Maybe it’s because publishers are so sanguine about their own readiness: apparently 64% feel confident in their GDPR preparedness by its enforcement date on the 25th May. This is a staggering proportion considering most other industries report somewhere between 15% and 30%.
Or perhaps both the analytical scarcity and brazen optimism come from a common factor: the perception that nothing is really novel in the way that news organisations collect and use data, and that they fit neither uniquely nor appropriately in the GDPR enforcement model. This would be a big mistake. In fact, most news organisations share a combination of distinctive attributes that put them squarely in the scope of the GDPR and force them to comply with even the more stringent GDPR requirements.
(For those living under a rock, the GDPR is the European Union’s incoming data protection law that increases the scope, breadth, and depth of rights that businesses need to give to their European customers, along with stricter penalties for noncompliance.)
Personal Data Use Cases Within A ‘Typical’ News Organisation
To figure out how the GDPR will affect news organisations, let’s go over some assumptions of how a “typical” publisher might work from a personal data perspective.
On a basic level, most if not all news publishers operate on two main revenue models: subscriptions and/or targeted advertising.¹ Both models involve personal data processing as a core functionality, and both process personal data on a regular basis, typically through automated processes that send marketing emails or decide which ads to display. From a cursory level, these considerations make it likely that publishers will need certain big-ticket GDPR items like a data protection officer and a record of how the company handles user data.
A “just-in-time” notice, informing users clearly and concisely why each piece of personal data is needed at the time of collection – © Screenshot/BBC
Yet unlike other sectors whose smaller firms are typically exempted from these requirements, even small news organisations run a far higher risk of requiring these items. This is due to the high regional saturation of the personal data they gather, which would allow them (or a savvy data broker) to create rich profiles of small regional demographics.
The European Commission seems to share this concern, as its definition of “large scale” processing can be triggered both by absolute volume of personal data processed and volume as a proportion of a specific population. And if “large scale” processing gets triggered along with regular automated processing of personal data, then even small, local outlets will likely need all the bells and whistles for GDPR compliance.
Collecting, Profiling, Personalizing
Operationally, online news platforms start with the same general procedures regardless of their revenue model. When I click on [newssite.com], the website takes my IP address and creates a unique session ID that follows me as I use the website. Even before I reach the site, it reads my location embedded in my IP address and leads me to a personalised version of the homepage for that region. Then, as I navigate the site, I give the organisation information on my interests which can be used to recommend similar articles, related products, or ambiguously correlated ads.
At this point, the revenue model of the website becomes important to determining which GDPR rabbit holes get triggered. If I make my revenue from targeted ads, then the incoming ePrivacy Regulation will force me to give users the ability to opt-out of all cookies unnecessary to website functionality (i.e. the bulk of my money-making cookies, like Google Analytics, DoubleClick, or Adsense).
If I operate on a subscription-based model, then I’m most likely going to collect more – and more sensitive – types of personal data. The Times and Der Spiegel, for instance, require “special category” data like gender in order to register an account. (Interestingly, the BBC doesn’t.)
A wealth of trackers on the UK website of Business Insider – © Screenshot
Often, personal data gathered via registration (e.g. for a newsletter) gets fed into automated processes that are used to personalise homepages, tailor ads, and send targeted emails. If a news organisation decides to combine automated processing with special category data (e.g. by utilising the seemingly innocuous Title metric as a proxy for gender in its algorithms, see below), then the GDPR steps in.
Rather than allowing six “legitimate grounds for processing”, Article 22(4) of the GDPR funnels news organisations into just one: explicit consent. Not only does explicit consent get a lot harder to obtain under the GDPR, but it also requires that outlets provide some of the trickier rights from an implementation perspective (like deletion).
From the Times registration page (2 May 2018). Note the lack of transparency in describing why they need the information – © Screenshot
Reaching For A Better Standard Of Transparency
Looking toward the future based on trends in the industry, publishers are only going to fall more squarely within the scope of the GDPR. As publishers look to break their dependence on ad-based revenue models and the third-party platforms,² they’ll fall more heavily on personalisation and robust profile-gathering to attract and keep users on their own sites. This means that they’re going to have to be a lot more transparent about the types of data they collect and why.
It also means they need to explain the currently opaque algorithms they use to personalise homepages and profile users. Moreover, they’ll need to focus on enabling technical means to provide rights like deletion of user data and cookie opt-out, and determine whether they need a data protection officer or a record of their processing activities.
If these considerations have already been addressed by 64% of the news industry operating in Europe, then my hat’s off to them. Otherwise (and to the other 36%), I’d recommend you get started because you’ve got a lot to do.
¹ According to Newman (2018, p.5), these models, coupled with branded/sponsored content, comprise the most important factors in a news organisation’s revenue stream.
² See Newman (2018), p.5.
Disclaimer: The author works for Sovy, a regulatory technology startup. The author’s views are his alone and do not reflect or represent those of the EJO or Sovy.
Sign up for the EJO’s regular monthly newsletter or follow us on Twitter.
All the News That’s Fit For GDPR Compliance
May 3, 2018 • Comment, Media Economics, Recent, Specialist Journalism • by Edward Percarpio
© Screenshot
For all the media buzz about the General Data Protection Regulation’s (GDPR) impact on different industries, little has been said about the impact on the news media industry itself.
Maybe it’s because publishers are so sanguine about their own readiness: apparently 64% feel confident in their GDPR preparedness by its enforcement date on the 25th May. This is a staggering proportion considering most other industries report somewhere between 15% and 30%.
Or perhaps both the analytical scarcity and brazen optimism come from a common factor: the perception that nothing is really novel in the way that news organisations collect and use data, and that they fit neither uniquely nor appropriately in the GDPR enforcement model. This would be a big mistake. In fact, most news organisations share a combination of distinctive attributes that put them squarely in the scope of the GDPR and force them to comply with even the more stringent GDPR requirements.
Personal Data Use Cases Within A ‘Typical’ News Organisation
To figure out how the GDPR will affect news organisations, let’s go over some assumptions of how a “typical” publisher might work from a personal data perspective.
On a basic level, most if not all news publishers operate on two main revenue models: subscriptions and/or targeted advertising.¹ Both models involve personal data processing as a core functionality, and both process personal data on a regular basis, typically through automated processes that send marketing emails or decide which ads to display. From a cursory level, these considerations make it likely that publishers will need certain big-ticket GDPR items like a data protection officer and a record of how the company handles user data.
A “just-in-time” notice, informing users clearly and concisely why each piece of personal data is needed at the time of collection – © Screenshot/BBC
Yet unlike other sectors whose smaller firms are typically exempted from these requirements, even small news organisations run a far higher risk of requiring these items. This is due to the high regional saturation of the personal data they gather, which would allow them (or a savvy data broker) to create rich profiles of small regional demographics.
The European Commission seems to share this concern, as its definition of “large scale” processing can be triggered both by absolute volume of personal data processed and volume as a proportion of a specific population. And if “large scale” processing gets triggered along with regular automated processing of personal data, then even small, local outlets will likely need all the bells and whistles for GDPR compliance.
Collecting, Profiling, Personalizing
Operationally, online news platforms start with the same general procedures regardless of their revenue model. When I click on [newssite.com], the website takes my IP address and creates a unique session ID that follows me as I use the website. Even before I reach the site, it reads my location embedded in my IP address and leads me to a personalised version of the homepage for that region. Then, as I navigate the site, I give the organisation information on my interests which can be used to recommend similar articles, related products, or ambiguously correlated ads.
At this point, the revenue model of the website becomes important to determining which GDPR rabbit holes get triggered. If I make my revenue from targeted ads, then the incoming ePrivacy Regulation will force me to give users the ability to opt-out of all cookies unnecessary to website functionality (i.e. the bulk of my money-making cookies, like Google Analytics, DoubleClick, or Adsense).
If I operate on a subscription-based model, then I’m most likely going to collect more – and more sensitive – types of personal data. The Times and Der Spiegel, for instance, require “special category” data like gender in order to register an account. (Interestingly, the BBC doesn’t.)
A wealth of trackers on the UK website of Business Insider – © Screenshot
Often, personal data gathered via registration (e.g. for a newsletter) gets fed into automated processes that are used to personalise homepages, tailor ads, and send targeted emails. If a news organisation decides to combine automated processing with special category data (e.g. by utilising the seemingly innocuous Title metric as a proxy for gender in its algorithms, see below), then the GDPR steps in.
Rather than allowing six “legitimate grounds for processing”, Article 22(4) of the GDPR funnels news organisations into just one: explicit consent. Not only does explicit consent get a lot harder to obtain under the GDPR, but it also requires that outlets provide some of the trickier rights from an implementation perspective (like deletion).
From the Times registration page (2 May 2018). Note the lack of transparency in describing why they need the information – © Screenshot
Reaching For A Better Standard Of Transparency
Looking toward the future based on trends in the industry, publishers are only going to fall more squarely within the scope of the GDPR. As publishers look to break their dependence on ad-based revenue models and the third-party platforms,² they’ll fall more heavily on personalisation and robust profile-gathering to attract and keep users on their own sites. This means that they’re going to have to be a lot more transparent about the types of data they collect and why.
It also means they need to explain the currently opaque algorithms they use to personalise homepages and profile users. Moreover, they’ll need to focus on enabling technical means to provide rights like deletion of user data and cookie opt-out, and determine whether they need a data protection officer or a record of their processing activities.
If these considerations have already been addressed by 64% of the news industry operating in Europe, then my hat’s off to them. Otherwise (and to the other 36%), I’d recommend you get started because you’ve got a lot to do.
¹ According to Newman (2018, p.5), these models, coupled with branded/sponsored content, comprise the most important factors in a news organisation’s revenue stream.
² See Newman (2018), p.5.
Disclaimer: The author works for Sovy, a regulatory technology startup. The author’s views are his alone and do not reflect or represent those of the EJO or Sovy.
Sign up for the EJO’s regular monthly newsletter or follow us on Twitter.
Tags: Ads, Advertising, Cookies, Data protection, Eu, European Union, GDPR, General Data Protection Regulation, Google Analytics, Media outlets, news organisations, Personalisation, privacy, Publisher, Targeting
About the Author
Edward Percarpio
Related Posts
The impact of competing tech regulations in the...
Toxic Europeanisation – coverage of the 2019 EU...
Media pluralism ‘increasingly under threat across Europe’
Sad farewell or new dawn? Europe’s media reflect...
The new tool helping outlets measure the impact of investigative...
October 22, 2023
Audit of British Tory MP demonstrates the power of investigative...
September 13, 2023
The impact of competing tech regulations in the EU, US...
September 12, 2023
Enough ‘doomer’ news! How ‘solutions journalism’ can turn climate anxiety...
August 31, 2023
Student perspective: How Western media embraced TikTok to reach Gen...
August 19, 2023
Lessons from Spain: Why outlets need to unite to make...
July 26, 2023
INTERVIEW: Self-censorship and untold stories in Uganda
June 23, 2023
Student Perspective: Job insecurity at the root of poor mental...
June 9, 2023
The battle against disinformation and Russian propaganda in Central and...
June 1, 2023
Opinion: Why Poland’s rise on the Press Freedom Index is...
May 17, 2023
From ChatGPT to crime: how journalists are shaping the debate...
April 25, 2023
Student perspective: Supporting the journalists who face hopelessness, trauma and...
April 13, 2023
Interview: Why young people in Bosnia and Herzegovina feel they...
March 29, 2023
Humanitarian reporting: Why coverage of the Turkey and Syria earthquakes...
March 8, 2023
How women journalists in Burkina Faso are making a difference...
January 11, 2023
Dispelling the ‘green’ AI myth: the true environmental cost of...
December 29, 2022
New publication highlights the importance of the Black press in...
December 12, 2022
The enduring press freedom challenge: how Japan’s exclusive press clubs...
September 26, 2022
How Journalism is joining forces with AI to fight online...
September 14, 2022
How cash deals between big tech and Australian news outlets...
September 1, 2022
Panel debate: Should journalists be activists?
August 19, 2022
Review: The dynamics of disinformation in developing countries
August 9, 2022
Interview: Are social media platforms helping or hindering the mandate...
July 15, 2022
Policy brief from UNESCO recommends urgent interventions to protect quality...
July 5, 2022
EJO’s statement on Ukraine
February 28, 2022
Study shows European mainstream media ignore humanitarian crises in the...
May 22, 2024
Journalism students see an industry in crisis. It’s time to...
April 18, 2024
Interview: How a summer school is sowing seeds for strong...
March 14, 2024
AI advances have left news publishers fearing for their business...
February 23, 2024
Big comeback for organisation providing invaluable networks to journalism students
January 31, 2024
The new tool helping outlets measure the impact of investigative...
October 22, 2023
Audit of British Tory MP demonstrates the power of investigative...
September 13, 2023
The impact of competing tech regulations in the EU, US...
September 12, 2023
Enough ‘doomer’ news! How ‘solutions journalism’ can turn climate anxiety...
August 31, 2023
Student perspective: How Western media embraced TikTok to reach Gen...
August 19, 2023
Lessons from Spain: Why outlets need to unite to make...
July 26, 2023
INTERVIEW: Self-censorship and untold stories in Uganda
June 23, 2023
Student Perspective: Job insecurity at the root of poor mental...
June 9, 2023
The battle against disinformation and Russian propaganda in Central and...
June 1, 2023
Opinion: Why Poland’s rise on the Press Freedom Index is...
May 17, 2023
From ChatGPT to crime: how journalists are shaping the debate...
April 25, 2023
Student perspective: Supporting the journalists who face hopelessness, trauma and...
April 13, 2023
Interview: Why young people in Bosnia and Herzegovina feel they...
March 29, 2023
Humanitarian reporting: Why coverage of the Turkey and Syria earthquakes...
March 8, 2023
How women journalists in Burkina Faso are making a difference...
January 11, 2023
Dispelling the ‘green’ AI myth: the true environmental cost of...
December 29, 2022
New publication highlights the importance of the Black press in...
December 12, 2022
The enduring press freedom challenge: how Japan’s exclusive press clubs...
September 26, 2022
How Journalism is joining forces with AI to fight online...
September 14, 2022
How cash deals between big tech and Australian news outlets...
September 1, 2022
Panel debate: Should journalists be activists?
August 19, 2022
Review: The dynamics of disinformation in developing countries
August 9, 2022
Interview: Are social media platforms helping or hindering the mandate...
July 15, 2022
Policy brief from UNESCO recommends urgent interventions to protect quality...
July 5, 2022
EJO’s statement on Ukraine
February 28, 2022
13 Things Newspapers Can Learn From Buzzfeed
April 10, 2015
How Data Journalism Is Taught In Europe
January 19, 2016
Why Journalism Needs Scientists (Now)
May 13, 2017
Digitalisation: Changing The Relationship Between Public Relations And Journalism
August 6, 2015
The Lemon Dealers
June 27, 2007
The new tool helping outlets measure the impact of investigative...
October 22, 2023
Audit of British Tory MP demonstrates the power of investigative...
September 13, 2023
The impact of competing tech regulations in the EU, US...
September 12, 2023
Enough ‘doomer’ news! How ‘solutions journalism’ can turn climate anxiety...
August 31, 2023
Student perspective: How Western media embraced TikTok to reach Gen...
August 19, 2023
Lessons from Spain: Why outlets need to unite to make...
July 26, 2023
INTERVIEW: Self-censorship and untold stories in Uganda
June 23, 2023
Student Perspective: Job insecurity at the root of poor mental...
June 9, 2023
The battle against disinformation and Russian propaganda in Central and...
June 1, 2023
Opinion: Why Poland’s rise on the Press Freedom Index is...
May 17, 2023
From ChatGPT to crime: how journalists are shaping the debate...
April 25, 2023
Student perspective: Supporting the journalists who face hopelessness, trauma and...
April 13, 2023
Interview: Why young people in Bosnia and Herzegovina feel they...
March 29, 2023
Humanitarian reporting: Why coverage of the Turkey and Syria earthquakes...
March 8, 2023
How women journalists in Burkina Faso are making a difference...
January 11, 2023
Dispelling the ‘green’ AI myth: the true environmental cost of...
December 29, 2022
New publication highlights the importance of the Black press in...
December 12, 2022
The enduring press freedom challenge: how Japan’s exclusive press clubs...
September 26, 2022
How Journalism is joining forces with AI to fight online...
September 14, 2022
How cash deals between big tech and Australian news outlets...
September 1, 2022
Panel debate: Should journalists be activists?
August 19, 2022
Review: The dynamics of disinformation in developing countries
August 9, 2022
Interview: Are social media platforms helping or hindering the mandate...
July 15, 2022
Policy brief from UNESCO recommends urgent interventions to protect quality...
July 5, 2022
EJO’s statement on Ukraine
February 28, 2022
Africa Stereotypes in the European media
July 25, 2013
Hyperlocal radio puts down roots in Romania
December 11, 2019
Bridging Political Coverage and Cynical News Consumers
June 5, 2014
How Austria’s Tabloids Helped the Far-Right Win the Election
December 7, 2017
Everyone loves well-told stories
October 24, 2006
Operated by
Funded by
Newsletter
Find us on Facebook
Archives
Links