In the last few months, the word “GDPR” has been very popular among digital companies. This acronym stands for General Data Protection Regulation, a new European regulation aimed at protecting the privacy of EU citizens and giving them more control over the usage of their personal data on the internet.

The GDPR has been promoted by the European Union, and it is of enormous interest for the entire digital market. It affects all the companies that use European users’ data for marketing activities. Unfortunately, as often happens with new laws and regulations, there’s still a lot of confusion around it. Many digital companies are still struggling to understand how to be compliant with GDPR and what effects this regulation may have on their business.

In this post, we will explain what GDPR is and why it is important for publishers.



What GDPR is

Oversimplifying the concept, GDPR is a set of rules that harmonize and strengthen data protection for individuals across Europe. It went into effect on May 25th 2018. Compared to previous European data protection laws, GDPR shows some important differences.

First of all, GDPR expands the definition of personal data to IP addresses, cookies, mobile ad IDs and more. Additionally, GDPR is extra-territorial, meaning that it applies to all companies processing personal data of European Economic Area users, regardless of the companies’ location (for example, it applies to an American publisher the moment a French user visits its website). Also, it sets higher standards for user consent, which must be “specific, informed, unambiguous, active and freely given” and easy to withdraw at any time. Last but not least, GDPR introduces stiff fines for non-compliance, up to 20 million Euros or 4% of global revenue.

The regulation applies to every company that collects and uses user data for targeted marketing activities, including ads. For this reason, every publisher that serves personalized ads to European users, either directly or by using partners (Google AdSense, Criteo, etc.), is affected by GDPR and must comply with it.

How GDPR has been interpreted in different countries

GDPR is quite a complex regulation. But one of its fundamental points is that publishers and vendors are required to obtain explicit authorization from users in order to collect and use their data for providing personalized experiences. This requirement was interpreted and implemented in different ways across the globe.

In some countries, addressing the GDPR issue was relatively easy. In Italy, for example, there already was another privacy regulation that required publishers to inform their users about tracking activities: it’s the national “Cookie Law”, which went into effect in 2015. And according to IAB (the association of the digital advertising companies), the appropriate application of this law is sufficient to meet the privacy requirements of GDPR.

But in countries that did not have such privacy laws, the situation was a little more complex. For the first time, publishers had to ask every tracked user for specific authorizations. And each company did it in a different way. Some showed their users “opt-in” messages (such as: “We ask your authorization to…”), others displayed messages that asked to “opt-in” or “opt-out” (to give or deny consent), and others gave the possibility to deny specific kinds of cookies or the usage of cookies for specific purposes. There was a group that even settled things once and for all, blocking any tracking and personalized ad serving to every European user (in some cases blocking content as well).

GDPR according to Google

Among the publishers and vendors that were required to comply with GDPR, there’s obviously Google, which employs users’ insights to render its ads more targeted and effective.

For its own digital properties, such as YouTube or, Google takes the responsibility of seeking user consent by itself. On the other hand, when a third-party media owner employs the company’s ad solutions, such as AdSense, Google says the publisher should ask users for authorization. Nevertheless, Google developed some general guidelines to help publishers collect users’ consent, as explained on the site

According to Google, the most appropriate way to go is by using a series of pop-up messages that appear when a user enters a website. The first pop-up provides a general explanation of how data are handled, with a link to obtain more detailed information (including a list of all the publisher’s partners that could access the data). This pop-up also has to allow the user to give or deny consent with specific buttons. If the user does not authorize the usage of data, a new pop-up will inform them that, because of that choice, only non-personalized ads will be shown and cookies won’t be used for targeting purposes.

GDPR according to IAB

In order to make the GDPR compliance process coherent across the market, IAB Europe developed the “Transparency and Consent Framework”, a standard to easily collect consent from users and share it with the rest of the supply chain.

According to IAB, there are three kinds of companies involved in the process: publishers, vendors (tech providers such as DSPs, SSPs, DMPs, ad servers etc.) and CMPs (Consent Management Providers, i.e. companies that can read and/or set a user’s consent status for the vendors chosen by a website operator, and share that information within the advertising ecosystem).

By applying this framework, publishers can inform their users of what data are being collected, what vendors are going to use them and why. For each one of these items, users can give or deny consent, and their choice could then be shared with the other players of the advertising market.

The adoption of this framework is growing among vendors and CMPs. Google itself should embrace it starting from August 2018.

How GDPR affects publishers and their ad revenue

For publishers, being compliant with GDPR is absolutely required if there are European users within their audience. Otherwise, they could face very hefty fines. But beyond this monetary aspect, there is also another reason why media owners should meet the requirements of this regulation. Giving users more information and control over the usage of their data could improve their relationship with the publishers and increase trust in digital advertising, two factors that are really important for the survival of the entire online ecosystem.

Nevertheless, when the market started to tackle the GDPR issue, most companies worried that asking users for authorization could negatively affect the advertising ecosystem, thus jeopardizing the possibility of monetizing digital properties. Common questions were: will users be willing to share their data? Will there be a lower number of targeted ads? Will there be any economic damage for publishers?

It turned out that, after a (probably normal) short period of confusion in the first few days after the regulation took effect, during which there actually was a drop in ad buying, the situation started to normalize. The response from users was not that negative, and the market began to slowly adapt to the new dynamics. However, it’s still too early to draw any long-term conclusions.

What publishers have to do to be compliant with GDPR

In the end, the GDPR issue is critical for publishers, regardless of whether they are based inside or outside the EU borders. But what do publishers have to do to be compliant with this regulation?

Certainly, a good strategy is to adopt a CMP registered with IAB’s framework. Clickio is an IAB-approved partner, and offers its clients a specific tool that allows them to set consent workflows quickly and easily. Let’s take a look at it.

Clickio GDPR Consent Tool

Clickio Consent Tool is a solution that allows publishers to be fully compliant with GDPR in an easy and flexible way. It collects consent and shares it both with IAB Framework vendors and with Google Ads products. Clickio is officially registered as an IAB Consent Management Provider.

Clickio Consent Tool offers full compliance with Google EU user consent policy and with the requirements of other demand partners. It provides publishers with great flexibility to make their own choices. You can choose the consent flow recommended by Google at, as well as many alternative approaches.

If you want more information about Clickio Consent Tool, check out this website or contact us.