
Changes in the GDPR and how it affects digital media

ePrivacy, cookies and advertising revenues

08/05/2018

What is ePrivacy and how does it affect the GDPR?

 

Hello! What's going on?

Now that we are immersed in a series of important and certainly "unfriendly" changes for the world of online advertising, more news keeps coming. To adblockers such as Chrome's native adblocker and the display advertising rules of the Coalition for Better Ads, we now have to add the changes in the ePrivacy Directive, the European data protection regulation originally intended to protect the content of electronic communications and privacy on the Internet.

All this will be reflected in the GDPR (General Data Protection Regulation), which comes into force on May 25, 2018. Even so, legislative changes like these always require a period of adaptation, and many of the measures are somewhat ambiguous. Until it is clear what they are and how they have to be applied, the decision to carry them out is considered each company's own responsibility. Still, it is always better to be safe than sorry, and with financial penalties involved, it is better to be alert.

The new regulation will affect all companies in the digital environment that collect offline and online data, from European citizens inside and outside the EU, as well as existing processes in terms of data processing, management and storage regardless of sector or context.

The sum of all these factors, added to users' new habits of information consumption, is a perfect storm that invites reflection on the short-term profitability of online advertising, where digital media will be especially impacted.

What do you need to know regarding the application of the new regulations?

There is less than a month left before the new regulation applies, and it is important that you are clear about a series of considerations. A priori, these are the most important ones:

  • Have clear and detailed information on the data processing carried out by your company.

  • Inform the person in charge of data management about the new regulation.
  • Collect data with explicit and identifiable consent:

    • Opt in (e.g.: a form that the user voluntarily fills in to receive a newsletter)

    • Double Opt in (e.g.: the double confirmation required to finalize registration for a service, using an email that includes a confirmation link and a text that clearly explains the purpose and use of the data and who is responsible for the file).
  • Prioritize Privacy by Design in your environment, i.e., when you consider the design or new implementations, put data management and privacy regulations before the look & feel or the technical part.
  • Prioritize Privacy by Default, i.e., data protection is automatic and activated at the maximum level, leaving the user free to choose whether to lower the level of protection, without having to read the privacy policies.

What data will be affected?

Initially, the data involved are the most common and are used to gain knowledge and track the preferences and browsing habits of users.

  • Cookies

  • IP Addresses

  • Geolocation data

  • E-mail

  • MAC addresses (device and model)

  • Mobile IMEI

  • Tracking pixels

  • Unwanted commercial communications (automated calls, SMS, or e-mails) will continue to require prior consent, and the right to object (Opt out)

  • The processing of explicit user data: personal experiences, health problems, sexual preferences and political opinions.

On the other hand, new concepts such as "electronic communications metadata" are introduced to replace the concept of "traffic data" and it is established that this metadata may be processed for security reasons, to detect technical failures and to prevent fraud or abuse of a service (with the user's prior consent).

How does the new GDPR affect the use of cookies, privacy policy and legal notice?

The GDPR establishes that the media and advertisers must obtain the consent of each user to use their personal data. This consent cannot be generic, such as "by browsing this website you accept the use of cookies". Acceptance must now be given in advance, and the user must be informed of each of the purposes separately:

  • Mandatory cookies: Secure login, point of purchase navigation...
  • Functional Cookies: They remember the login data, the contents of the shopping cart and ensure the formal and structural aspect of the page...
  • Advertising Cookies: Allow sharing pages with social networks, post comments and offer the user advertising according to their interests.
  • Others...

On the other hand, a distinction is made between first-party and third-party cookies:

If the cookies are your own (such as login cookies), as long as you preserve the anonymity of the users you only need to inform them through the legal notice or the privacy policy of your media. If the cookies, whether your own or third-party, identify the user, then you are obliged to inform clearly and request explicit consent from the user.

Despite this, the new ePrivacy regulation proposes a generic consent, which would have to be given through the browser, but without the user being able to know the scope of the installation of cookies and their multiple purposes. This is one of the points of ambiguity in the new regulation that is still on the table today.

On the other hand, from now on a legal notice must also be included in the footer of e-mails, stating the reason for the communication and how the data is processed.

Finally, you should know that you are also required to send an email to all your mailing lists when you modify the privacy policy, and to automatically delete the recipients who do not explicitly accept it.

How does this data have to be collected and stored?

At this point there are new requirements: the regulations are tightened and your company's responsibility is extended, as the ultimate manager of the data collected, for example, through the Opt in or Double Opt in described above. You are made responsible for the proper enforcement of the new regulations through the figure of the internal or external DPO (Data Protection Officer), who must be able to certify the correct application of ePrivacy. The AEPD provides you with a guide for the correct treatment of data:

  • You have to ensure full security of data collection, processing and storage in the EU and outside (if set out in specific clauses) and ensure limited and controlled access to them.

  • Information on the use of data must be transparent, clear and accessible

  • The data collected must be relevant and appropriate to the use for which they have been requested and may be used for specific purposes stated in the consent.

  • Mandatory data encryption (depending on the level)

  • Extensions to the right to be forgotten and portability of user data

  • The obligation to create a record of data processing and inform the AEPD of possible security breaches. To facilitate and clarify the task, the AEPD offers the online tool Facilita.

What can happen if you do not comply with ePrivacy regulations?

As always, it is a matter of financial penalties, which always help to "sensitize" the population to comply with newly implemented regulations. The penalty is doubly detrimental: on the one hand you face a fine of up to 4% of your turnover, and on the other the loss of digital reputation and of your users' trust.

How can all this affect your advertising revenue?

The impact of the proposal on digital media is evident: it reduces their ability to offer quality content and services, and also their ability to generate advertising revenue, which is their main source of funding. The large advertising players (Google, Facebook...) are expected to be limited in their ability to offer personalized and targeted advertising, since users of these platforms will deny their consent to the use of their personal data for advertising purposes, and as a result, the performance of advertising will be lower.

Do you need an IT-Legal Advisor specialized in IT security and Data Protection Law?


Our partner Seinprodat, led by Patricia, is our consultant specialized in IT security and Data Protection Law. If you would like us to contact them to offer you their services, just let us know, or contact them directly to help you resolve your doubts regarding the application of the new GDPR.

If you liked the content, you can share this post on social networks, and a like will also encourage us to continue... it's free, and you know that the best things in life always are.

If you want to suggest a topic that adds value to the day to day of your editorial project you can do it here and if you want to subscribe to our newsletter, just leave a name and an email in the field below, and you will receive the news of our blog before anyone else.

We will continue talking about what we like the most. Will you be there?

See you soon!

And finally, did you know...

In the next posts we will talk about the importance of quality, speed and delivery of content in building loyalty among users of your editorial media, in the current context of maximum competition for the top positions of the featured news carousels, and about how the giants Google, with AMP (Accelerated Mobile Pages), and Facebook, with FIA (Facebook Instant Articles), control the mass distribution of editorial content. We'll talk about it all...
