GDPR Makes Publishers Vulnerable If They Fail To Prepare

“The Sell Sider” is a column written for the sell side of the digital media community.

Today’s column is written by Scott Meyer, founder of Evidon and president of digital governance at Crownpeak.

Concerns around online data collection and how that data fuels the ad economy are hardly new. It’s been nearly a decade since the AdChoices icon became a requirement for any form of cookie-powered online advertising, and it’s been six years since the EU Cookie Law first put the onus on publishers.

Today, the data and advertising industries are looking toward the EU’s coming General Data Protection Regulation (GDPR) and trying to decipher the regulation’s many articles. Some publishers may not be aware of just how important GDPR compliance is to their businesses. Unlike AdChoices or the Cookie Law, the GDPR places liability on the publisher for what happens back in the digital supply chain.

It backs this up with a powerful punch: Fines start at 20 million euros and go up to 4% of global revenue. That could mean lights-out for publishers caught unprepared or unaware, whether they’re based in Europe or here in the US. Fortunately, publishers potentially can avoid catastrophe if they take two actions now.

Examine Their Audience

Disclosures are nothing new to publishers based in the EU – the Cookie Law requires publishers to make it clear the site is collecting data with cookies the instant a consumer lands on the page. The GDPR changes this current policy – now most forms of cookie data can only be collected on an opt-in basis, no matter where a site is based. Any US-based publisher that reaches EU citizens must comply or face those massive penalties.

That is hefty for almost any company, much less money-strapped publishers who must compete against Facebook and Google for ad revenue. Some of the largest US-based online publishers have substantial European audiences that continue to grow. Publishers can’t afford to shut off the ad revenue generated by that audience, nor can they afford the risk of the GDPR’s punitive penalties for serving this audience.

The only way to make an informed decision is by examining their audience makeup to determine the size of their EU audience. Publishers will have to correctly notify European-based readers when they arrive on their sites and offer the proper opt-ins.

But publishers with smaller European audiences will have to decide how important these European consumers are to them. If EU visitors don’t account for a large enough portion of their business, many may simply wait to see how regulators proceed before budgeting for and investing in compliance.

Take Control Of The Data Supply Chain

Beyond having the proper transparency disclosures in place, GDPR compliance will come down to how closely publishers analyze and scrutinize the digital partners they work with. In addition to knowing their audience, publishers must also put effort into knowing who is listening to their audience by dropping cookies and gathering data on their pages.

Because the liability for the digital supply chain falls upon the publishers, they need to ensure that their websites and digital supply chains are locked down and in their control. This starts with knowing which companies are collecting data on sites and apps, what data is being collected and who it’s being shared with.

The GDPR, and its intersection with the Cookie Law, should compel publishers to get a firm grasp on every player that has access to their site, visitor data and ad inventory. Tracker-detecting software can show any consumer that some publishers fire dozens of tags on their pages. Sadly, some publishers don’t seem to be aware of this nor have a clear view into which companies are on their site. This is something many should have done long ago, but the steep GDPR penalties should be the final motivating factor.
If there is a plus for publishers, it’s that the GDPR raises the bar for ad technology. Publishers – both in the US and abroad – can now only afford to work with partners that are GDPR compliant. In all likelihood, vendor contracts will change rapidly. Publishers, tech vendors, agencies and brands will all be adding new language to protect themselves from the huge potential GDPR fines.

As a cost of doing business, anticipate liability and indemnification for regulatory fines to be pushed downstream from the publisher to third-party digital vendors. Publishers will push vendors to represent that they are GDPR compliant in how they control the data. Similarly, ad tech vendors will need to rely on publishers to represent that they have obtained the correct type of consent from users.

By closely examining their audience and taking control over all the technology partners touching their sites, publishers will begin to see that GDPR is as much an issue of consumer experience as it is one of privacy. Yes, the burden is clearly on publishers’ shoulders now, and the consequences could be severe. But removing unwanted third parties and their cookies from their sites will improve load times and on-site performance.

If anything, this should reward loyal consumers who understand the trade-off between anonymous data and free content. Those publishers that take GDPR seriously and get out ahead of the regulations now can reap those rewards.

Follow Evidon (@evidon) and AdExchanger (@adexchanger) on Twitter.

This post was syndicated from Ad Exchanger.