A Publisher’s Guide To GDPR

With Europe’s General Data Protection Regulation (GDPR) set to take effect in a few short months, smart publishers are leaving nothing to chance.

Everyone in the supply chain could be held accountable if they aren’t compliant by May 25, and stakeholders at every level are in a frenzy to renegotiate contracts that protect themselves in case one of their middlemen messes up.

Because of their access to first-party consumer data, publishers in particular need to prove to their clients – and their clients’ agencies – that they’re taking the appropriate steps to comply, or risk losing that business.

Here’s a rundown of what publishers need to do and know.

What Should Publishers Know About GDPR?

GDPR is a regulation intended to give EU citizens more control over their personal data, the definition of which is broadened under the law to include any information that can be used to identify a person, from location data and mobile device IDs to IP addresses, in certain cases. Entities that collect, process and store personal data will become liable for misuse.

[Click here to read our companion “Marketer’s Guide To GDPR,” which has a full definition.]

Publishers should also be mindful of how the regulations apply to two different types of data-facing entity: the controllers that determine how and why personal data should be processed and the processors that do the actual processing on behalf of controllers. Publishers are typically controllers.

Publishers also have to worry about a second body of law called the ePrivacy Directive, aka the cookie law, which handles privacy related to electronic communications, and is in the midst of being revised.

Although the ePrivacy regs would trump GDPR when their respective rules overlap, it’s unlikely that the ePrivacy revision will be completed and codified into law by the time GDPR is implemented, making it difficult for companies to comply with both.

“It’s not that compliance is so complex – it’s the fact that so much is still gray,” said Carola York, managing director of Jellyfish Connect, a UK-based platform that helps publishers drum up digital and print subscriptions.


Bottom line: Publishers should finalize their partner contracts before May.

Because GDPR assigns responsibility for compliance to every member of the supply chain, publishers shouldn’t risk their first-party audience relationships due to a sloppy data partner or ad tech vendor.

The end result will be fewer tags on the page as publishers cut down on the third parties they let into their world.

GDPR compliance is becoming one of the main criteria publishers are using to select the third-party providers they work with, said Matthew Smith, managing director of IDG Connect, a multinational digital media company that owns and operates technology-focused publications, including PCWorld, Computerworld and Macworld.

“In the data space, third-party providers will have to prove the data they are selling is GDPR-compliant,” Smith said, noting that publishers should also have higher standards if they buy data from third-party providers.

But publishers will also need to renegotiate most of their third-party vendor agreements, a process that’s both necessary and a time-consuming administrative headache.

“Not every contract needs to be changed, but they all have to be examined,” said Stefan Benndorf, COO of app marketing platform AppLift. “It’s a lot of relationships and everyone is obviously conducting their own assessments, which means there’s going to be some redundancy.”

Third-party vendor contracts should be revisited even if they’re already compliant under the current privacy regime, because GDPR brings new requirements and considerations that need to be codified, including:

Definitions: Contracts should be updated to reflect the new terminology in use under GDPR, such as the expanded definition of personal data.

Notifications: Vendors are required to help controllers comply with their obligations, including data breach notifications. In the case of a breach, third parties will need to notify the controller as quickly as possible and cooperate with any investigation.

Collaboration: Third parties must help enable controllers to honor the rights of data subjects under GDPR.

Security: Vendors will need to guarantee that the processing methodologies they use are secure and compliant and that anyone involved in the processing of personal data is committed to confidentiality.

Record-keeping: Processors are contractually obligated to keep written records of all processing done on the controller’s behalf and be able to provide documentation of GDPR compliance upon request.

Because shoring up contracts is a ton of work, publishers should work with an independent accounting firm to help audit their partners’ data privacy practices to ensure full compliance.


In addition to getting their contracts in order, publishers will need to be abundantly clear about exactly what they’re collecting and what they plan to do with it, said Julian Morelis, chief commercial officer at subscription management platform MPP Global.

Consent is one of the main legal bases for processing data under GDPR, and consumers must be told exactly what’s going to be done with their data before they can give informed consent.

“Most data processing is outsourced to a third party that collects, stores and manages data on behalf of a data controller, like a publisher,” Morelis said. “The challenge for controllers is ensuring that every contract they have with their processors is solid. This also makes the processor’s life easier when it comes to handling data subject rights, like the right to be forgotten, the right to object to data collection, the right to access and others.”

Data Leakage

When publishers make their inventory available through RTB exchanges, they expose themselves to unauthorized buyers that can exploit their data for audience modeling, insights and retargeting via programmatic bid requests and code inside ads.

Publishers generally rely on their exchange partners to manage data leakage. Contracts with demand-side and supply-side platforms usually include clauses that restrict the usage of bid-stream data. But those contracts are often unclear and leave lots of wiggle room for shady buyers to take advantage.

That setup is not going to fly under GDPR. Until publishers “stop all data leakage, consent has no value to them,” said Johnny Ryan, head of ecosystem at PageFair.

GDPR’s transparency principles mean people must be able to easily learn who has their personal data and what those parties are going to do with it, he said.

“Equally importantly, people must have surety that no other parties receive these data,” Ryan said. “Consent is therefore meaningless unless the data is protected – because unless a website prevents all data leakage, a visitor who gives consent cannot know where their data may end up.”

The potential for data leakage is yet another motivator for publishers to shore up their supply chain.

“If there’s a problem, the first call a data protection authority makes will be to the publisher or the data controller,” Morelis said. “That’s the point at which the publisher will produce its contract with the data processor.”

Companies like Mezzobit (which was recently acquired by OpenX) provide tools that help publishers manage their data collection tags. Consumer-facing tools like the Ghostery browser extension give users the ability to view and block trackers on the sites they visit.

Tech players, including PageFair, Evidon and Tealium, are also proffering privacy tech solutions to help publishers and advertisers get a handle on GDPR compliance.

Is GDPR Good For Publishers?

Despite fear mongering about fantastic fines and the backbreaking back-end work, GDPR is a positive development for publishers, which are in a good position to obtain consent.

“GDPR is just changing how the game is played,” said Dylan Collins, CEO of kid-safe ad platform SuperAwesome. “And that’s going to force the publishers that maybe didn’t have enough respect for their audience before to have respect now.”

It’s also a chance to clean house, said PageFair’s Ryan.

“The GDPR forces publishers to take back control of what happens on their sites,” Ryan said. “This is enormously important for publisher power.”

Enjoying this content?

Sign up to be an AdExchanger Member today and get unlimited access to articles like this, plus proprietary data and research, conference discounts, on-demand access to event content, and more!

Join Today!