New interpretations of privacy within the Cookie Act and GDPR will trigger a wave of tighter scrutiny of how newsrooms analyze editorial data. European authorities already require media companies to ask for consent before tracking website visitors. Here’s what you need to do to be compliant if you have readers in Europe.
Over the summer, the Swedish government clarified its interpretation of the General Data Protection Regulation (GDPR) guidelines and cookie statements.
“For years it was a bit unclear what we could track without the consent of the visitors,” says Magnus Wahlberg, head of data analysis at VK Media.
“As long as we were collecting data to improve our product, the authorities weren’t very strict. But now we need to implement a cookie statement that asks permission to even know that someone is on our website. But in order to improve our journalism, it is important that we know how our audience is behaving. The new interpretations prevent us from doing exactly that.”
This development will affect all online media within the European Union, warns Rob van Eijk. As Managing Director for Europe at the Future of Privacy Forum, he oversees where governments and businesses are moving in terms of data processing. “Unless it is strictly necessary for the website to function, you need user consent. Regardless of whether it is personal data or not,” he says.
What is First Party Data?
“Definitions are sometimes confused, but in general first-party data is the information a website collects for its own purposes and through its own channels,” explains Erik van Heeswijk, CEO of European editorial analytics tool smartocto.
“Third-party data is information that websites share with third parties, such as advertising networks, for their benefit. This has already been controversial in the media, but stricter legal interpretations of first-party data are now a major concern for our customers. It’s important for media to protect the privacy of their visitors while also focusing on and making clear what collecting data is all about: maximizing product relevance.”
Van Eijk believes that media companies are right to be concerned about the issues with first-party data, as civil rights organizations like NOYB (The European Center for Digital Rights) are having success with enforcement requests across Europe. A key reason is that the Court sees the export of data to companies in the United States as problematic, as it considers the data processed by many companies to be less secure.
“Civil rights organizations can use this as a crowbar to file a complaint on top of Europe’s cookie restrictions. The data protection authorities united in the European Data Protection Board have formed a task force to coordinate the processing of enforcement requests. They went from a wait mode to a coordinated enforcement mode and we’re even starting to see fines being imposed.”
For VK in Sweden, a newspaper with 50,000 subscribers (online and offline), this warning is their alarm bell to act quickly. This fall they will implement stricter cookie popups.
“We have to obey the law,” says Wahlberg.
“But it will be a challenge to make sure we keep improving our site for our visitors. We cannot and do not want to let our audience manipulatively say yes with dark patterns to stalk them on our site. But we also know that most visitors simply click ‘No’ when you ask them for permission. We need to make it clear that it’s in their interest to click ‘yes’ to create relevant content for them. Without proper tracking, we cannot segment visitors into age groups and, for example, offer younger people a product that better suits their needs.”
Luckily, there’s more to do than just trying to trick visitors into clicking “yes.” Here are four steps to take:
- Ask a lawyer to help you formulate your goals if you want to avoid fines, advises Rob van Eijk. “Don’t use common terms like ‘first-party tracking’, but explain which data you need for which purpose. In some cases, you may not need to ask for consent. You just have to inform, for example with a banner at the end of the website. A lawyer should clarify to what extent the collection of the data is strictly necessary and has little impact on the privacy of the website visitor.” Here is an example (in Dutch).
- Be vigilant and respect GDPR data processing agreements. “Most websites don’t collect their data. They use third-party providers such as Google Analytics or smartocto to process their data. You must agree that these companies only process the data on your behalf and do not use it for their purpose.” Here is a template.
- Observe the legal obligations when working with processors outside the EU. “The United States is a leading provider of technology, but the required level of data protection has a complex history.” Media could also focus on working with local parties, suggests Van Eijk.
- Explore contextual advertising. “The Dutch public broadcaster NPO has switched to contextual advertising instead of targeted advertising. With machine learning, they can now sell ads that are very well connected to the topic of their editorial content. For the NPO it is even more lucrative than using targeted advertising.”
Media companies sometimes consider consent part of the contract for premium members. But that could be a risky business, concludes Van Eijk. “You still have to ask for consent to use personal data for advertising. Let’s not forget that data protection is a fundamental right within the EU. But if you have the right intentions, it is possible to work with lawyers to finalize the contract with premium members in a way that could be used to improve the journalistic product.”
Stefan ten Teije is a journalist and former editor of AD.nl and NU.nl, two major news websites in the Netherlands. He specialized in the housing market. He recently changed jobs and became smartocto’s first senior content editor. He writes about the challenges (and solutions) facing news media around the world.