[Note: For this blog I’m going to focus on US-based ‘content’ providers (e.g. newspapers) as these folks seem to be the ones hit particularly hard by EU legislation.]
From May 25th 2018, we have all likely encountered at least one of these notices when browsing US-based websites:
These are the organisations I called out in GDPR: Now We Know Who the Muppets Are, and quite a few of them have still not found a workable solution. Some seem to have chosen this as an indefinite course of action (like the Chicago Tribune) as opposed to making the effort to comply. These are the true muppets.
So what was the problem then, and why are some organisations either still unable, or unwilling, to comply with the GDPR in order to access the EU market, a market that is only just shy of the US in terms of GDP, and 1/3 the size again in terms of population?
I can [almost] understand why organisations like the Chicago Tribune, who provide content for ‘free’ – as long as you allow ‘personalised ads’ – balk at the requirements. The problem is that these ads also involve giving their third parties access to your personal data AND the ability to profile you with it. This brings up issues with not only GDPR, but also the e-Privacy Directive, which will only get more restrictive under the upcoming e-Privacy Regulation.
The issue faced by the Chicago Tribune and their like is that they will not just give away their content. And nor should they. But what they cannot do now is use your personal data without your consent; there is no other lawful basis for processing that applies. And not just implied consent, or assumed consent, and not consent hidden in a 500-page T&C document written in legalese. Consent must be (amongst other things):
- freely given, and with genuine choice;
- given through a clear affirmative action (i.e. opt-in);
- unbundled, in that distinct processing operations require separate consent;
- maintained in clear records and as easy to withdraw as it was to provide.
The provision of this functionality alone is clearly enough for some organisations to just block access from the EU, and if the cost of compliance outweighs the line of profit, who can blame them?
But what are the alternatives if you actually want to do something?
If there is one thing that you can reasonably assume, it is that businesses will find a way to do business. The options currently seem to be:
1. Provide only non-personal ads (NPAs) so that GDPR does not apply – though this is not really an option as NPAs are only a fraction as effective as personalised ads and would likely not support a reasonable profit;
2. Provide a subscription-only model – e.g. pay-per-article, monthly subscriptions etc., where you pay with hard cash instead of your personal data. Again, unless you are a highly sought-after provider of content, this will likely kill your readership/web hits;
3. Provide a hybrid of 1. and 2. above – I think this one makes the most sense, but it does involve making a ‘GDPR compliant’ option available. Basically you scale the access from free + personal data, to subscription. Here is an example from the Washington Post:
Which means that they have actually put a monetary value on your personal data; $30 / year, but at least it’s up to you whether or not you want to ‘pay the price’. They have also implied, without actually saying as much, that you need to pay in some way or you get no access at all.
It is still uncertain whether or not this combination cookie-wall / pay-wall will be deemed compliant. Supervisory authorities across the EU seem to be a little divided on the subject (see Carl Gottlieb’s article, Cookie-or-Pay Walls), despite the fact that one of GDPR’s fundamental goals was to ‘harmonise’ these decisions across the Member States.
And under some interpretations of the GDPR, the so-called ‘cookie wall’ (i.e. agree to our terms or no access) is also not permissible as it goes against one of the primary aspects of consent; that it’s freely given.
What these organisations are failing to realise is that no one is saying that you can’t get paid, or even that you can’t take personal data as ‘payment’; it’s that you can’t do things in the same way anymore. This is not anti-business, this is anti-exploitation; privacy is a human right after all.
The unwillingness to comply is so short-sighted because it’s not just the EU that’s clamping down on the privacy of those under their legal umbrellas (data subjects ‘in the Union’); this is happening world-wide. While not all data protection laws are exactly the same, the fundamentals of those laws are, and if you pick the most restrictive one you’ll be [mostly] compliant with them all. The GDPR is by far the most comprehensive and mature regulation, and it (and its predecessor, the Data Protection Directive) has been used as a template for the vast majority of data protection legislation across the globe.
So in terms of preventing international business, this will really only affect those unprepared to give the control of data-use back to the individual. If meeting regulations like the GDPR is ‘unprofitable’, then by all means don’t do it, but the only ‘right’ they have to complain is granted by the freedom of speech.