Top 10 Things Publishers Need to Know About the Upcoming GDPR Compliance Deadline

Europe’s General Data Protection Regulation (GDPR) is fast approaching – and below are the top 10 things that publishers should consider to prepare for the upcoming deadline.

1. The deadline is almost here. May 25, 2018. That’s the date that all publishers need to be in compliance with the law that was initially approved in April 2016.

2. In a nutshell, GDPR is about disclosure and consent. As a publisher, you will be required to provide adequate disclosure about data collection, and receive and pass along consent, prior to collecting any data about the users in your audience.

3. Users are in control. You must keep a record of such consent and provide users the ability to revoke consent at any time. You must also allow users to access, correct, or completely erase all the data you keep about them.

4. Personal data is more than you think. Any information that can be used to directly or indirectly identify the user — whether personally identifiable information (PII) or not. Personal data in this context includes names, email addresses, photos, bank or purchasing details, posts on social networking websites, medical information, a computer IP address, anonymous cookie or any other digital fingerprinting.

5. Brexit doesn’t matter. Regardless of Brexit, the GDPR will apply to users in the UK along with the rest of the European Union (EU).

6. But I don’t have a major audience or presence in Europe. Large national and international publishers are certainly more at risk of being out of compliance. However, someone in your audience could simply be traveling in the EU when they access your content for you to be considered out of compliance. Statistically, almost all publishers have some European web traffic, and US-based companies could be subject to class action lawsuits from Europe related to GDPR. These infractions could be very costly — see the next item!

7. Being out of compliance could be very costly. Fines for violating GDPR can run up to 20 million euro or 4% of your company’s global revenue, whichever is higher. And the risk to your business doesn’t stop there. Advertisers may withhold campaigns if you are not in compliance, or you may lose other partners who want to avert putting themselves at risk.

8. Won’t ad companies make sure we’re in compliance? RhythmOne is working with brands and publishers that use our products to make sure they are GDPR compliant. In addition, we are taking close steps to ensure all the publishers, brands, and partners we work with that gather data to obtain user insights, or as part of an advertising transaction, are also GDPR compliant. It is important to remember that everyone in the publishing and advertising ecosystem — any organization that collects, processes, or stores personal data — will be held responsible for misuse. Publishers should ensure that all data partners and ad tech vendors comply — which means renegotiating partner contracts in most cases.

9. The existing EU cookie law remains in effect. While the EU’s ePrivacy Directive — known as the cookie law — will likely be reformed over the next year, the current law remains in effect. It is still unclear how cases of overlap between these laws will be enforced or how the cookie law will be reformed. The key thing to know is that according to EU regulators, GDPR’s conditions for obtaining consent apply to cookies as well as all other personal data.

10. You are not alone. RhythmOne is committed to compliance and working with our publishers to assist them however we can. In addition to all that we’re doing, there are great resources for publishers through industry organizations such as the IAB, NAI and DAA. The technical specifications for IAB Europe’s Transparency & Consent Framework were released just this week (April 25th), and offer critical tools to help publishers, technology vendors, agencies, and advertisers meet the transparency and user choice requirements of GDPR.

For more about GDPR and how RhythmOne is leading the way, visit