Online, it can seem like the geographic borders of information and e-commerce are becoming more and more blurred. But as a digital publisher, if you’re serving ads to audiences in the US, Canada, or the European Economic Area (EEA), it’s good to be aware of regional laws on privacy and on data collection, processing, and disclosure, and of how each changes from country to country.
According to our data, publishers are seeing an average split of 40% US, 15% EEA, and 8% Canada traffic. So we’ve rounded up some information privacy laws and personal information-handling practices that you should keep in mind, whether you’re based in those countries, see visitors from them, or want to grow your traffic from these regions.
On a serious note, complying with privacy laws and understanding the impending updates could help protect you from fines and class action lawsuits, and protect your consumer confidence from a damaged brand reputation.
1. EEA: General Data Protection Regulation (GDPR) for Publishers
What is it?
GDPR came into effect May 25, 2018 and applies across the EEA. GDPR is considered the data processing standard. It takes a proactive, consent-first approach to the collection of data and analytics.
Why should it matter to publishers?
GDPR ensures that companies can’t collect data without a lawful basis and a reason for processing. GDPR has the broadest definition of the personal data that it protects of any major privacy law. So, if you collect any information from EEA-based users, GDPR should be on your mind. Sites offering goods or services to EEA buyers, or tracking their online activities, are now required to obtain consent from users on the data they collect and with whom they share it. Consent Management Platforms, or CMPs, are used by many publishers to manage consent. (View trends in publisher decisions when it came time to implement GDPR).
If you’re found to be in breach of GDPR, you could see big fines, between 2 and 4% of your annual global revenue, in addition to €10 million to 20 million, depending on the severity of the offense. You can be found to be non-compliant with GDPR if you use data in a way that you do not have consent for, or in the event of data breaches (losing consumer information in a cyber attack).
2. US: California Consumer Privacy Act for Publishers
What is it?
Scheduled to come into effect in January 2020, California’s new privacy law, AB 375, was signed in by unanimous votes in the summer of 2018. Because California is the world’s fifth largest economy at $2.7 trillion GDP, it’s likely that businesses targeting US visitors will encounter California residents. Consequently, California’s law could become the de facto approach for the US. While California’s privacy law has passed, the Internet Association (a lobbying group that represents companies like Facebook, Google, Uber, Amazon, and Microsoft), the US Chamber of Commerce (the country’s largest lobbying organization), and the Interactive Advertising Bureau (IAB) are encouraging US federal lawmakers to enact a federal privacy law. They want to avoid the confusion and complications of having to navigate a separate privacy law for every state in the US.
Why should it matter to publishers?
The California Act gives consumers the right to decide which personal data is collected and for what purpose. It also allows them to opt out of having their data sold.
Personal information, as defined by the California Act, consists of standard identifiers in the physical world (like driver’s license or social security numbers), digital identifiers (like email addresses or demographic data), online behaviors (like IP, search, browsing history, purchases, and interactions), and any inferred data.
The California Act isn’t quite as rigorous as GDPR. The California Act doesn’t require consent or permissions in the first place, instead focusing on a consumer’s control of who sees their data. Where it significantly differs from GDPR is the lack of a stop mechanism—companies can still collect information—and no initial consent is required.
Publishers who use ad tech that tracks visitors around the web with cookies and mobile advertising IDs should be aware that the California Act requires publishers to give people a way to ask for deletion of the information collected. If that personal information is sold or shared, the company must disclose the purpose.
3. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) for Publishers
What is it?
Canada’s PIPEDA came into effect in June 2015, with updates scheduled for January 2019. PIPEDA protects personal information entrusted to commercial organizations. Personal information includes a person’s age, name, ID numbers, income, ethnicity, blood type, comments, opinions, and employee records.
Why should it matter to publishers?
Targeting Canadians? Publishers will need to obtain their consent when they collect, use, or disclose the Canadian individual’s personal information in the course of any commercial activity. The federal-level PIPEDA gives the user the right to access any personal information gathered, and be informed if that information is used for any other purpose than the original communicated intent.
Like GDPR and the California Act, PIPEDA charges the publisher with protecting the personal information gathered, regardless of whether that is handled directly or by third parties. Interestingly, PIPEDA doesn’t cover any business contact information that an organization collects, uses, or discloses for the purpose of communicating. Note that PIPEDA is one of several laws in Canada that relate to privacy rights.
There are 10 principles for publishers to follow, which outline: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.
Any publisher that breaches PIPEDA could face fines of up to $100,000 CAD.
Privacy Matters
There you have it: three major privacy acts you need to know about as a publisher in high economic demand areas. Privacy laws are complex and this article is meant as an overview, not a replacement for legal advice. The reality is that with increasing legislative and consumer focus on data breaches and digital privacy and protection, scrutiny and guidance are likely to increase. As such, we plan to keep a close eye on these important issues and think you should too.
About the Author
Trish Manrique is a Content Marketing Partner at Sortable, a Canadian customer-focused, data-driven ad tech company.
Footnote: What is the European Union (EU) and the European Economic Area (EEA)?
There’s some confusion as to what the EEA is, versus the EU. The European Union (EU) is a union of 28 member countries and both a political and economic grouping. (Source: https://www.gov.uk/eu-eea)
The European Economic Area includes EU member countries and also countries from the Scandinavian region. We’ve listed them in a handy table below.
The European Economic Area (EEA) includes EU countries and also:

| Country | Country code |
| --- | --- |
| Iceland | IS |
| Liechtenstein | LI |
| Norway | NO |
| **Switzerland (Confederation of Helvetia) - Swiss nationals living in the UK are applicable | CH |

The 28 EU countries and their country codes are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

| Country | Country code |
| --- | --- |
| Austria | AT |
| Belgium | BE |
| Bulgaria | BG |
| Croatia (Hrvatska) | HR |
| Republic of Cyprus | CY |
| Czech Republic | CZ |
| Denmark | DK |
| Estonia | EE |
| Finland | FI |
| France | FR |
| Germany | DE |
| Greece | GR |
| Hungary | HU |
| Ireland | IE |
| Italy | IT |
| Latvia | LV |
| Lithuania | LT |
| Luxembourg | LU |
| Malta | MT |
| Netherlands | NL |
| Poland | PL |
| Portugal | PT |
| Romania | RO |
| Slovakia (Slovak Republic) | SK |
| Slovenia | SI |
| Spain | ES |
| Sweden | SE |
| The United Kingdom | UK |

**Though Switzerland is neither an EU nor an EEA member, Swiss citizens may reside and work in the UK, like citizens of EEA nations.