Law School Up Close

GDPR - When Worlds Collide

The EU General Data Protection Regulation (GDPR) is the most significant law in history regarding online data collection. After heated debate, it was approved by the EU parliament on April 14, 2016. The regulation mandates privacy to PII (personally identifiable information) to all web users located in the EU. This means that even if a person with an EU IP address visits an American website, the site could be fined (4% annual revenue or 20M Euro, whichever is higher) if it collected data about that user for any reason.

“But this only affects the big guys like Facebook right? Everybody remembers the Mark Zuckerberg testimony.”

The truth is quite contradictory to what you may think. The big guys can advertise massively popular products and brands through what is known as “direct deals”, which require no data collection. They basically say, “hey ESPN, I’m going to serve an ad for this Nike shoe 20 million times this month, here’s a bag of money”. With the reach that an ESPN, or a Washington Post has, companies can feel comfortable selling generally consumable products to a somewhat targeted audience. Smaller websites require a different strategy, because even if you have a targeted audience, an Ad agency doesn’t have the time to make and manage that many direct relationships.

Working at an AdTech company, I have a first-hand perspective of how complicated this law becomes for publishers, whether or not their business, and the bulk of their traffic is in the EU. Let’s take a large online newspaper for instance, that is technically local but has a broader readership. There’s no need to be specific here, just plug in the X for “The X Times”. While 95% percent of this site’s traffic comes from the United States, a small amount of that 5% may be coming from a visitor who resides in the EU. This visitor may be technically savvy enough to see network requests in their browser that are collecting their data to sell targeted ad space. That user can then sue you for damages for violating GDPR, and that $0.002 in ad revenue just cost you your business, to the tune of $23,545, 340.00 (based on current conversion rates).

“Smaller websites require a different strategy, because even if you have a targeted audience, an Ad agency doesn’t have the time to make and manage that many direct relationships.”

The layperson would immediately point out the seemingly obvious, just block the the data collection mechanisms when the user is from the EU. Sure, you lose a small fraction of your revenue, but that is negligible compared to the large majority of consumer-minded Americans visiting the site to gossip about the local happenings. The problem is that an IP address, which would be used to signal the location of the user, is considered to be personally-identifiable information. And it might not be enough to anonymize the last 4 digits on your own after collecting the value, you may need to find a tool that will send it to you that way. Google has released a feature for their popular publishing product, Google Tag Manager, that can handle the IP anonymization.

But even Google, the mastermind of the internet, points to nothing besides legal consolation when it comes to whether you can use their products and know you are compliant with the regulation. Google Analytics, an incredibly popular, almost monolithic tool used by publishers from large to small, does not give you an “Easy Button” for blocking data collection of EU users, or even for all users. In the case of my site, for instance, I have no use for the personal information of my users, but it would at least be nice to see the amount of times each page was visited. Google’s pop-up suggestion for GDPR is to set a time period for your data to be stored in their system, but leaves you wondering how that alleviates the concern of the user noticing the breach in real time.

Since this was a real concern for me with this website that I have recently started and am still getting my feet wet with, I did some research to determine what was necessary for GDPR compliance through Google Analytics. While there were suggestions, recommendations, and interpretations of the law, the common thread of each article, video, tweet, was this.

“You are advised to seek legal counsel that specializes in the GDPR and e-Privacy Regulation”

So I’m a fledgling website grinding it out to generate meaningful content, create a friendly user experience, and fixe bugs, and now I have to consult a legal team to implement the most foundational publisher tool on the internet? This in itself is unsustainable, now think about the popular sites that you visit on the average day. They have targeted ads to the point that it probably creeps you out a bit. These adds come in, typically, from 10-40 different Ad Tech vendors. These companies’ sole purpose is connecting the publisher and the buyer. Many of them conduct auctions for “inventory” on publishers’ sites. To compete in the auction, the buyer is provided with data about the user, which they in turn plug algorithms designed to properly evaluate the inventory.

So as a publisher, you now need to approach each of these companies to determine if they have the technical capabilities to ensure compliance with GDPR on your site(s). But at the end of the day, the publisher carries so much more liability since their article about ‘The Uses of Broccoli In Italian Cooking’, is the initial point of the data breach. And for a lot of the companies doing this service, it is technically impossible to ensure compliance for each and every publisher, because there is such a wide array of possibly unique tech on the page.

So what’s a blogger to do with the regulation rapidly approaching (it goes into effect Friday, May 25th)? My advice is to take cover until the dust clears. Honestly, it is going to be so easy to catch violations when this is rolled out, that there will be people doing it for a living. In fact, this person found a GDPR violation on the EU parliament website in less than 5 minutes.

Take extreme precaution as you prepare for Friday, and expect that things will become much more clear after several precedents are set. I don’t know about you, but I’d rather be the one reading the cases than the one setting the precedent. I think that there is a strong possibility that courts will interpret GDPR drastically differently. Certain articles of GDPR discuss situations in which their is lawful reason to collect the users data. For example, Article 6 1f states

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

A publisher that I often work with and interact with on a professional basis told me that in Germany, this law is being interpreted as to apply to ad revenue, meaning that data for ads to fund the site is considered a “legitimate interest”. Though the person could not cite the source of this information. Another publisher told me that she heard by WOM (Word of Mouth) that they were only going to go after the big guys, and large financial institutions first. I’m not sure about you, but I would feel uncomfortable taking on this mind set. Whether or not they go after the larger companies first, being in violation of such a harsh law seems like a great way to lose sleep at night, if nothing else.

The point of this article is not to point out the shortcomings of this legislation or the failure of an industry to properly prepare for such a massive event, but to illuminate the potentially explosive results of “common-sense” political policy making its way into the law. I think that we can all agree that privacy on the internet is of tantamount importance to its future existence, but that certain things are expected in a public platform. Where we draw the line depends on our own personal philosophies, but often the swiftest approach to actualization of justice is not the wisest.

I predict that because of the way this law has been implemented, it will be impossible to enforce from the beginning. Precedence set in different regions will vary so dramatic as to completely dictate the business dealings of online content creators. Websites will close up shop overnight, and live on in an unmaintained state, while others will risk violations to stay in business. People will become so fatigued by the legalese in the regulation and how it applies to their business, that they will give up on trying to comply. And oh yeah, does it affect the newly booming cryptocurrency industry? You bet.

The whole process reminds me of the prohibition in America, which lasted from 1920 to 1933. I remember learning the history of the brewery in the town I went to college. Good ol’ Coors in Golden, Colorado was just a small, local brewery at the time the prohibition was enacted. Coors and his sons had the ingenuity to convert the whole operation into malted milk and near beer, with one of their largest buyers of malted milk being the Mars candy company. So, how does a publisher continue to make money to survive when their original revenue model gets taken away? I think that we are about to find out.


Ted Rand