3 Publishers on Data Regulation, Cookie Blocking & the New Age of Consumer Privacy

Data protection laws and privacy-minded browser updates are forcing publishers to rethink their digital business strategies and communication with users. At Publishing Executive’s FUSE Media Summit in November – just weeks before the California Consumer Privacy Act (CCPA) took effect at the start of 2020 – we invited media execs on stage to discuss how their organizations are adapting for success in the new age of consumer privacy.

The panel on Nov. 20 included Roberta Muller, SVP of product development at Northstar Travel Group; Kyle Shay, director of digital media at Annex Business Media; and Tony Mamone, COO and co-founder of Granite Media. Below we recap key takeaways from the discussion, including their top CCPA concerns and what they believe cookie blocking will mean for publishers moving forward.

On Navigating New Data Regulation

At Northstar Travel Group, a B2B media company, the audience department handles email governance and data compliance. “We have one person within that department who handles policy and regulation, and we have a law firm that we work with that is our ‘data privacy officer,’” Muller says. “We recently hired a data technology security director, so he is now looking at all of our infrastructure and all of our security and how we transport and move data throughout the organization.”

In preparation for CCPA, Muller said Northstar was planning training sessions with its help desk to ensure employees know how to catalog incoming data inquiries and understand how they will be monitored. “It’s also important that we go back to all of our vendors and make sure they understand we’re documenting requests for deleting data,” she adds, “because I don’t think anybody ever deletes data, which you actually have to now.”

Shay described a similar process at Annex Business Media, a B2B publisher based in Canada. The organization has an internal compliance officer for Canada’s Anti-Spam Law (CASL), and it regularly educates employees on data privacy procedures through video training and PDF manuals.

At Granite Media, a consumer media startup with roughly a dozen full-time staff, Mamone handles most of the company’s data privacy efforts. “My general strategy has been to fast follow,” Mamone says. He talks to fellow publishers, attends training sessions, and works with vendors to respond to regulations such as CCPA, working with his team to implement compliance measures.

“In most cases, if you’re making best efforts at the beginning, you’re fairly protected – at least from government action,” he says. “As long as we’re making efforts up front and we’re in that zone where the legislation is still shaking out, we can follow others and use vendors to help us because we don’t want to be inventing this ourselves. We know California is next, but California is not last.”

On Key Differences between GDPR and CCPA

While both the EU’s General Data Protection Regulation (GDPR) and California’s privacy law aim to give individuals more control over their personal information, the laws have crucial differences, including their consent requirements. GDPR requires opt-in user consent for any personal data collection, while CCPA requires businesses to enable consumer opt-out of personal data sales.

“One of the hardest things for me to get my head wrapped around with the new California law is when someone opts out, they have the ability to ask you to delete their data, but they also have the ability to ask you to see their data,” says Mamone. He points out that if a user is on a mobile phone using an app that is supported by a software development kit (SDK), you collect an anonymized ID, such as a session ID or advertiser ID, that gets passed to programmatic ad buyers. If a user asks to see their data, and the request comes from an email address, you can’t match an email address to those anonymized IDs, says Mamone, “so beyond email it’s going to be very hard to pass any of that data back to a user who requests it.”

Shay chimed in to note that the likelihood of user requests to see their data is probably low. Since GDPR came into effect, he says Annex has only had one person ask to have their data removed, and that person didn’t request to see it. “We’re doing a lot of work for not very much reward, but it’s got to be done,” he says.

Mamone’s major concern with CCPA, however, is with the possibility of statutory damages. Under GDPR, governmental watchdogs are suing big companies (i.e., France’s CNIL fining Google or the UK’s ICO fining British Airways), but CCPA unlocks opportunity for civil action.

“My fear with CCPA is not actually the California Attorney General, and it’s not a person who actually wants to get their data deleted. I think the real fear in California is going to be civil suit,” Mamone says. “A small lawyer could hire someone to crawl websites and find every website that doesn’t have an opt-out, and then create a big list and try to create an action against that big list.”

Mamone stresses that publishers need to protect themselves by putting the right forward-facing policies in place, with clear user opt-out.

On the Impact of Cookie Blocking

Over the past year, Chrome and Safari removed the capability for publishers to identify readers in Incognito and private browsing modes, posing a threat to publisher paywalls. And Big Tech is continuing its movement to prioritize user privacy and eliminate third-party cookies.

“I understand the big three – Google, Facebook, Apple – with their thought of wanting to stay ahead of regulation and giving control to the consumer, and they’re pushing the limits on that,” Muller says. “So the thought of publishers eventually having to push that paywall further and further up the scale is coming.” Northstar doesn’t currently have paywalls or registrations for its properties, though the company experimented with a paywall many years ago, she adds.

Mamone stresses that ad blocking is not a new challenge and that users in private browsing modes are probably not likely to become subscribers or members anyway. He worries more about how cookie blocking impacts businesses running on programmatic ad revenue.

“Rates tend to drop dramatically,” Mamone says. “We’ve now had multiple examples where ecosystems have moved from allowing cookies to heavily restricting cookies. You have Apple’s ITP, which rolled out a couple of years ago and has continued to get more and more restrictive. If you pull up your CPM rates and split that by iOS versus Android on mobile, you will see that there is a dramatic difference.” Firefox’s Enhanced Tracking Protection release in September caused a similar drop in programmatic revenue for publishers.

“Cookies are going to push all of us to think about other formats that we should be in instead of just display,” he says. “I think you’ll see a lot more experimentation over the next year or two to try to find other ways to monetize at high rates that aren’t targeted display ads.”

Shay and Muller both agree there’s a need to experiment with new ways to monetize that aren’t reliant on cookies, including audio, video, and premium content. Annex is investing more in podcasting, Shay says, as well as getting advertisers more involved in content creation and delivery. Muller says Northstar is focusing on site taxonomy and tagging to improve its advertising efforts.

“Not relying on cookies anymore, we can then monitor users as they’re going through the site,” Muller says. “If our content is very well structured and our URLs are very well structured, maybe we can do some more behavioral and intent-based content serving and ad serving on them.”

On Challenges Ahead

As new data privacy laws inevitably pass in the coming months and years, Shay believes executive buy-in must remain an organizational priority.

Leah Wynalek is editor-in-chief of BRAND United. She is passionate about creating content that engages audiences across channels – and delivering insights that help others do the same.