May 25, 2018

U.S. news publishers are reacting to the European Union’s expansive online privacy law in ways that change the free flow of information online.

The General Data Protection Regulation, which goes into effect today, applies to any website that collects personal data or behavioral information from a user in an EU country. Sites and services need permission to collect and use data from users in the EU or risk severe penalties.

NBC’s local Raleigh station, WRAL, found a solution to the issue by simply blocking users with IP addresses based in the EU.

“As you know, the requirements for full compliance can be quite onerous on publishers, especially smaller ones. Out of an abundance of caution, we are temporarily blocking traffic from EU countries until we are confident we can meet all of the requirements of the new privacy regulations,” said John Conway, general manager for, in an email. “We hope to remove the traffic block within a couple weeks.”

WRAL screenshotAffected visitors see a message that says: “Welcome to our website. We are a local media company based in Raleigh, North Carolina, USA. We have detected that you are in one of the member countries of the European Union, which is now subject to the General Data Protection Regulation.”

The message offers a short explanation as to why WRAL is blocking EU traffic and invites users to email them with feedback.

“We believe this is a prudent course for a local media company,” Conway said, noting that EU residents account for about 2 percent of’s visitors in 2018. “Our advertising clients generally have no interest in reaching EU residents. Meanwhile, the risk to our company for not being in compliance is extremely high.”

Websites that run afoul of GDPR risk a maximum fine of 4 percent of the company’s annual revenue.

Other U.S. news organizations such as broadcast giant E.W. Scripps Co., news aggregator Topix and Well+Good, an online wellness publication, are considering or have already made the same gambit.

Nieman Lab’s Shan Wang distilled GDPR’s rules into three simplified buckets that news organizations should consider:

  • Obtain consent from users before collecting information that could identify them, which could include non-identifying data points that taken together might identify a real person (think location, IP address);
  • Present easy-to-find-and-understand explanations for what collected data is being used to do (we retain your email, because you subscribed to us so we could send you our newsletter); and
  • Be able to provide clear information to users about what information is being collected, and be able to delete that information at a user’s request.

Update: Tronc has apparently also blocked EU traffic to its various properties.

The Washington Post is taking a different approach, offering EU audiences a basic subscription in which users consent to cookies and tracking and a "Premium EU Subscription" that promises "no on-site advertising or third-party ad tracking." 

Compare that to what U.S. based users are offered:

wapo gdpr

How is your newsroom handling GDPR? Let us know via email or in the comments below.

More from Poynter:

Learn more about journalism tools with Try This! — Tools for Journalism. Try This! is powered by Google News Lab. It is also supported by the American Press Institute and the John S. and James L. Knight Foundation.

Support high-integrity, independent journalism that serves democracy. Make a gift to Poynter today. The Poynter Institute is a nonpartisan, nonprofit organization, and your gift helps us make good journalism better.
Ren LaForme is the Managing Editor of He was previously Poynter's digital tools reporter, chronicling tools and technology for journalists, and a producer for…
More by Ren LaForme

More News

Back to News