U.S. news publishers are reacting to the European Union’s expansive online privacy law in ways that change the free flow of information online.
The General Data Protection Regulation, which goes into effect today, applies to any website that collects personal data or behavioral information from a user in an EU country. Sites and services need permission to collect and use data from users in the EU or risk severe penalties.
NBC’s local Raleigh station, WRAL, found a solution to the issue by simply blocking users with IP addresses based in the EU.
“As you know, the requirements for full compliance can be quite onerous on publishers, especially smaller ones. Out of an abundance of caution, we are temporarily blocking traffic from EU countries until we are confident we can meet all of the requirements of the new privacy regulations,” said John Conway, general manager for WRAL.com, in an email. “We hope to remove the traffic block within a couple weeks.”
Affected visitors see a message that says: “Welcome to our website. We are a local media company based in Raleigh, North Carolina, USA. We have detected that you are in one of the member countries of the European Union, which is now subject to the General Data Protection Regulation.”
The message offers a short explanation as to why WRAL is blocking EU traffic and invites users to email them with feedback.
“We believe this is a prudent course for a local media company,” Conway said, noting that EU residents account for about 2 percent of WRAL.com’s visitors in 2018. “Our advertising clients generally have no interest in reaching EU residents. Meanwhile, the risk to our company for not being in compliance is extremely high.”
Websites that run afoul of GDPR risk a maximum fine of 4 percent of the company’s annual revenue.
Other U.S. news organizations such as broadcast giant E.W. Scripps Co., news aggregator Topix and Well+Good, an online wellness publication, are considering or have already made the same gambit.
Nieman Lab’s Shan Wang distilled GDPR’s rules into three simplified buckets that news organizations should consider:
- Obtain consent from users before collecting information that could identify them, which could include non-identifying data points that taken together might identify a real person (think location, IP address);
- Present easy-to-find-and-understand explanations for what collected data is being used to do (we retain your email, because you subscribed to us so we could send you our newsletter); and
- Be able to provide clear information to users about what information is being collected, and be able to delete that information at a user’s request.
Update: Tronc has apparently also blocked EU traffic to its various properties.
We've all known about GDPR for more than a year. Tronc apparently didn't get the memo.
I guess they thought all those AI patents would magically automate GDPR compliance? pic.twitter.com/ERZSE4s1XX
— Amy Webb (@amywebb) May 25, 2018
The Washington Post is taking a different approach, offering EU audiences a basic subscription in which users consent to cookies and tracking and a "Premium EU Subscription" that promises "no on-site advertising or third-party ad tracking."
— Adrian Weckler (@adrianweckler) May 25, 2018
Compare that to what U.S. based users are offered:
How is your newsroom handling GDPR? Let us know via email or in the comments below.
More from Poynter:
Learn more about journalism tools with Try This! — Tools for Journalism. Try This! is powered by Google News Lab. It is also supported by the American Press Institute and the John S. and James L. Knight Foundation.