The contortions US media outlets go through to be able to ignore the inescapable conclusion that adtech isn’t GDPR compatible (adverts are, though). First came the bluntness of the LA Times and others switching their sites off for EU visitors, aside from the NYT berating me that I have an adblocker when ads are their lifeblood (which must be why they outsource it). Now comes NPR with a novel twist: they provide a plain text version of their content. It seems to be an interpretation of the GDPR element that you can’t deny basic service to those who refuse permission to collect personal data. Basic service apparently means no CSS files. Although it’s a slightly silly choice, I do appreciate being able to read the articles. It’s not much different from how material is presented in my feed reader, after all. They provide the text version of the site for all, on a separate subdomain, which seems to be a rendering of their RSS feed: text.npr.org


Get tracked, or get text: NPR’s GDPR choice


A plain text page version of an NPR article

Today is the day that enforcement of the GDPR, the new European data protection regulation, starts. A novel part of the GDPR is that the rights of the individual described by the data follow the data. So if a US company collects my data, they are subject to the GDPR.

Compliance with the GDPR is pretty common sense, and not all that far from the data protection regulations that went before. You need to know which data you collect, have a proper reason why you collect it, have determined how long you keep data, and have protections in place to mitigate the risks of data exposure. On top of that you need to be able to demonstrate those points, and people described by your data have rights (to see what you know about them, to correct things or have data deleted, to export their data).

Compliance can be complicated if you don’t have your house fully in order and need to take a lot of corrective steps to figure out what data you have, why you have it, whether it should be deleted and whether your protection measures are adequate.

That is why, when the law entered into force on May 4th 2016, 2 years ago, a transition period was created in which no enforcement would take place. Those 2 years gave companies ample time to reach compliance, if they weren’t compliant already.

The GDPR sets a de facto global norm and standard, as EU citizens’ data always falls under the GDPR, regardless of where the data is located. US companies therefore need to comply as well when they have data about European people.

Today, at the start of GDPR enforcement, it turns out many US press outlets have not put the transition period to good use, although they have reported on the GDPR. They now block European IP addresses while they ‘look at options’ to be available again to EU audiences.

From the east coast

to the west coast

In both cases the problem is likely how to deal with the 15 or so trackers those sites have that collect visitor data.

The LA Times, for instance, has previously reported on the GDPR, so they knew it existed.

A few days ago they asked their readers “Is your company ready?”, and last month they asked if the GDPR will help US citizens with their own privacy.

The LA Times’ own answers to that at the moment are “No” and “Not if you’re reading our newspaper”.