In this edition:
- Machine Learning is like black-magic for publishers
- British parenting app Bounty was fined for sharing 34.4 million records with data brokers
Plus: Machine Learning is like black-magic for publishers
I recently wrote an article about how important it is for publishers to measure time in a far more nuanced way, and as part of that article I talked about how we could use machine learning to build more useful dashboards for it.
However, while machine learning is a powerful tool, we need to think about how we can turn what we learn into actions, and how we can use it to identify what to do next.
In my latest Plus article, I'm taking a much more in-depth look into this, to help you as an editor or a media executive to understand how it actually works.
Read more: Machine Learning is like black-magic for publishers
British parenting site Bounty was fined for sharing 34.4 million records with data brokers
You might remember how I, several months ago, talked about Bounty and GDPR. That case has now been closed. Bounty has been fined £400,000 by the UK's Information Commissioner's Office (ICO) for sharing personal data with third parties.
This is one of those cases that has a significant impact on publishers, and on where privacy enforcement is heading, because Bounty was doing the same as what most publishers do today.
But let me very quickly summarize the key points.
First of all, Bounty is not a tech company; they are far more like a publisher/ecommerce site, and the way they handled personal data is the same as what we see with every other magazine or newspaper.
In other words, they had integrated several third-party data partners on their site, with the aim of providing more personalised advertising and direct marketing.
Secondly, they approached GDPR the way many publishers still do today, assuming that obtaining a generalised 'consent' was enough.
Specifically, if you go in and read the actual ruling, you will notice a lot of commonalities with what you see on most publishers' sites.
- Bounty was identified as a significant supplier of personal data to third parties for direct marketing purposes.
- Bounty [said that] it collected personal data for the purpose of membership registration across a variety of channels.
- Bounty [said that] based upon consent received during the member registration, it shared a total of 35,027,373 personal records with third parties.
- Bounty also confirmed that each data record could be shared on multiple occasions.
- Bounty's data protection policy (privacy notice) states that data is not collected excessively, and only for the specific purposes as explained to the individual. It states that Bounty may share data with 'selected third parties'.
- Individuals using Bounty's app were offered an opt-out to marketing with a 'yes' or 'no' option to the question: "Would you like to receive free samples, offers, promotions by post and email from carefully selected third parties"
- They also offered 'claim cards' with no opt-in option, but instead just had a small piece of text at the bottom of the card explaining: "By providing your email address [...], you consent to be contacted by these channels. We will take great care of the information you have provided, and will use it to fulfill your membership of Bounty".
- Bounty offered an 'unsubscribe link' in their emails, offering people a way to opt out.
So far this should sound familiar to any publisher because this is almost identical to what we see from most publishers.
However, the UK Information Commissioner's Office (ICO) disagrees. And it has ruled this:
- For the claim cards, "people had no choice but to agree on their personal data being shared with third parties for marketing purposes". This is illegal, and I would add that this is an integral part of GDPR. As a publisher you cannot say: "By continuing to use this site, you agree to ...". This is not a legal form of consent.
- The ICO has ruled that an unsubscribe link after the fact does not fix this, as "fair processing of information should be provided at the point of data collection, not within [...] a period thereafter."
- Based on the information above, ICO said that: "Any 'consent' provided by data subjects was not informed, nor could data subjects have foreseen that their data would be shared with [the third parties it was shared with]"
- "The 'fairness' requirement also included a substantive duty to treat individuals fairly when using their personal data. In particular, fairness involves adhering to individuals' reasonable expectations of how their data will be used. Bounty failed [to do this]. As indicated above, data subjects registering with a pregnancy and parenting club would not reasonably have expected their personal data to be [disclosed] to the likes of credit reference, marketing, and profiling agencies."
- "Bounty had no adequate justification for acting as it did. Its actions appear to have been motivated by financial gain, given that data sharing was an integral part of Bounty's business model, and as confirmed by Bounty, cessation [...] resulted in a significant commercial impact."
- "Bounty sought to justify its disclosure of data to third parties for marketing purposes by referring to the 'consent of data subjects'. Bounty confirmed to ICO [...] that sharing of the personal data [...] was based on consent. The commissioner's assessment is that this condition was not met here. These consents were not specific or informed." ... Again, a very important point. It is not enough to just have consent (like what many publishers do with their consent dialogs); it needs to be specific and informed.
- "The only potentially applicable condition [...] [would be] 'legitimate interest', [...] however the Commissioner's assessment is that this condition would not have [been] met here either." ... Again, a very important part. If you are a publisher and you think you can get away with just calling upon 'legitimate interest', you absolutely cannot.
And so the result was this:
- The disclosure was unfair, and data subjects were not provided with the correct information.
- The disclosure was unfair because it didn't meet people's reasonable expectations.
- Neither the consent condition, nor the legitimate interest condition, nor any other condition was met.
- The ICO also focused on the severity of the offence, both in terms of the number of people affected and the sensitivity of the data involved.
- And finally, the ICO said: Individuals were exposed to a significant loss of control over their data.
So, as you can see, the ICO isn't kidding around here. Every single thing that Bounty did is also what most publishers do, and ICO ruled that all of it was illegal.
It's not legal to tell people that they have to give up their privacy to get access to a service. This is exactly what GDPR is focused on: it's not legal to turn personal data into a currency.
When getting consent, it's not legal to just show people a generalised consent dialog. Consent has to be informed, explicit and specific, the data collected has to be minimised ... and even after all that, the processing has to live up to what people would reasonably expect.
The ICO does not consider sending personal data to a third party for 'marketing purposes' to be within people's reasonable expectations.
But most of all, the ICO didn't go after these third-party marketing companies; they went after Bounty. The reason is that Bounty is the data controller, and as such is the party fully responsible for the data collected about its users/readers.
It's the same with publishers. You cannot just point your finger at Google and say "but they are the ones doing it". As a publisher, you are the 'data controller' for all the data collected via your sites about your readers. This makes you responsible, which also means you are the one who will get fined.
Google might be fined for other things unrelated to what you do as a publisher (which there are several ongoing cases about), but it doesn't protect or exempt you as a publisher.
And it's only a matter of time before regulators come after publishers, because every publisher is breaking these rules as well. And even if the EU regulators aren't going to come after publishers directly (at first), I can guarantee you that the many privacy activists will do so instead.
So take note of this. The consent dialogs, privacy notices and third-party integrations that you have today are all fundamentally illegal.