

Plus Report - By Thomas Baekdal - April 2018

Putting GDPR into Action for Publishers


Last week I published the article "Publishers Haven't Realized Just How Big a Deal GDPR is", and it caused quite a stir. And, in that article, I illustrated why publishers need to approach GDPR differently, and embrace it rather than trying to fight it.

In this article, we are going to take it a step further and talk about how to actually put this into action.

We will look at this in two parts.

First, we will have a discussion about getting consent, specifically about the IAB's (Interactive Advertising Bureau) new framework, and why this might not be a good idea.

And then we'll move on to more practical examples of how to rethink your approach to advertising, social widgets, embedded content, and finally, analytics.

By the end of this, I hope to illustrate two things to you. First, that GDPR is a really big deal, and that you need to take it much more seriously than what I see publishers do today. And secondly, that it's not as scary as it sounds, because the changes we need to make might benefit us in the long run.

The trend is strong with this one

As I mentioned in my previous article, there are two aspects to GDPR. One is the legal aspect, where we have to make sure that we comply with the law. At the same time, there are plenty of exceptions, loopholes, and things that we can do to 'get around it' in a way that would legally still be permissible.

The other is the trend aspect of GDPR, where we look at what people will expect and demand from publishers in the future. And what we see is a very clear trend that people, especially the younger generation, are much more aware of, and active in protecting their privacy.

For instance, we see it with the use of ad blockers:

We asked ad block users their age. A whopping 56% of them were between the ages of 18 and 25 and roughly 17% of them were between the ages of 26 and 35. The remainder were older, with the use by age category continuing to decrease.

My point is that the trend aspect of GDPR is many times more powerful than the legal aspect. Obviously, all companies have to comply with the law, but there are always loopholes that you can take advantage of. But, if you do this, you would be fighting the trend and your own audience. And that is a losing game, because the trend always wins.

So, my advice to you is to look at GDPR from a trend perspective, rather than from a legal perspective. And from a trend perspective, people are demanding an end to non-consensual tracking, especially when it's done by 3rd party trackers, or when the data you are tracking has no relevance to the service you provide.

The question is, how do you get consent?

From a trend perspective, the answer is pretty clear. Consent is a very specific action, where people are willingly giving you permission, for something that they clearly understand.

And we see this all the time. For instance, we recently saw how people were surprised that "Facebook has been collecting call history and SMS data from Android devices."

This is a classic example of how we often get privacy wrong. In this specific case, people had given Facebook permission to collect their call history. In fact, the permission box looks like this:

As you can see, the 'consent' is pretty clear. But because people didn't really understand it, it still turned into a privacy scandal.

We can place the blame for this in many ways. We can blame the people who weren't paying attention to what they agreed to, or we can blame Facebook, but the point is that you can't just claim to have consent.

This creates a big issue, because not only does this change how we define consent, it also changes how we think about collecting data.

Let me show you a very interesting example of this. It's about Garfield (the cat).

In the US there is a law called COPPA, the Children's Online Privacy Protection Act, which in simple terms is described like this:

It's illegal for any online service that is directed to children to use, collect or disclose personal information from children (under the age of 13), without their parent's notice and explicit consent.

It's a kind of mini-GDPR, but only for children.

So think about this in relation to data and 3rd party trackers. What can a site like do if a kid visits them?

The answer is simple. They can do nothing ... and you can see this when you visit them.

The first time you visit, you are greeted with this box:

This is a funny message, but there is a very serious purpose to it. You see, if you choose the option "I am a human KID", Garfield will not load any third party trackers (well almost).

In fact, here is the result from Ghostery when visiting as a kid. As you can see, there are no 3rd party trackers, except for FB (which is a bit of a problem here) and Google Analytics (which is less of a problem).

In comparison, here is the same Garfield page when I visit it as an adult. Now look at how many 3rd party trackers it loads.

So, in Garfield's case, this is a great example of how to get consent in relation to COPPA, but what you also see is that when you don't have consent (in the case of a kid), Garfield can't do any of the things that it can do with adults.

This is a taste of what GDPR is like, because the concept is the same.

What's different with GDPR is that it applies to everyone. So unlike with, you can't just ask people for their age, you have to look at every person as an individual, and give them a different experience based on the exact type of consent that you have from each one.

This is a big shift away from how we used to do things.

In the past, publishers would collect and use data (applying 3rd party trackers) from any visitor the same way. We didn't distinguish between our relationship with each person. Everyone was tracked the same way.

But now you have to design your pages so that the data about each person is handled on an individual level, which means that a lot of things that you do by default today no longer work.

And, just like with, if people haven't given you their consent, you can't load 3rd party trackers at all. At least not in the way it works today.

So, let's talk about the solution IAB Europe has come up with.

IAB's delusion

The IAB, which develops standards for the advertising industry, has come up with a solution that they think will solve the problem with GDPR for publishers and advertising companies. The solution is to create a shared platform across all partners, which will allow everyone to continue doing everything they do today.

The way it works is that they have created a new industry-wide "Transparency and Consent Framework". This framework handles all the technical aspects of getting consent across all the partners in the system.

The important parts here are the orange boxes, where you have a shared platform that contains three key elements: the 'Fully customizable consent UI' to get people's consent; an automatically updated and managed industry vendor list; and a database where both publishers and 3rd party ad companies can look up the specific level of consent each person has given for each situation.

This is how it works...

First, when you visit a newspaper or some other site, you will be greeted with a box that could look like this (see below). Keep in mind, this is a fully customizable UI, so you can make it look any way you want.

Note: The use of the word 'cookie' here is a bit misleading, because this is about much more than cookies.

What we have is the basic principle of consent, where you explain in general terms what you plan to do with this data (in this case, "personalize content and ads, provide social media features, and analyze our traffic").

If people want to know the specifics, they can click on the 'Show purposes' link, which will look at the vendor database to create a page that looks like this.

Here, you can see a list of every 3rd party tracker and why they have been added, and people can then choose which ones to allow and which ones to reject.

So, is this a good solution to managing GDPR?

Well, legally... kind of, yes. Mind you, I'm not a lawyer, so I'm talking about it conceptually.

You have all the elements you need. You have explicit consent, you have transparency and people are in control. The only thing really missing is the ability to see the data and to delete it, but that could be handled separately.

Legally, this might work... although, it is at the very edge of the law.

But this is also a really terrible thing to do, because it doesn't change anything, nor does it solve any problems. All it does is keep the status quo for the ad industry.

There are two vital reasons why you wouldn't want to do this as a publisher.

It's a deception

The first reason is that it's a deception. Even though the above dialog seems pretty straightforward, do you really think that anyone agreeing to this knows what they have just done?

This is exactly the same problem that we have been writing about in relation to Facebook. Technically, Facebook can also claim to have people's consent, but do people really know what they have done?

What is really happening is what Commitstrip illustrates so perfectly here.

Asking people for consent this way is not really consent, because the only people who would ever agree to "accept all cookies" are those who haven't really understood what they agreed to.

For instance, in the dialog, one of the trackers is called LiveFLamp. Do you think anyone actually understands what that is and what it does?

So, this is not a solution to GDPR. This is not how you build trust. This is not how you create long-term loyal readers.

This is crap!

People would just leave

A much bigger problem, however, is that IAB seems to have no idea about how people actually use the internet, because they haven't taken people's behaviors into account at all.

Think again about this dialog box. What do you think people would actually do when they see this?

Well, we have four different groups of people: Those who accept tracking, those who create specific settings, those who reject cookies, and those who just leave.

This is insane.

For the people who do accept all cookies, you can still do all the things you have always done, but only a few people will do this.

For the small group of people who take the trouble to define their individual permissions, we know that they are highly likely to disable advertising, because no sane person would say "yes, I will allow 3rd party trackers to show me these really annoying autoplaying ads that interrupt my experience and slow down my browser".

Nobody will do that. So, already with group 2, you can no longer show ads the way you do today. You have already killed your revenue potential.

And it's also questionable whether they are going to allow other forms of 3rd party scripts, like analytics and social. The only thing you can really do is to show the basic page with nothing extra loaded into it.

And of course, for those who reject all cookies, you can't load anything at all. So that's zero revenue.

But, even worse, is what happens for the 4th group, where people just leave. Now, you don't get to show your article, which means you get no audience, no momentum, no build-up of loyalty ... and these are absolutely critical elements for being able to make money via other means (like subscriptions).

What IAB Europe is suggesting here is literally the worst thing possible. All it does is to minimize your revenue potential and damage your ability to do anything else.

This is not a solution.

So, what is a solution? Well, it's simple. You need to do this:

But, "wait a minute", you say. "How can we do this? Didn't you just tell us that we couldn't load 3rd party trackers if we didn't have consent?"

Yes, I did. But what I'm saying is that we can never solve this problem by pretending that we don't have to change. The problem that we have today is that the system is broken.

We need to rethink the way we do everything, so that we end up with a new reality where we can do all of these things.

The first step is to make sure that people don't leave our sites. So, how do we do this?

Well, it's simple. Don't do anything that tracks people personally. Think about If you don't have consent, don't load 3rd party scripts!

Because, if you don't track people, there is nothing for people to consent to, which means that you can just show people the article instead of an annoying dialog box.

So, ask yourself, what would it take to make that happen?

Well, first of all, we have the problem with advertising. How do you show people ads if you don't track them? Well, that's simple. You shift your model to 'intent and contextual-based' advertising, instead of personally targeted advertising.

Think about something like Google Search. When you search 'mountain bike', Google will show you ads for mountain bike related things. They don't really need to know who you are to do this, because they have a much stronger and more valuable signal to work with. They look at what you specifically searched for (combined with things like area, which you can detect without tracking people individually).

This is intent and contextual targeting.

So, the way to fix this is to provide first-time users with this really awesome form of intent and contextual based advertising, without ever tracking any personally identifying data.

It's the same with 3rd party trackers. The reason they are a problem today is because, as a publisher, you are just dumping their scripts onto your page, which causes them to be loaded in people's browsers.

The way to fix that is to stop doing it. Move your 3rd party services to your server.

Think about it like this.

The way advertising works today is that the ad scripts are loaded directly by people's browsers, essentially bypassing the publisher completely. This means that the publisher has no control over, or even access to, the data.

Think about how strange a concept this is. We would never allow this anywhere else. Can you imagine a physical shop that worked in this way? One of their largest sources of revenue is not actually happening through them. It's like some vendor has set up a stand that intercepts people as they walk into your store.

As a media analyst, I consider this to be the biggest mistake that publishers ever made. We gave away control over the most important asset that we had, which was the ability to connect people and brands through us.

The way advertising works online is that it treats publishers as an optional extra. How the heck did we ever allow that to happen?

So, the model that we want to have instead is this one:

Here, the reader only has a relationship with us, and we, as publishers, tell the ad server what targeting data we want them to give an ad for.

The way this works is that, for people that you have no relationship with, aka first-time visitors, the only data that you send to the ad server is the non-personally identifying metadata, like "give me an ad that relates to this topic and this type of intent, for an audience in this general area".

But, as your relationship grows, and you get consent to do more things, you can start to enhance the ad targeting to create even more value.

For instance, you might also have behavioral targeting and many other things, but you keep that data for yourself as a publisher, while just enhancing the non-personally identifying targeting data sent to the ad server.

Wouldn't this be a much better model? Not just for you as a publisher, who is now in control of each relationship, but also for our readers who no longer have to be violated by this really crappy 3rd party ad system that we have today?
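To make the model above concrete, here is an added example (not code from the original article) of a publisher's server building the ad request itself. The field names, the `ad_personalisation` consent label and the segment threshold are hypothetical, and the sample visitors are constructed.

```javascript
// Added example: the publisher's server, not the reader's browser, talks to
// the ad server. Field names and the consent label are hypothetical.

// Minimum views of a topic before it counts as an interest (assumed value).
const SEGMENT_THRESHOLD = 3;

// Reduce the reading history the publisher holds to coarse interest segments.
// The raw history never leaves this function.
function deriveSegments(history) {
  const counts = new Map();
  for (const view of history) {
    counts.set(view.topic, (counts.get(view.topic) || 0) + 1);
  }
  return [...counts]
    .filter(([, n]) => n >= SEGMENT_THRESHOLD)
    .map(([topic]) => topic)
    .sort();
}

// page: { topic, intent } from the CMS.
// visitor: everything the publisher knows, including identifiers that must
// stay in-house.
function buildAdRequest(page, visitor) {
  // Built key by key: nothing in `visitor` is copied wholesale, so the IP
  // address, user id and cookies cannot reach the ad server by accident.
  const request = {
    topic: page.topic,
    intent: page.intent,
    region: visitor.country, // general area only
  };
  const consent = visitor.consent || [];
  if (consent.includes('ad_personalisation') && Array.isArray(visitor.history)) {
    // With consent the targeting gets richer, but still carries no identifier.
    request.segments = deriveSegments(visitor.history);
  }
  return request;
}

// Constructed sample data.
const samplePage = { topic: 'mountain-biking', intent: 'buying-guide' };
const firstTimeVisitor = { ip: '203.0.113.7', country: 'DK', consent: [] };
const subscriber = {
  ip: '198.51.100.23',
  userId: 'u-1842',
  country: 'DK',
  consent: ['ad_personalisation'],
  history: [
    { topic: 'cycling' }, { topic: 'cycling' }, { topic: 'cycling' },
    { topic: 'travel' },
  ],
};

console.log(JSON.stringify(buildAdRequest(samplePage, firstTimeVisitor)));
console.log(JSON.stringify(buildAdRequest(samplePage, subscriber)));
```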

Obviously, not everything can be done this way.

For instance, if you switch to this ad model, ad companies can't track people across different sites, but nobody wants that anyway.

If a young woman suddenly starts reading articles about pregnancy, do you think she wants some 3rd party ad company to build a profile that identifies her as 'probably in a stage of early pregnancy'?

People want relevant advertising, which you can (in large part) give them by focusing on intent and contextual signals. But people don't want to be stalked across the web, having their personal browsing history end up with a bunch of secretive ad networks.

Another thing we can't do is 'remarketing'. Remarketing is when you visit a brand's web shop site to buy a new pair of shoes, and you suddenly start to see ads from that brand everywhere you go.

This concept is fundamentally violating people's privacy, because it's taking what you did in one place, and moving it to another place without your consent. And people are really annoyed about it.

But this is the whole point. Because of GDPR, we are now moving into a new reality where we have to come up with new solutions.

My advice to you is to be a part of this trend, not just because it protects our readers' privacy, but also because it actually benefits us as publishers. By changing this model, we get back the control over the relationships we have with our readers.

Right now, this seems like a really scary and challenging thing, but, from a trend perspective, this is an exciting change.

Of course, advertising is only one part of this, so what about all the other things that use tracking?

Social without tracking

One example is the way every single publisher has implemented social widgets. In the early days, we did this because it would drive more traffic, but a lot of things have changed since then.

Facebook has made many changes that have caused the effect of having a social widget to be much less appealing to publishers, even to the point where it could be considered a distraction.

More to the point, the way the media is talking about Facebook and what we are doing ourselves is hypocritical.

For instance, The Guardian is one of many newspapers which has been very critical of Facebook, but when you read their articles about it, they are loading the Facebook Pixel (their tracking script) with the article ...along with about 50 other things.

This just illustrates the absurdity of what is happening today.

GDPR is going to put a stop to this because, with it, you can't load the Facebook Pixel without first getting people's consent. But, the real question is, why are publishers in this position anyway?

You don't need to add the Facebook Pixel to your articles to allow people to share them to Facebook. If you want to allow people to share an article, you can just do it with a link.

Here is an example:

In fact, if you look at how The Guardian has implemented social sharing, they are doing the same as I did above.

This is not using Facebook's tracking code at all. It's just an icon (a picture) with a link. You could block Facebook scripts from loading, and it wouldn't make any difference. The Guardian would still work just fine, the sharing button would still allow people to share their articles, and they could still display things like sharing counts (which are handled by the server).

So... why the heck are they loading Facebook's tracking scripts at all? They don't need it. It has no value for The Guardian. All it does is to send a complete browsing history to Facebook for everyone coming to their site.

If The Guardian wanted to become GDPR compliant, they could just delete the Facebook scripts from their site, and everything would work just fine.

What's happening here is web developer laziness: because nobody was really focusing on privacy in the past, developers have just added tons of scripts from all types of sources, without really considering what they did, or even whether they had any real use at all.

And, of course, this isn't unique to The Guardian. Almost every publisher is doing this, because this was 'normal'.

You can solve around 95% of your problems with data and privacy just by cleaning up your code, and it wouldn't make any real difference to what you could give to people.

Embedded content

One area where things do get a bit tricky is when we start to talk about embedded content.

Legally, you can't take other people's content and just publish it on your site without their permission, which today often also means you need to license and pay for republishing rights ... but you can embed it.

This is often used for things like YouTube videos.

Many publishers, including me, are embedding YouTube videos to supplement the articles we write, and it's a great way to add value to a story.

But with GDPR, as soon as you load a YouTube video into people's browsers, you are also loading all of Google's tracking code and DoubleClick ads, which they haven't given consent to.

So, how do we solve this?

Well, here we need to be a bit more creative, and one way to do that is to only embed content when people explicitly request it.

Let me illustrate how this works. Below is a video from YouTube (just a random video), but what's special about it is that it isn't actually loaded yet.

All you see here is a picture of the video with a message on top asking you if you want to "Play this video from YouTube".

So, right now, as you are reading this, nothing has been loaded from YouTube. In fact, you can check this yourself with a tool like Ghostery, where you will find that this site is loading zero trackers of any kind.

What happens then is that, when you explicitly click on the video, the image is replaced and the video will start playing. This way, the video (and Google's code) is only loaded into your browser when you explicitly request it.


I call this concept contextual consent.

So, instead of having to ask people to give me consent when they first visit this site, which would be really annoying and turn people away, I can make the consent an explicit part of a very specific moment where people want something from another place.

In other words, people are giving me consent on a per video basis, but it's done in such a way that it never feels like an interruption. And if people don't click on the video, nothing is loaded from or sent to Google at all.

This can then be applied to a lot of other things. For instance, if you are doing a live stream, where you are using an outside service, you could use contextual consent to load it only when people explicitly request it.

If you are using Facebook comments, you can load them the same way, so the comment box isn't actually loaded unless people specifically ask for it.

And every time you can then make it clear, like I'm doing here, that this is content that is handled by an outside service.
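One way to build such a click-to-load placeholder, as an added example that is not the code used on this site. It assumes each placeholder is a `div` with `data-video-id` and `data-poster` attributes and that the poster image is hosted on the publisher's own server; the class name `video-consent` is hypothetical.

```javascript
// Added example: "contextual consent" for a YouTube embed. Nothing is
// requested from YouTube until the reader clicks the placeholder.
// Assumed markup (hypothetical class name):
//   <div class="video-consent" data-video-id="..." data-poster="/img/x.jpg"></div>

// YouTube video ids are 11 characters from this alphabet. Rejecting anything
// else means a bad attribute value can never change the iframe URL.
const VIDEO_ID_PATTERN = /^[A-Za-z0-9_-]{11}$/;

function embedUrl(videoId) {
  if (!VIDEO_ID_PATTERN.test(String(videoId))) {
    throw new Error('invalid video id');
  }
  // youtube-nocookie.com is YouTube's privacy-enhanced embed host.
  return 'https://www.youtube-nocookie.com/embed/' + videoId + '?autoplay=1';
}

// The poster must be a same-origin path. A thumbnail fetched from a third
// party would contact that party before the reader has clicked.
function isLocalPath(path) {
  return /^\/(?![\/\\])/.test(String(path));
}

function armPlaceholder(doc, box) {
  const src = embedUrl(box.getAttribute('data-video-id'));
  const poster = box.getAttribute('data-poster');
  if (!isLocalPath(poster)) throw new Error('poster must be self-hosted');

  const img = doc.createElement('img');
  img.setAttribute('src', poster);
  img.setAttribute('alt', '');

  const button = doc.createElement('button');
  button.setAttribute('type', 'button');
  // The label names the outside service the click will contact.
  button.textContent = 'Play this video from YouTube';

  button.addEventListener('click', () => {
    // Only now is the iframe created, so only now does the browser
    // load anything from the video host.
    const frame = doc.createElement('iframe');
    frame.setAttribute('src', src);
    frame.setAttribute('title', 'YouTube video');
    frame.setAttribute('allow', 'autoplay; encrypted-media');
    frame.setAttribute('allowfullscreen', '');
    box.replaceWith(frame);
  }, { once: true });

  box.appendChild(img);
  box.appendChild(button);
  return button;
}

// Wire up every placeholder when running in a browser.
if (typeof document !== 'undefined') {
  document.querySelectorAll('.video-consent')
    .forEach((box) => armPlaceholder(document, box));
}
```

The same pattern fits the live stream and comment box cases: swap `embedUrl` for the service in question and keep the rule that the third-party element is created only inside the click handler.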


Analytics is slightly trickier to handle, because you always want to have the best and most accurate data, and being able to track people is an important part of this.

However, if you start exploring analytics more deeply, you realize that if you have multiple metrics available to you, you don't necessarily need the 'user' metric in every case.

Let me give you an example.

Imagine you have these three articles. Which is the best one?

Well, the answer is the first two because they created the biggest long-term financial result, whereas the 3rd one had a lot of traffic, but with very little effect (it probably went viral, but reached an audience that wasn't valuable to you).

Now, imagine if we then do the same analytics, but without personally identifying metrics. What we then get is this:

Does this change anything for you?

No, not really, because today we have come up with far better metrics to define our success. On this site, those metrics are reads, new trials, and new subscribers (and also things like churn).

Keep in mind, when people signed up for a free trial, they explicitly gave you their consent to create an account. So that doesn't go away. That's data that people told you to keep.

So, the only data you don't get is the most basic metric, the one defining a user.

As a data geek, I would love to have that data, but I don't really need it. As a publisher, my success depends on other metrics that I do have, and that people have chosen to provide.

But let me give you an example that we might miss.

Take the example from above and let's look at 'article 3' with two very different scenarios: Here is the same article, with the only difference being the number of users.

In this scenario, you have the normal pattern that we see almost everywhere, where the number of users is trailing only slightly behind the number of pageviews.

This is the normal way people behave. They see the article, and then they move on.

But in the second scenario we see something really strange, because here the number of users is substantially lower than the number of pageviews.

This is a pattern that we sometimes see with articles that have a high level of 'use'. For instance, you might see this in a fitness magazine, where people continually come back to the same fitness guide as part of their exercise routine.

In this case we are faced with a dilemma, because now we have to decide how important knowing this would be for us.

In other words, would you be willing to risk the outcome, by interrupting people and asking them for consent on the first visit, just to get this data?

Would you go back to this?

My answer to this is: No.

As a data geek, I really hate not having that type of data, but this is the whole point of GDPR and privacy. It's now up to our readers to decide what they want to share, and it's up to us as publishers to figure out when it's worth asking for data or not.

But, there is also a third way.

If you are a publisher that expects your audience to come back often to the same content (like a fitness publisher), you shouldn't really be thinking about this as an analytics problem. Instead, you should think of it as an audience development problem.

Could you change your editorial focus and approach so you encouraged people to create an account? Could you use your content, and mix that with data, in a way that would create a service for people to sign-up for?

If you could give people a better reason to give you their data, because it helps them and they get something out of it in return, we suddenly have a very different reality, where asking people for consent is much more relevant.

The worst thing you can do is to just ask people for personal data without giving anything in return. We all love analytics, but if you ask people for data, you should do something good with that data for your readers.

So, instead of thinking about analytics in terms of consent, think about it in terms of giving people reasons to connect.

Another example of when things get tricky is when you have a metered paywall.

The problem with metered paywalls is that they only work if you can track people without their consent. Because if you ask people if you can track them, they will just say no, and then you would be forced either to not allow them to see anything (which would prevent you from converting them to subscribers later), or just give them everything for free... forever.

How do we solve this?

Well, it's simple. The key element of GDPR is that it only applies to data that is personally identifiable. It does not apply to anything else.

The way most publishers have implemented their paywalls today is that they are tracking people individually, and through this, they try to determine how many articles people have seen over a given time (as well as many other things).

With GDPR you can't do that anymore, but that doesn't mean you can't track non-personally identifying factors. You can still track 'time'. For instance, you can set a cookie like "no_article = [num]" that simply counts how many times each browser has seen an article.

This way, you can't track an individual person, but you would still know when to limit your metered paywall.
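A counter like that could look as follows. This is an added example, not the author's implementation: the free-article limit, the monthly reset and the cookie attributes are assumptions, and only the cookie name `no_article` comes from the text above.

```javascript
// Added example: a metered paywall driven by a counter cookie that holds
// no identifier. The limit and the monthly reset are assumed values.
const METER_COOKIE = 'no_article';
const FREE_ARTICLES = 5;

// Read the counter from a Cookie request header.
function readCount(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== METER_COOKIE) continue;
    const raw = part.slice(eq + 1).trim();
    // The cookie is client-controlled: accept only a small non-negative
    // integer and treat anything else as a fresh browser.
    return /^\d{1,3}$/.test(raw) ? Number(raw) : 0;
  }
  return 0;
}

// Fixed expiry at the start of next month (UTC). Because every rewrite of
// the cookie uses the same expiry, the meter resets monthly instead of
// sliding forward with each visit.
function nextMonthStart(now) {
  return new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth() + 1, 1));
}

// Decide whether to serve the article, and which Set-Cookie header to send.
function meter(cookieHeader, now) {
  const seen = readCount(cookieHeader);
  if (seen >= FREE_ARTICLES) {
    return { allow: false, remaining: 0, setCookie: null };
  }
  const count = seen + 1;
  const setCookie =
    `${METER_COOKIE}=${count}; Expires=${nextMonthStart(now).toUTCString()}; ` +
    'Path=/; HttpOnly; Secure; SameSite=Lax';
  return { allow: true, remaining: FREE_ARTICLES - count, setCookie };
}

// Constructed sample: a browser that has already read four articles.
const sampleNow = new Date(Date.UTC(2018, 3, 17));
console.log(meter('theme=dark; no_article=4', sampleNow));
```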

GDPR = change

The examples I have highlighted in this article are just some of the many considerations we have to make. But what I hope you have realized now is that implementing GDPR is not just about updating your privacy page and adding a consent box. This is not like the cookie law.

What every publisher needs to do is go through every single thing that you do and make the changes necessary to be part of the trend of privacy, rather than trying to fight it.

Specifically, publishers need to do four things:

First, you need to stop thinking about data and people as just one big mass-market group. With GDPR, you need to think about every person as an individual, and create a type of 'layered approach' to how you provide that person with the most optimal experience. You need to take into account that you are going to have different levels of consent at different stages, and that this will cause a dramatic change to your technical implementations and your editorial approach.

Secondly, we need to have a fight with the advertising industry, because it's pretty clear that they have no intention of giving up their power and they are dumping all the problems with GDPR and getting consent onto publishers.

We see ad companies and the industry as a whole say that "publishers should just make sure they get consent", but they are not realizing how incredibly damaging this will be to us.

As a publisher, you don't want to ask people for consent unless you absolutely have to, and even then, you want to do it in a way so that you can turn it into a benefit for your readers. The ad companies completely ignore this and are just trying to force you into getting full consent for everything up front.

This is not going to work.

Thirdly, publishers need to seriously clean up their acts. As illustrated earlier with how The Guardian has implemented Facebook, we have created so many problems for ourselves that there is no need for. We need to get much smarter about this.

The days of just copy/pasting some scripts into our sites because that is quick and easy are over.

Finally, we need to flip this entire discussion upside down, and start to think about privacy and data as an opportunity rather than a risk.

Today, almost all publishers collect data entirely for their own benefit (or even more so for the benefit of 3rd parties), but the only thing we provide in return to the reader is a random article.

We need to rethink this.

Whenever our readers give us data, we need to give the readers something specific in return. But on top of that, we also need to rethink what data is really valuable to us to begin with. If we are to create news services, we need better data than just the basic stuff that we (or the 3rd parties) are getting today.

So, GDPR is a pretty big deal. But, again, my concern here isn't the legal aspect, it's the trend aspect of what the readers expect from future publishers. As I wrote in "Publishers Haven't Realized Just How Big a Deal GDPR is", you need to be a part of this trend from the start.

