Professional Documents
Culture Documents
DATA PRIVACY
An issue for our time
Access
WAN-IFRA members and subscribers with a VALID
LOG-IN can download all WAN-IFRA Reports and
World News Publishing Focus for free. Asian
Newspaper Focus is free for everyone.
For more details, visit:
www.wan-ifra.org/app-support
Or email: anton.jolkovski@wan-ifra.org
n the hyper-competitive digital publishing ecosystem, where content is ubiquitous and successful business models are scarce, newspapers
historically have tried to stand out from the crowd by
trumpeting their trust mantra: Trust our quality
journalism. Trust our quality brands.
Their USP. Their competitive advantage. Trust.
And increasingly over the last few years, consumers are
being asked by those same trusted brands to take an
even bigger leap of faith in their historical relationship
by registering/subscribing/paying for an array of new
digital products or services handing over precious
(first-party) personal data in the process.
As a result, and through other means of gathering
data, publishers have more information on their users
than ever before. Ultimately, that allows publishers
to become more intimate with their users wants and
needs and provide better-targeted content and, yes,
advertising.
But also more than ever, consumers are aware of data
collection and wary about what companies are doing
with their information.
Trust.
Dean Roper
Director of Publications
WAN-IFRA
a very competitive market like ours, and when, as for
The Globe, one of your top brand values is trust and integrity, you have to really walk the talk. Its all sort of a
perfect storm of reasons to focus on how you collect, use
and safeguard your data not just to fulfil legal requirements but also to make the process very transparent to
your users.
That is why WAN-IFRA commissioned this report, to
help publishers weather this perfect storm around
data privacy. The report serves as a primer on this
delicate topic, and is intended to raise awareness and
kickstart the discussion.
Today, data privacy protection must be a top-of-themind issue for news publishers, to keep their crucial
competitive advantage intact. Their longstanding
customers demand it. Their potential new users, many
of them Millennials, demand it. Emerging regulations
demand it.
IMPRINT
DATA PRIVACY: AN ISSUE FOR OUR TIME
PUBLISHED BY:
WAN-IFRA
Rotfeder-Ring 11
60327 Frankfurt, Germany
CEO:
Vincent Peyrgne
DIRECTOR OF PUBLICATIONS:
Dean Roper
AUTHORS:
Cecilia Campbell, Kris Vann
EDITING:
Anton Jolkovski, Brian Veseling, Dean Roper
DESIGN/LAYOUT:
Ivan Cosic & Snezana Vukmirovic, Plain&Hill
Christian Pradel
CONTACT INFO:
dean.roper@wan-ifra.org
+49.69.2400 630
WAN-IFRA REPORT
CONTENT:
CHAPTER 1: INTRODUCTION
Proactive practice builds trust and
business advantages
11
17
23
29
34
39
45
CHAPTER 6: RECOMMENDATIONS
What publishers should do now
55
61
CHAPTER 1: INTRODUCTION
PROACTIVE PRACTICE
BUILDS TRUST AND
BUSINESS ADVANTAGES
BOTH AS MEDIA AUDIENCES AND CONSUMERS OF
SERVICES, SUCH AS DISTRIBUTION AND E-COMMERCE,
CONSUMERS MUST BE ABLE TO RELY ON THEIR
PRIVACY IN ORDER TO REMAIN AS CUSTOMERS. THAT
TRUST, ONCE LOST, IS EXTREMELY DIFFICULT TO
REGAIN. IT IS THEREFORE OF GREAT COMMERCIAL
IMPORTANCE AS WELL AS BEING IN THE BEST
INTEREST OF OUR CUSTOMERS [THAT WE PROTECT
THEIR DATA PRIVACY].
INTRODUCTION
WAN-IFRA REPORT
ata privacy/protection is
an increasingly important
issue for anyone doing
business online. According to Digiday, this years SXSW conference
included more than 100 sessions
that had data privacy in their
title, illustrating how top of mind
this issue is for the digital community.
Its a multi-faceted challenge,
but one that can be turned into a
competitive advantage by publishers who identify data privacy
as a business priority. At the most
fundamental level as has been
reiterated by many industry representatives interviewed for this report its about a need to self-regulate or be regulated. Publishers
proving and communicating to
consumers that data privacy is top
priority may not only moderate
the need for further legal controls,
but also earn consumers trust and
willingness to share their private
information and online behaviour.
Ashoek Adikari, Chief (in-house)
Legal Council at Media24 in South
Africa, explains why consumer
and data privacy is a business
The Economist lets users set cookie preference using a three-step slider.
INTRODUCTION
10
WAN-IFRA REPORT
Keeping track
One of the key challenges is a
technical one. Data is collected
through websites and mobile apps,
and the publisher has to be in
control and understand how that
data is used, stored, transferred
and shared. Says Marc Groman,
President and CEO of the Network Advertising Initiative and a
member of the board of directors of
IAPP (International Association of
Privacy Professionals): This is not
an easy undertaking today. Data
is collected through registration
forms, surveys, subscriptions, and
purchases. Web viewing data is
collected by first and third parties
through cookies, pixels, HTML 5,
statistical identifiers, IP addresses, SDKs, mobile identifiers and
an increasing array of tracking
technologies. Location data can
be revealed through IP addresses,
GPS coordinates, cellphone data
and more. Data may also be purchased from offline data sources
or public records and merged with
online data. None of this is inherently problematic and it indeed
may be beneficial to the consumer
but a publisher must understand
what is collected, how it is used and
by whom, to ensure that the data is
not used inappropriately, in ways
not contemplated by the publisher
or in violation of laws.
Legislation
With online privacy concerns
growing among the public, politicians respond by regularly introducing new legislation, which the
online industry must conform
with. There are five key privacy ar-
Competing with
the data giants
In our Publisher Survey (see Chapter 4), 75 percent of responding
publishers said they believe their
online brand is more trustworthy
than global tech, e.g. Twitter,
Facebook, or Google in terms of
protecting users data. The challenge is to persuade consumers of
that as well.
As a consumer today, you have very
little control over how the Big Guys
track you. Heres an illuminating
snippet from the Facebook Atlas
Privacy Policy: Note: Even if you
choose not to receive personalised
advertising, Atlas will continue to
collect the same information when
you browse the Web, see or click on
an advertisement that we deliver or measure, or use one of our
advertisers apps. Users can be
forgiven for feeling powerless.
The importance of (personal and
aggregate) data to digital media
businesses, be they large social
platforms or small local players, is
indisputable. Consumers need to
understand and accept the trade
they make between information
about themselves (and their online
behaviour) and the content and services they consume. Trusted news
brands can only gain from engaging with their customers about data
collection/privacy, involving them
and educating them about what
they get in return. Get your users
on side. Its time to get proactive.
GUARDIAN NEWS
& MEDIA
11
GOLDEN BENCHMARK
Tim Gough
The Guardians Head of Data Protection has set up a
London-based Media Data Protection Forum, which
includes his peers from e.g. the BBC, ITV, Warner Bros,
The Telegraph, and Red Bull Media.
FACT BOX
THE GUARDIAN PRIVACY
STAFF BENCHMARK
12
WAN-IFRA REPORT
Training includes
business case workshops
At The Guardian, the data protection team (the legal side of privacy) works across the whole organisation to ensure cohesion and
understanding across all teams.
In addition to the data protection
team, there are privacy champions throughout the commercial
and operations departments.
The Guardian also has developed
bespoke training modules on the
different aspects of data protection, which all staff can participate
in. Each module concludes with a
practical workshop where an imaginary business has been created
and the participants go through
the processes of managing data
collection, hosting, transfer, etc.,
involved in running that business.
Eventually and this is, of course,
the goal staff start thinking like
data protection officers. All staff
are required to complete an online
training module on information se-
13
GOLDEN BENCHMARK
MORE INFORMATION
TO VIEW ALL ANIMATIONS AND THE
INFOGRAPHICS ON COOKIES AND TOP 10 TIPS
FOR STAYING SAFE ONLINE, PLEASE VISIT:
WWW.THEGUARDIAN.COM/INFO/PRIVACY
14
WAN-IFRA REPORT
15
17
CONSUMER CONCERNS
ur connectivity brings
extraordinary benefits to
our daily lives, but it also
brings risks, U.S. President Barack
Obama said in a recent speech at
the White House Summit on Cybersecurity and Consumer Protection.1 That captures the zeitgeist
of our modern millennial age, that
18
WAN-IFRA REPORT
Consumers in both the USA and the U.K. are increasingly worried about what companies do with the data they collect.
19
CONSUMER CONCERNS
3% 4%
27%
27%
26%
Very concerned
28%
Fairly concerned
Not very concerned
Not at all concerned
Dont know
39%
42%
2%
19%
23%
31%
32%
Yes fully aware
Yes aware but not in detail
Not not aware of
Dont know
39%
47%
48%
50%
45%
40%
35%
30%
25%
20%
19%
14%
15%
14%
11%
10%
13%
9%
5%
6%
6%
5%
4%
4%
3%
3%
2%
2%
2%
2%
2%
0%
My gender
My name
My email address(es)
My exact age
My date of birth
General details of where I have been (collected via geo-locaon data / IP address)
My IP address
My mobile number
Some of my photographs
Some of my videos
Precise details of where I have been (collected via geo-locaon data / IP address)
Nothing
Dont know
Awareness and concern among consumers is particularly strong when it comes to online behavioural advertising (OBA).
Source: TRUSTe Consumer Privacy Index.
20
WAN-IFRA REPORT
Whats driving
this concern?
Consumers are worried most
about what companies do with
the data they collect. The TRUSTe
survey results show 38percent are
most concerned about companies
collecting peoples personal data
online and sharing it with other
companies. This ranked higher
than any other activity, including
security threats to personal data or
government surveillance of online
21
CONSUMER CONCERNS
Consumers are
worried about online
behavioural advertising
There is a particularly high awareness of and concern about online
behavioural advertising (OBA).
OBA encompasses a broad set of
activities that companies engage
in to collect information about
consumer online activity (such as
web pages visited) and use the data
to show relevant ads or content.
TRUSTes survey results show
75percent are aware of and 66percent are concerned about OBA
on websites (USA). Additionally,
79percent are aware of and 69percent are concerned about OBA on
smartphones.
22
WAN-IFRA REPORT
If publishers want to gain or maintain consumer trust, it is imperative to build privacy programmes
including practices that give consumers transparency, notice and
choice (see box).
23
GOLDEN BENCHMARK
FACT BOX
THE GLOBE AND MAIL
PRIVACY STAFF
BENCHMARK
24
WAN-IFRA REPORT
Our customers expect high standards from The Globe both in our
journalism and with our business
practices.
Company-wide
privacy structure
As part of the effort to make data
protection everyones business
and focus in the organisation, last
summer The Globe put in place a
formal privacy structure:
The Chief Privacy Officer
(CPO), Sue Gaudi, reports
directly to the publisher. The CPO
has overall responsibility for privacy governance, including advising
stakeholders (departments), maintaining the privacy programme, responding to data breaches, vendor
management, and responding to
inquiries and complaints.
Theres a Privacy Oversight
Committee (POC), which
reports to the CPO. This is a
cross-functional oversight committee, with representatives from
Finance, Research & Analytics,
IT, Customer Care, Advertising
and Marketing departments. The
POC is responsible for planning
and overseeing the implementation
of privacy management activities. These include tasks such as
establishing and maintaining a
data inventory, developing best
25
GOLDEN BENCHMARK
26
WAN-IFRA REPORT
27
29
Shifting definitions
of personal information
30
WAN-IFRA REPORT
COLLECTION LIMITATION. Make sure to limit the collection of personal data and
provide consumers notice and a way to provide consent where appropriate.
DATA QUALITY, ACCESS AND ACCURACY. Personal data should be used only
for stated purposes and should be accurate, complete and up-to-date.
USE LIMITATION. Personal data shouldnt be used or disclosed for any purpose other
than what was stated, except if the consumer consents or if the law requires it.
31
2 U.S. President Barack Obama recently proposed the Consumer Privacy Bill of Rights for
U.S. federal legislation encompassing these
same privacy principles. At the time of this
publication, the proposed legislation was still
in debate.
WAN-IFRA REPORT
Privacy-related communications
Privacy-related web certification
and seals
Privacy-related investigations
Privacy audits
Vendor management
Privacy monitoring
Privacy software tools
Redress and consumer outreach
Privacy-related government
affairs
Data inventory and mapping
10 Id. at 50.
33
SANOMA
34
WAN-IFRA REPORT
PRIVACY IS
A BUSINESS FUNCTION,
NOT JUST A LEGAL ONE
At Sanoma, data privacy is built into all business
development a privacy by design approach. In
FACT BOX
SANOMA PRIVACY
STAFF BENCHMARK
35
GOLDEN BENCHMARK
How important is
the balance between
protecting users privacy
on the one hand and
using their data for
advertising and marketing
on the other and how
do you handle it?
Its very important, because data
and analytics are increasingly
becoming an integral part of the
products themselves in the digital
environment helping people find
the content and contextual services
that are most relevant for them. In
addition, data is a relevant part of
the funding model for publishers.
So data is really an asset for us.
And if youre going to optimally use
your asset, you have to make sure
youre able to do that. So we work
through a consistent roadmap to
deal with potential privacy bottlenecks in advance, and find the
mechanisms to be able to use data
in a compliant manner. However,
36
WAN-IFRA REPORT
37
Moving on to the
complexity and
difficulty of monitoring
unauthorised thirdparty cookies how do
you deal with this?
This is certainly a challenge.
Tracking or auditing what cookies are collected on sites is one
thing there are commercially
available tools to help you do that.
Its also important that the roles
and relationships between the
different players in the ecosystem
are well understood. I dont like to
38
WAN-IFRA REPORT
WHAT PUBLISHERS
BELIEVE AND DO
39
PUBLISHER SURVEY
o ascertain how people in the publishing industry think about and manage data privacy, in
February we sent a survey to some 5,000 people
in our member database, including CIOs, HR, advertising managers, editors and IT managers, all at news
publishing organisations. Forty-five people answered
the survey. Interestingly, that was only about a third
of the number who responded to our Big Data survey a
few weeks later, which may be indicative of the importance our industry affords the respective topics.
The survey respondents were spread across four
continents; Europe, Asia (including the Middle East),
South and North America. Europe provided the most
answers (24).
10,0
Online adversers
10,0
40
WAN-IFRA REPORT
Publishers/website owners
9,4
Individuals themselves
13,3
0%
Wholly responsible
33,3
17,2
10,3
6,7
30,0
17,2
26,7
13,8
Browsers
36,7
24,1
10,0
Search engines
26,7
46,7
27,6
Social networks
26,7
13,3
30,0
37,9
31,0
31,0
31,0
13,3
31,0
27,6
56,7
9,4
23,3
53,1
10,0
20%
A lot resonsible
28,1
70,0
40%
60%
Somewhat responsible
6,7
80%
100%
67,9
IT
71,4
InfoSec
10,7
Operaons
32,1
Product Managers
46,4
Markeng
35,7
Editorial
32,1
Senior Management
42,9
HR
28,6
Legal/Compliance
17,9
3,6
0%
20%
40%
60%
80%
involved in privacy protection initiatives, but between 28percent and 40percent of respondents also
mention product management, marketing, editorial,
operations, senior management and HR.
41
PUBLISHER SURVEY
80%
20%
Yes
No
Cookie statements. In the European Union, websites are required by law to get visitor consent before
serving cookies and similar tracking devices to users
computers. In other parts of the world, there are no
legal requirements regarding cookies. Judging from
our survey results, publishers who are not required to
serve notice and obtain consent tend not to do so voluntarily. That included one respondent in Switzerland,
which is not part of the EU but is culturally similar to
neighbouring countries. Only 48.3percent of respondents said their company displays a cookie statement
to consumers visiting their digital properties.
11,1%
88,9%
Yes
No
51,7%
Yes
No
48,3%
42
WAN-IFRA REPORT
Tracking by third parties. All the experts we interviewed for this report have testified to the complexity
of monitoring third-party cookies and trackers being
dropped onto users browsers via publishers websites.
Our survey confirms that picture. While 33.3percent
of respondents answered yes to the question Do you
monitor your website to see if unauthorised third parties are tracking consumers (e.g., via cookies, beacons,
Do you monitor your website to see if
unauthorised third parties are t racking
consumers (e.g., via cookies, beacons,
fingerprinting)?
48,1%
18,5%
Yes
33,3%
No
Not sure
37,0%
40,7%
7,4%
Very valuable
Valuable
Somewhat valuable
Not valuable
10
84,6
Two-factor authenficaon
(requires two different ID components)
19,2
38,5
Automated alerts/blocking
of personal data transfer
23,1
53,8
30,8
Not sure
19,2
0%
20%
40%
60%
80%
100%
14,8%
Conclusion
Data security
12
43
LESSONS FROM
RECENT CASES
45
46
WAN-IFRA REPORT
PRIVACY
PROGRAMMES
1 Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy
Promises, FTC Press Release, November
29, 2011, https://www.ftc.gov/news-events/
press-releases/2011/11/facebook-settles-ftccharges-it-deceived-consumers-failing-keep
Maintaining a comprehensive
privacy by design programme
to address privacy risks associated with the development and
management of new and existing
products and services.
Submitting to independent
third-party audits certifying
that its privacy programme
meets the requirements in the
FTCs order every two years over
the course of the next 20 years.
COOKIE
CONSENT
47
48
WAN-IFRA REPORT
ONLINE
BEHAVIOURAL
ADVERTISING
49
50
WAN-IFRA REPORT
MONITORING &
CONTROL OF
THIRD PARTIES
AND SERVICE
PROVIDERS
A high PSIdoesnt necessarily mean a third party is bad and must be removed from
your site, but is rather intended as an indication that the party could pose a higher
risk to your site and that you should ensure they are authorised to be there.
51
517
25.85
70
3.5 (= 13 %)
Scan Stats
8.35 (= 32 %)
1.94 (= 7.5 %)
10.29 (= 39.5 %)
4,335
216.75
35,798
1,789.9
40,133
2,006
524
26.2
5,543
277.15
6,067
303
52
WAN-IFRA REPORT
companies include data aggregators that build customer profiles based on collected data and sell the
information on the market. The nature of publisher
business models may account for the high percentage of ads-related and retargeting companies.
Cookies and Cookie-Less Trackers. On average, the top 20 publishing sites had about 216 thirdparty cookies. Interestingly, there were on average
1,800 cookie-less tracker technologies per site.
Publishers must also be aware of these cookie-less
tracker technologies being used to track users, including web beacons or web bugs, flash cookies or
local shared objects (LSOs), JavaScript, e-tags, and
device fingerprinting.
CROSS-BORDER
DATA TRANSFER
Insurance sites
Shopping sites
Gross
Average
per site
(20 sites)
Gross
Average
per site
(20 sites)
Gross
Average
per site
(20 sites)
Number of
third parties
517
25.85
170
8.5
320
16
3rd cookies
4,335
216.75
978
48.9
2,394
119.7
3rd LSO
100
0,1
15
0.75
3rd LS
142
7.1
13
0.65
49
2.45
3rd beacons
17,014
850.7
4,361
218.05
9142
457.1
3rd JS
10,386
519.3
2,077
103.85
7,395
369.75
3rd e-tags
8,156
407.8
1,241
62.05
8,584
429.2
1st cookies
524
26.2
378
18.9
661
33.05
0.3
527
26.35
13
0.65
114
5.7
1st beacons
1,653
82.65
1,314
65.7
1,002
50.1
1st JS
1,893
94.65
961
48.05
878
43.9
1st e-tags
1,464
73.2
2,724
136.2
2,725
136.25
High PSI
70
3.5
16
0.8
41
2.05
32.29
14.12
0.706
38.12
1.906
7.54
7.64
0.382
9.06
0.453
Scan Stats
1st LSO
1st LS
% Ads-related
third parties
% Targetingrelated third
parties
53
54
WAN-IFRA REPORT
CHAPTER 6: RECOMMENDATIONS
WHAT PUBLISHERS
SHOULD DO NOW
55
RECOMMENDATIONS
Now that we have examined not only the legal requirements but,
more importantly, how a) strong data protection and privacy practices
can work in favour of proactive publishers, and b) consumers are
growing increasingly concerned about their online data privacy, we
have designed this chapter essentially as a checklist. It is intended
to help publishers take ownership of their data protection and
privacy practices, understand
their significance, and build
stronger trust and
understanding
with readers.
56
WAN-IFRA REPORT
BE CLEAR AND
TRANSPARENT
WITH YOUR
USERS
KEEP TRACK
OF YOUR
PROCESSES
Privacy audits. When your company decides that privacy protectionmust be given higher priority, the
first step is to take accurate stock
of where your privacy programme
currently stands against where you
want it to be. This is especially true
where privacy is a nascent area of
investment for the organisation and
you need greater strategic clarity on
the most effective way to allocate
time andresources.
A privacy audit can provide a dashboard view of your current privacy
programme and recommend immediate priorities and long-range
plans.
Data discovery and classification. Getting a clear picture of
the complete data lifecycle across
57
RECOMMENDATIONS
WAN-IFRA REPORT
KEEP TRACK
OF THIRD
PARTIES
INTERNAL ORGANISATION
Theres no getting away from it:
taking ownership of your data
protection requires investment. Of
course, as we have seen in our bestin-class case studies, probably only
larger publishers can contemplate
employing full-time data protection
officer(s). However, irrespective of
your size, establishing data privacy
awareness in-house is fundamental
to being able to leverage the data
you collect and to build trust with
your users.
Sanomas Director Data Protection
& Privacy Riikka Turunen explains
why they consider data protection
a business function, rather than
just a compliance one: Data
is an asset, and if youre going to
optimally use your asset you have
to make sure youre able to do that.
We have privacy champions across
the organisation who are like
antennae for the business. They
are employees who understand
the business, know the roadmap
of the operations, and have also
been trained in the area of privacy
to identify potential issues that
they might detect from the future
roadmap.
So what are your options?
APPOINT A
DATA PRIVACY
LEAD
59
RECOMMENDATIONS
APPOINT DATA
PROTECTION
CHAMPIONS
ACROSS THE
COMPANY
ESTABLISH
PRIVACY
AWARENESS
AMONG ALL
STAFF
CONCLUSION BE PROACTIVE!
Whether your organisation has full privacy programmes in place or is just setting out
to create a formal structure for data privacy protection, we would urge you to treat
this important area as an absolute business priority. Data is a key business asset,
and the more robust your privacy programmes and processes are, the better you
can leverage the data you collect. As Tim Gough at The Guardian points out, good
data protection normally enables you to do more things with data, not less.
Data privacy also speaks to the trust your customers place in your news brand.
The more open and transparent you are regarding your data collection and use,
the more likely your users are to understand and accept it. Theres an opportunity
now to turn data privacy into a competitive advantage. Be the publisher that is one step
ahead when it comes to communicating your privacy policy with consumers and
earn their trust.
60
WAN-IFRA REPORT
61
RECOMMENDATIONS
From a publishers
point of view, what are
the main challenges
with data protection in
digital advertising?
One challenge is controlling publisher audience data and preventing
that data from being used against
your usage guidelines. Its easy
for any technology vendor working with a publisher to pixel any
site (drop a cookie) and use the
info obtained with that cookie to
create look-alike audiences. These
companies can drop a cookie and
find that audience elsewhere for a
third of the cost. Publishers need to
know how to set rules so that they
are limiting use of any data picked
up when partners run campaigns
on their sites.
A second challenge is getting the
consumer to understand the rules
WAN-IFRA REPORT
63