
In association with

DATA PRIVACY
An issue for our time


ABOUT THE REPORT


In the hyper-competitive digital publishing ecosystem, where content is ubiquitous and successful business models are scarce, newspapers historically have tried to stand out from the crowd by trumpeting their trust mantra: "Trust our quality journalism. Trust our quality brands."

Their USP. Their competitive advantage. Trust.

And increasingly over the last few years, consumers are being asked by those same trusted brands to take an even bigger leap of faith in their historical relationship by registering/subscribing/paying for an array of new digital products or services, handing over precious (first-party) personal data in the process.

As a result, and through other means of gathering data, publishers have more information on their users than ever before. Ultimately, that allows publishers to become more intimate with their users' wants and needs and provide better-targeted content and, yes, advertising.

But also more than ever, consumers are aware of data collection and wary about what companies are doing with their information.

Trust.

Today, data privacy protection must be a top-of-the-mind issue for news publishers, to keep their crucial competitive advantage intact. Their longstanding customers demand it. Their potential new users, many of them Millennials, demand it. Emerging regulations demand it.

As in many aspects of digital publishing, there are numerous gray areas; challenges abound. But what is crystal clear is that transparency and forthright communication of data privacy policies and practices are an absolute must today.

Sounds reasonable in theory. In practice it's clearly a different story. But on this issue, publishers cannot afford to talk the talk and not walk the walk.

"We're asking more of our customers in terms of data," says Sue Gaudi, Chief Privacy Officer at The Globe and Mail in Canada. "And when you do that, especially in a very competitive market like ours, and when, as for The Globe, one of your top brand values is trust and integrity, you have to really walk the talk. It's all sort of a perfect storm of reasons to focus on how you collect, use and safeguard your data, not just to fulfil legal requirements but also to make the process very transparent to your users."

That is why WAN-IFRA commissioned this report, to help publishers weather this perfect storm around data privacy. The report serves as a primer on this delicate topic, and is intended to raise awareness and kickstart the discussion.

We partnered with TRUSTe, a leading global data privacy management company, to help create a report that showcases best-practice policies and practices as well as presenting the benefits and consequences of them. TRUSTe's consumer research, insights into global regulatory issues, recommendations, and overall input proved invaluable in shaping this report.

We are especially grateful to The Globe and Mail, The Guardian and Sanoma for sharing their data privacy strategies, and to the numerous respondents of our survey, who openly engaged with us and opened our eyes to some of the critical issues to cover.

We truly believe that data privacy protection is an issue for our time. We all have to get this one right.

Let's preserve our trust and our tradition.

Dean Roper
Director of Publications
WAN-IFRA

Shaping the Future of News Publishing

IMPRINT
DATA PRIVACY: AN ISSUE FOR OUR TIME
PUBLISHED BY:
WAN-IFRA
Rotfeder-Ring 11
60327 Frankfurt, Germany
CEO:
Vincent Peyrègne
DIRECTOR OF PUBLICATIONS:
Dean Roper
AUTHORS:
Cecilia Campbell, Kris Vann
EDITING:
Anton Jolkovski, Brian Veseling, Dean Roper
DESIGN/LAYOUT:
Ivan Cosic & Snezana Vukmirovic, Plain&Hill
Christian Pradel
CONTACT INFO:
dean.roper@wan-ifra.org
+49.69.2400 630

WAN-IFRA REPORT

CONTENT:
CHAPTER 1: INTRODUCTION
Proactive practice builds trust and business advantages
CASE STUDY: GOLDEN BENCHMARK
The Guardian: Focus Groups invited to give feedback on privacy policy
CHAPTER 2: CONSUMER ATTITUDES
Trust comes only from transparency
CASE STUDY: GOLDEN BENCHMARK
Globe and Mail: Transparency and opt-outs serve as top priorities
CHAPTER 3: KEY CONCEPTS & TRENDS
The broader picture
CASE STUDY: GOLDEN BENCHMARK
Sanoma: Privacy is a business function, not just a legal one
CHAPTER 4: PUBLISHER SURVEY
What publishers believe and do
CHAPTER 5: KEY PRIVACY AREAS
Lessons from recent cases
CHAPTER 6: RECOMMENDATIONS
What publishers should do now
Advice from the Ad Ecosystem

ABOUT THE AUTHORS


Cecilia Campbell, Executive Programmes Editor & Communicator, WAN-IFRA
She holds a BA in journalism from the University of Gothenburg in Sweden. She lives and
works in the UK as a digital media journalist and translator. Cecilia has been part of the core
team for the WAN-IFRA exec programmes on digital revenues and mobile platforms (now
eRev) since the launch in 2006. She has been a correspondent for World News Publishing
Focus for the past 15 years, has been involved in WAN-IFRA research projects and has
written Special Reports, including The Daily Telegraph Convergence Journey. She also leads
Study Tours, with special expertise on digital advertising.
Kris Vann, J.D., Senior Product Marketing Manager, TRUSTe
TRUSTe is the leading global Data Privacy Management (DPM) company and powers
privacy compliance and trust by enabling businesses to safely collect and use customer
data across their customer, employee, and vendor channels. Its SaaS-based DPM Platform
gives users control over all phases of data privacy management, from conducting
assessments and implementing compliance controls to managing ongoing monitoring. Its
DPM Services, including assessments and certifications, are delivered by an expert team
of privacy professionals. Thousands of companies worldwide rely on TRUSTe to minimise
compliance risk and protect their brand. See http://www.truste.com.

CHAPTER 1: INTRODUCTION

PROACTIVE PRACTICE BUILDS TRUST AND BUSINESS ADVANTAGES

In the digital world, publishers have more information about their customers than ever before, information they can monetise in various ways. Consumers, in turn, are becoming ever more aware of the data they share about themselves. Add the fact that privacy legislators constantly look at the need for further regulation, and you've got a situation where it's vitally important for publishers to take ownership of their data protection and communication around privacy.

Data privacy/protection is an increasingly important issue for anyone doing business online. According to Digiday, this year's SXSW conference included more than 100 sessions that had "data privacy" in their title, illustrating how top of mind this issue is for the digital community.

It's a multi-faceted challenge, but one that can be turned into a competitive advantage by publishers who identify data privacy as a business priority. At the most fundamental level (as has been reiterated by many industry representatives interviewed for this report) it's about a need to self-regulate or be regulated. Publishers proving and communicating to consumers that data privacy is top priority may not only moderate the need for further legal controls, but also earn consumers' trust and willingness to share their private information and online behaviour.

Ashoek Adikari, Chief (in-house) Legal Counsel at Media24 in South Africa, explains why consumer and data privacy is a business priority at Media24: "Privacy is at the heart of consumer trust and consumption, particularly in an online environment. Media24 has a portfolio of brands that is very interactive with consumers. Both as media audiences and consumers of services such as distribution and e-commerce, consumers must be able to rely on their privacy in order to remain as customers. That trust, once lost, is extremely difficult to regain. It is therefore of great commercial importance as well as being in the best interest of our customers [that we protect their data privacy]."

So what are the challenges and opportunities the news publishing industry faces in connection with data privacy/protection?

See things from your users' perspective

Users are willing to share data. While consumers are becoming increasingly concerned about their online data privacy, there is also a willingness to share information in return for content and services, but only with those companies deemed trustworthy. In an annual U.K. study (Ofcom's Adults' Media Use and Attitudes 2015), 68 percent of respondents said they are happy to provide personal information online to companies as long as they get what they want. Engaging with your users, educating them about the data you collect, how it's used, and how it can benefit their experience will build trust in your brand and business. This may in turn increase users' willingness to share information.

The data publishers collect through cookies and non-cookie trackers is absolutely key for the creation of added value in advertising products, and an important business asset. At the same time, being as transparent as possible and making it easy for users to control to what extent cookies are served may increase trust and their willingness to share. That is a difficult balance for a publisher. The Guardian's approach (see page 11) is to actually consult with users, to gauge where the line between "simplicity for customers" and "not enough data collected" may lie.

The Economist lets users set cookie preference using a three-step slider.


Most publisher websites send users to external sites such as the Digital Advertising Alliance's www.aboutads.info/choices to set their cookie preferences. Here the consumer is shown a list of companies (in this case only firms participating in DAA's self-regulatory Ad Choices programme) who have enabled interest-based ads for the user's individual web browser. The user then opts out by ticking individual companies or selecting all. Some publishers make it more straightforward for the consumer, allowing cookie preferences to be set within their own web properties; see stories on Sanoma (page 34) and The Globe and Mail (page 23). The Economist provides customers with a three-step slider to set their cookie preference, clearly showing how each setting affects the functionality of the website (see screenshot on previous page).

Time to start worrying about ad blockers. A sub-plot to the larger trust issue is the annoyance some users, particularly in Europe, feel about online advertising. This is specifically about adverts flooding and, in some cases, taking over websites rather than about the data collection per se. According to a recent report from Adobe and PageFair, the global ad-blocker user base is now at 144 million monthly active users. At an informal meeting in May between some European publishers and German software company Eyeo, maker of Adblock Plus, some publishers expressed frustration at the impact that ad blocking is having on their businesses. Others pointed out that if users are sufficiently annoyed by website experiences to resort to ad-blocking software, that is a problem the publisher must tackle. Again, communicating with users may bring about change. Recently in Denmark two publishers, Egmont and Bonnier, introduced a pop-up message that appears when the site detects that a user has an ad blocker. The message asks the visitor to switch off the blocker, briefly explaining why. So far, half of users shown the message do just that.

Keeping track

One of the key challenges is a technical one. Data is collected through websites and mobile apps, and the publisher has to be in control and understand how that data is used, stored, transferred and shared. Says Marc Groman, President and CEO of the Network Advertising Initiative and a member of the board of directors of IAPP (International Association of Privacy Professionals): "This is not an easy undertaking today. Data is collected through registration forms, surveys, subscriptions, and purchases. Web viewing data is collected by first and third parties through cookies, pixels, HTML 5, statistical identifiers, IP addresses, SDKs, mobile identifiers and an increasing array of tracking technologies. Location data can be revealed through IP addresses, GPS coordinates, cellphone data and more. Data may also be purchased from offline data sources or public records and merged with online data. None of this is inherently problematic, and it indeed may be beneficial to the consumer, but a publisher must understand what is collected, how it is used and by whom, to ensure that the data is not used inappropriately, in ways not contemplated by the publisher or in violation of laws."

Legislation

With online privacy concerns growing among the public, politicians respond by regularly introducing new legislation, which the online industry must conform to. There are five key privacy areas that are critical for companies to manage: privacy programmes, cookie consent, online behavioural advertising, third-party monitoring, and cross-border data transfers. Chapter 5 covers recent enforcement cases in each of those areas and discusses current and coming legislation.

Competing with the data giants

In our Publisher Survey (see Chapter 4), 75 percent of responding publishers said they believe their online brand is more trustworthy than global tech (e.g. Twitter, Facebook, or Google) in terms of protecting users' data. The challenge is to persuade consumers of that as well.

As a consumer today, you have very little control over how the "Big Guys" track you. Here's an illuminating snippet from the Facebook Atlas Privacy Policy: "Note: Even if you choose not to receive personalised advertising, Atlas will continue to collect the same information when you browse the Web, see or click on an advertisement that we deliver or measure, or use one of our advertisers' apps." Users can be forgiven for feeling powerless.

The importance of (personal and aggregate) data to digital media businesses, be they large social platforms or small local players, is indisputable. Consumers need to understand and accept the trade they make between information about themselves (and their online behaviour) and the content and services they consume. Trusted news brands can only gain from engaging with their customers about data collection/privacy, involving them and educating them about what they get in return. Get your users on side. It's time to get proactive.

CASE STUDIES: THE GOLDEN BENCHMARKS

GUARDIAN NEWS & MEDIA

WE HIGHLIGHT THREE NEWS MEDIA COMPANIES THROUGHOUT THE REPORT THAT HAVE IMPLEMENTED OUTSTANDING DATA PRIVACY POLICIES AND PROCEDURES: GUARDIAN NEWS & MEDIA (UK), THE GLOBE AND MAIL (CANADA), AND SANOMA (FINLAND).


Tim Gough
The Guardian's Head of Data Protection has set up a London-based Media Data Protection Forum, which includes his peers from e.g. the BBC, ITV, Warner Bros, The Telegraph, and Red Bull Media.

THE GUARDIAN REACHES OUT TO FOCUS GROUPS FOR FEEDBACK ON PRIVACY

In the autumn of 2014, alongside a written privacy policy, The Guardian published short animations explaining the policy and its use of cookies. The films came about as a response to feedback from focus groups. The group members had been asked to read the publisher's privacy policy and then discuss what they thought its purpose was, what they didn't understand, and what they wanted more information about. The desire for a simpler message was one of the things The Guardian acted on.

FACT BOX: THE GUARDIAN PRIVACY STAFF BENCHMARK
Total number of staff at The Guardian: 1,656 (U.K.)
Number of staff working full-time in data protection and privacy: 2
Number of privacy champions across the organisation: 20 now, soon to be 30

Being transparent about its privacy policy and use of data is fundamental to The Guardian. The paper's website and apps are free and open to all, which means it is particularly dependent on its user data for its advertising business as well as for creating the best possible experience for its readers.

According to Tim Gough, The Guardian's head of data protection, there was a clear message from the focus groups: Most participants said they would not normally read a written privacy policy. Nonetheless, having done so for the purpose of the focus group session, many said they found it interesting and felt better for having read it. "We were amazed at how often the word 'trust' came up in those sessions in relation to us. It's a lovely place to be, for a brand," says Gough.

Another thing that came out of the focus sessions was that users really don't understand cookies very well, despite all the information provided. "We're very keen to let people know what they can do to control cookies for themselves, that there are choices available, and that if it seems a bit difficult, our role is to help and educate," says Gough. To this end, the data protection information for readers has been certified by the Plain English Campaign.

To help readers understand the importance of data to The Guardian, the paper recently ran a campaign, "Why your data matters to us", which was supported by a landing page and another brilliant 90-second animation. The film focuses on why The Guardian collects data and how it uses it to support the ad business, keep the website open and free, and make The Guardian better for its readers. It explains passive data collection, including cookies, as well as how users can actively provide data and how The Guardian gains more insight from readers who have user accounts and log in to them. It also explains how data improves the experience of the website for each individual visitor, and how users can stay in control of the data they provide and manage their preferences. The film and its landing page were promoted with an e-mail campaign to 2 million contacts. It was also advertised online, and there's now a link to it from the registration page.

Training includes business case workshops

At The Guardian, the data protection team (the legal side of privacy) works across the whole organisation to ensure cohesion and understanding across all teams. In addition to the data protection team, there are privacy champions throughout the commercial and operations departments. The Guardian also has developed bespoke training modules on the different aspects of data protection, which all staff can participate in. Each module concludes with a practical workshop where an imaginary business has been created and the participants go through the processes of managing data collection, hosting, transfer, etc., involved in running that business. Eventually (and this is, of course, the goal) staff start thinking like data protection officers. All staff are required to complete an online training module on information security and data protection training. The face-to-face modules are all entirely optional and are aimed at commercial and operations staff.

In the autumn of 2014, alongside the written privacy policy, The Guardian published short animations explaining its privacy policy and its use of cookies.

MORE INFORMATION
TO VIEW ALL ANIMATIONS AND THE INFOGRAPHICS ON COOKIES AND TOP 10 TIPS FOR STAYING SAFE ONLINE, PLEASE VISIT: WWW.THEGUARDIAN.COM/INFO/PRIVACY

Review identifies all processes involving personal data

For the past couple of years, The Guardian has carried out a data processing activities review. The review, which covers all departments, identifies every activity that involves personal data, whether it is sensitive personal data as defined in the Data Protection Act of 1998, and whether it relates to employees, customers or contractors. Information is gathered about how the personal data is then used: shared internally, with other companies working on The Guardian's behalf, and with third parties. The review looks at what categories of data are collected/transferred, who is responsible for it, and so on, with sense-checking along the way: "Are we collecting too much data or not enough? Under data protection law, what makes this data processing lawful? And if this process is reliant on consent, does true consent exist?" and so on. The benefits of the review, according to Gough, have been great. It engages all departments in thinking about data processing, and a lot of management information can be extracted from it, such as which department processes the most personal data, or which one processes the most based on consent.

For The Guardian, the data processing activities review has been a worthwhile investment in time and resources and has enabled a better understanding of data management across the organisation: "good data protection normally enables you to do more things with data, not less," says Gough.

Staff need to be fully trained and aware that good data protection starts with telling people what you will do with their data before they give it to you, so they can make a decision whether or not to go ahead. "If you neglect to inform, and when necessary get consent, what you can do with the data collected is limited," says Gough.

As The Guardian has expanded its presence internationally during the past few years, it has put in place privacy policies for the USA and more recently for Australia. It has further developed its stance on data protection and has set up soon-to-be-introduced Global Data Protection Standards, which will gold-plate and standardise a number of codes and practices above and beyond what is required by law.

Gough says as the data protection officer, he has a unique and, to some extent, independent position in the company, sitting between the users from whom The Guardian collects data and the organisation. "I have to look both ways, working like a set of scales, almost. Typically people charged with protecting privacy are like this; we will challenge the organisation whilst at the same time enabling them to use the data we collect in ways that benefit the company."


CHAPTER 2: CONSUMER ATTITUDES

TRUST COMES ONLY FROM TRANSPARENCY

IF PUBLISHERS WANT TO GAIN OR MAINTAIN CONSUMER TRUST, IT IS IMPERATIVE TO BUILD PRIVACY PROGRAMMES THAT MAKE SURE PRACTICES THAT GIVE CONSUMERS TRANSPARENCY, NOTICE AND CHOICE ARE CONTINUALLY DEPLOYED.


CONSUMER CONCERNS

Consumers' concern about data privacy is rising, their trust is falling, and the impact on publishers is potentially high. A recent survey shows that 90 percent of consumers in the USA and U.K. avoid companies that they don't believe protect their data privacy. But consumers are willing to trade some level of privacy for personalisation or free services as long as publishers are transparent about how and why they collect user data.

"Our connectivity brings extraordinary benefits to our daily lives, but it also brings risks," U.S. President Barack Obama said in a recent speech at the White House Summit on Cybersecurity and Consumer Protection.[1] That captures the zeitgeist of our modern millennial age, that is, the constant penetration of the digital public realm (Internet, social networks, mobile, and smart devices) into our personal lives.

According to the Pew Research Center in a recent poll[2], more than 87 percent of American adults now use the Internet, with near-saturation usage at 99 percent among those living in households earning US$ 75,000 or more. Adult cell phone ownership has also risen from 53 percent in 2000 to 90 percent now. According to a 2014 worldwide mobile phone user report from eMarketer, mobile phone penetration will rise to 69.4 percent of the global population by 2017. But 91 percent of those surveyed in the Pew Research Center poll said they felt people had lost control of how personal information is collected and used by companies.

[1] David Hudson, "President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection," The White House Blog, February 13, 2015, https://www.whitehouse.gov/blog/2015/02/13/president-obama-speaks-white-house-summit-cybersecurity-and-consumer-protection .

[2] Susannah Fox and Lee Rainie, "The Web at 25 in the U.S.," Pew Research Center Report, February 27, 2014, http://www.pewinternet.org/files/2014/02/PIP_25th-anniversary-of-the-Web_022714_pdf.pdf .
Every indicator shows that consumers are growing increasingly concerned about their online privacy. The Snowden affair gave the world a wake-up call, and we suddenly live in a very different reality where people know that strangers (be they the government, corporations, or individual hackers) have the capacity to infiltrate every corner of the digital universe and exploit personal information. Recent significant data breaches in the USA at the Target chain of department stores and Anthem health insurance company, compromising the credit card numbers and health information of hundreds of millions of people, have helped fuel concerns.

Publishers should not underestimate the emotional intensity of data privacy. Professor Aaron Ben-Ze'ev says, "The unapproved disclosure of information that we feel is private can leave us hurt, angry, and feeling exposed."[3] This emotional aspect of data privacy makes it all the more important for the business of publishing.

[3] Aaron Ben-Ze'ev, The Subtlety of Emotions, Cambridge, MA: MIT Press (A Bradford Book, 2001).

[Figure: Consumers in both the USA and the U.K. are increasingly worried about what companies do with the data they collect.]

[Figure: ADVERTISING AND TRACKING. Pie charts for Online Behavioral Advertising (concerned net = 66%, aware net = 75%) and Smartphone Behavior Tracking (concerned net = 69%, aware net = 79%), with response categories from "Very concerned" to "Not at all concerned" and from "Yes, fully aware" to "No, not aware of", plus "Don't know". A bar chart by type of personal information, from "My gender" and "My name" to "Precise details of where I have been (collected via geo-location data / IP address)", plus "Nothing" and "Don't know". Caption: Awareness and concern among consumers is particularly strong when it comes to online behavioural advertising (OBA). Source: TRUSTe Consumer Privacy Index.]

TRANSPARENCY IN EXCHANGE FOR TRUST: WHAT PUBLISHERS CAN DO

The TRUSTe survey results show there are specific actions that publishing companies can take in exchange for consumer trust. These include the following:

Provide clear procedures for consumers to remove personal information (47 percent)
Ask for permission before using cookies (31 percent)
Offer notice of, and the ability to opt out of, targeted ads (31 percent)
Provide information on how the personal information collected is used (30 percent)
Provide easy opportunities to stop being contacted by third parties (30 percent)
Write privacy policies in easy to understand language (21 percent)
Provide an easy way to file a privacy complaint (15 percent)
Ensure that privacy policies are read and understood (21 percent)
Gain certification from an independent third party (8 percent)

So what are consumers fearful of, and what does it mean for the publishing industry?

The 2015 TRUSTe Privacy Index, Consumer Confidence Edition, carried out by Ipsos among 1,000 consumers in the USA and the same number in the U.K., provides statistics that help paint the picture.[4]

Of those surveyed in both countries, 92 percent worry about privacy in general when using the Internet. Forty-two percent of Americans say they are more concerned about their online privacy compared to a year ago. In the U.K., that figure is 33 percent.

While consumer concern has risen, consumer trust has fallen. Fifty-five percent of U.S. Internet users and 51 percent of U.K. users trust business with their personal information. That figure remains at the lowest point for three years in the U.S. and falls to the lowest point in four years in the U.K.

The business impact for companies that don't seriously address data privacy concerns is high. Ninety-one percent of U.S. Internet users and 89 percent of U.K. users report that they avoid companies that do not protect their privacy.

[4] TRUSTe Consumer Confidence Index - US, 2015, http://www.truste.com/resources/privacy-research/us-consumer-confidence-index-2015/; TRUSTe Consumer Confidence Index - GB, 2015, http://www.truste.com/resources/privacy-research/uk-consumer-confidence-index-2015/.

What's driving this concern?

Consumers are worried most about what companies do with the data they collect. The TRUSTe survey results show 38 percent are most concerned about companies collecting people's personal data online and sharing it with other companies. This ranked higher than any other activity, including security threats to personal data or government surveillance of online activities through programmes such as the U.S. National Security Agency's PRISM.

Consumers are worried about online behavioural advertising

There is a particularly high awareness of and concern about online behavioural advertising (OBA). OBA encompasses a broad set of activities that companies engage in to collect information about consumer online activity (such as web pages visited) and use the data to show relevant ads or content. TRUSTe's survey results show 75 percent are aware of and 66 percent are concerned about OBA on websites (USA). Additionally, 79 percent are aware of and 69 percent are concerned about OBA on smartphones.


Consumers are willing to trade some level of privacy for personalisation or free services

Even with self-reported trepidation, consumers have grown increasingly dependent on technology for convenience and have mixed feelings as to whether they are willing to trade privacy for certain benefits. The TRUSTe Privacy Index shows that 48 percent would not be willing to share any personal information in order to receive advertising tailored to their interests. However, 39 percent were willing to do so.

It then becomes an issue of what types of personal information consumers are willing to trade for benefits. Indeed, this will be a continuum that shifts. The 2015 TRUSTe Privacy Index (USA) shows that more consumers are willing to share gender (19 percent), name (14 percent), e-mail address (14 percent), exact age (11 percent), and city/town/village of residence (9 percent).

but very few want to share web surfing behaviour and geolocation

Fewer respondents (USA) say they are willing to share date of birth (6 percent), website surfing behaviour (6 percent), general details of geolocation (5 percent), name of residential street (4 percent), specific IP address (4 percent), exact residential address (3 percent), personal information about children/grandchildren (3 percent), mobile number (2 percent), photographs (2 percent), videos (2 percent), list of social media friends/contacts (2 percent), and precise details on geolocation (2 percent).

If publishers want to gain or maintain consumer trust, it is imperative to build privacy programmes including practices that give consumers transparency, notice and choice (see box).

CASE STUDIES: THE GOLDEN BENCHMARKS

THE GLOBE AND MAIL


THE GLOBE AND MAIL MAKE TRANSPARENCY AND OPT-OUTS TOP PRIORITIES

As Canada's leading news organisation, The Globe and Mail is keenly aware of the importance of active and transparent management of data protection in order to maintain consumers' trust in its publishing brand. In August 2014, the company set up a formal privacy structure beyond the chief privacy officer. Since then, the privacy policy has been completely rewritten to explain data privacy in the context of The Globe and Mail's business. In addition, this winter an AdChoices opt-out tool for consumers was set up on the paper's website.

FACT BOX
THE GLOBE AND MAIL PRIVACY STAFF BENCHMARK
Total number of staff at The Globe and Mail: 688
Number of staff working in Data Protection & Privacy: CPO (not full-time)
Number of Privacy Advocates across the organisation: 11 (not full-time)

With the business moving onto digital platforms, like many media companies, Toronto-based The Globe and Mail has made a shift in recent years to becoming more customer-centric. The Globe relies on both subscription fees and advertising revenue to support the business, which means the balance between the advertising business and data protection is vital to the success of the company. Says Chief Privacy Officer Sue Gaudi: "We're asking more of our customers in terms of data. And when you do that, especially in a very competitive market like ours, and when, like for The Globe, one of your top brand values is trust and integrity, you have to really walk the talk. It's all sort of a perfect storm of reasons to focus on how you collect, use and safeguard your data, not just to fulfil legal requirements but also to make the process very transparent to your users."

Gaudi emphasises the strong link between that transparency and the trust of The Globe's customers. "We recently revised our privacy policy to make it easier for customers to understand our business practices and to highlight the choices they have when it comes to their data. Our customers expect high standards from The Globe both in our journalism and with our business practices."

Opt-out tool within The Globe and Mail website
The Globe and Mail was one of the first Canadian media companies to sign up to AdChoices, the DAA's (Digital Advertising Alliance) self-regulatory programme for online behavioural targeting. AdChoices allows readers to opt out of ad targeting based on their online behaviour across two or more websites.

Andree Gosselin O'Meara, Director Customer Service & Privacy Advocate, explains how The Globe has implemented the AdChoices opt-out tool to offer as much transparency as possible into the actions of all the advertisers they work with: "Most AdChoices participants send their readers to the AdChoices website to opt out. However, that tool only displays programme participants. A reader is left in the dark as to all the other advertising he sees. The Globe's execution of the opt-out tool offers full transparency on all advertisers of our websites that may use ads for collecting behavioural data. This tool gives our readers both more visibility and more control over interest-based advertising." There are multiple points of entry to the AdChoices tool, but the two most obvious places are on the ad itself or via a link at the webpage footer.

"We see that more and more, readers want greater control over their data, and we are responding to this as quickly as we can with new tools, such as AdChoices, or later this spring, a new customer preference centre that will allow users to manage more of their data online," says Gaudi. "We recognise the limitations of AdChoices [only dealing with OBA, online behavioural advertising], but we believe that the bar will only be raised as more advertising companies, and publishers such as ourselves, actively participate in this relatively new programme and share reader feedback. Participation starts to raise consciousness in organisations of what happens with personal information."

Company-wide privacy structure

As part of the effort to make data protection everyone's business and focus in the organisation, last summer The Globe put in place a formal privacy structure:

The Chief Privacy Officer (CPO), Sue Gaudi, reports directly to the publisher. The CPO has overall responsibility for privacy governance, including advising stakeholders (departments), maintaining the privacy programme, responding to data breaches, vendor management, and responding to inquiries and complaints.

There's a Privacy Oversight Committee (POC), which reports to the CPO. This is a cross-functional oversight committee, with representatives from Finance, Research & Analytics, IT, Customer Care, Advertising and Marketing departments. The POC is responsible for planning and overseeing the implementation of privacy management activities. These include tasks such as establishing and maintaining a data inventory, developing best practices and vendor management guidelines, and creating processes around business needs such as incident response and new product development.

Departmental Privacy Advocates (PAs) support the initiatives of the POC. PAs act as departmental liaisons on issues relating to data and privacy. Working with the POC, they are responsible for raising awareness of privacy developments within their departments, providing guidance on issues relating to data and privacy, and assisting the POC with privacy documentation, processes and, in the future, compliance audits.

Departments with Privacy Advocates are: Logistics, Digital, Advertising, Customer Care, Consumer Sales, Research & Analytics, Finance, HR, IT, Consumer Marketing and Editorial.

Departmental staff receive training throughout the year. Specific instructions and coaching are also given when governmental policies are changed or updated. The POC members meet once a week to keep themselves informed of privacy initiatives in a more granular way as well as manage the many privacy initiatives of the company. POC members also attend additional training generally from external sources.

O'Meara adds that all members of the Customer Care team she leads constantly interact with readers and subscribers alike. "Although many readers are well aware of the information we have pertaining to their subscription and/or online information, everyone wants to ensure it is safely guarded and protected. Our department has a central role in not only safeguarding the information we have but also helping readers understand how they can, if they wish, manage their online personal information, their profile settings as well as guiding them to manage their options for online behavioural targeting."

For The Globe and Mail, the open dialogue with users around the importance and use of data is a business critical issue. As the CPO, Sue Gaudi manages that relationship. "The advertising department beats the drum of 'more first-party data please.' As CPO, I look out for our customers and help determine how we get that data, how we safeguard it and how we collect it in a usable way and in a way that doesn't negatively impact our brand value. At The Globe, experience tells us that if we do this correctly and in a way that people understand, our customers become our family in a way, and we'll have a lot more valuable information to use in our business."


CHAPTER 3: KEY CONCEPTS AND TRENDS

THE BROADER PICTURE


This chapter deals with the concept of privacy in the online world as well as what actually constitutes personal information. It also takes a look at how other industries are managing data privacy, which provides a useful benchmark for publishers.

Shifting definitions of personal information

In managing privacy for your organisation, it's important to first understand what types of data must be protected in order to comply with privacy frameworks in various countries.

Personal information is generally defined as any information related to an identified or identifiable individual. Thus it is often referred to as personally identifiable information or PII.

Though dependent on jurisdiction, PII can include name, gender, age, date of birth, marital status, citizenship, languages spoken, veteran status, disabled status, or IP address. It may also include organisation information such as business and personal addresses, phone numbers, e-mail addresses, internal identification numbers, government-issued identification numbers and identity verification information. However, in Canada, PII does not include certain business contact information.

There is also a category of personal information that varies widely by jurisdiction and is very much a reflection of cultural expectations of privacy. In the USA, it is referred to as sensitive personal information and includes Social Security numbers, financial information, driver's license numbers, and medical records. The definition tends to be driven by the notion of privacy in the context of commerce and fair information practices.

In Europe, the Data Protection Directive identifies certain special categories of data as sensitive personal data, which is afforded a high standard of protection. This includes data revealing racial or ethnic origin, political opinions, religious or philosophic beliefs, trade union membership, health or sex life.1

One of the first steps in privacy management is to assess where PII, sensitive personal information, or special categories of data might be stored in your organisation's business processes and platforms. Via this data inventory, you can understand where you need to apply practices to protect your users' personal information.

THE 8 KEY PRIVACY PRINCIPLES

Although there are some key jurisdictional differences, the privacy frameworks all share eight key privacy principles derived from the foundational OECD (Organisation for Economic Co-operation and Development) guidelines.

COLLECTION LIMITATION. Make sure to limit the collection of personal data and provide consumers notice and a way to provide consent where appropriate.

DATA QUALITY, ACCESS AND ACCURACY. Personal data should be used only for stated purposes and should be accurate, complete and up-to-date.

PURPOSE SPECIFICATION, NOTICE AND RESPECT FOR CONTEXT. The purposes for the use of personal data should be stated at the time of data collection. The use must be limited only to the purposes stated. If you change the purpose of the use, make sure to state the new purpose. Remember you cannot change the purpose after you've collected the data.

USE LIMITATION. Personal data shouldn't be used or disclosed for any purpose other than what was stated, except if the consumer consents or if the law requires it.

SECURITY SAFEGUARDS. You should use reasonable security safeguards to protect personal data against risks such as unauthorised access to the data.

OPENNESS AND TRANSPARENCY. A general policy of openness should be deployed to share practices and policies regarding personal data. Implement transparent ways to communicate the use of personal data and the identity and contact information of any parties in control of the data through the business process.

INDIVIDUAL PARTICIPATION, CONTROL AND CHOICE. Individuals should have the right to receive:
a. Confirmation of whether an organisation has their personal data;
b. Access to their personal data in an easily readable form and reasonable manner (within a reasonable time, and NOT for an excessive charge);
c. Reasons and the ability to appeal if one of the requests above is denied; and
d. Means to challenge the data relating to him/her and, if successful, to have the data erased, rectified, completed or amended.

ACCOUNTABILITY. Organisations in control of personal data should be accountable for complying with measures that align with these principles.

Eight key privacy principles

The history of globally recognised privacy principles started in the 1970s with the U.S. Fair Information Practices, then evolved with the Organisation for Economic Co-operation and Development (OECD) Guidelines in 1980, to the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data, passed in 1981 by the Council of Europe.

In 1995, the European Union passed the Data Protection Directive, which went into effect in 1998. The Asia-Pacific Economic Cooperation (APEC) Privacy Framework, approved in 2004, offers a non-legally-binding framework to foster consistent privacy standards and cross-border data transfer among member nations.2

Although there are some key jurisdictional differences,3 the privacy frameworks all share eight key privacy principles derived from the foundational OECD guidelines.4 (See box on preceding page.)

To mitigate privacy risk, publishers should assess whether current business processes are compliant with those eight key privacy principles and plan for any necessary adjustments. Furthermore, future product and process developments should be planned against those principles to ensure privacy by design from the outset.

1 Peter P. Swire, CIPP/US and Kenesa Ahmad, CIPP/US, IAPP Foundations of Information Privacy and Data Protection, A Survey of Global Concepts and Practices, International Association of Privacy Professionals (IAPP), 2013.

2 U.S. President Barack Obama recently proposed the Consumer Privacy Bill of Rights for U.S. federal legislation encompassing these same privacy principles. At the time of this publication, the proposed legislation was still in debate.

How the Fortune 1000 manage data privacy
The publishing industry can learn a
lot from the experiences of organisations in other industries. The
number of privacy professionals
continues to grow, with the International Association of Privacy
Professionals (IAPP) reporting an
increase from 10,000 members in
2012 to more than 20,000 members worldwide currently.

3 For example, APEC also includes the principle of Preventing Harm. Note that a detailed list of jurisdictional differences is not within the scope of this publication.

4 The OECD Privacy Framework, 2013, http://oecd.org/sti/ieconomy/oecd_privacy_framework.pdf


While most companies may have a CTO (chief technology officer), CSO (chief security officer) and/or CISO (chief information security officer), the CPO (chief privacy officer) or chief privacy lead is now on the rise. This is a senior executive who is responsible for managing the risks and business impacts of privacy laws and policies. It is his or her role to advocate, and help the company build and maintain, programmes for customer and employee data protection.

In 2014 the IAPP published a report, Benchmarking Privacy Management and Investments of Privacy Leaders in the Fortune 1000, based on surveys and interviews with 275 privacy leaders in Fortune 1000 organisations.5 A brief examination of the report's findings can provide publishers with a valuable benchmark of where their privacy programmes currently stand. The results can also help identify potential areas of immediate and long-term development necessary for privacy compliance.

Privacy operations at the organisations surveyed vary in terms of privacy maturity.6 The largest grouping, 42 percent, are in the pre, early or middle stage, with an average of 3.3 full-time privacy employees. The next group, at 33 percent, are in the middle stage with an average of 5.9 full-time privacy employees. The mature stage organisations made up 25 percent, with an average of 25 full-time privacy employees.

6 Id., page 16.

Across all organisations surveyed, the average privacy budget was US$2.4 million.7 That equated to $76.24 per employee or $204 per $1M in revenue. Thirty-eight percent say their budget will increase, and expect it to grow by over a third.

The top industries investing in privacy were financial services ($3.1M), consumer products ($2.85M), retailing ($2.6M), internet services ($2.5M), and hospitality & leisure ($2M).8 The news media were not mentioned as an industry in the report.

In addition to internal staff, privacy investments included:9

- Hiring privacy legal counsel
- Hiring consultants for privacy policies, procedures and governance
- Hiring consultants for privacy assessments
- Training
- Privacy-related communications
- Privacy-related web certification and seals
- Privacy-related investigations
- Privacy audits
- Vendor management
- Privacy monitoring
- Privacy software tools
- Redress and consumer outreach
- Privacy-related government affairs
- Data inventory and mapping

Privacy leaders cited the importance of collaboration among a company's various functional areas, especially these: information security, legal, information technology, regulatory compliance, government affairs, marketing, corporate ethics, and human resources.10

5 Benchmarking Privacy Management and Investments of the Fortune 1000, International Association of Privacy Professionals, 2014 Report, https://privacyassociation.org/resources/article/benchmarking-privacy-managementand-investments-of-the-fortune-1000-2/

7 Id., page 26.
8 Id., page 30.
9 Id., page 34-35.
10 Id. at 50.


CASE STUDIES: THE GOLDEN BENCHMARKS

SANOMA


PRIVACY IS A BUSINESS FUNCTION, NOT JUST A LEGAL ONE

At Sanoma, data privacy is built into all business development, a privacy by design approach. In practice, that means privacy champions working throughout the organisation whose job is to spot any potential privacy issues in the roadmap for the future. Because they know the business well, they suggest ways of solving the issues, or, in more complex cases, call the team of privacy experts in. There are also common privacy-enhancing technologies and frameworks that can be deployed across organisations in a scalable way.

FACT BOX
SANOMA PRIVACY STAFF BENCHMARK
Total number of staff at Sanoma Corporation: 7,583
Number of staff working full-time in data protection and privacy: 3
Number of privacy champions across the organisation: about 40 (not full-time)

Sanoma, with businesses in Finland and the Netherlands, hired its first director data protection & privacy in 2013. Riikka Turunen joined the company as its big data project was being implemented. The head of consumer insights and analytics knew from past experience that if you don't try to be proactive, from an operational and policy management point of view, when you are ramping up your data capabilities, you are going to run into problems.

So Turunen was hired, and data protection became a project in the organisation, above and beyond the support that the legal department had thus far provided. "Privacy is a key consideration at Sanoma," says Turunen. "Our privacy policy has been formally approved by our board and executive management group. We consider privacy to be more than just compliance; it is a crucial element in sustaining and improving our customer relationship and instilling trust as a brand value. Hence privacy is very important for our brand."

Today, in addition to the privacy officer, there's a privacy team within the legal department, to support privacy implementation. In addition, there are designated privacy champions across all relevant business operations. They work as business partners to help the privacy team drive principles into practical implementation, the privacy by design approach. There's also a separate information security team, which works closely with the privacy team.

How important is the balance between protecting users' privacy on the one hand and using their data for advertising and marketing on the other, and how do you handle it?

It's very important, because data and analytics are increasingly becoming an integral part of the products themselves in the digital environment, helping people find the content and contextual services that are most relevant for them. In addition, data is a relevant part of the funding model for publishers. So data is really an asset for us. And if you're going to optimally use your asset, you have to make sure you're able to do that. So we work through a consistent roadmap to deal with potential privacy bottlenecks in advance, and find the mechanisms to be able to use data in a compliant manner. However, the approach is very different from more traditional compliance management, where you might audit the operations [afterwards]. That's not our approach. For Sanoma, privacy is very much part of the business functions, enabling data use.

What is the biggest challenge in data privacy for your organisation?
Perhaps the main challenge regarding privacy has to do with the fast
pace of business. Business models,
technologies and industry best practices are continuously evolving. Our
product and service development
teams are also working increasingly
in an agile mode. The old-fashioned
compliance management approach
no longer works as a means to
ensure privacy. Privacy needs to be
embedded into common technologies, and into the competences of
our development teams.

Can you explain the role of the privacy champion in, let's say, the newsroom of Helsingin Sanomat?

The privacy champions are like antennas for the business. He or she is a person who knows the business, knows the roadmap of the operations, and has also been trained in the area of privacy to identify potential issues that they might detect from the future roadmap. Because they know the business they will then, first of all, indicate how to solve the issues. In more complex cases they will contact the expert privacy team and start to resolve the potential problems as they are being designed into product, so that we find a solution early enough. If you put business experts, privacy experts and tech experts together, they can come up with the right solutions.

When you talk about privacy-enhancing technology, what does that mean?

A concrete example is a harmonised privacy policy statement with a standardised content management system to publish it across different channels and products. Within a big company like Sanoma, our many different products are published under a harmonised privacy policy (and cookie) statement. If you haven't harmonised the content and the publishing logic of those statements, you may actually be communicating mismatching messages or restricting yourself in how you are able to use the data. So in order to be able to be consistent, you need to make sure you have a content management system in place where you can ensure you can manage the content coherently. That's a really simple example of a privacy-enhancing technology; it doesn't have to be complicated. However, in order to run it, you have to have a product manager for it and you have to have a budget.

The Dutch cookie consent management solution is planned for roll-out in other Sanoma markets. On the publisher's own website, the user can choose to accept standard cookies or a customised setting, with a list of what is included.

To what extent are staff in general trained in data privacy issues?

We are ramping up a training programme so that everyone gets a generic privacy awareness: knowledge about the existence of the policy, where you can find more information and what the basic dos and don'ts are. And then we've identified different operational areas where staff need to be aware as part of their roles. Those teams are specifically trained in their area of operation. And again the privacy champions have helped us identify what the most relevant roles and teams are in the different operational areas.

Moving on to the complexity and difficulty of monitoring unauthorised third-party cookies, how do you deal with this?

This is certainly a challenge. Tracking or auditing what cookies are collected on sites is one thing; there are commercially available tools to help you do that. It's also important that the roles and relationships between the different players in the ecosystem are well understood. I don't like to talk about data ownership, because that's always a road to conflicting opinions, but we do have to determine who is responsible and accountable for online data, which many authorities consider personal data. As a platform provider who has an interface to the end users, we feel that publishers are also accountable for transparency about online data collection. It needs to be agreed contractually how data can be captured from our site and who can use it for what purpose.

We know that users often yet don't understand how their data is collected. If you don't define an accountability framework of who is responsible for what type of data collection and for different uses, it's impossible to make it more transparent for end users, and potentially also give them more control. You have to get your house and the ecosystem in order, to be able to also support end users.

How do you enforce all these contracts?

Enforcing them is very difficult, because nobody has the ability to track how in fact data based on cookies is used and re-used and reused across the ecosystem; there is no single technical mechanism to monitor it. Of course advertisers are important partners, and in the end, we all have the same targets: to help customers find and access relevant content, products and services in the online world. It's possible to find win-win solutions, but it requires a lot of time to determine the roles and responsibilities with the advertisers, the media agencies and other partners. But we are all working in the same complex ecosystem, and I do feel there's a general will to make it work; building trust frameworks requires a lot of time.

Are you encouraging users to register?

Yes, for some of our services it's possible to create a digital account and use some subscription-related services and additional features using your account. Digital accounts are an important mechanism to deliver a seamless user experience for content delivery across different devices (web, mobile, etc.). In addition, it enables more coherent preference management for consumers, e.g. for e-mail marketing. We typically ask for consent for marketing at the point of registration, that's the most logical place.

Is that data only used in direct contact with users, or is it also used for targeted advertising, for example?

It depends: if users have provided their consent to do so, we may use it for advertising. We have a consent-based approach where we want to make sure we ask people for their permission to enable e.g. targeted digital advertising, and then they have the opportunity to opt out. Of course, this also requires investment in the corresponding technologies, the user experience design, and all the way to the back end with data analytics capabilities.

Are you privacy-certified, and if so, what's the value of that certification?
We're committed to the EDAA and IAB frameworks, as well as to some self-certification frameworks for marketing and research purposes locally as well. With the complex technology and business ecosystem, certifications do help in building trust and awareness with consumers.

CHAPTER 4: PUBLISHER SURVEY

WHAT PUBLISHERS BELIEVE AND DO

WHILE THERE IS BROAD CONSENSUS ON THE IMPORTANCE OF TRUST TO PUBLISHING BRANDS, OUR INDUSTRY HAS YET TO TURN DATA PRIVACY PROTECTION INTO A COMPETITIVE ADVANTAGE.

Shaping the Future of News Publishing

PUBLISHER SURVEY

PUBLISHER UNDERSTANDING AND CURRENT APPROACHES TO DATA PRIVACY

Where does the news publishing industry stand when it comes to managing data privacy and protection? We conducted a survey among our members to find out. While everybody believes trust is a key issue for their brands, not all have translated that belief into transparency and choice for consumers when it comes to how their data is collected and used.

To ascertain how people in the publishing industry think about and manage data privacy, in February we sent a survey to some 5,000 people in our member database, including CIOs, HR, advertising managers, editors and IT managers, all at news publishing organisations. Forty-five people answered the survey. Interestingly, that was only about a third of the number who responded to our Big Data survey a few weeks later, which may be indicative of the importance our industry affords the respective topics.

The survey respondents were spread across four continents: Europe, Asia (including the Middle East), South and North America. Europe provided the most answers (24).

Publishing industry views on data privacy

The initial section of the survey covered publishing industry views on data privacy. The answers show that people in the industry strongly believe consumers' trust is key to their business; all respondents consider trust to be part of their organisation's brand building efforts. Eighty-eight percent said that data privacy is either very important (67 percent) or important (21 percent) to their business.

When asked "Do you consider your online brand more trustworthy than global tech, e.g. Twitter, Facebook, and Google, in terms of protecting users' data?" 25 percent of respondents said no, indicating less of a consensus. The picture is similarly split when it comes to attitudes about who is really responsible for protecting consumer data privacy. Eighty-one percent of respondents said publishers are largely or wholly responsible for protecting consumers' data privacy. That figure is 80 percent for social networks and 76.7 percent for online advertisers. The same percentage (76.7) of respondents said individual consumers are largely or wholly responsible for their own data privacy.

However you look at it (responses shown in full in chart below), it is clear that many publishers believe responsibility for data protection lies with multiple parties: the ones mentioned above, plus governments, Internet service providers and search engines. That is, of course, partly because of the issue's complexity. It is also most likely one reason why practices vary so much, as we shall see.

[Chart: Who should be responsible for protecting consumer data privacy? Parties rated: Governments/regulation, Online advertisers, Independent privacy organisation, Publishers/website owners, Individuals themselves, Browsers, Search engines, Internet service providers, Social networks. Scale: Wholly responsible, A lot responsible, Somewhat responsible, Not at all responsible.]

WAN-IFRA REPORT

Roles and organisational structure

It appears that while publishers consider data privacy important, actual investments in data protection in many cases do not reflect that. Only 50 percent of respondents said their organisations employ a designated privacy officer, or indeed a privacy team. Just under 25 percent said their organisation buys privacy services and technology, although more publishers may be doing it: 41.4 percent of respondents were not sure whether such investments are going on at their workplace.

Only a third of respondents said their organisation has a data breach incident response team, while as many as 43 percent are unsure whether such a team exists.

Unsurprisingly, IT (71.4 percent) and legal (67.9 percent) are the top two departments mentioned as being involved in privacy protection initiatives, but between 28 percent and 40 percent of respondents also mention product management, marketing, editorial, operations, senior management and HR.

Who in your organisation is involved in consumer privacy protection initiatives?
Legal: 67.9%
IT: 71.4%
InfoSec: 10.7%
Operations: 32.1%
Product Managers: 46.4%
Marketing: 35.7%
Editorial: 32.1%
Senior Management: 42.9%
HR: 28.6%
Legal/Compliance: 17.9%
All Other Responses: 3.6%

Privacy policies, advertising and cookies

PRIVACY POLICIES. Transparency is key to the trust consumers will place in news publishers; the interviewees for this report are unequivocal on that point. Consumers expect to be told what personally identifiable as well as behavioural information about them is being collected and how it's being used. That is the function of a well-written privacy policy. And yet privacy policies on websites and/or apps are still not ubiquitous in our industry: 80 percent of respondents said their company provides them, but 20 percent do not.

Of the ones that do publish a privacy policy, 83.3 percent answered yes to the question "Is it easy for your audience to read and understand?" The rest do not believe the privacy policy provided on their digital properties is particularly accessible to consumers.

In 2014, The Guardian ran focus groups where users were asked to read the publisher's privacy policy beforehand. The groups said the message needed to be simplified, and as a result, The Guardian produced a short animated film to explain its privacy policy and one covering its use of cookies. It has also published easily digestible infographics on cookies and how to stay safe on the web (see full story on page 11).

Publishing readily accessible and understandable information for consumers about the data you collect and use is fundamental to the trust you can hope to earn from them. Those consumers, as shown by TRUSTe's research, are becoming more and more concerned about their data privacy (see Chapter 2).

Do you have a privacy statement on your websites and/or apps?
Yes: 80%
No: 20%

Cookie statements. In the European Union, websites are required by law to get visitor consent before serving cookies and similar tracking devices to users' computers. In other parts of the world, there are no legal requirements regarding cookies. Judging from our survey results, publishers who are not required to serve notice and obtain consent tend not to do so voluntarily. That included one respondent in Switzerland, which is not part of the EU but is culturally similar to neighbouring countries. Only 48.3 percent of respondents said their company displays a cookie statement to consumers visiting their digital properties.

Do you display a cookie statement to consumers visiting your digital properties?
Yes: 48.3%
No: 51.7%

As discussed in the introductory chapter, how easy you should make it for consumers to opt out of cookies and other tracking methods is a matter of debate. The majority of publishers whose privacy and cookie statements we've read link users who want to opt out of cookies to external websites such as www.youronlinechoices.com, rather than provide opt-out mechanisms on their own properties. Our survey shows a slightly different picture: 55 percent of respondents answered yes to the question "Do you deploy a way for consumers to opt out of cookies or choose privacy preferences on your websites?" In hindsight, it's difficult to know whether this question may have been interpreted as meaning it's possible for users to opt out of cookies, but not necessarily that the action is available within the publisher's website.

Online behavioural advertising. Some 72.4 percent of respondents said they offer advertising products that include behavioural targeting. Of those, 44.8 percent said they provide consumers with notice of the targeting and 51.7 percent offer the possibility to opt out of it.

Registrations. Publishers see the great value of building personal relationships with consumers in the digital era. Nearly 89 percent of respondents said their company encourages users to register on their website(s), thus enabling the publisher to establish a dialogue with the consumer and obtain permission to market to him or her in a more personal way. However, many publishers are careful with how they use the registration data: 40.7 percent of the respondents who said they encourage registrations also said they do not use that information for targeting purposes.

Do you encourage consumers to register on your site?
Yes: 88.9%
No: 11.1%

Tracking by third parties. All the experts we interviewed for this report have testified to the complexity of monitoring third-party cookies and trackers being dropped onto users' browsers via publishers' websites. Our survey confirms that picture. While 33.3 percent of respondents answered yes to the question "Do you monitor your website to see if unauthorised third parties are tracking consumers (e.g., via cookies, beacons, fingerprinting) on your website?" a full 48.1 percent were unsure whether their company does such monitoring. We should note, though, that this could partly be due to the fact that such monitoring is a specialised technical function. Nevertheless, it's not unreasonable to expect staff members with titles such as CIO, HR manager, advertising manager, editor or IT manager to be aware of this issue in 2015.

Do you monitor your website to see if unauthorised third parties are tracking consumers (e.g., via cookies, beacons, fingerprinting)?
Yes: 33.3%
No: 18.5%
Not sure: 48.1%
Self-regulation. There appears to be no real consensus among publishers about the value, in terms of consumer trust, of displaying icons on their website(s) of self-regulatory bodies such as the EDAA, DAA, or DAAC. Only 48.1 percent of respondents said that practice is valuable or very valuable. It will be interesting to see how that evolves in the coming years. Sue Gaudi, Chief Privacy Officer at The Globe and Mail in Canada, says adhering to self-regulatory programmes such as AdChoices, and displaying the icons, is something all publishers should seriously consider (see story on The Globe and Mail on page 23).

[Chart: How valuable do you think displaying icons on your website(s) of self-regulatory bodies such as the EDAA, DAA, or DAAC is to consumer trust? Response options: Very valuable, Valuable, Somewhat valuable, Not valuable.]

Data security

While data security is not the topic of this report (we are considering it a given for any publisher with digital operations), we did include a question about security safeguards, to get a picture of practices in our industry.

What security safeguards are in place to protect online personal data?
Log-in credentials (requires username and password): 84.6%
Two-factor authentication (requires two different ID components): 19.2%
Limit access (permit/block access to systems or physical resources): 38.5%
Automated alerts/blocking of personal data transfer: 23.1%
Monitor and protect systems from vulnerabilities (e.g. phishing, spa[...]): 53.8%
Use encryption methods (such as Secure Socket Layer) for transmission: 30.8%
Not sure: 19.2%

Conclusion

Our survey results paint a picture of an industry that remains undecided on how to handle the relatively new issue of data privacy protection. So far, it seems that practices tend to follow legislation, rather than publishers working proactively to establish consumer trust via transparency regarding the data they collect and why they collect it.

While there is broad consensus on the importance of trust to publishing brands, our industry has yet to turn data privacy protection into a competitive advantage. We will run a data privacy survey among our members again in 2016 and inform you of the results.

CHAPTER 5: KEY PRIVACY AREAS

LESSONS FROM RECENT CASES

NEWS PUBLISHERS SHOULD SERIOUSLY TAKE NOTE OF THE KEY AREAS TO FORMULATE THEIR DATA PRIVACY POLICIES AND THE MANY LESSONS LEARNED (SOME HARD ONES) REGARDING REGULATION.

KEY PRIVACY AREAS

There are five key privacy areas that are critical for companies to manage: privacy programmes, cookie consent, online behavioural advertising, third-party monitoring, and cross-border data transfers. There are lessons to be learned from recent enforcement cases in each of those areas. Here we cover some that are particularly pertinent to publishers.

Cases pertaining to online data privacy are brought forward on the regulatory front by agencies such as the U.S. Federal Trade Commission (FTC). In the EU, the Data Protection Directive is transposed into national law, from which the data protection authorities derive their power. In general, these regulatory agencies derive authority from regional legislation and have legal jurisdiction.

In addition, there are self-regulatory agencies that enforce industry principles and guidelines, e.g., the Council of Better Business Bureaus (CBBB), Digital Advertising Alliance (DAA), Digital Advertising Alliance of Canada (DAAC), and the European Interactive Digital Advertising Alliance (EDAA). These self-regulatory agencies can bring enforcement actions and report violations to the regulatory authorities.

PRIVACY PROGRAMMES

The seminal U.S. Federal Trade Commission (FTC) cases against Facebook, Myspace and Snapchat show how diligent you have to be about building privacy programmes with integrity. In particular, privacy statements made to consumers should be accurate and actual practices must continually be monitored and assessed to ensure the integrity of those statements.

Lesson from the Facebook case: Have clear privacy statements, keep your promises, obtain consent, and build a programme with integrity. In 2011, the FTC charged Facebook with unfair and deceptive practices by failing to keep privacy promises.[1]

[1] Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises, FTC Press Release, November 29, 2011, https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-ftccharges-it-deceived-consumers-failing-keep

In particular, Facebook was charged with representing to consumers that they could keep their information on Facebook private, but the company repeatedly allowed consumer data to be shared and made public. Among many other violations, Facebook:

- Promised users that it would not share their personal information with advertisers but did so anyway.
- Changed its website so certain information that users designated as private, such as their Friends List, was made public. However, they failed to warn users that this change was coming or to get their approval in advance.
- Represented that third-party apps users installed would have access only to user information necessary to operate the app. In fact, the apps could access almost all personal data, including data that was unnecessary for the app's functionality.

Facebook settled with the FTC and is required to take specific steps to make sure it lives up to its privacy promises in the future, including:

- Giving consumers clear and prominent notice.
- Obtaining consumers' express consent before sharing their information beyond the privacy settings they have established.
- Maintaining a comprehensive "privacy by design" programme to address privacy risks associated with the development and management of new and existing products and services.
- Submitting to independent third-party audits certifying that its privacy programme meets the requirements in the FTC's order every two years over the course of the next 20 years.

Lesson from the Myspace case: Designate a privacy executive. The FTC similarly charged Myspace with misrepresenting its protection of users' personal information. In addition to the privacy programme and 20-year audit requirements, the FTC settlement ordered Myspace to designate a person responsible for implementing and carrying out the mandated privacy programme.[2]

Lesson from the Snapchat case: Build programmes for your mobile apps too. Snapchat settled FTC charges that it deceived consumers with promises about the disappearing nature of messages sent via its mobile app service. The charges alleged that the company deceived consumers as to the amount of personal data it collected and the security measures taken to protect that data. Failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat user names and phone numbers. This case is part of a mobile app privacy sweep by the Global Privacy Enforcement Network, a multi-national coalition of privacy enforcement authorities.[3]

COOKIE CONSENT

In 2009, the ePrivacy Directive (also known as the EU Cookie Directive) was amended with the requirement that companies provide clear and comprehensive information to users about the use of cookies, including an option for users to consent (or not) to any cookies that are not strictly necessary for the delivery of an online service.[4]

[2] Lesley Fair, A Closer Look at the Myspace Order, FTC Business Blog, May 10, 2012, https://www.ftc.gov/news-events/blogs/business-blog/2012/05/closer-look-myspaceorder-part-2

[3] Global Privacy Enforcement Network, https://www.privacyenforcement.net/

[4] Lesley Fair, A Closer Look at the Myspace Order, FTC Business Blog, May 10, 2012, https://www.ftc.gov/news-events/blogs/business-blog/2012/05/closer-look-myspaceorder-part-2


Lessons from the EU Cookie Sweep: Implement a cookie policy and tools to obtain express or implied consent. In 2014, EU data protection authorities across member states increased the cookie crackdown, beginning in Spain, where regulators fined two jewelry companies for failing to provide clear and comprehensive notice about their use of cookies on promotional websites.

Then in the Netherlands, enforcement actions were taken against both a website publisher and a third-party vendor providing services to a publisher. The former was a case against the Dutch Public Broadcasting Service in which the company failed to obtain express consent, otherwise known as opt-in consent, which is the legal standard in the Netherlands. In the case of ad network YD Benelux, the Dutch authorities found that the company failed to obtain prior consent from website visitors for the use of its cookies, and failed to inform them about the purposes for which its cookies were used. Thus opt-out alone was deemed not sufficient.

In September 2014, the CNIL (the French data protection authority) led EU data protection authorities in conducting a cookie sweep to assess the current levels of compliance with the directive on top websites.

The sweep was conducted by data protection authorities in the U.K., Denmark, Czech Republic, France, Greece, the Netherlands, Spain and Slovenia to determine how many popular websites are compliant with the EU Cookie Directive. The data protection authorities completed the review of 478 popular websites and found widespread insufficient notice and a lack of options for consent.

The sweep, led by the U.K.'s Information Commissioner's Office (ICO), found that U.K. websites place 44 cookies on a first visit, higher than any other country surveyed (the average is 34).

The sweep also found that:

- Twenty-six percent of websites provide no notification that cookies are implemented. Of those that do provide notification, 50 percent merely inform users that cookies are in use without requesting consent.
- Only 16 percent of the sites give users a granular level of control over cookie choices and the option to refuse the use of cookies.
- The expiry dates for cookies are often excessive; the investigation detected some that will not expire until 31 December 9999 (8,000 years in the future!).

In France, the Netherlands and other European countries, companies are rushing to comply with the Cookie Directive, since regulatory agencies have shown they are willing to fine companies that don't abide by the rules.

The Italian authorities have published new guidance that comes into force in June 2015. Cookie consent laws have also recently been passed and enforced in Brazil and other jurisdictions outside of the EU.

Though specific cookie consent requirements vary from country to country,[5] regulations can be put into two very broad categories:

Express Consent: those that require strict opt-in consent, i.e., individuals must expressly consent to cookies before the cookies are served to the user's device.

Implied Consent: those that tolerate the use of cookies on an implied consent basis. This is the more popular model, where cookies are often served at the same time as delivery of the notice.

[5] Id. and Hazel Grant and Phil Lee, EU Cookie Consent September Update, September 9, 2014, http://www.fieldfisher.com/publications/2014/09/eu-cookie-consent-september-update#sthash.qxbZhkXY.dpbs

ONLINE BEHAVIOURAL ADVERTISING

Online behavioural advertising (OBA) encompasses a broad set of activities that companies engage in to collect information about consumer online activity (e.g., web pages visited, mobile app downloads) and use the data to show relevant ads or content. Lessons learned from enforcement actions demonstrate the importance of building specific privacy programmes, policies and practices that ensure privacy compliance in desktop and mobile advertising. At the core are requirements to provide consumers with notice, consent, and the possibility to opt out.

Lessons from the DAA, DAAC, EDAA: Implement icons/tools on your websites and in ads to provide users with enhanced notice and control. The DAA, DAAC, and the EDAA all establish and provide guidance on responsible privacy principles and practices across online advertising, providing consumers with enhanced transparency and control.[6] Although the three self-regulatory bodies' principles may have some regional differences (see below), the core principles of transparency and consumer control are similar. These principles govern practices implemented by entities that collect data for OBA and publishers on whose digital platforms the data is collected and used.

The DAA, DAAC, and EDAA take the "enhanced notice" approach, in which links to consumer notices must be clear and prominent and provide controls for consumer choice. Such enhanced notice must be available through links located in the advertisements themselves or on the web page where data is collected for OBA.

Enhanced notice mechanisms must be provided at the time of data collection and their use delivered via the AdChoices icon with standardised language for consumers to recognise. When a user clicks on the icon, a disclosure window appears describing the company's OBA practices along with a mechanism for exercising choice over those practices, i.e., opt-out or preferences.

For publishers, the disclosure must include either: (1) a list of entities that collect data on that website or mobile app for OBA purposes, with links to each entity's online consumer notice and choice; or (2) a link to an industry-developed website that contains mechanisms for choosing whether each participating entity may collect and use data for OBA purposes.

In the USA, there are self-regulatory bodies, such as the Council of Better Business Bureaus (CBBB) or the Direct Marketing Association (DMA) that seek to enforce the DAA principles through their OBA accountability programmes. They will investigate, provide warning notices, and bring action against companies that are not in compliance.

In Canada, the Advertising Standards Canada (ASC) is the independent national advertising self-regulatory body responsible for the accountability component of Canada's self-regulatory programme for OBA compliance.

In Europe, the EDAA is the body responsible for delivering the EU self-regulatory programme for OBA compliance along with the granting of the EDAA TRUST Seal for companies that self-certify under an independent certification process. The self-regulatory programme is enforced by the SROs (self-regulatory organisations) in each country, e.g., the Advertising Standards Agency (ASA) in the U.K.

[6] Self-Regulatory Principles for Online Behavioral Advertising, July 1, 2009, http://www.aboutads.info/resource/download/seven-principles-07-01-09.pdf
Lessons from the Brightest Flashlight case: Implement tools/icons in your mobile web browsers and in mobile ads to provide users with enhanced notice and control. The FTC charged that the company that created the popular Brightest Flashlight app deceived consumers and presented consumers with a false choice on whether to share their information.[7] While the app was running on a consumer's smartphone, it allowed the transmission of data from the mobile device to third parties such as advertising networks. The data included precise geolocation and persistent device identifiers used to track a consumer's location over time. The FTC alleged that the company failed to disclose this practice to consumers in the privacy policy. The settlement order required the company to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers' affirmative express consent before doing so.[8]

The DAA and DAAC principles of OBA compliance apply also in the mobile context, and the self-regulatory bodies have issued guidance in this realm.[9] Similar to website implementations described above, mobile web browsers and mobile advertisements should use the AdChoices icon, OBA practice disclosure language, and a mechanism for exercising choice, i.e., opt-out or preferences. In the EU, a cross-industry working group has been established and mobile guidelines are expected in the first half of 2015.

[7] FTC Approves Final Order Settling Charges Against Flashlight App Creator, FTC Press Release, April 9, 2014, https://www.ftc.gov/news-events/press-releases/2014/04/ftc-approves-final-order-settling-charges-againstflashlight-app

[8] Id.

[9] Application of Self-Regulatory Principles to the Mobile Environment, Digital Advertising Alliance (DAA), July 2013, http://www.aboutads.info/DAA_Mobile_Guidance.pdf

MONITORING & CONTROL OF THIRD PARTIES AND SERVICE PROVIDERS

Publishers also have the responsibility to continually monitor all of their digital properties (websites, mobile web browsers, and mobile apps) so they are aware of all third-party tracking and adjust privacy practices accordingly. This obligation arises from both the EU Cookie Directive and from OBA compliance.

Lessons from Article 29: The EU Cookie Directive applies to all methods of tracking. In response to reports that companies were exploring evolving technologies such as device fingerprinting in an attempt to avoid the consent requirements under the EU Cookie Directive, European data protection authorities, via the Article 29 Data Protection Working Party, confirmed last November that the cookie directive applies to all methods of tracking.[10]

Publishers must keep abreast of the latest tracker technologies being used by third parties and must continually monitor them to ensure that their cookie consent management processes account for all forms of tracker technologies, be they cookie-based or not.

[10] Article 29 Data Protection Working Party, Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, November 25, 2014, http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp224_en.pdf.
Lessons from the CBBB's Compliance Warning: Publishers must monitor third parties on their websites and mobile apps and provide enhanced notice of third-party OBA. In October 2013, the Council of Better Business Bureaus (CBBB) issued an accountability programme compliance warning explaining the responsibilities of first parties (e.g., website publishers) to provide enhanced notice on every page where they permit third parties to collect information for interest-based advertising or when they themselves transfer such data to unrelated third parties.[11] The self-regulatory body warned that it would begin enforcement on 1 January 2014.

SunTrust Case. In May 2014, the CBBB referred SunTrust Bank to the Consumer Financial Protection Bureau after SunTrust refused to participate in the advertising industry's self-regulatory process.[12] The initial investigation sought SunTrust's cooperation in determining whether they provided the required real-time notice to consumers of third-party OBA data collection that links to an explanation of this activity and further links to any easy-to-use opt-out mechanism. SunTrust repeatedly declined to participate in the accountability programme's inquiry, and the case is now before the Consumer Financial Protection Bureau.

[11] Compliance Warning: Responsibilities of First Parties for Notice of Third-Party Data Collection for Online Behavioral Advertising on Their Websites, The Accountability Program, http://www.bbb.org/us/Storage/113/Documents/First-Party-Compliance-Warning-20131008.pdf

[12] SunTrust Bank Referred to the CFPB for Refusal to Participate in Self-Regulation, The Accountability Program, http://www.asrcreviews.org/2014/05/suntrust-bank-referred-to-the-cfpb-for-refusal-to-participatein-self-regulation/

TRACK YOUR WEBSITE
TRUSTe PROVIDES FREE TRACKER SCANS OF UP TO 100 PAGES TO WAN-IFRA MEMBERS. PLEASE VISIT: WWW.TRUSTE.COM/PUBLISHER-WEBSITE-SCANS
Answers Corp., Best Buy, BuzzFeed, Go.com, and Yelp. In October 2014 the CBBB continued its third-party enhanced notice sweep and released five decisions and settlements in which Answers Corporation, Best Buy, BuzzFeed, Go.com, and Yelp agreed to provide real-time, enhanced notice and choice to website visitors whenever third parties collect their information for personalising ads. "These decisions remind website publishers that they must shoulder their responsibility to ensure that the delivery of enhanced notice is just as ubiquitous when third-parties are collecting data for OBA on their websites," wrote the CBBB.[13]

Sometimes first and third parties do not work together sufficiently to ensure that this requirement is fully met. Publishers must continually monitor their websites and mobile apps so that they are aware of all third parties who are tracking and serving OBA on their digital properties. It is important to shut out any unauthorised parties. In addition, the proper enhanced notice mechanisms described above must be in place to provide consumers with notice and choice over the OBA practices of the authorised parties on your sites or apps.

[13] Compliance Warning Enforcement Rollout Begins, Websites Must Give Consumers Real Time Notice When Third Parties Are Collecting Their Data for Personalized Ads, The Accountability Program, http://www.asrcreviews.org/2014/10/compliance-warning-enforcement-rolloutbegins-websites-must-give-consumersreal-time-notice-when-third-parties-arecollecting-their-data-for-personalized-ads/
The TRUSTe Website Monitoring
Service recently performed a scan
of the top 20 publishing sites on the
Alexa.com rankings. The results
from the TRUSTe Tracker Report
are on page 52 of this chapter.

HOW TRUSTe'S PRIVACY SENSITIVITY INDEX IS SCORED

TRUSTe's Privacy Sensitivity Index (PSI) is a tool intended to help companies manage the third parties that are authorised to be on their site. The index is a TRUSTe assessment of third parties based on a number of factors, including:

likelihood to engage in online behavioural advertising (OBA);
privacy policies;
working consent and opt-out mechanisms;
honouring consumers' preferences;
business category, e.g., a service provider would have a lower risk score;
industry oversight, e.g., membership in industry oversight bodies such as the IAB, DAA, NAI, etc.;
TRUSTe certification: data collectors who have satisfied TRUSTe's rigorous program requirements have a much lower risk profile.

A high PSI doesn't necessarily mean a third party is bad and must be removed from your site, but is rather intended as an indication that the party could pose a higher risk to your site and that you should ensure they are authorised to be there.

Shaping the Future of News Publishing

51

KEY PRIVACY AREAS

TRUSTE TRACKER REPORT: TOP 20 PUBLISHING SITES

| Scan Stats | Gross | Average Per Site (20 Sites) |
|---|---|---|
| Number of Third Parties | 517 | 25.85 |
| Number of Third Parties at High PSI (Privacy Sensitivity Index, see fact box) | 70 | 3.5 (= 13 %) |
| % Ads-Related Third Parties | | 8.35 (= 32 %) |
| % Retargeting Third Parties | | 1.94 (= 7.5 %) |
| TOTAL ADS/RETARGETING THIRD PARTIES | | 10.29 (= 39.5 %) |
| Third Party Cookies | 4,335 | 216.75 |
| Third Party Cookie-Less Trackers | 35,798 | 1,789.9 |
| TOTAL THIRD-PARTY TRACKERS | 40,133 | 2,006 |
| First Party Cookies | 524 | 26.2 |
| First Party Cookie-Less Trackers | 5,543 | 277.15 |
| TOTAL FIRST-PARTY TRACKERS | 6,067 | 303 |

SUMMARY OF FINDINGS FOR NEWS SITES

Trackers With Higher Privacy Risk. On average, the top 20 publishing sites had 25.85 third parties tracking on their websites. Roughly 13 percent of those third parties were considered to have a high Privacy Sensitivity Index (PSI), indicating areas of potential privacy risk where there is not a proper opt-out mechanism or other required privacy practice in place to bring the score down.

Ads-Related and Retargeting Trackers. Out of the third parties tracking on the top 20 publishing sites, about 40 percent were specifically ads-related and retargeting companies. Ads-related companies include the agencies and ads platforms serving up interest-based ads. The retargeting companies include data aggregators that build customer profiles based on collected data and sell the information on the market. The nature of publisher business models may account for the high percentage of ads-related and retargeting companies.

Cookies and Cookie-Less Trackers. On average, the top 20 publishing sites had about 216 third-party cookies. Interestingly, there were on average 1,800 cookie-less tracker technologies per site. Publishers must also be aware of these cookie-less tracker technologies being used to track users, including web beacons or web bugs, flash cookies or local shared objects (LSOs), JavaScript, e-tags, and device fingerprinting.
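The monitoring this chapter asks of publishers (knowing every third party on a page, which tracker types it uses, and whether it is authorised) can be approximated from a browser HAR export. The following is an added example, not TRUSTe's scanner or code from this report; the hosts, the allowlist, the 100-byte beacon threshold and the two-label domain rule are assumptions, and the HAR capture is constructed.

```python
"""Audit one page load (HAR capture) for third parties and tracker types."""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Hypothetical allowlist: registrable domains of vendors the publisher has
# contracted and covered in its enhanced notice.
AUTHORISED_SITES = {"partner.example"}

# Assumption: tiny images are treated as beacons (a 1x1 GIF is 43 bytes).
BEACON_MAX_BYTES = 100


def _entry(url, mime, size, headers=()):
    """Build one HAR 1.2 entry for the constructed sample below."""
    return {
        "request": {"url": url},
        "response": {
            "headers": [{"name": n, "value": v} for n, v in headers],
            "content": {"mimeType": mime, "size": size},
        },
    }


# Constructed sample capture; every host is a placeholder.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("https://www.news.example/", "text/html", 48211,
           [("Set-Cookie", "sid=abc; Path=/; HttpOnly")]),
    _entry("https://static.news.example/app.js", "application/javascript",
           90122, [("ETag", '"v42"')]),
    _entry("https://ads.partner.example/tag.js", "text/javascript", 30110,
           [("Set-Cookie", "uid=1; Domain=partner.example")]),
    _entry("https://px.tracker.example/p.gif?u=77", "image/gif", 43,
           [("ETag", '"77"')]),
    _entry("https://px.tracker.example/p.gif?u=77&e=scroll", "image/gif", 43,
           [("ETag", '"77"')]),
    _entry("https://cdn.dmp.example/sync.js", "application/javascript", 5120,
           [("Set-Cookie", "dmp=9; Domain=dmp.example")]),
]}})


def site_of(host):
    """Naive registrable domain: the last two labels of the host name.

    Assumption for this example; a real audit needs the Public Suffix List
    so that hosts under suffixes such as co.uk are grouped correctly.
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(entry):
    """Return the tracker mechanisms observable in one HAR entry.

    These are candidates, not verdicts: an ETag or a script is only a
    possible cookie-less tracker and still needs human review.
    """
    resp = entry["response"]
    names = {h["name"].lower() for h in resp.get("headers", [])}
    content = resp.get("content", {})
    mime = content.get("mimeType", "").lower()
    size = content.get("size", 0)
    found = set()
    if "set-cookie" in names or resp.get("cookies"):
        found.add("cookie")
    if "etag" in names:
        found.add("e-tag")
    if mime.startswith("image/") and 0 <= size <= BEACON_MAX_BYTES:
        found.add("beacon")
    if "javascript" in mime or "ecmascript" in mime:
        found.add("javascript")
    return found


def audit(har_text, page_host, authorised_sites):
    """Group requests by site and flag third parties not on the allowlist."""
    first_site = site_of(page_host)
    seen = defaultdict(Counter)
    for entry in json.loads(har_text)["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host:
            continue  # data: and blob: URLs carry no host
        seen[site_of(host)].update(classify(entry))
    report = []
    for site in sorted(seen):
        third = site != first_site
        mechanisms = dict(seen[site])
        report.append({
            "site": site,
            "party": "third" if third else "first",
            "authorised": (not third) or site in authorised_sites,
            "mechanisms": mechanisms,
            "cookie_less": sum(n for m, n in mechanisms.items()
                               if m != "cookie"),
        })
    return report


def unauthorised(report):
    """Sites that should be shut out or added to notice and consent."""
    return [row["site"] for row in report if not row["authorised"]]


if __name__ == "__main__":
    result = audit(SAMPLE_HAR, "www.news.example", AUTHORISED_SITES)
    for row in result:
        print(row)
    print("unauthorised third parties:", unauthorised(result))
```

A single HAR covers one page load in one browser state; repeating the capture across templates, consent states and logged-in sessions is what makes the inventory usable for the notice and consent steps.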

BENCHMARKING OTHER INDUSTRIES

TRUSTe's Website Monitoring Service performed a scan of 20 sites across different industries

| Scan Stats | News sites: Gross | News sites: Average per site (20 sites) | Insurance sites: Gross | Insurance sites: Average per site (20 sites) | Shopping sites: Gross | Shopping sites: Average per site (20 sites) |
|---|---|---|---|---|---|---|
| Number of third parties | 517 | 25.85 | 170 | 8.5 | 320 | 16 |
| 3rd cookies | 4,335 | 216.75 | 978 | 48.9 | 2,394 | 119.7 |
| 3rd LSO | 100 | | | 0.1 | 15 | 0.75 |
| 3rd LS | 142 | 7.1 | 13 | 0.65 | 49 | 2.45 |
| 3rd beacons | 17,014 | 850.7 | 4,361 | 218.05 | 9,142 | 457.1 |
| 3rd JS | 10,386 | 519.3 | 2,077 | 103.85 | 7,395 | 369.75 |
| 3rd e-tags | 8,156 | 407.8 | 1,241 | 62.05 | 8,584 | 429.2 |
| 1st cookies | 524 | 26.2 | 378 | 18.9 | 661 | 33.05 |
| 1st LSO | | 0.3 | | | | |
| 1st LS | 527 | 26.35 | 13 | 0.65 | 114 | 5.7 |
| 1st beacons | 1,653 | 82.65 | 1,314 | 65.7 | 1,002 | 50.1 |
| 1st JS | 1,893 | 94.65 | 961 | 48.05 | 878 | 43.9 |
| 1st e-tags | 1,464 | 73.2 | 2,724 | 136.2 | 2,725 | 136.25 |
| High PSI | 70 | 3.5 | 16 | 0.8 | 41 | 2.05 |
| % Ads-related third parties | 32.29 | | 14.12 | 0.706 | 38.12 | 1.906 |
| % Targeting-related third parties | 7.54 | | 7.64 | 0.382 | 9.06 | 0.453 |

CROSS-BORDER DATA TRANSFER

Since growth and international expansion are priorities for many publishers, assessing privacy risk around the global transfer of personal data becomes critical. Mechanisms must be in place to ensure compliance with local and regional privacy laws before any personal data is transferred across borders.

Legal and regulatory complexities come into play when marketing, HR, and other business stakeholders need to have customer or employee data sent to headquarters. Inconsistent privacy laws across countries, sometimes with conflicting obligations, make it difficult to stay compliant while enabling cross-border data transfer necessary for business operations. Some countries have sector-specific laws, others fall under general data protection frameworks, some require comparable or sufficient privacy protections as required in the host jurisdiction without providing greater guidance, while others require prior consent by the customer or employee before data transfer is allowed.

To enable safe cross-border data transfers, businesses need to have the controls in place to stay compliant with the laws. Several privacy compliance mechanisms are available and should be used depending on the situation.
USA-EU and USA-Swiss Safe Harbor. Under the EU Data Protection Directive, personal data can be transferred outside of the European Economic Area (EEA) only when the recipient country provides an adequate level of protection for the data. The European Commission has deemed only a handful of countries to meet that requirement. The USA is not on that list. Instead, U.S. companies can work with independent certifying organisations to prepare for self-certification with the USA-EU Safe Harbor programme to meet the adequacy standard. By doing so, companies can have confidence that they are in privacy compliance and can transfer data across and outside of the EU to the USA.

APEC privacy framework. The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) is the first framework approved for the transfer of personal data among all 21 APEC member countries, with the USA being the first formal participant and the Federal Trade Commission serving as the first enforcement authority. It is a voluntary self-regulatory initiative designed to ensure the continued free flow of personal information across borders, within the APEC membership, while establishing meaningful protection for the privacy and security of personal information. By gaining APEC certification through the assessment of an independent accountability agent, companies can have greater confidence that they meet APEC CBPR standards and can transfer data between any of the APEC member countries, including the USA.

Binding corporate rules. Binding corporate rules (BCRs) are designed to allow multinational companies to transfer personal data from the EEA to their affiliates located outside of the EEA in compliance with the EU Data Directive. This mechanism requires an application for authorization by the data protection authority to use BCRs for international data transfers and self-certification to on-going compliance through the BCR programme.

Model clauses. The most popular alternative to BCRs is the use of the model contractual clauses approved by the European Commission. However, in multinational companies with complex structures, there are drawbacks where hundreds of contracts may be required to cover transfers between all affiliates, and keeping those contracts up to date can be difficult and time-consuming.

Personal data should not be transferred across borders unless at least one of the above privacy compliance mechanisms is in place to mitigate risk.

CHAPTER 6: RECOMMENDATIONS

WHAT PUBLISHERS SHOULD DO NOW

"IT IS CRITICAL TODAY FOR EVERY PUBLISHER TO HAVE A PERSON WHO IS RESPONSIBLE FOR DATA PRIVACY. WHETHER OR NOT THAT PERSON IS THE CHIEF PRIVACY OFFICER OR HOLDS A DIFFERENT TITLE IS LESS IMPORTANT. THE KEY IS TO HAVE AN EXPERIENCED AND SENIOR PERSON WHO LOOKS AT DATA COLLECTION AND USE STRATEGICALLY AND TAKES PROACTIVE STEPS TO ENSURE THAT DATA IS MANAGED RESPONSIBLY ACROSS THE ENTERPRISE."
- MARC GROMAN, PRESIDENT AND CEO OF THE NETWORK ADVERTISING INITIATIVE

Now that we have examined not only the legal requirements but, more importantly, how a) strong data protection and privacy practices can work in favour of proactive publishers, and b) consumers are growing increasingly concerned about their online data privacy, we have designed this chapter essentially as a checklist. It is intended to help publishers take ownership of their data protection and privacy practices, understand their significance, and build stronger trust and understanding with readers.

BUILDING PRIVACY PROGRAMMES

The first step is to establish data privacy programmes for your organisation, to deal with everything from understanding what data you're collecting and how it's being used to being transparent with your users and ensuring regulatory compliance. And because this exercise cuts across so many business functions, it's important that someone in-house be designated privacy lead. More about this in the Internal Organisation section below.

BE CLEAR AND TRANSPARENT WITH YOUR USERS

Privacy Statement. Your privacy policy is an internal document that sets out how your organisation applies data protection principles throughout the business. It probably is a complex legal document. The privacy statement on your website is your chance to explain to your users how you collect and manage their data and why. Although you can, of course, write it in the context of legal requirements, it might be better to express it in the context of your business, thereby creating a better understanding among your customers about why you collect user data, and what they gain by providing it. Together with how you manage communication and user options around cookies and online behavioural targeting, your privacy statement is at the core of the trust you can earn from users.
The Guardian recently conducted focus groups, and participating users were asked to read the privacy statement before attending (see page 11). Most of them said they would never normally read privacy statements, but that they were glad they had done so. Their message to The Guardian was clear: Please simplify how the policy is communicated. The Guardian's response was to create a short animation explaining what data is collected, how it's used and how users can contact The Guardian.

Cookies: notice, consent. In Europe, under changes to the ePrivacy Directive in 2009, businesses are required to inform online visitors about any cookies or other tracking technologies they use on the website, and they must also provide a way for users to consent to any cookies or trackers that are not strictly necessary for the delivery of an online service (see more in Chapter 5). Some countries in the Americas, Asia, and other regions have similar data privacy legislation in place, so it's a good idea to be as transparent as possible about your use of cookies.

Although specifics on cookie consent vary from country to country, notably whether express consent is required or implied consent suffices, in order to make sure you are compliant, we recommend that publishers take the following steps:

1. Assess the countries in which you operate and understand whether you face express consent or implied consent requirements.
2. Conduct an audit of cookies and other tracking technologies deployed on your websites and mobile applications, and ensure they reflect the relevant express-consent or implied-consent requirements.
3. Use cookie consent management solutions to implement a consent approach and provide users with:
   - notice of the cookies served;
   - purposes for which the cookies are used;
   - direction on where they can find further details of the cookie information, e.g., the cookie policy or privacy policy; and
   - means to accept or decline the cookies and other trackers.
4. Check your cookie policy statement and make sure it is accurate and easily understandable to your users.
Online behavioural advertising: notice, consent. Requirements to provide consumers with notice, consent, and the choice to opt out of OBA fall under the principles of the self-regulating body: the DAA in the USA, EDAA in Europe, and DAAC in Canada. The basic requirement is to provide consumers with either a list of entities that collect data on the website/mobile app for OBA purposes, with links to each entity's consumer notice and choice, or provide a link to an industry-developed website, like www.youradchoices.com, which has mechanisms for the consumer to tick/untick each of the entities' ability to collect data.

However, you can choose to enable opt-outs through a control centre on your own website. Andree Gosselin O'Meara, Director Customer Service & Privacy Advocate, explains how The Globe and Mail in Toronto has implemented the AdChoices opt-out tool to offer as much transparency as possible into the actions of all the advertisers they work with (see page 23): "Most AdChoices participants send their readers to the AdChoices website to opt out. However, this tool only displays programme participants. A reader is left in the dark as to all the other advertising he sees. The Globe's execution of the opt-out tool offers full transparency on all advertisers of our websites that may use ads for collecting behavioural data. This tool gives our readers both more visibility and more control over interest-based advertising." There are multiple points of entry to the AdChoices tool, but the two most obvious places are on the ad itself or via a link at the webpage footer.

KEEP TRACK OF YOUR PROCESSES

Privacy audits. When your company decides that privacy protection must be given higher priority, the first step is to take accurate stock of where your privacy programme currently stands against where you want it to be. This is especially true where privacy is a nascent area of investment for the organisation and you need greater strategic clarity on the most effective way to allocate time and resources. A privacy audit can provide a dashboard view of your current privacy programme and recommend immediate priorities and long-range plans.

Data discovery and classification. Getting a clear picture of the complete data lifecycle across the organisation or a particular product or business operation is critical. Data discovery and classification is often the first step, providing you with transparency on how personal information is collected, used, stored and transferred, both within the organisation and with third parties. This assessment is designed to provide you with a comprehensive view of your data landscape.

Privacy certifications. Convincing potential customers and business partners that they can trust you with their data is now more important than ever in a world of heightened data privacy awareness. Once you have good data privacy management practices in place, you can demonstrate that through a privacy certification or seal. The benefits of certification include:
1. Reduced risk, and assurance of global compliance with emerging international requirements, enabling cross-border transfers necessary to support business growth.
2. Greater trust and increased engagement with users, clients, business partners, and regulators by demonstrating your commitment to protecting customer and employee data across the enterprise.
3. Protection of your brand from negative media coverage over privacy issues.
For the past couple of years, The Guardian has carried out a data processing activities review. The review, which covers all departments, identifies every activity that involves personal data, whether it is sensitive personal data as defined in the Data Protection Act of 1998, and whether it relates to employees, customers or contractors. Information is gathered about how the personal data is then used: shared internally, with other companies working on The Guardian's behalf, and with third parties. The review looks at what categories of data are collected/transferred, who is responsible for it, and so on, with sense-checking along the way: Are we collecting too much data or not enough? Under data protection law, what makes this data processing lawful? And if this process is reliant on consent, does true consent exist? And so on.

The benefits of the review, according to Head of Data Protection Tim Gough, have been great. It engages all departments in thinking about data processing, and a lot of management information can be extracted from it. "Good data protection normally enables you to do more things with data, not less," he says. Staff need to be fully trained and aware that good data protection starts with telling people what you will do with their data before they give it to you, so they can make a decision whether or not to go ahead. "If you neglect to inform, and when necessary get consent, what you can do with the data collected is limited," says Gough.

Geographical transfer of data. Don't transfer data across international borders without ensuring that you have a mechanism to comply with the privacy requirements for data protection in all relevant jurisdictions. To enable safe cross-border data transfers, you need to have the controls in place to stay compliant with the laws. If you are transferring data across national borders, make sure mechanisms are in place to cover privacy compliance, e.g. US-EU Safe Harbor, APEC Cross Border Privacy Rules, BCRs or Model Contract Clauses. Please see Chapter 5 for a full list of these compliance mechanisms and when to use them.

"Without a data privacy officer or similar executive, companies run the risk of failing to protect data until it's too late," says Marc Groman, CEO of the Network Advertising Initiative.

KEEP TRACK OF THIRD PARTIES

In the EU and North America, there's a legal requirement for publishers to keep up with the latest tracker technologies being used on the market by third parties and to continually monitor to ensure that your cookie consent management processes account for all forms of tracker technologies, whether cookies or cookie-less. Please see Chapter 5 for more detail.

We talked to Gunnard Johnson, SVP Data & Analytics at Centro, a leading digital media software specialist in the USA, who provides advice on how you can control third-party data collection and much more. Please see separate article.

ADVICE FROM THE AD ECOSYSTEM
Please read the interview with Gunnard Johnson, SVP Data & Analytics at Centro, on page 61.

INTERNAL ORGANISATION

There's no getting away from it: taking ownership of your data protection requires investment. Of course, as we have seen in our best-in-class case studies, probably only larger publishers can contemplate employing full-time data protection officer(s). However, irrespective of your size, establishing data privacy awareness in-house is fundamental to being able to leverage the data you collect and to build trust with your users.

Sanoma's Director Data Protection & Privacy Riikka Turunen explains why they consider data protection a business function, rather than just a compliance one: "Data is an asset, and if you're going to optimally use your asset you have to make sure you're able to do that. We have privacy champions across the organisation who are like antennae for the business. They are employees who understand the business, know the roadmap of the operations, and have also been trained in the area of privacy to identify potential issues that they might detect from the future roadmap."

So what are your options?

APPOINT A DATA PRIVACY LEAD

While many large publishers employ a full-time data privacy officer, that is clearly not financially viable for smaller ones. However, you may still want to consider appointing someone in-house as data privacy lead in the audience, advertising, information or other department, thus establishing privacy as a priority. And once it's a priority, a strategy can follow, driven by a member of staff committed to your business success.

At The Globe and Mail in Toronto, the privacy lead is Sue Gaudi, who is also VP General Counsel. She says a privacy lead has a unique role in that they look after both the interests of the business and the consumer: "The advertising department beats the drum of 'more first-party data please'. As CPO, I look out for our customers and help determine how we get that data, how we safeguard it and how we collect it in a usable way and in a way that doesn't negatively impact our brand value. At The Globe, experience tells us that if we do this correctly and in a way that people understand, our customers become our family in a way, and we'll have a lot more valuable information to use in our business."

Marc Groman, President and CEO of the Network Advertising Initiative, and a member of the board of directors of IAPP (International Association of Privacy Professionals), has years of experience as a CPO and explains why it's key to appoint a privacy lead:

"It is critical today for every publisher to have a person who is responsible for data privacy. Whether or not that person is the chief privacy officer or holds a different title is less important. The key is to have an experienced and senior person who looks at data collection and use strategically and takes proactive steps to ensure that data is managed responsibly across the enterprise. Without a data privacy officer or similar executive, companies run the risk of failing to protect data until it's too late: a law has been broken, a breach has occurred, consumers have been harmed, or the publisher's reputation has been tarnished. The key functions of a data privacy officer are to develop, manage and routinely update an enterprise-wide privacy programme to ensure that data is protected from cradle to grave and that privacy by design is baked into every line of business and project as early as possible. Other tasks include employee education and training, advising company leadership on strategy and risks, staying on top of legal and policy developments across the globe, working with vendors and third party partners, and drafting corporate privacy policies. A data privacy officer together with legal counsel may also be required to respond to data requests from government agencies and law enforcement. I was a chief privacy officer for several years and I can confirm that it is a challenging but fascinating position, and a critical one."

APPOINT DATA PROTECTION CHAMPIONS ACROSS THE COMPANY

If you want to be able to fully leverage the data you collect as a business, the recommended strategy for data protection is privacy by design. That approach involves building data protection into all business services and products, rather than treating it as an add-on after a new product has been launched. And to make privacy by design work, you need to put in place privacy owners across the organisation, so that you don't rely on product managers, editors and marketers to make the right choices about sensitive customer and personal identifiable information (PII) as business development goes on.

As Sanoma's Riikka Turunen said above, the privacy champions are like antennae for the business: "Because they know the business they will then, first of all, indicate how to solve any privacy issue that's arisen. In more complex cases, they contact the expert privacy team and start to resolve the potential problems as they are being designed into product, so that we find a solution early enough. If you put business experts, privacy experts and tech experts together, they can come up with the right solutions."

ESTABLISH PRIVACY AWARENESS AMONG ALL STAFF

As with all business-critical issues, in order for the entire organisation to move as one in data protection, you should provide training for all employees, to create at least a fundamental awareness of the law, internal policies, processes and pitfalls. That can be done in different ways.

The Guardian has developed bespoke training modules on the different aspects of data protection, which all staff can participate in. Each module concludes with a practical workshop where an imaginary Guardian business has been created and the participants go through the process of managing the data collection, hosting, transfer, etc., involved in running that business. Eventually, and this is of course the goal, staff start thinking like data protection officers. While the face-to-face modules are all entirely optional and are aimed at commercial and operations staff, all staff are required to complete an online training module on information security and data protection.

Sanoma is ramping up a training programme so that everyone gets basic privacy awareness knowledge about the existence of the policy, where they can find more information, and what the basic dos and don'ts are. In addition, operational areas have been identified where staff need to be aware as part of their roles. These teams are specifically trained in their respective area of operation. "And again the privacy champions have helped us identify what the most relevant roles and teams are in the different operational areas," says Turunen.

Some companies specialise in privacy training for staff, such as Teach Privacy (https://www.teachprivacy.com).

CONCLUSION: BE PROACTIVE!
Whether your organisation has full privacy programmes in place or is just setting out to create a formal structure for data privacy protection, we would urge you to treat this important area as an absolute business priority. Data is a key business asset, and the more robust your privacy programmes and processes are, the better you can leverage the data you collect. As Tim Gough at The Guardian points out, good data protection normally enables you to do more things with data, not less.
Data privacy also speaks to the trust your customers place in your news brand. The more open and transparent you are regarding your data collection and use, the more likely your users are to understand and accept it. There's an opportunity now to turn data privacy into a competitive advantage. Be the publisher that is one step ahead when it comes to communicating your privacy policy with consumers and earn their trust.

ADVICE FROM THE AD ECOSYSTEM

Publishers who allow ads to be served from anywhere other than their own ad servers (the vast majority, that is) need to get their house in order to protect and leverage user data. Work with trusted partners, set clear rules on what is permissible, and be creative about how you monetise your own first-party data.

Gunnard Johnson, SVP Data & Analytics at Centro, USA

Centro is a leading digital advertising player in the USA, with a platform that centralises, organises and automates digital media campaigns across all channels. We asked their SVP Data & Analytics, Gunnard Johnson, for advice to publishers on how to protect their data, and what the trends are in the ad industry around data privacy.

From a publishers
point of view, what are
the main challenges
with data protection in
digital advertising?
One challenge is controlling publisher audience data and preventing
that data from being used against
your usage guidelines. Its easy
for any technology vendor working with a publisher to pixel any
site (drop a cookie) and use the
info obtained with that cookie to
create look-alike audiences. These
companies can drop a cookie and
find that audience elsewhere for a
third of the cost. Publishers need to
know how to set rules so that they
are limiting use of any data picked
up when partners run campaigns
on their sites.
A second challenge is getting the
consumer to understand the rules

governing their privacy and how


their data is being used there is a
huge gap here. If I go to a site and
I look for information on credit
cards, I should know that the site
can use this data to create a profile
of me that can be used by other
vendors. Consumers need to understand that trade-off.

What are your top pieces


of advice to publishers
regarding data protection
and collection/use?

Set tight controls on what is


and isnt permissible by technology partners ad tags, surveys,
measurement, collection tags.
Publishers can set the rules on
what the vendors can extract
from a site and use for themselves. Limiting data management platform (DMP) tags from
non-partners would take care of
data leakage.
Instead of allowing advertisers to
pixel your pages, create ways
to monetise data yourself
and push it out there are new
opportunities here. A travel site
can use their data to work directly with agencies and advertisers
to create custom segments. The
publisher can also help marketers
find targeted audiences not only

on their owned properties but


also on other non-competitive
sites on the marketers behalf,
thereby capturing budgets that
may have been earmarked for a
network or ad exchange buy.

Publishers also need to create


simple and clear consumer
understanding and promotions of how the publisher is using data on its audience. Google
Play is an example where users
who download an app receive
clear notification on how Google will use their information.
Publishers should share the same
type of statement.

How difficult is it for


publishers to enforce
the guidelines they
have on third-party
data collection?
There are definitely challenges here. Even if a publisher doesn't
allow DMP tags, for instance, an advertiser could still collect
cookie data, which can then be used to glean audience data,
although not as much as if it was done real-time. But if a
consumer visits Autotrader.com, you can probably infer that they
are shopping for a new car. By capturing the cookies, an
advertiser could do some type of re-marketing to those
individuals when they're found elsewhere on the web.
Protecting your own data is a complex endeavour, which
demonstrates the need for in-house expertise on data management.
It also requires trusted partners, because some tasks can be
easier to manage using technology.

"All publishers need to be better at communicating what data is
being used and how it is collected," says Gunnard Johnson,
SVP Data & Analytics at Centro, USA.

What are the particular pitfalls and opportunities on mobile,
in your opinion?
Because mobile phones have Device IDs rather than using cookies,
from a privacy standpoint it's easier to match a mobile to an
actual person, and once you do that the anonymity of the Internet
is gone. By the same token, Device IDs improve data accuracy and
data targeting, so that better ads are shown, and when that
happens it's usually a good thing for consumers.
There's definitely an opportunity to improve advertising in mobile
devices, though, and there's also a need for much greater
education and awareness. The choices consumers have when they
download apps, in terms of the permissions they are asked to set,
are a great example of communicating with users. But I think
there's a need to go one step further in explaining what then
happens with the data collected here.

Do you see brands/advertisers taking adequate responsibility
for protecting consumers' data privacy?
I see the increasing need for data privacy experts. The challenge
is the management of data used in ad buys. How does an agency or
marketer combine multiple sites together while maintaining a
standard of how they are protecting consumer information and
notifying them about it? If you are a marketer using a demand-side
platform that combines different data sources (such as open data
marketplaces, publishers direct, your own first-party data), do
you have at least a common denominator strategy, where all the
publishers' sites you buy on have data protection and notification
measures that meet your standards? Data usage isn't adequately
explained by many publishers, much less with agencies. It must be
explained if the ecosystem wants consumer trust.

Do you see publishers taking adequate responsibility for
protecting consumers' data privacy?
I see most publishers taking responsibility for protecting the data
privacy of consumers. However,
all publishers need to be better at
communicating what data is being
used and how it is collected.

Finally, do you see the data protection issue pushing the
ad ecosystem in any particular direction?
I see a lot more regulation around targeting and measurement.
Regulating this aspect of online advertising a bit more, and
making sure there is more consumer protection, will have the
biggest impact on the ecosystem. Consumers don't understand this,
and there is less guidance and regulation around how to educate
and inform them.

WAN-IFRA WELCOMES YOUR INPUT ON PRIVACY


WAN-IFRA is keen to get your input on our activities on data
privacy. We have committed to revisit our survey in 2016 and
welcome ideas on a possible joint (opt-in) commitment to core
privacy principles. Contact nick.tjaardstra@wan-ifra.org.

Shaping the Future of News Publishing


WAN-IFRA The World Association of Newspapers and News Publishers
