A Guide to Privacy Laws for Publishers in 2023

Updated on: December 20, 2023
Privacy: you have questions, we have answers. This hub collects the answers and an overview of the privacy practices publishers need to know.

Did you know that 137 of 194 countries have enacted laws to protect data and privacy? Privacy law for publishers has changed considerably in recent years. Your readers' information, including their IP addresses, location, and the cookies set in their browsers, is treated as their personal data and must be protected.

Understanding privacy laws for publishers is critically important. Your organization can be fined, or ordered to stop processing, if your website does not implement the right controls. You want to protect your users and your business, don't you?

Of course, you do, or you wouldn’t be reading this.

So, to help with this, we've created this privacy law hub for publishers. You'll learn about the laws that matter most for publishing and what to keep in mind so that you don't violate them.

What Is the ePrivacy Directive?

The ePrivacy Directive (Directive 2002/58/EC) came into force in 2002 and protects the privacy and security of personal information in electronic communications. Since its 2009 amendment (Directive 2009/136/EC) it has required publishers and advertisers operating in European Union countries to obtain consent from European users before storing cookies on their devices, or reading data from them, unless the cookie is strictly necessary for a service the user has requested. So yes, the ePrivacy Directive is what started the cookie banners across the web.

In January 2017, the European Commission proposed replacing the Directive with an ePrivacy Regulation intended to give online consumers more control over their data. Under the proposal, users would choose which cookies to accept, for what purpose, and to what extent they would let themselves be tracked: allow all cookies, just some, or reject all. As of this writing the proposal has not been adopted, and the 2002 Directive, as amended in 2009, remains the law in force.

So, What Is the ePrivacy Regulation?

The 2009 amendment to the ePrivacy Directive is what introduced the cookie consent requirement, which is why the Directive is often called "the Cookie Law". The proposed ePrivacy Regulation would carry the same requirements forward and make them directly applicable in every Member State. To comply with the cookie rules as they stand, you must:

  • Obtain users' consent before setting any cookies other than strictly necessary ones.
  • Tell users, in plain language, what data each cookie collects and for what purpose.
  • Give users access to your content and services even if they refuse non-essential cookies.
  • Let users withdraw their consent at any time, as easily as they gave it.

Difference Between ePrivacy Directive and ePrivacy Regulation

A directive sets an outcome that each Member State must achieve and is transposed into national law. The ePrivacy Directive is therefore the more flexible instrument: it lets Member States add rights to the existing rules, create new national law under it, or adapt existing law, which is why cookie rules differ in detail from one country to another.

A regulation, on the other hand, is directly applicable: once adopted by the EU institutions it binds every Member State from the set date without national transposition. That is what the proposed ePrivacy Regulation would do for the cookie and communications-confidentiality rules, once negotiations among the EU institutions conclude.

What Is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the European Union's data protection framework, which also applies across the European Economic Area (EEA). It was adopted on April 14, 2016, and came into force on May 25, 2018. The law requires a lawful basis, of which consent is the one most relevant to advertising and analytics tracking, before users' data may be collected or analyzed.

Companies may not collect data without a lawful basis and a stated purpose for processing. GDPR defines personal data more broadly than most other privacy laws. If your website offers goods or services to EEA users, or monitors their behaviour, GDPR applies to you regardless of where you are based.

While doing business in the EEA, you might track users' activities. Under GDPR you need to obtain consent for that tracking and tell users with whom you will share the data. The following types of data are covered:

  • Personally identifiable information (name, address, date of birth, national ID or social security number, etc.)
  • Web-based data (IP addresses, cookies, device identifiers, etc.)
  • Genetic and health data
  • Ethnic and racial origin
  • Biometric data
  • Sexual orientation, and
  • Political opinions

How does GDPR differ from ePrivacy Regulation?

Though GDPR and the ePrivacy rules are intrinsically linked, there are a few differences that you should know:

  1. GDPR regulates personal data use across every sector, including finance, healthcare, advertising, marketing, and publishing. The ePrivacy rules specifically address electronic communications: the confidentiality of messages and traffic data, direct marketing, and the storage of, or access to, information such as cookies on a user's device.
  2. GDPR gives effect to Article 8 of the Charter of Fundamental Rights of the European Union (protection of personal data), while the ePrivacy rules give effect to Article 7 (respect for private life and communications). The proposed ePrivacy Regulation would extend the confidentiality rules explicitly to over-the-top messaging services such as WhatsApp, Skype, and Facebook Messenger.
  3. Under GDPR, publishers, advertisers, and any business with direct access to users control the consent request: they decide how consent is presented and recorded. The ePrivacy Directive's recitals contemplate browser settings as one way a user could express cookie preferences, but regulators expect an active, informed choice, so browser defaults alone do not count as consent.

What happens if you don’t follow GDPR?

You may end up paying fines of up to €10 million or 2% of annual global turnover for lower-tier infringements, and up to €20 million or 4% for the most serious ones, whichever amount is higher, depending on the extent to which you violated the law.

In April 2018, a few weeks before GDPR took effect, U.S. Senators Edward J. Markey and Richard Blumenthal introduced the CONSENT (Customer Online Notification for Stopping Edge-provider Network Transgressions) Act.

What is it? It is a bill aimed at protecting US-based users' information from the edge providers that collect, use, and share it; it was not enacted. Here's a deep dive for you.

What Is the California Consumer Privacy Act for Publishers?

The California Consumer Privacy Act (CCPA) was passed unanimously by the California legislature and signed into law in June 2018, and it took effect in January 2020. It gives consumers the right to know what personal data businesses collect about them and for what purpose, to request its deletion, and to opt out of its sale.

CCPA defines personal information broadly: standard identifiers used in the physical world, e.g., driver's license and social security numbers; digital identifiers, e.g., email addresses and demographic information; and online behavior data, e.g., browsing history, IP addresses, interactions, and purchases.

Unlike GDPR, CCPA does not require consent before data is collected. It is an opt-out regime that focuses on controlling who sees the user's data: companies may still collect data by default, but must honour requests to stop selling it. In that respect it is weaker than GDPR.

Publishers who display ads, collect users' data, and share it with ad-tech partners must disclose this purpose in their privacy notice, honour "Do Not Sell My Personal Information" requests, and delete the collected information on request.

What happens if you don’t follow CCPA?

Civil penalties are up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Under the original CCPA a business had 30 days to cure a violation after being notified before penalties applied; the CPRA removed that mandatory cure period. To avoid penalties, read our detailed guide on CCPA here.

What Is the Personal Information Protection and Electronic Document Act (PIPEDA)?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law. It received royal assent in 2000 and came into force in stages from January 1, 2001; it was amended by the Digital Privacy Act in June 2015, and mandatory breach reporting took effect on November 1, 2018. The law protects personal information such as age, name, ID numbers, occupation, and income. So, if you deal with Canadians, you must obtain their meaningful consent for data collection and use.

The law gives users the right to access the information companies have gathered about them and to be informed if the data will be used for any purpose other than the one originally stated. Like GDPR and CCPA, PIPEDA holds publishers responsible for protecting users' data whether they handle it directly or through third-party companies.

Under PIPEDA, the following information is addressed and covered:

  • Name, age, income, ID numbers, blood type, and ethnic origin,
  • Comments, social status, opinions, evaluations, and disciplinary actions,
  • Credit records, loan records, medical records, etc.

What happens if you don’t follow PIPEDA?

Knowingly failing to report or keep records of a breach, or obstructing an investigation by the Privacy Commissioner, is an offence punishable by a fine of up to CAD 100,000.

What Is Lei Geral de Proteção de Dados (LGPD)?

Lei Geral de Proteção de Dados (LGPD) is Brazil's data privacy law, passed in August 2018. Its effective date was originally set for August 16, 2020; it has been in force since September 18, 2020, and its administrative sanctions have applied since August 1, 2021. The law applies to any business processing the data of individuals in Brazil and shares many concepts with the European GDPR. Under LGPD, publishers should assess how each user's data is collected, stored, used, and retained within their organization.

What happens if you don’t follow LGPD?

The fines under LGPD are less severe than GDPR's: up to 2% of the company's revenue in Brazil for the previous financial year, excluding taxes, capped at 50 million reais (about €11 million) per infraction. How can you comply with LGPD? Read this article to learn about the steps.

What Is the Personal Data Protection Act (PDPA)?

The Personal Data Protection Act (PDPA) whose obligations and penalties are described below is Singapore's PDPA 2012, whose main data protection provisions have been in force since July 2, 2014. It covers any organization that collects, uses, or discloses personal data in Singapore, whether or not the organization is formed or located there. Thailand has a separate law with the same name and abbreviation, modelled closely on GDPR, published in May 2019 and fully enforced since June 1, 2022; its obligations and penalties differ from those listed here.

The PDPA sets out nine data protection obligations:

  1. Consent
  2. Purpose limitation
  3. Notification
  4. Access and Correction
  5. Accuracy
  6. Protection
  7. Retention limitation
  8. Transfer limitation
  9. Openness

Learn more about the obligations and how to comply with PDPA in detail here.

What happens if you don’t follow PDPA?

For offences under the Act, such as obstructing the Personal Data Protection Commission, you are liable to:

  • Pay a fine of up to S$10,000 or serve up to 12 months' imprisonment, or both (in the case of an individual)
  • Pay a fine of up to S$100,000 (in any other case)

In addition, the Commission can impose a financial penalty for breaching the data protection obligations of up to S$1 million, or, since October 1, 2022, up to 10% of annual turnover in Singapore for organizations whose turnover exceeds S$10 million.

What Is the Children Online Privacy Protection Act (COPPA)?

The Children's Online Privacy Protection Act (COPPA) is a United States federal law enacted in 1998 that took effect in April 2000. It limits what personal information publishers may collect from and about children under the age of 13 and how they may use it.

In 2013, the FTC revised the COPPA Rule (effective July 1, 2013). The earlier rule had not clearly reached persistent identifiers or the third parties, such as advertising networks and plug-ins, that collect data through a child-directed site. The revised rule treats cookies and similar identifiers as personal information and makes those third parties liable when they have actual knowledge that they are collecting data from a child-directed site.

What happens if you don’t follow COPPA?

If you violate COPPA, the FTC can seek a civil penalty for each violation. The amount is adjusted for inflation every year: it was $43,280 per violation when this guide was first written and is above $50,000 in 2023. How do you make sure that you're complying with COPPA? Here's an article that will help you.

What Is the California Privacy Rights Act (CPRA) for publishers?

The California Privacy Rights Act (CPRA), approved by California voters in November 2020, amends and expands the CCPA. It took effect on January 1, 2023, and became enforceable on July 1, 2023. Also known as CCPA 2.0, the CPRA adds or expands six areas:

  • Sensitive personal information (a new category, with a right to limit its use)
  • Right to correct inaccurate personal information
  • Children's data (penalties tripled for violations involving consumers under 16)
  • Risk assessments and cybersecurity audits for high-risk processing
  • Automated decision-making (access and opt-out rights)
  • Data retention (disclose retention periods and keep data no longer than necessary)

We've explained all the new data rights in detail to help you understand the law better. The California Privacy Protection Agency, created by the CPRA, shares enforcement with the Attorney General; penalties remain $2,500 per violation and $7,500 per intentional violation or violation involving consumers under 16.

How Can Publishers Invest in Privacy-Driven Advertising?

To ensure your website complies with the growing data privacy laws, follow the suggestions below:

Integrate Customer Data Platform (CDP)

To comply with data privacy laws, you need to double down on how you collect and store user data. Even if your teams know their own siloed data well, you need a complete view of what is held about each user across systems. That means a customer data platform that does more than sort and store information.

A CDP can help you cleanse data and build a unified record per user, so you can see which data your marketing or advertising partners receive and how they use it. Collect only the data you need.

One of the most important aspects is understanding why you need data and what kind of data will be relevant to your business. Various publishers are capturing all kinds of available data without knowing for what purpose they will use it and if they need it.

Integrate a Consent Management Platform (CMP)

To tie your policies to all the data privacy regulations, asking for permission, i.e., obtaining consent, is mandatory. You must ask for consent before using the data and be transparent about how it is used. Onboard a consent management platform (CMP) so that you can:

  • Collect your website visitors' consent and ensure that third-party trackers do not load or collect data if the visitor refuses,
  • Provide an easy opt-out mechanism to comply with online privacy laws,
  • Give your visitors a way to withdraw consent and have their data deleted whenever they want, and more.
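The cookie rules in the ePrivacy section above and the CMP requirements just listed come down to the same mechanism: a tag only runs once its purpose has been consented to, withdrawal must re-block it and clean up after it, and you need a way to verify that nothing slipped through. The example below is an added illustration of that gate, not code from the original page or from any vendor's CMP. The tag names, purposes and cookie names are constructed, and a plain object stands in for the browser's cookie store so the code runs offline.

```javascript
// Added example: a minimal consent gate in the style of a publisher's tag
// loader. Not from the original page or any vendor's CMP; tag names,
// purposes and cookie names below are constructed for illustration.

const NECESSARY = "necessary"; // strictly necessary cookies are exempt from consent

class ConsentGate {
  constructor(cookieJar) {
    this.jar = cookieJar;              // plain object standing in for document.cookie
    this.tags = [];                    // { name, purpose, cookies, load }
    this.granted = new Set([NECESSARY]);
    this.loaded = new Set();
  }

  // A tag declares its purpose and the cookie names it will set; load(jar)
  // is where a real loader would inject the vendor script.
  register(tag) {
    this.tags.push(tag);
    if (this.granted.has(tag.purpose)) this.run(tag);
  }

  run(tag) {
    if (this.loaded.has(tag.name)) return;
    tag.load(this.jar);
    this.loaded.add(tag.name);
  }

  // Apply a new consent decision. Purposes absent from the list are
  // withdrawn: their tags are marked unloaded and their cookies deleted.
  // Returns what changed so the caller can write the consent record.
  setConsent(purposes) {
    this.granted = new Set([NECESSARY, ...purposes]);
    const result = { loaded: [], blocked: [], deletedCookies: [] };
    for (const tag of this.tags) {
      if (this.granted.has(tag.purpose)) {
        if (!this.loaded.has(tag.name)) {
          this.run(tag);
          result.loaded.push(tag.name);
        }
      } else {
        if (this.loaded.has(tag.name)) {
          for (const c of tag.cookies) {
            if (c in this.jar) {
              delete this.jar[c];
              result.deletedCookies.push(c);
            }
          }
          this.loaded.delete(tag.name);
        }
        result.blocked.push(tag.name);
      }
    }
    return result;
  }

  withdrawAll() {
    return this.setConsent([]);
  }

  // Cookies present that no granted-purpose tag accounts for: either a
  // blocked tag leaked them or an unregistered script set them.
  audit() {
    const allowed = new Set();
    for (const tag of this.tags) {
      if (this.granted.has(tag.purpose)) tag.cookies.forEach((c) => allowed.add(c));
    }
    return Object.keys(this.jar).filter((c) => !allowed.has(c)).sort();
  }
}

// Constructed sample tags (illustrative names and cookies only).
function buildSampleGate(jar) {
  const gate = new ConsentGate(jar);
  gate.register({ name: "session", purpose: NECESSARY, cookies: ["sid"],
                  load: (j) => { j.sid = "abc123"; } });
  gate.register({ name: "analytics-vendor", purpose: "analytics", cookies: ["_ga"],
                  load: (j) => { j._ga = "GA1.2.1"; } });
  gate.register({ name: "ad-vendor", purpose: "advertising", cookies: ["IDE"],
                  load: (j) => { j.IDE = "opaque"; } });
  return gate;
}

function runDemo() {
  const jar = {};
  const gate = buildSampleGate(jar);
  const beforeChoice = Object.keys(jar).sort();         // only the session cookie
  const afterPartial = gate.setConsent(["analytics"]);  // _ga set, ad tag still blocked
  const afterWithdraw = gate.withdrawAll();             // _ga deleted again
  jar.test_cookie = "leaked";                           // simulate a rogue script
  return { beforeChoice, afterPartial, afterWithdraw, strayCookies: gate.audit(), jar };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runDemo(), null, 2));
}
```

Run it with `node` to see the three stages: before any choice only `sid` exists; after consenting to analytics `_ga` appears while `IDE` stays blocked; after withdrawal `_ga` is removed and `audit()` flags the stray `test_cookie` that no consented tag accounts for. In a real deployment the `load` callbacks would inject the vendor scripts and the jar would be `document.cookie`, and the audit is the check to run in CI or a crawler to prove that refusing consent really does stop third-party trackers.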

Many publishers are already using CMPs to gather consent and provide control to make it easier to adapt to privacy laws in the future. Not sure which CMP to choose for your business? We’ve curated a list of the top CMPs available in the industry.

Stay apprised of significant data privacy updates

Paying attention to data regulations and adapting to new updates is crucial for every publisher. Dealing with new privacy requirements and rolling out the changes can be tough, but it is not something you can skip or delay.

Regulatory-tracking services, some of which use machine learning to flag changes, can help you keep up with amendments to existing laws and with upcoming ones. You can also subscribe to blogs, e.g., the Chromium blog or other ad-tech blogs, to stay tuned.

Follow the guidelines defined by IAB

IAB Europe, the European arm of the Interactive Advertising Bureau, has released a set of technical specifications and policies known as the Transparency and Consent Framework (TCF) to help publishers comply with Europe's data privacy regulations while still serving interest-based targeted advertising.

Simply put, the framework standardizes how consent and transparency signals are communicated among publishers, CMPs, ad-tech vendors, and advertisers. Many organizations already use TCF as the foundation for handling users' data, so make sure you've implemented the latest version of the framework (TCF v2.2 at the time of writing). Don't know what's new in the latest version? Read our comprehensive guide on this framework.

What’s Next?

Consumer privacy laws in the United States and overseas now dictate how data may be collected and used. Though each privacy law varies in its specifics and fines, taking control of what your website collects and protecting your users' privacy is a must.

Think about where your website visitors reside and which laws apply to them. Minimize the data you keep about them, and make sure you strictly follow your own procedures and policies.
