Three Internet Privacy Acts Every Publisher Should Know


Online, it can seem like the geographic borders of information and e-commerce are becoming more and more blurred. But as a digital publisher, if you're serving ads to audiences in the US, Canada, or the European Economic Area (EEA)¹, it's good to be aware of regional privacy and data collection, processing and disclosure laws, and how they change from country to country.

With Sortable publishers seeing an average split of 40% US, 15% EEA, and 8% Canada traffic, we've rounded up some information privacy laws and personal information-handling practices that you should keep in mind, whether you're based in those countries, see visitors from there, or want to see traffic from there.

On a serious note, complying with privacy laws and understanding the impending updates could help protect you from everything from fines and class action lawsuits to a damaged brand reputation and lost consumer confidence.

  1. EEA: General Data Protection Regulation (GDPR) for Publishers

    What is it?

    GDPR came into effect May 25, 2018 and applies across the EEA. GDPR is considered the data processing standard: it takes a proactive, consent-first approach to the collection of data and analytics.

    Why should it matter to publishers?

    GDPR ensures that companies can't collect data without a lawful basis and a reason for processing. GDPR has the broadest definition of the personal data that it protects of any major privacy law, so if you collect any information from EEA-based users, GDPR should be on your mind. Sites offering goods or services to EEA buyers, or tracking their online activities, are now required to obtain consent from users on the data they collect and with whom they share it. Consent Management Platforms, or CMPs, are used by many publishers to manage consent. (View trends in publisher decisions when it came time to implement GDPR).

  2. US: California Consumer Privacy Act for Publishers

    What is it?
    Scheduled to come into effect in January 2020, California's new privacy law AB 375 was signed in by unanimous votes in the summer of 2018. Because California is the world's fifth largest economy at $2.7 trillion GDP, it's likely that businesses targeting US visitors will encounter California residents. Consequently, California's law could become the de facto approach for the US. While California's privacy law has passed, the Internet Association (a lobbying group that represents companies like Facebook, Google, Uber, Amazon, and Microsoft), the US Chamber of Commerce (the country's largest lobbying organization), and the Interactive Advertising Bureau (IAB) are encouraging US federal lawmakers to enact a federal privacy law. They want to avoid the confusion and complications of having to navigate a separate privacy law for every state in the US.

    Why should it matter to publishers?
    The California Act gives consumers the right to decide which personal data is collected and for what purpose. It also allows them to opt out of having their data sold.

    Personal information as defined by the California Act includes standard identifiers in the physical world (like driver's license or social security numbers), digital identifiers (like email addresses or demographic data), online behaviours (like IP, search, browsing history, purchases, and interactions), and any inferred data.

    The California Act isn't quite as rigorous as GDPR (the California Act doesn't require consent or permissions in the first place), instead focusing on a consumer's control of who sees their data. Where it differs from GDPR is the lack of a stop mechanism (companies can still collect information) and the fact that no initial consent is required.

    Publishers who use ad tech that tracks visitors around the web with cookies and mobile advertising IDs should be aware that the California Act requires publishers to give people a way to ask for deletion of the information collected. If that personal information is sold or shared, the company must disclose the purpose.

  3. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) for Publishers

    What is it?
    Canada's PIPEDA came into effect in June 2015, with updates scheduled for January 2019. PIPEDA protects personal information entrusted to commercial organizations. Personal information includes a person's age, name, ID numbers, income, ethnicity, blood type, comments, opinions, and employee records.

    Why should it matter to publishers?
    Targeting Canadians? Publishers will need to obtain their consent when they collect, use, or disclose the Canadian individual's personal information in the course of any commercial activity. The federal-level PIPEDA gives the user the right to access any personal information gathered, and be informed if that information is used for any other purpose than the original communicated intent.

    Like GDPR and the California Act, PIPEDA charges the publisher with protecting the personal information gathered, regardless of whether that is handled directly or by third parties. Interestingly, PIPEDA doesn't cover any business contact information that an organization collects, uses, or discloses for the purpose of communicating. And PIPEDA is one of several laws in Canada that relate to privacy rights.

    There are 10 principles for publishers to follow, which outline: accountability; identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

    Any publisher that breaches PIPEDA could face fines of up to $100,000 CAD.


There you have it, three major privacy acts you need to know about as a publisher in high economic demand areas. Privacy laws are complex and this article is meant as an overview, not a replacement for legal advice.

Sortable's Consent Management Platform is one way to protect your site by gathering audience data under consent so you can expand and grow your business globally. Book a demo with our compliance experts today.


Footnote: What is the European Union (EU) and the European Economic Area (EEA)?

There's some confusion as to what the EEA is, versus the EU. The European Union (EU) is a union of 28 member countries and both a political and economic grouping. (Source:

The European Economic Area includes EU member countries and includes countries from the Scandinavian region. We've listed it in a handy table below.

The European Economic Area (EEA) includes EU countries and also:

Norway

**Switzerland (Confederation of Helvetia) - Swiss nationals living in the UK are applicable


The 28 EU countries and their country codes are:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.



**though neither an EU nor EEA member, Swiss citizens may reside and work in the UK, like other EEA nations.