GDPR, PR, and Journalist Databases: Is this okay?

I wrote previously about the GDPR not being a solution to all of the privacy problems (link). And while I think selling your online behaviour in exchange for the free use of a product you love is a fundamental to how the internet we enjoy today is built... there is a line.

That line gets crossed when anonymised browsing data is replaced with your actual contact information...when you did not give your consent...

...and especially, when you get nothing in exchange.

Unfortunately, this is the reality for the world of public relations. Journalists are spammed by huge amounts of unsolicited content from all sides. Their contact information has become a commodity because a few companies support a business model that involves selling their contact information as part of their product offering. And those journalists never gave consent.

But maybe they get something in exchange, you might think. I mean, their jobs rely on getting the latest news right? So why wouldn’t they want their contact information shared?

Because it is abused.

Many think GDPR changed all of this, when in fact, this is not the case.

GDPR does not change anything. It is building up on the Data Protection Directive (aka the ‘Cookie law’), that has been valid in Europe for over 20 years. The most dramatic change is the major increase in penalties for breaking your privacy rights.

So that means all of these companies will be scared and change their behaviour, right? Again, not really. You might have noticed around May 2018 that every online service you use was sending you updates to their privacy policy. Most of these changes are implementing legal defence against GDPR. And some companies count on the fact that most people do not read these policies before agreeing.

So back to our specific case of contact information reselling in public relations business. I have taken the time to read through the new privacy policies of the biggest players in the PR space and will try to point out the specific clauses that concern the contact information.

Cision

We will start with Cision, as it is probably the biggest PR software company out there. They have recently released their new data privacy document, specifically published on the gdpr subdomain of their page:

We process your personal data in order to provide our services to our customers. We believe that it is in our legitimate business interests to do so. Processing your data in this way also benefits you as an influencer and also our customers. You will receive focused information from our customers, often ahead of general release, giving you material to write about that is relevant to you and your audience. Our customers are able to communicate more efficiently to influencers who are likely to want to hear what they have to say. We consider and balance any potential negative impact on you and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where we believe that our interests are overridden by any unwarranted adverse impact on you.

The need for consent is bypassed neatly here by claim of ‘legitimate interest’...(more on that later). While being completely legal, it is a legal workaround as there is fuzzy definition of what it means. It is however, in this case, to make money.

Furthermore, it would be very interesting to know who is evaluating the levels of adverse impact, as there is a clear conflict of interest on the side of Cision. In any case, it is not left up to the contacts themselves to decide.

Meltwater

A very similar case goes for Meltwater and their new update privacy policy. Taken from the document itself:

We also may collect data from third party sources (such as contact information) as well as on behalf of our customers and at their direction. If we do so, we collect this information from publicly available third party sources.

Even though information is publicly available, a business still requires consent to send electronic communication to those contacts. And once again, the explanation of how this intent is verified is missing.

MyNewsdesk

MyNewsdesk also recently updated their privacy policy and address the ‘contacts’ very specifically. The quote from the policy goes as follow:

Your personal data is imported into Contacts by:
Customers uploading your contact information and other information about you to Contacts (such information is only accessed via their user accounts); or
us providing your contact information and other information about you to Contacts, ourselves or via our third party suppliers, such information having been published by you or others in publicly accessible sources such as social media and other media channels online, and researched and collected by us or our third party suppliers.

There it is plainly stated, that contact information collected by their research team or their partners is shared with their clients without the consent of the owner of the information. Their PR guide for GDPR compliance actually addresses the issue with following:

Sharing data with a client is also allowed as it is covered under the “third party” umbrella, but the same considerations must be made. Does the client have a legitimate interest to contact the individual and does this balance with the individual’s wishes to be contacted by the client?

The question remains, however, how are these criteria evaluated when sharing the information? And while this certainly moves the responsibility for consent/legitimate reasons to the clients of MyNewsdesk, it does not explain how the legitimacy of their interests is evaluated before sharing the data. I have reached out to the MyNewsdesk to ask them and received following in response:

Q: How are you going to make sure that the third party has a legitimate interest when sharing personal data with [the clients]?
A: Since we are no [sic] lawyers it is very difficult to give hands on advise. At times there might be a needed B2B interest. But defining the lawfulness and purpose is something each company has to define for themselves

These are just a few examples of what is, as of now, a fairly common practice.

It is a working business model as it enables mass communication instead of a proper targeting. What we all don’t realize is that it is detrimental to all of us. The journalist are overwhelmed by a huge quantity of useless content and the brands have a harder time getting their story out there.

Legitimate Interest

This beautiful little loophole called "legitimate interest" is where a lot of PR agencies and database providers hang their hats when it comes to GDPR. For an explanation on what it is, the Information Commissioners Office (ICO) does a pretty decent job making it understandable:

 Source: ICO - Legitimate Interests
Source: ICO - Legitimate Interests

What is clear about legitimate interest is that it is a blurry, grey area. This is unlikely to stand the test of time if journalists continue to get the barrage of irrelevant pitches they currently get today.

Daryl Willcox, Founder of ResponseSource put it best when he said:

Under GDPR lazy, scatter-gun PR – launching long-winded generic pitches at thousands of journalists – is likely to chip away at the foundations of using legitimate interests to process data and could bring the ICO under pressure to use its enhanced powers to reign-in our industry, with potentially negative consequences for PR, journalism and society as a whole.

What can you do?

To put it simply - take care of your own privacy. And try to respect the privacy of others the best you can.

That is what we all should be doing. The GDPR gives us tools to have a solid ground when being concerned that our data is being misused or abused. But the action itself needs to come from each one of us.

PRs

Being GDPR compliant is something everyone has to actively do. Just because you hire a database that claims to be GDPR compliant doesn't mean you are by default. And like I mentioned, legitimate interest is a good loophole for now, but if it gets abused there might be pushback. So the best things you can do is this:

  • Actually provide interesting and relevant stories to journalists that care
  • Take the time to build relationships with journalists so that there is no doubt you are doing the right thing
  • Do not "spray and pray" by spamming journalists and bloggers

Journalists & Bloggers

If you are a journalist or blogger and don’t want your contact information to be sold around, a good start is to write to the email addresses below and request the deletion of your information:

Here is a simple email you can use, sending from the affected email address.

Dear team,

My name is ______ and I am the owner of this email address. I would like to request a copy and a deletion of all the personal information you store about me.

Thank you!

Please let us know if you know of any other communications related services that are selling contact information of journalists, so we can include them in the list.