Three Internet Privacy Acts Every Publisher Should Know

By Sortable |
October 11, 2018

Ad Ops & Digital Publishing News - Sortable

Online, it can seem like the geographic borders of information and e-commerce are becoming more and more blurred. But as a digital publisher, if you’re serving ads to audiences in the US, Canada, or the European Economic Area (EEA)1, it’s good to be aware of regional privacy and data collection, processing and disclosure laws, and how each change with different countries.

With Sortable publishers seeing an average split of 40% US, 15% EEA, and 8% Canada traffic, we’ve rounded up some information privacy laws and personal information-handling practices that you should keep in mind, whether you’re based in those countries, see visitors from there, or want to see traffic from there.

On a serious note, complying with privacy laws and understanding the impending updates could help protect you from everything from fines and class action lawsuits to protecting your consumer confidence from a damaged brand reputation.

  1. EEA: General Data Protection Regulation (GDPR) for Publishers

    What is it?

    GDPR came into effect May 25, 2018 and applies across the EEA. GDPR is considered the data processing standard—it takes a proactive, consent-first approach to the collection of data and analytics.

    Why should it matter to publishers?

    GDPR ensures that companies can’t collect data without a lawful basis and a reason for processing. GDPR has the broadest definition of the personal data that it protects of any major privacy law, so if you collect any information from EEA-based users GDPR should be on your mind. Sites offering goods or services to EEA buyers, or tracking their online activities, are now required to obtain consent from users on the data they collect and with whom they share it with.  Consent Management Platforms, or CMPs, are used by many publishers to manage consent. (View trends in publisher decisions when it came time to implement GDPR).

  2. US: California Consumer Privacy Act for Publishers

    What is it?
    Scheduled to come into effect in January 2020, California’s new privacy law AB 375 was signed in by unanimous votes in the summer of 2018. As the world’s fifth largest economy at $2.7 trillion GDP, it’s likely that businesses targeting US visitors will encounter California residents. Consequently, California could become the de facto approach for the US. While California’s privacy law has passed, the Internet Association (a lobbying group that represents companies like Facebook, Google, Uber, Amazon, and Microsoft), the US Chamber of Commerce (the country's largest lobbying organization), and the Interactive Advertising Bureau (IAB) are encouraging US federal lawmakers to enact a federal privacy law. They want to avoid the confusion and complications of having to navigate a separate privacy law for every state in the US.

    Why should it matter to publishers?
    The California Act gives consumers the right to decide which personal data is collected and for what purpose. It also allows them to opt out of having their data sold.

    Personal information as defined by the California Act are standard identifiers in the physical world (like driver’s license or social security numbers), digital identifiers (like email addresses or demographic data), online behaviours (like IP, search, browsing history, purchases, and interactions), and any inferred data.

    The California Act isn’t quite as rigorous as GDPR (the California Act doesn’t require consent or permissions in the first place), instead focusing on a consumer’s control of who sees their data. Where it differs from GDPR is the lack of a stop mechanism—companies can still collect information—and no initial consent is required.

    Publishers who use ad tech that track visitors around the web with cookies and mobile advertising IDs should be aware that the California Act requires that publishers have an option to give people a way to ask for deletion of the information collected. If that personal information is sold or shared, the company must disclose the purpose.

  3. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) for Publishers

    What is it?
    Canada’s PIPEDA came into effect in June 2015, with updates scheduled for January 2019. PIPEDA protects personal information entrusted to commercial organizations. Personal information includes a person’s age, name, ID numbers, income, ethnicity, blood type, comments, opinions, and employee records.

    Why should it matter to publishers?
    Targeting Canadians? Publishers will need to obtain their consent when they collect, use, or disclose the Canadian individual’s personal information in the course of any commercial activity. The federal-level PIPEDA gives the user the right to access any personal information gathered, and be informed if that information is used for any other purpose than the original communicated intent.

    Like GDPR and the California Act, PIPEDA charges the publisher with protecting the personal information gathered, regardless of whether that is handled directly or by third parties. Interestingly, PIPEDA doesn’t cover any business contact information that an organization collects, uses, or discloses for the purpose of communicating. And PIPEDA is one of several laws in Canada that relate to privacy rights.

    There are 10 principles for publishers to follow, which outline: accountability: identifying purposes; consent; limiting collection; limiting use, disclosure, and retention; accuracy; safeguards; openness; individual access; and challenging compliance.

    Any publisher that breaches PIPEDA could face fines of up to $100,000 CAD.


There you have it, three major privacy acts you need to know about as a publisher in high economic demand areas. Privacy laws are complex and this article is meant as an overview, not a replacement for legal advice.

Sortable’s Consent Management Platform is one way to protect your site by gathering audience data under consent so you can expand and grow your business globally. Book a demo with our compliance experts today.

Get Started

Footnote: What is the European Union (EU) and the European Economic Area (EEA)?

There’s some confusion as to what the EEA is, versus the EU. The European Union (EU) is a union of 28 member countries and both a political and economic grouping. (Source:

The European Economic Area includes EU member countries and includes countries from the Scandinavian region. We’ve listed it in a handy table below.

The European Economic Area (EEA) includes EU countries and also:







**Switzerland (Confederation of Helvetia) - Swiss nationals living in the UK are applicable


The 28 EU countries and their country codes are:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.







Croatia (Hrvatska)


Republic of Cyprus


Czech Republic




































Slovakia (Slovak Republic)








The United Kingdom


**though neither an EU nor EEA member, Swiss citizens may reside and work in the UK, like other EEA nations.

Contact Us

Subscribe to our newsletter! Get free tips and tricks delivered directly to your email.

Recent Posts