Subscriber data, journalist sources, and audience analytics - media companies have unique GDPR obligations that go beyond standard business compliance.
Media companies occupy a genuinely unusual position under GDPR. Unlike a SaaS company or an e-commerce store, a publisher simultaneously operates as a commercial business (selling subscriptions, running ads, collecting reader data) and as a protected journalistic institution (with special exemptions for editorial activity).
1. Why Media Companies Have Unique GDPR Obligations
Most businesses have a relatively simple GDPR profile. Media companies are different in two important ways:
First, they often claim the journalism exemption (Article 85) for their editorial activities - investigating, reporting, and publishing stories that may involve personal data about individuals who have not consented to that coverage.
Second, they run substantial commercial data operations - subscriber databases, audience analytics platforms, programmatic advertising ecosystems, and email marketing systems - that receive no special treatment under GDPR and must comply in full.
2. The Journalism Exemption (Article 85)
Article 85 of GDPR requires EU member states to provide exemptions for processing carried out for journalistic, academic, artistic, or literary purposes.
What the exemption covers:
- Processing personal data in the course of investigating and reporting news stories
- Publishing information about individuals in the public interest, even without their consent
- Retaining source materials, interview notes, and unpublished research for journalistic purposes
- Archiving published stories that contain personal information
What the exemption does not cover:
- Commercial activities - advertising sales, subscription management, audience analytics
- Publishing personal information that serves no genuine public interest
- Automated profiling of readers or subscribers
3. Subscriber Data: Email Lists, Paywalls, and Billing
Subscriber management is one of the highest-risk areas for media company GDPR compliance. For the core subscription relationship you can rely on contract performance. For marketing communications you need explicit consent - subscribers who pay for access have not automatically consented to marketing.
4. Audience Analytics: Consent Requirements
Most audience analytics involves placing cookies on readers' devices. Under GDPR and the ePrivacy Directive, non-essential cookies require prior, informed consent. Google Analytics, Chartbeat, Piano, and similar tools require consent before firing.
Some publishers have moved to privacy-preserving analytics tools (Plausible, Fathom, Matomo) that collect aggregated data without cookies, which can often operate without consent under legitimate interest.
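A pre-consent check for the requirement above, as an added example that is not part of the original article: it takes the requests captured on a page load before the reader has touched the consent banner and flags contacts with known analytics hosts and any third-party cookies. The tracker host suffixes, the `news.example` site and the sample capture are constructed assumptions, not a complete tracker list.

```javascript
// Added example: audit requests captured BEFORE any consent interaction.
// Host suffixes are an illustrative, incomplete list (assumption).
const TRACKER_SUFFIXES = ["google-analytics.com", "chartbeat.com", "chartbeat.net", "piano.io"];

// True when host equals the domain or is a subdomain of it.
// The leading dot stops "evilnews.example" from matching "news.example".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// entries: [{ url, setCookie?: [raw Set-Cookie header values] }]
// Returns one finding per request that should not occur before consent.
function auditPreConsent(firstPartyDomain, entries) {
  const findings = [];
  for (const entry of entries) {
    const host = new URL(entry.url).hostname.toLowerCase();
    const thirdParty = !hostMatches(host, firstPartyDomain);
    const tracker = TRACKER_SUFFIXES.find((s) => hostMatches(host, s));
    const cookieNames = (entry.setCookie || []).map((c) => c.split("=")[0].trim());
    if (tracker) {
      // Analytics libraries often write first-party cookies from script, so the
      // request to the vendor host is the reliable signal, not Set-Cookie.
      findings.push({ host, reason: "analytics host contacted before consent", cookieNames });
    } else if (thirdParty && cookieNames.length > 0) {
      findings.push({ host, reason: "third-party cookie set before consent", cookieNames });
    }
  }
  return findings;
}

// Constructed capture for a site served from news.example.
const SAMPLE_CAPTURE = [
  { url: "https://news.example/article/1", setCookie: ["session=abc; HttpOnly; Secure"] },
  { url: "https://cdn.news.example/app.js" },
  { url: "https://www.google-analytics.com/g/collect?v=2" },
  { url: "https://ping.chartbeat.net/ping?h=news.example" },
  { url: "https://ads.adtech.example/sync", setCookie: ["uid=123; SameSite=None; Secure"] },
  { url: "https://fonts.static.example/font.woff2" },
];

for (const f of auditPreConsent("news.example", SAMPLE_CAPTURE)) {
  console.log(`${f.host}: ${f.reason} ${f.cookieNames.join(",")}`);
}
```

An empty result on a fresh page load is the expected state; the same capture taken after the reader accepts analytics cookies will legitimately show these hosts.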
5. Programmatic Advertising and the TCF
The IAB's Transparency and Consent Framework (TCF) is the industry's attempt to operationalise GDPR consent across the ad tech ecosystem. Publishers must work with a certified consent management platform (CMP) that implements the TCF, and must maintain records of consent signals.
6. Journalist Source Protection
Information that could identify a source may be protected under the journalism exemption and need not be disclosed in response to a data subject access request (DSAR) if disclosure would undermine source confidentiality.
7. Press Photography and Video
The journalism exemption applies to photography captured in the course of legitimate news reporting. What is not covered: background figures with no public role, images of children, and news images repurposed for commercial advertising.
8. Comments Sections and UGC
Reader comments fall outside any journalism exemption. Users have the right to delete their comments and associated account data. Third-party comment tools are data processors and require data processing agreements (DPAs).
9. DSARs from Subjects of News Stories
The journalism exemption permits publishers to withhold information that would reveal a journalistic source or compromise ongoing investigations, but it must be applied case by case. DSAR responses are still required within 30 days.
10. Compliance Checklist
Small publishers:
- Run a privacy scan to identify all third-party cookies and trackers
- Implement a GDPR-compliant consent banner
- Write an accurate privacy policy
- Obtain DPAs from email marketing tools
- Set data retention periods
Larger media groups:
- Establish a cross-functional privacy team
- Audit all ad tech vendors in your programmatic stack
- Ensure your CMP is TCF-certified
- Implement a formal DSAR handling procedure with editorial escalation path
- Appoint a Data Protection Officer if required
The fastest way to understand your compliance position is to see what your website is actually collecting. Custodia's free scan shows you every tracker, cookie, and third-party connection on your site within 60 seconds - no account required.