A Guide to Understanding GDPR Implications For Subscription Businesses

By Catherine Moore, President and Managing Director for J.P. Morgan Merchant Services Europe and William Long, Partner and head of the European Data Protection Practice at Sidley Austin LLP.

In the Subscription Economy, millions of people work, shop and play online every day, leaving behind volumes of data that can include sensitive information. A study by IDC estimates that by 2020 there will be 5,200GB of data for every consumer on earth. In total, that works out at 40 zettabytes, or 57 times more than every grain of sand on every beach.

Regulators have increasingly become concerned with how companies capture, manage and protect the swathes of data they hold on their customers. Within the European Union (EU), these concerns have resulted in the General Data Protection Regulation (GDPR), a new regulation which aims to give consumers greater rights and security over how their data is used.

GDPR is the most comprehensive framework of its kind in the world and will have profound implications not just for businesses operating in the EU, but any that hold data on EU citizens. Companies in breach of GDPR could face severe fines, and with an implementation date of 25 May 2018, time is running out to ensure compliance.

Subscription businesses, which routinely handle sensitive customer information such as payment details, will need to be especially well prepared.


GDPR will effectively replace the EU Data Directive, which was established in 1995, during the early days of the internet, but is now considered inadequate to deal with current challenges. This is understandable considering the average smartphone today has 10x more processing power than a PC in 1995, while eCommerce sales are over €500 billion a year in Europe alone.

The new legislation establishes guidelines on how companies should handle customer privacy, store data securely, and respond to security breaches. It also attempts to offer a unified standard of operating across Europe so that companies do not have to deal with several regulatory environments.

For the first time, obligations will be placed on data processors as well as data controllers. In other words, GDPR will affect not just an organisation (the controller) but also its outsourcing providers (e.g., a cloud computing company or a third-party payment provider). Previous legislation placed responsibility solely on the controller.

GDPR also addresses the export of personal data outside the EU. The legislation makes clear that it applies not just to European companies but to any business processing the personal data of EU citizens, even if that business is not based in the EU.


At the heart of GDPR are a number of changes to the way customer data is handled. Under the legislation, customers will have to give explicit permission for companies to hold data about them, and companies must also be able to provide evidence that this consent has been given. One potential implication is that companies may have to alter their auto-renewal and subscription payment processes.

Companies can no longer store a customer’s personal data simply because it may prove useful in the future, or so that they can pass it on to another provider. From now on, the responsibility will be on businesses to justify why they are retaining customer information; otherwise, it may have to be erased.

Subscription businesses will be particularly affected, since they store a variety of data (usage, profile information and so on) in order to gain insights into customer behaviour.


  • Consent: Companies will have to actively obtain consent to store a customer’s personal data.
  • Customer profiling: New restrictions on using data for customer profiling.
  • Security and data breaches: Data breaches have to be reported within 72 hours of discovery.
  • Data portability: Consumers have the right to request the transfer of their personal data in certain circumstances.
  • Data transfer: Prohibitions on transferring data to non-EEA* countries without adequate safeguards.
  • Right to be forgotten: A business must erase an individual’s personal data in certain circumstances.
  • Security: Businesses must have security systems that are appropriate to the level of risk.

* The EEA includes the EU countries and also Iceland, Liechtenstein and Norway, which allows them to be part of the EU’s single market.

Businesses will need to implement new policies on data retention and deletion, particularly when customers do not give them permission to store data about them. The “right to be forgotten” is a particular challenge for organisations because of the rich web of information held in their databases. Whereas companies may previously have been concerned with how to store and archive information, the focus is now turning to what information is held and how it can be accessed. For example, a merchant may have to remove someone’s personal information from all of its payment transaction record histories if that person so requests.

It’s also important to realise that data does not just mean information held on a database. GDPR makes no distinction between physical and digital data: it could be customer details held on paper, or in old files at a warehouse, for example. This would now have to be made available in the event of a consumer request.


Given that GDPR becomes law in May 2018, businesses should already be looking at how it will affect their procedures. Under the regulation, firms can face fines of €20 million or 4 percent of global revenues, whichever is greater. And that’s just for ‘serious breaches’. Lesser failings, such as not keeping proper breach logs or not reporting a breach within the set timescale, will carry fines of up to €10 million or 2 percent of global revenue.

GDPR also allows individuals to claim damages for non-financial loss. Companies and third-party payment providers, which may unknowingly store credit card details, are frequent targets for cyber-criminals, so they will have to ensure especially tight protocols in this regard. Payment providers may also start offering value-added data protection services as a means of reducing the investment required by businesses, and of helping them win more business.

One area that will also be changing is the Payment Card Industry Data Security Standard (PCI DSS). Although this is unconnected to GDPR, a new version, PCI DSS 3.2, is set to become operational in February 2018. Companies that implement this standard will be some way towards becoming GDPR compliant, at least as far as payments are concerned. For example, multi-factor authentication (MFA) becomes mandatory in PCI DSS 3.2, offering retailers a way of protecting customer personal details.


Companies are going to have to radically rethink the way they do business. There are obvious ways in which organisations will have to change, e.g., in obtaining customer consent and shifting data retention policies. But there are more subtle changes too: there will need to be a shift in company thinking, to ensure that customer concerns are at the heart of company policy.

GDPR could entail huge volumes of work: from amending contracts to make them compliant and changing privacy policies and notices, to altering company procedures to deal with data subject rights.

The organisational changes will mean greater transparency and will also offer more security for customers. Companies that act quickly and robustly in implementing these changes may also find they will benefit from a greater degree of trust from their customers.

In short, implementing GDPR may mean major changes, but it should benefit businesses and customers alike. Don’t delay, however: the time for action is now, and companies that haven’t started thinking about it may find it’s already too late.

Torstar to move to a subscription model, charge readers for online news

Excerpts from the article by Emily Jackson on Financial Post

Torstar Corp. plans to charge readers for online news once more in its latest strategy to recover after the internet disrupted the newspaper industry.

Chief executive John Boynton announced Wednesday that the media company, owner of the Toronto Star and dozens of other publications, will move to a digital subscription business model, emulating recurring revenue models in industries such as music and entertainment.

“In some cases, it turned around entire industries,” Boynton said at the annual general meeting in Toronto, pointing to Spotify and Netflix as success stories.

Boynton did not reveal details on the subscription model, including when it will launch or how much it will cost, but said it will apply to the Toronto Star and StarMetro brands. The Globe and Mail and the National Post already use online subscription models.

This marks the Star’s second foray into charging for access to online content. In August 2013, it launched a paywall that asked readers to subscribe for $9.99 per month. It dumped the paywall less than two years later because it couldn’t get enough people to sign up. It subsequently launched subscriptions for Star Touch, a tablet app, but axed that product after sinking $23 million into the experiment.

But Boynton, who was hired last spring to help the company transition to digital, is convinced it will work this time thanks to better technology, shifting attitudes and leadership changes.

Read the full article on Financial Post

Apple will reportedly sell streaming video subscriptions through its TV app

Excerpts from the article by Chris Welch on The Verge

Apple will follow the path of Amazon this year and offer customers the ability to subscribe to popular streaming services from its TV app, according to a new report from Bloomberg. Normally, consumers must download and subscribe to services like Netflix, Prime Video, HBO Now, Showtime, and others on an individual basis. But just as Amazon has done with its Prime Video Channel subscriptions, Apple is aiming to centralize those options and have its TV app become the place that iOS and Apple TV owners visit to subscribe to them.

The TV app already acts as a hub where users can universally search for and browse shows and movies from numerous services; once they’ve chosen something, the associated streaming app opens up and immediately starts playing.

Bloomberg doesn’t specify which companies Apple is talking to or planning to partner with. Amazon’s Prime Video Channels include HBO, Showtime, Starz, Cinemax, CBS All Access, and a bunch of smaller, more niche services. It’s a nice convenience for Prime customers, but plenty of people still subscribe the traditional way with each separate app. But offering subscriptions would be yet another way for Apple’s services division to bring in more money. This could be an announcement that Apple makes at its WWDC keynote next month when it unveils the next versions of iOS, macOS, tvOS, and watchOS.

Nintendo drops Virtual Console model in favor of subscriptions

Excerpts from the article by Rebekah Valentine on gamesindustry.biz

In a post on the official Nintendo website last night detailing the Nintendo Switch Online service, the name "Virtual Console" was conspicuous only by its absence.

Upon reaching out to Nintendo, Kotaku learned that this omission may be a permanent one, as the spokesperson replied via email: "There are currently no plans to bring classic games together under the Virtual Console banner as has been done on other Nintendo systems."

The Nintendo Switch Online service debuts this September. Last night's announcement included pricing, feature, and membership details as well as how its classic game service will work. Subscribers will be able to download and play 20 total classic NES games at launch (including Super Mario Bros. 3, Donkey Kong, and The Legend of Zelda) with more games promised later on.

Virtual Console has been a popular request for the Switch since the system was announced. As a doubly effective approach to combating software piracy and monetizing old games, its presence on the Wii, Wii U, and Nintendo 3DS systems earned Nintendo a reputation for keeping its classics alive. Since launch, Virtual Console kept titles from the NES, SNES, Game Boy, Game Boy Color, Nintendo 64, and many other systems affordable and easy to acquire where original copies would typically fetch high prices at used game stores or online.

Nintendo's statement closes the door on further Virtual Console speculation as it continues to emphasize its new model for releasing classic titles. By shedding the Virtual Console label, Nintendo reserves the right to recreate audience expectations for such releases. With Nintendo Switch Online subscription games, Nintendo commits to at least a console-worth of the more popular titles in a subscription-based model. While there has also been word the company was planning to add GameCube games to the Switch's offerings, that report emerged months before the system's launch, and has not been corroborated since.

Nintendo Switch Online isn't Nintendo's only plan of attack, nor are other publishers ignoring the shift. For Nintendo's part, it has the NES Classic and SNES Classic retro consoles and Arcade Archive games such as Punch-Out!! Then there's Hamster's growing library of classic Neo Geo titles on the Switch and upcoming collections such as Sega Ages and Capcom's Mega Man X Legacy Collection keeping old games selling on modern systems.

MoviePass competitor Sinemia launches $4.99 per month subscriptions

Excerpts from the article by Megan Rose Dickey on TechCrunch

Sinemia, a MoviePass competitor that launched four years ago in Europe, has introduced some super-duper low-cost plans for seeing movies in theaters. Here’s the breakdown:

  • $4.99 per month: one ticket per month
  • $6.99 per month: two tickets per month
  • $9.99 per month: two tickets per month including 3D, 4D and IMAX
  • $14.99 per month: three tickets per month including 3D, 4D and IMAX

Now, I know what you’re thinking, and it’s true. MoviePass’s $9.99 per month subscription lets you see nearly an unlimited number of movies every month (one per day).

But there’s no way I would take full advantage of the “unlimited” offering. And Sinemia CEO Rifat Oguz recognizes that I’m not the only person like that.

“Not everyone really needs an unlimited moviegoing experience,” Oguz told me. “The average in the U.S. is four movies per year.”

For me, at least, Sinemia is a more attractive offer because of one simple feature: advanced online ticketing. MoviePass requires you to be physically at the movie theater to purchase the tickets, and homie just can’t play that. There’s also the fact that Sinemia lets you see 3D, 4D and IMAX. That’s not the case with MoviePass.

While Sinemia pays full price to movie theaters for every ticket purchased through its platform, Sinemia makes up for that via advertising deals with studios and restaurants. For example, when you open up the Sinemia app, the three movies you see featured at the top are paid for by studios wanting to promote their movies. As of right now, 85 percent of the company’s revenue comes from subscriptions with just 15 percent coming from advertising.

In the next 12 months, Sinemia hopes to launch its services in countries throughout Asia. Sinemia doesn’t disclose monthly subscriber numbers, but says it’s growing more than 50 percent every month.

Earlier this year, MoviePass sued Sinemia for copyright infringement, alleging Sinemia copied many of MoviePass’s features. Specifically, MoviePass alleges Sinemia violated a patent pertaining to automatic authentication and one pertaining to a ticketing system. The litigation is ongoing, but Oguz said he generally likes competition and appreciates how MoviePass made this model popular.