
If you’ve visited any website lately, you’ve noticed a pop-up that asks you to grant permission to collect data and notify you by email about updated privacy policies. That’s because of a new privacy and data protection regulation in Europe.

The European Union has always taken a stricter view of privacy than the U.S., and it recently introduced a law dubbed the General Data Protection Regulation (GDPR) that harmonizes data protection across Europe and gives people control of their personal data. It also imposes strict rules on those who host and process this data, no matter where in the world they’re based.

The regulation called for companies to comply with its requirements by May 25, but roughly 80 percent of companies aren’t yet ready to do that, according to a report by compliance firm TrustArc. I recently visited Barcelona and moderated a panel at Marfeel, a mobile web optimization, engagement, and monetization company based in Spain. We talked about GDPR and how publishers and advertisers can balance privacy and monetization.

Our panelists included Xavi Beumala, CEO of Marfeel; Rithesh Menon, vice president of monetization and account management at Good Media Group (which includes Good and Upworthy); Tony Farrelly, owner of Farrelly Atkinson and publisher of, which is a British-based cycling website; and David Webb, CEO of Timera Media, which publishes history sites such as Vintage News and World History Online.

Here’s an edited transcript of our panel.

Above: Left to right: Dean Takahashi of VentureBeat, Rithesh Menon of Good Media Group, Tony Farrelly of Farrelly Atkinson, and David Webb of Timera Media.

Image Credit: Marfeel

Dean Takahashi: I am not an expert on this subject, but these people are more expert than I am so that’s a good thing. I’ll just be asking some of the questions. And Rithesh, you wanna introduce yourself and what you guys do?

Rithesh Menon: I work for Good and Upworthy, and I lead all our firm’s monetization and account management affairs, and I’m based in New York, but I’m happy to be here. Good and Upworthy are focused on basically uplifting content for the last four to five years. We are also a social-first publisher, so we were one of the publishers that blew up with the growth of Facebook in the last few years. But we are also one of these publishers that is also actively trying to figure out how to live in a post-Facebook world, and by that I mean Cambridge Analytica and everything else. So this is a great discussion to be a part of.

Xavi Beumala: I’m the CEO of Marfeel and what we do is mobile web and 360 mobile solutions.

Tony Farrelly: I’m the publisher of, which is a British-based cycling website. I’m from an editorial background. I’m probably about as GDPR-savvy in some aspects as Dean — but … our task is really grappling with the consequences of GDPR, which at the moment are irritating pop-ups, ironically.

David Webb: I run Timera Media. We also are a social-first publisher, and we specialize in popular history and military history. Our biggest sites are the Vintage News and World History Online.

VentureBeat: So does anybody wanna take a crack at the GDPR, explaining this, why we care about this enough to talk about this on here?

Farrelly: It’s something that has been building for years through the European Commission, which — the way the European Commission works is a slow gradual pace, and because possibly it’s been building for years, it took us all by surprise because it’s been going on for so long we forgot about it. And the aim is a laudable one, that people should have control over the data that is stored by publishers, probably more, really, advertisers than publishers, I would say, but we didn’t think it through. So at the end of the day, the digital landscape is changing so fast that actually — and the pace that they create law is so slow — there is a disconnect between the law’s intention and its application. Yeah.

VentureBeat: David? 

Webb: I think that the best sort of explanation of GDPR in a nutshell … it was actually a sign outside a butcher’s shop in Italy, and the sign read, “Warning: If you enter this shop, we may remember your face or your name and your meat preferences. If you don’t agree, walk through the door and shout out I agree, in which case we’ll serve you chicken.” I think probably that’s about the letter of that law. (laughter).

Beumala: The funny thing about GDPR is that it is a law that was built to protect citizens from companies like Amazon, Google, or Facebook, and the reality and the recent achievement of the law is that those companies are being more empowered. Because actually, they are the only ones that will be able to get more data and be allowed to use it and use the network potential that they have, that the rest of the world cannot have.

VentureBeat: Xavi, can you explain that a little?

Beumala: So in the end, GDPR, the way it’s set up and the way it’s written down — Google is all over the place and Facebook is the same, so it gets in as a habit. So as soon as they have an entry point like Amazon, Facebook, or Google, Gmail,, or world maps, they have first-party data. This data — they can have a lot of the consent from users to go and use it, [which means] allowing them to use this data elsewhere on the internet. Whereas, in the rest of the world we ask for consent on a smaller site to our users, and we don’t get that consent. The big guys have the consent, so it’s the big versus the small. It’s a big advantage. It’s the network advantage, and they have services which all of us would accept and opt in to use, right? So I think that the law was trying to be like a tax or something like this for those companies, and the law has not achieved that. Actually, it’s the opposite.

Menon: I think what I like about what Xavi and Tony have said is that, in theory, GDPR should have given publishers, and ultimately readers, users, some sort of leverage. I can argue that, I think in the long run perhaps, that might happen to some extent, but I don’t think it took away any kind of leverage or advantage [from] the big players, mainly the ones that they were trying to deal with. I don’t think that actually worked. So the end result is that, from our perspective, at least as publishers, these [platforms] still have leverage. What’s really changed is, from Tony’s point, I mean, you are putting up with a lot of annoying pop-up things. It’s actually making it a little harder, and in fact, in some cases, a lot harder. So it’s very interesting. I think in theory it means to do well, but I don’t think it was quite thought out, actually.

Beumala: Even the execution — because when we think about GDPR, why didn’t they enforce browser levels to do that? I mean instead of doing it on a one-by-one site, why don’t they put it on the browser level or even at the operating system level? Because again it’s two big ones, Android and iOS, and you have finished them all. They promised that, and it didn’t happen like that — instead we are getting the pop-up war. You say the GDPR shouldn’t have pop-ups. We have the GDPR pop-ups, and we have the cookie policy pop-up, which still exists.

Menon: People like us, trying to get email, that’s not a pop-up.


Above: Timera runs sites such as Vintage News.

Image Credit: Timera

Beumala: News and subscription. They don’t just show up as a display in the body, so it’s a pop-up actually.

VentureBeat: So everybody’s first reaction is “I don’t need to know about this, or I should pass this to my lawyer or completely ignore it.” But it has floated up to your level. It’s on your radar, to your awareness at some point. What brought it there? Why? Does it have something to do with the $27 million fine for violations or four percent of your annual global revenues?

Menon: So I think for us, at least, what brought it to our attention — again, ironically — was not the readers themselves. It was actually the agencies. So we were meeting a lot of agencies and brands. They started talking about it, and everyone was like, “You’ve got to be GDPR-compliant,” and it was asked in a way where they were not quite sure what that means, but they know that whoever they work with has to be. So, essentially, it was like, “We are not quite sure what this is, but you guys should figure it out. If not, we are not gonna give you the very little money we are giving you already.” So that’s how it came to our attention. So for us, part of the impetus behind this has been really to ensure that, initially, it was basically to make sure that we were in the good graces of these guys.