Privacy vs Podcasting


(By Rob Walch) 
There is no opt-in for podcast listeners when it comes to tracking.


When someone visits a website or blog where an ad is being displayed, there is typically an option on that page to ask the visitor if they want to opt-in to being tracked and their personal data collected and shared (okay it is not worded exactly like that, but that’s what they are agreeing to when they say yes). Remember that little thing called GDPR from 2018? Yeah it was kinda at the heart of those changes. Part of GDPR basically said you have to get people to opt-in to such tracking activities — as it should be. If you don’t remember it and are in the U.S., stick around for a bit, CCPA is coming your way in California on January 1, 2020 and it is like GDPR but even a little stricter on data collection and what constitutes personal data.

In podcasting, those listening to your episodes for the most part do so from a service/site that is not yours. Apple Podcasts is the biggest of said services — with over 60% of the market share for consumption. There is, for most listeners of podcasts, just no opportunity to ask them if they want to opt-in to being tracked and their personal data being shared with third parties.

I don’t think anyone who covers the podcasting space, or knows anything about it, would argue that your RSS feed via an aggregator app is by far the number one way content is consumed. At Libsyn, it has been over 90% of consumption from the RSS feed and aggregator apps for quite some time. And that >90% of consumption does not offer any way for people to opt-in to anything.

So given all that, I want to share some quotes I found or received from a few different services that claim they are for the podcasting space. To protect the guilty, names have been changed.

First up, this is from an email from Mr. Blue:

“When our tag fires, we are hoping to get the listener IP address as well as the listener UserAgent. We use the IP address to match to our U.S. residential device graph in order to match the exposure to a conversion coming through via a pixel or other 3rd party data.“

Per GDPR, you cannot collect personal data and share it with a third party without the person opting into such activities — and we already established there is no opt-in. Per what is “personal data”:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet protocol (IP) addresses, cookie identifiers or other identifiers.”

Yeah, so Mr. Blue checks off those boxes on doing everything you are not allowed to do with GDPR and also CCPA. Brilliant!

Next, this is from Mr. Brown’s site:

“We collect behavioral and performance metrics that podcasters and advertisers need to make informed decisions. Mr. Brown gives you unprecedented detailed audience data including who, what, when, where, and how they’re listening to your podcast. Get an unfair advantage with the ultimate in podcast analytics. Data can be a beautiful thing.”

Here is a quick definition of “stalking” from Wikipedia: “Stalking is unwanted and/or repeated surveillance by an individual or group towards another person” — and that is exactly what Mr. Brown just described. There is nothing “beautiful” about letting your listeners be stalked, and when they figure it out – and figure it out they will (podcast listeners are a highly educated group) — your listeners are not going to be happy with those that set them up for said stalking.

From Mr. Blonde’s press release:

“Mr. Blonde is committed to consumer privacy, making consumers aware of how their data is being used, and providing the ability to opt-out of targeted advertising. Consumers will receive notice and have the ability to opt out of targeted advertising via a link included in the descriptions of podcasts the user downloads.”

Wait, let me get this right: their service is opt-out! Okay, tone deafness aside, that is not how the laws work, and is simply unethical (or so say 83% of people). And do you think any listeners would even see that link in the description of the podcast they download? Which means, I guess, digging into the ID3 tags if it is downloading. Yeah, that is what the average podcast consumer will do — I’ll buy that for a dollar.

And finally from Mr. Pink’s site they said the following:

“Mr. Pink’s Analytics is the first product to connect podcast downloads with on-site activity. We do this by determining who downloads via an RSS integration and matching them with onsite activity via JavaScript integration.”

Whenever a podcast analytics or hosting company use the word “who,” it is the same as saying we stalk your users and they have no idea.

It is one thing to offer up an ad in your episode — the listener can always choose to skip through it. (By the way, most listeners do not skip ads on podcasts). But it is completely different now that your listener requested an episode from your show and were opted into a third-party database and stalked online.

There is no option for your audience to opt-in to this type of activity — that is just how podcasting works. I tried explaining how podcasting works to one of the companies above, and they said, “If that is how it really works and it will not change, we might as well throw in the towel.” Yes — yes you should!

These companies, and the others that will follow, do not at all care about the podcasting space, and their actions will result in a blemish on this industry if they are adopted and used by podcasters. And the worst part about all of this is that recent reports show that targeted ads do not work any better than non-targeted ads.

So all this stalking going on is not even going to be effective.

If a service says they can tell you the who, what, when, where, and how of your listeners, it is not just creepy it is against GDPR and CCPA.

Run away. Run away.

Rob Walch is on the editorial board of Podcast Business Journal, and VP of Podcaster Relations with Libsyn. He hosts the podCast411 podcast/blog, the Today in iOS podcast/blog, co-hosts the Today in Podcasting podcast and The Feed podcast, and hosts the KC Startup 411 podcast. He is the co-author of the book Tricks of the Podcasting Masters. You can reach Rob by e-mail [email protected]


  1. Not for nothing, I’ve helped engineer and implement two GDPR roll-outs at enterprise scale in the last 18-months, I’m familiar with the rules and being familiar with those rules I am concerned about the difficulties that the American version of GDPR (whatever it winds up being called and which CCPA will likely be the blueprint for) will bring to independent creators so long as we’re relying on a free model delivered over RSS. If RSS isn’t the way podcasting will be done in 50 years, then we may as well start talking about how it will be done and get to cracking on towards that new method. We’re running on ~20-year old rails, it’s time to advance the delivery method to something more robust. I don’t have the answer but I’m confident RSS isn’t how audio entertainment will be delivered in another few decades.

    • One of the cheapest and most efficient methods of moving cargo in the US is he Railway system – and it runs on 150 year old technology. 20 year old tech does not mean it is not efficient in what it does. There is a very high probability 20 years from now podcasting will still be mostly powered by RSS. At least from what we see RSS feeds for percentage of downloads is going up – not down.

  2. The RSS feed will remain the distribution method of choice for forever more. No one is going to go back and re-work their infrastructure as there is no incentive for the aggregators to do so. Sadly most podcast hosts are not even GDPR compliant. My team at Blubrry took GDPR very seriously and expended significant capital to become GDPR compliant across our entire enterprise.

    Let’s be frank as content creators we know the demo of our audience. We interact with them every single day, sure we run demographic surveys annually to back up that knowledge but if you are a serious podcaster you know your audience and you know what advertising would best fit in your show.

    Podcasting is a medium that allows our listeners a level of privacy they do not get anywhere else which is something that should be celebrated versus exploited. All it will take is one lawsuit from an EU listener or the EU themselves from a podcast using one of the above services to make podcast hosts and podcast creators wake up to the fact that you just cannot collect identifying data.

    GDPR and CCA are serious laws with serious penalties for abusers.

  3. What you’re talking about is the possible blacking out of the podcast hosting provider’s ability to provide metrics to their customers. In order to check a GDPR or CCPA affirmation box you need to be presented with one. If the app is tracking for its own purposes, that’s fine, bake it into the TOS, no problem. But the app only allows you access the feed, the tracking is done by the host. The app can’t offer a GDPR/CCPA opt-in on behalf of the hosting provider (they aren’t sharing data with a 3rd party they’re just directing traffic) and the host has no way to present a GDPR popup within all the hundreds of listening apps. This harkens back to the conversation we had about locking down truly locking down RSS and securing it for monetization / controlled access purposes. RSS is too old to address these issues and it cannot be updated as you and I both know. It is time for RSS to die, we need another way to deliver our content – one which is more readily able to meet the expectations of this century.

    • Tanner – RSS is not going anywhere – and definitely not time for it to die. It provides a great method for easy distribution. GDPR and CCPA do NOT restrict a podcast host from providing data to the podcast hosted – as long as it is aggregated data and no info about specific IP addresses. The issue comes if anyone tries to share individual IP address info – which is what is needed to track that who, what, where, when type data that ad networks use to stalk IP addresses / user agents to build up a demographic profile. Again RSS will be hear for a long time – it is a great delivery method – and it actually provides privacy to the listeners or is supposed to.

        • Put it out – lay it on the ground and smother it with a blanket of reality. RSS is not going anywhere anytime soon. It works for consumers, it works for producers, it works for aggregators. The ones that don’t like it are the ones that want to stalk the users.

Comments are closed.