You’ve Probably Received a Ton of Privacy Policy Emails This Week. Here’s What’s Changing
If it seems like every tech company (Instagram, Venmo, Apple, and Twitter, to name a few) has been sending you emails about updated terms of service, you're not imagining it. Hundreds of companies are scrambling to update their data privacy policies ahead of a new European Union law that takes effect on Friday, May 25, 2018.
And while the new rule, officially known as the General Data Protection Regulation (GDPR), may stem from Europe, its effects are more global. In theory, once the GDPR is in force it will no longer be acceptable for a business operating in Europe to rely on a click-to-approve policy that runs dozens of scrolls long and is littered with legalese. Companies will be required to explain their privacy practices in clear and concise language that an ordinary consumer can understand.
That's why even if you live in the U.S., you may be fielding an onslaught of notifications. The regulation applies not only to companies located in the European Union, but also to any company that offers goods or services to people in an E.U. member country or monitors their behavior there, regardless of where the company itself is based. That includes most of the popular tech companies, such as Facebook, Twitter and Spotify, as well as many other consumer-facing and non-consumer-facing businesses.
“U.S. consumers will benefit in a knock-off kind of way,” says Matthew Lewis, head of the Global Regulatory Practice at Axiom Law.
The E.U. isn't joking around. The GDPR carries hefty penalties to ensure compliance. The most egregious offenders could face fines of up to 20 million euros or 4% of their total worldwide annual revenue for the preceding year, whichever is higher. The 10 biggest tech companies, if found in violation, could accumulate fines that top $50 billion, according to Axiom's research.
"There's a real need [for these companies] to act, which is why you're seeing your inbox fill up," Lewis says.
He added, "This is really prompted by not just giving you more visibility into your data, but more control of it."
Twitter was one of the major companies to roll out a new privacy policy early, announcing the changes in April, saying its new easy-to-understand policy would apply worldwide.
“We believe you should know the types of data you share with us and how we use it,” the company said on a blog post. "Most importantly, you should have meaningful control over both. We want to empower you to make the best decisions about the information that you share with us and to ensure you feel confident that your data is protected and secure."
The U.S. has no comparable law in place or about to take effect to protect American consumers. While there are some efforts at the state level to give ordinary consumers more control over their data, such as the California Consumer Privacy Act of 2018, a federal framework for data privacy regulation is virtually non-existent. It remains to be seen whether the GDPR will prompt the U.S. to act, but the fact that major companies like Facebook and Spotify are extending their updated privacy policies to Americans is a step in the right direction.
These are three of the main changes GDPR requires companies to make:
Consent
Before the GDPR, implied consent was widely tolerated, meaning that companies could add you to their email lists without directly asking you to opt in, whether you wanted to be on those lists or not.
Under the GDPR, consent is one of several lawful bases a company can rely on to process personal data (the others include performing a contract with you and the company's own legitimate interests), but where a company does rely on consent, the bar is much higher. Consent must be freely given, specific, informed and unambiguous, which means a clear affirmative action rather than a pre-ticked box or silence. It must be as easy to withdraw as it was to give. And the company must be able to demonstrate that it obtained consent, so it has to keep records of what you agreed to and when. Separately, whatever the lawful basis, companies must tell you up front what personal data they collect (things like name and home address, IP address, location, credit card numbers, age and gender, and more), why they are collecting it, how long they keep it, who has access to it, and how it will be used.
Had these consent and transparency rules been in force earlier, Facebook users in the E.U. would have had clearer legal recourse against the social media network in the wake of the Cambridge Analytica scandal, in which the data of up to 87 million Facebook users was improperly shared with a third party.
Transparency
GDPR also aims to protect consumers when their data is compromised. A company that suffers a personal data breach must now notify its supervisory authority within 72 hours of first becoming aware of it, unless the breach is unlikely to put people at risk, and must explain any delay beyond that window. Where the breach is likely to result in a high risk to the people affected, the company must notify them too, "without undue delay."
The 72-hour limit would have helped protect consumers in massive data breaches such as Uber's 2016 hack, in which the personal information of 57 million riders and drivers was stolen. Uber waited more than a year to admit it had been breached, paying the hackers $100,000 to delete the data and keep what happened under wraps.
There's still an open question on whether companies will notify U.S. customers of any breaches, Lewis says. But news travels, so if a company announces a breach in Europe, U.S. consumers will get the message.
Another benefit for consumers? Many companies must now appoint a data protection officer. The requirement applies to public authorities and to organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of sensitive data, which covers most large online services. The officer monitors the company's compliance, advises it on its obligations, and serves as the point of contact both for the supervisory authority and for customers who have questions or complaints about how their data is handled.
Data Portability
Companies must also give users the right to access their data, correct it if it is wrong, and ask for it to be deleted (otherwise known as the right to be forgotten). Deletion is not absolute; a company can refuse when it still needs the data to meet a legal obligation or defend a legal claim, for example. Under the right to data portability, companies also have to let you download the data you have given them in a commonly used, machine-readable format, much as Facebook did after the Cambridge Analytica scandal came to a head, so that you can take it to a competing service.
Another protection concerns how companies store data internally. The GDPR does not create a "right to anonymity," but it does push companies to pseudonymise data wherever practical: identifying details such as a name or email address are replaced by a token, and the secret that links the tokens back to real customers is kept separately, so that an analytics dataset or a leaked database does not by itself reveal which customer is which. Pseudonymised data still counts as personal data under the GDPR, because the company can re-identify it; only data that is truly anonymised, with no way back to the individual, falls outside the law entirely.
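As an added illustration (not part of the original article, and not code from any of the companies named in it), the following Python shows the difference between a naive pseudonym, an unkeyed SHA-256 of the email address, and a keyed one built with HMAC. The dataset, the emails and the key are constructed for the example; the point is that an unkeyed hash of a low-entropy identifier can be reversed by anyone who can guess the inputs, while the keyed token cannot be reversed without the key, which is stored apart from the data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real customers.
RECORDS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "Alice@Example.com", "purchases": 2},  # same person, different casing
]


def normalise(email: str) -> str:
    # Canonicalise so the same customer always maps to the same token.
    return email.strip().lower()


def naive_pseudonym(email: str) -> str:
    # Unkeyed hash: looks opaque, but anyone with a list of candidate
    # emails can recompute it and match, so it is not a real safeguard.
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def keyed_pseudonym(email: str, key: bytes) -> str:
    # HMAC-SHA256 under a secret key. The key lives outside the dataset
    # (e.g. in a KMS); without it the token cannot be linked to a person.
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def new_pseudonymisation_key() -> bytes:
    # 256-bit random key; rotate it and the tokens change, which is one
    # way to honour an erasure request without touching the analytics copy.
    return secrets.token_bytes(32)


def pseudonymise(records: list, key: bytes) -> list:
    # Replace the direct identifier with a token; keep the analytic fields.
    return [
        {"customer": keyed_pseudonym(r["email"], key), "purchases": r["purchases"]}
        for r in records
    ]


def reidentify_by_dictionary(token: str, candidates: list, key: bytes = None) -> str:
    # Models an attacker who obtained the tokens and holds a guessable list
    # of emails. With no key they can only try the unkeyed construction.
    for email in candidates:
        guess = naive_pseudonym(email) if key is None else keyed_pseudonym(email, key)
        if hmac.compare_digest(guess, token):
            return normalise(email)
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    guesses = ["carol@example.com", "bob@example.com", "alice@example.com"]
    print("unkeyed token reversed to:",
          reidentify_by_dictionary(naive_pseudonym("alice@example.com"), guesses))
    print("keyed token reversed to:  ",
          reidentify_by_dictionary(keyed_pseudonym("alice@example.com", key), guesses))
    for row in pseudonymise(RECORDS, key):
        print(row)
```

The two Alice rows still collapse to one token, so the business can count repeat purchases, but the dictionary attack that recovers "alice@example.com" from the unkeyed hash returns nothing against the keyed token. Because the company itself still holds the key, the tokenised table remains personal data in GDPR terms and must be protected accordingly.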