What’s Behind All of Those Privacy Emails?
A sweeping new European regulation affects us all, and it highlights just how much of your personal data companies are storing.
The occasional update to terms of service is normal. We generally scroll right past them in our inboxes. But if you have the feeling that, this week in particular, your email has been flooded with privacy update notifications from all your favorite websites — and plenty of websites you’d forgotten about, too — you’re not imagining it.
What’s behind all the updates to terms of service? Is this a scam?
No, this is real. It’s a result of the General Data Protection Regulation (GDPR), a set of regulations that restricts how companies handle your personal data and gives citizens more control over how their information is used. It’s causing a stir.
GDPR was put in place by the European Union and goes into effect today, which means companies all over the world were scrambling to update their policies in time. The legislation was actually introduced about two years ago, but the transition hasn’t always been smooth, which is why all the notices you received came within the last week or so.
If it’s a European law, why does it affect us in the United States?
Technically, GDPR only covers EU citizens, but the impact and ramifications are global because any company that collects data from someone living in the EU will be held accountable, which is why everyone from Airbnb to Spotify to Etsy is emailing you here, in the States.
While tech companies have been the focus because they’re seen as the culprits collecting the most data on us, the sweeping scope of the regulations will have a massive effect on all industries, not just tech.
How do the new laws protect privacy?
GDPR will more thoroughly govern the access to personal information and private data granted to companies and social media platforms. It’s a complex set of laws, but at its core, the EU is trying to ensure that your data is being used responsibly.
According to Mashable, the main provisions of GDPR are:
- The right to know what data a given company has about you, and how it is using that data
- The right to know if your data is being shared with third parties
- The right to access your data and take it somewhere else (called “data portability”)
- The right to, at least in some situations, have your data erased
If you want to go into more depth, Mashable examined the GDPR and put together this guide, including news clips and explanatory videos.
What happens if a company doesn’t play by the rules?
GDPR outlines penalties from a slap on the wrist via a written warning to hefty fines — for the worst offenses, up to €20 million (about $23 million) or 4 percent of the company’s total revenue, whichever is higher — depending on the severity of the violation.
For example, Facebook, which pulled in $40.7 billion in revenue last year alone, would face a staggering $1.6 billion penalty if found in violation of GDPR. In fact, the company has already been hit with lawsuits alleging violations on the policy’s first day in effect. Facebook says it has been working to comply with GDPR for the past 18 months.
So this is a good thing for privacy and data security, right?
After so many headlines about breaches and leaks, it’s nice to see a story about how the state of privacy may be improving. At the moment, some American websites, including a number of major newspapers, are not available to European users, at least not until they update their policies. Some companies worry the restrictions will negatively impact business — compliance laws always create more work in adhering to them — but privacy also has a place in that conversation.
Does this affect me if I don’t live in Europe?
Yes. If you own or operate a business with clients or customers in Europe, you’ll have to comply with GDPR, even if your operations are based in the United States.
Even if it doesn’t apply to your business, you may notice international companies making their privacy settings more visible and available to you. Take Apple, for example, which now lets you download every piece of data it has ever collected from you and correct what appears to be wrong.
The sheer volume of the data you can find there should teach us one thing — companies don’t part with a single scrap of our data once they obtain it, so privacy regulations are more important than ever. The fact that you received so many emails this week is proof that even those sites you’d forgotten about hadn’t forgotten you.
While GDPR is an EU regulation for now — the United States does not have a similar plan in the works, so things won’t change dramatically — it’s good to know GDPR may start more conversations about just how seriously we should be taking online privacy.