Chances are you’ve received multiple emails in the past few weeks from social networks and other popular online services informing you about updates to their terms of service and privacy policies.
This is no coincidence. Companies are frantically readying their sites for the European Union’s forthcoming privacy legislation, the General Data Protection Regulation, or GDPR. This strict set of rules was designed to give online privacy rights back to users and ensure social networks and third parties don’t take advantage of them. The biggest change in European data protection in decades, the GDPR will fundamentally overhaul how companies and organizations handle data.
What is the GDPR?
Replacing the European Data Protection Directive from 1995, the GDPR provides a framework for data protection that applies equally to all 28 member states of the EU. Its core rules revolve around consent. Companies must gain consent from users before they can collect their data, and they cannot use vague, confusing wording or legal jargon to trick them into agreeing. The subject whose data is being gathered can revoke their consent at any time, and the process of withdrawing consent must be as easy as giving it.
Firms will also need to fess up to data breaches within 72 hours of first becoming aware of them. So, for example, Equifax would have been in violation of the law last year, when it finally told 148 million affected customers of a data breach weeks after it happened.
Other privacy rules under the GDPR give users the right to access their “personal data”—a term that has been extended to include IP addresses, location data, and web browsing cookies—and find out how it’s being used. There is also a “right to erasure” provision people can deploy to have their data deleted “without undue delay.”
Companies will no longer be allowed to collect every possible form of data, as the GDPR requires an “explicit and legitimate” purpose for processing information. The vague phrasing gives regulators leeway to enforce the rule, but it also opens the door for companies to lump information under broad purposes like “advertising” or “enhancing the user experience.”
What about U.S. companies?
You may be wondering why companies based in the U.S. and other non-European countries are among those updating their terms. Arguably the biggest change from the previous regulation is that the GDPR extends its jurisdiction to all companies that have a presence in the EU, even if the company is based elsewhere and the processing of data occurs outside of Europe. That means the major U.S. social networks—Twitter, Facebook, LinkedIn, Reddit, etc.—will all have to comply.
What happens if someone breaks the rules?
If a company fails to comply with the rules, the EU can slap it with a hefty fine of 20 million euros or 4 percent of its annual global turnover, whichever is greater. Penalties are tiered, so a company can be fined 2 percent for lighter offenses, though large firms like Facebook would still owe millions of dollars.
Am I covered by the GDPR?
The GDPR does not apply to users outside of the EU. Therefore, companies have no obligation to extend their expanded privacy rights to users living in other countries. This results in companies offering some users more privacy protection than others. Facebook, which has been criticized lately for failing to protect user data, is a prime example. It has not promised GDPR-level protections to U.S. users, despite CEO Mark Zuckerberg saying upcoming privacy changes would be “in spirit” of the GDPR. It went so far as to shift governance for users in Africa, Asia, Australia, and Latin America away from Ireland to avoid having to apply GDPR protections to an additional 1.9 billion users.
It’s not just social networks that are updating their policies. Any firm that collects information about its users must comply with the regulation, including sites like Venmo, Airbnb, and Roku. If you’re in the EU, these updates will strengthen your online privacy rights. For everyone else, we suggest reading through the documents to see what terms apply to you. Note: You can find updated terms of service for popular online services at MailCharts.
The GDPR will go into effect on May 25; expect to see more terms of service and privacy update emails between now and then.