This is no coincidence. Companies are frantically readying their sites for the European Union’s forthcoming privacy legislation called the General Data Protection Regulation, or GDPR. This strict set of rules was designed to give online privacy rights back to users and ensure social networks and third-parties don’t take advantage of them. The biggest change in European data security in decades, the GDPR will fundamentally overhaul how companies and organizations handle data.
What is the GDPR?
Replacing the European Data Protection Directive from 1995, the GDPR provides a framework for data protection that applies equally to all 28 member states of the EU. Its core rules revolve around consent. Companies must gain consent from users before they can collect their data and cannot use vague, confusing wording or legal jargon to trick them into agreeing. The subject whose data is being gathered can revoke their consent at any time, and the process of withdrawing consent must be as easy as permitting it.
Firms will also need to fess up to data breaches within 72 hours of first becoming aware of them. So, for example, Equifax would have been in violation of the law last year when it finally told 148 million affected customers of a data breach weeks after it happened.
Other privacy rules under the GDPR give users the right to access their “personal data”—a term that has been extended to include IP addresses, location data, and web browsing cookies—and find out how it’s being used. There is also a “right to erasure” provision people can deploy to have their data deleted “without undue delay.”
Companies will no longer be allowed to collect every possible form of data as the GDPR requires an “explicit and legitimate” purpose for processing information. The vague phrasing gives lawmakers leeway to enforce the rule, but also opens the door for companies to lump information under broad topics like “advertising” or to “enhance the user experience.”
What about U.S. companies?
You may be wondering why companies based in the U.S. and other non-European countries are among those updating their terms. Arguably the biggest change from previous regulation is that the GDPR extends its jurisdiction to all companies that have a presence in the EU, even if the company is based elsewhere and the processing of data occurs outside of Europe. That means the major U.S. social networks—Twitter, Facebook, LinkedIn, Reddit, etc.—will all have to comply.
What happens if someone breaks the rules?
If a company fails to enforce the rules, the EU can slap them with a hefty fine in the amount of 20 million euros or 4 percent of their annual global turnover, whichever is greater. Penalties are tiered so a company can be fined 2 percent for lighter offenses, though large firms like Facebook would still owe millions of dollars.
Am I covered by the GDPR?
The GDPR does not apply to users outside of the EU. Therefore, companies have no obligation to extend their expanded privacy rights to users living in other countries. This results in companies offering some users more privacy protection than others. Facebook, which has been criticized lately for failing to protect user data, is a great example. It has failed to promise GDPR regulation to U.S. users despite CEO Mark Zuckerberg saying upcoming privacy changes would be “in spirit” of the GDPR. It went so far as to shift governance for users in Africa, Asia, Australia, and Latin America away from Ireland to avoid having to enforce GDPR regulations for an additional 1.9 billion users.
It’s not just social networks that are updating their policies. Any firm that collects information about its users must comply with the regulation, including sites like Venmo, Airbnb, and Roku. If you’re in the EU, these updates will strengthen your online privacy rights. For everyone else, we suggest reading through the documents to see what terms apply to you. Note: You can find updated terms of service for popular online services at MailCharts.
The GDPR will go into effect on May 25; expect to see more terms of service and privacy update emails between then and now.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.