Recently, privacy policy update emails have been appearing in numerous inboxes.
But was that really the right move?
The surge in updates is due to the General Data Protection Regulation (GDPR), a stringent data privacy law that took effect in the European Union on May 25, 2018. The regulation requires tech companies with E.U. users to follow new rules that give individuals more control over their personal data and how it is shared online.
Personal data is a lucrative commodity. Take Facebook, for instance: while its services are free, the company generated $40 billion in revenue in 2017. Facebook doesn't sell your personal data to others, but it leverages your detailed online profile — such as your gender, education, location, friends, likes, and posts — to serve targeted ads from third-party advertisers.
However, sometimes this data slips out of Facebook's control, as 87 million users discovered when their personal information was shared with the conservative political consulting firm Cambridge Analytica without their consent. This type of data breach, alongside growing public skepticism about how online data is used, is the driving force behind the creation of the GDPR.
The GDPR requires companies to take specific actions to protect data and give more control to users in the E.U., including:
- Write privacy policies and data usage explanations in simple language, not complex legal jargon
- Obtain explicit consent before collecting and processing a user's data, and offer clear, easy options to opt out of some or all data collection
- Allow users to download their personal data and transfer it to another company if desired
- Notify affected users about a data breach within 72 hours of discovery
- Grant users the "right to be forgotten," meaning they can permanently delete their account and associated data
- Provide users with an option to opt out of targeted marketing that uses their personal data
- Implement extra protections for sensitive information like health data, race, sexual orientation, religion, and political beliefs
Although the GDPR applies specifically to tech companies dealing with E.U. citizens, some U.S. companies, such as Microsoft, have extended their revised policies to users worldwide. Other companies have used their GDPR compliance efforts as an occasion to clarify their data privacy practices and provide better tools for managing data access. This is the reason behind all the emails you received, even if you're not located in Europe.
What should you do with it? For once, the choice is yours.
Under the new GDPR rules, companies must obtain your consent before adding you to their email list — no more automatic opt-ins, such as when you make a purchase from them online. While this only applies to European users for now, many companies are sending "opt-in" requests to all customers, regardless of where they live.
