If you’ve been receiving a flurry of emails from companies asking you to opt in to continue receiving their messages, chances are they’re GDPR-related. The European General Data Protection Regulation is a new framework that will require companies to obtain explicit consent to use European Union (EU) customers’ personal data, as well as give EU consumers access to and control of their information.
The regulations have been under negotiation for several years and will come into effect today, May 25, 2018.
Though enforced by data regulators in the European Union, these regulations will affect not only Europe-based companies, but any company that collects the data of clients or customers who are in the EU.
Most U.S. companies with a digital service are therefore likely to be affected, as are global firms with international customers – notably, the technology giants where most of us generate vast amounts of data daily, such as Facebook, Google, and Amazon. Even small companies like Techlicious, with a very limited percentage of our readership in the EU, must take measures to be compliant.
The U.S.-based consumer advocacy group, Consumer Action, believes that these tougher regulations on European companies could have a positive ripple effect and offer benefits for people in the U.S. too, as international corporations are unlikely to create multiple systems for handling their users’ data based on location, and would instead apply the same data protection rules to all customers.
However, becoming compliant with GDPR is a complex process that can be expensive, difficult to implement and disruptive to the existing economic and technical infrastructure of many websites. Facebook, whose users in Africa, Asia, Australia and Latin America agreed to terms of service with the company’s Irish headquarters, recently shifted these users’ registrations out of Ireland, putting 1.5 billion users out of reach of the GDPR and its benefits. Some companies have even gone so far as to shut down their European operations because they found compliance to be unworkable.
What GDPR means for consumers
Part of the drive to implement the GDPR framework is down to the fact that the previous data act was formulated for a pre-digital age in which people generated far less information.
In contrast, today’s data-driven economy depends on consumer information – and the companies that can analyze this data to target their products and services. Digital giants like Google and Amazon depend on their ability to serve up uber-personalized results, while many smartphone apps are notorious for requesting access to user data that have nothing to do with the service or game itself, but are used to target third-party advertising.
Under the new regulations, companies will have to give individuals in the EU more control over their personal data and obtain consent before using their data.
Your new rights under GDPR
New rights under GDPR include:
The right to request access to your data, free of charge
You’ll be able to email any company required to be GDPR-compliant, ask what information it holds about you, what that information is used for inside the company, and whether it is shared with third parties.
The right for your data to be deleted if you terminate an account
You’ll be able to delete your account and all associated data – something most, but certainly not all, services currently allow, according to JustDelete.me, which tracks dozens of digital services and how easy or difficult it is to delete an account.
The right to port data to a competing service provider
Companies must not only allow users to download their personal data – if technically feasible, you can also request that this data be transferred directly to a competitor. For example, if you were to switch from Tumblr to a similar service (and Tumblr was GDPR-compliant where you live), you could request that your bio information, posts and images be transferred directly into your new account.
The right to object to data being used by the company, in some cases
You can prevent companies from using your personal data in direct marketing such as targeted advertising, whether for the company itself or on behalf of another organization.
In some cases, you can also object to your data being used in statistical compilation, scientific research or historical research – unless the company shows these projects are in the public interest and have benefits that outweigh your rights and freedoms.
The right to refuse to let your data be used at all
If your data is stored with a company that has a legal obligation to store details for a particular period – such as a financial institution – you can request your data not be processed in the period before it can be deleted. (However, personal data required for the company’s core service is exempt here.)
The right to be notified of a data breach “without undue delay”
There were over 550 data breaches of U.S. companies last year, exposing nearly two billion personal data records. Under GDPR, companies are required to notify customers without delay if the data leaked poses a risk to their freedoms – such as the Equifax breach that compromised the credit ratings of nearly half the country.
The right not to be subject to a decision based solely on automated means
If a decision would have a significant or legal impact on you, you have a right to object to the decision being made by an algorithmic process. This would cover scenarios such as insurance that varies depending on personal data beyond that officially submitted, and applying for an online loan – in both cases, consumers would be able to refuse consent for their data to be used in these automated decisions and/or request to appeal the decision and speak to a human.
Personal data includes any information that could be used to identify someone, including location, email address and IP address. There is also special protection for personal data classed as sensitive, including racial or ethnic origin, religious views, sexual orientation and biometric data (such as that generated by fitness trackers and smartwatches). Processing these types of data for marketing or advertising is forbidden unless the user gives explicit consent.
Companies that don’t comply with these regulations face fines of €20 million (US$23.5 million) or up to 4% of their previous year’s revenue, whichever is higher – for a company with Amazon’s turnover, that could mean up to $7 billion in fines.
Do consumers need to do anything?
A key component of the GDPR is that companies must make clear in everyday language (versus dense legal terminology) what options consumers have regarding how their data is processed. If a company is GDPR-compliant, you might be able to head to its Privacy section and find a handy FAQ detailing how your data will be used and your rights when it comes to opting out.
If you want a (GDPR compliant) company to stop using your data to send you personalized offers, for example, you could write to them or you may be able to disable the option in a settings menu.
Since the looming GDPR deadline is spurring companies to overhaul their privacy handling systems, including being more transparent about how consumers’ data is used, you may already have seen various alerts popping up on your favorite websites encouraging you to review your new data policy (and of course, those newsletters asking for confirmation you still want to receive them).
(Use Gmail? Though the company says the change wasn’t GDPR-related, you can head to the new Google dashboard to see what the big G knows about you and make changes to it in a far more intuitive interface.)
However, most online accounts won’t require any action from consumers to opt in to data protection – the GDPR is aimed at making businesses consider their data practices: whether they are collecting more personal data than needed, whether they are using this data transparently, and whether they are holding people’s historical data for longer than necessary.
For now, online advertising is likely to remain unchanged in terms of what consumers see (and you can already prevent ad-tracking if you wish). However, companies that serve the automated advertising pervading the internet are likely to especially feel the impact of complying with GDPR. Because of the number of elements involved in targeting each online ad, complying with the new regulations could require a level of user consents that one industry executive called “unworkable.”
It’s also worth noting that since many social media networks operate a free service in exchange for personal data to use in advertising, users will need to consent to however these companies use their data in order to keep using those services. For example, Facebook users based in Europe have received alerts from Facebook to review its new GDPR-compliant data policy - not consenting means deleting your Facebook account, but that’s not likely to happen for most, anytime soon.
GDPR gives consumers control over personal data
The use of personal data to influence the way consumers behave has now gone well beyond a creepy ad that follows you around the internet. Massive data misuse, such as the Facebook user details that Cambridge Analytica used to target political messages, illustrates how significant an impact personal details can have on the outcome of major events.
While the onus lies on businesses to prove that they handle consumers’ data safely and fairly, the greatest impact of GDPR could be felt through consumers wielding their new rights – reading newly clear privacy policies, objecting to uses of their data when needed, and revoking consent for data being used for purposes they may never explicitly have agreed to. Even if denying consent and giving up the likes of Facebook, Google and Amazon are too much to ask, perhaps pushing for GDPR rights will spur the change to a more transparent economy of data.
And for anyone who has found themselves the recipient of newsletters they never knowingly signed up for, or no longer want to read, the GDPR is offering an easy out: Simply don’t opt-in on those mailers asking for consent, and from May 26, your inbox will be that much lighter.