Pittsburgh Post-Gazette

Here’s why companies are sending mass emails on updated data policies

- By Courtney Linder

When users practice learning Spanish on the free Duolingo app, the East Liberty company collects data on which words they know well, when they use the app, how many lessons are completed in that session and the type of device being used.

It’s key stuff, said Carl Gottlieb, who has served as data protection officer for the language learning company since November. It helps the research team improve the course and keep the app from crashing for the company’s global audience of 200 million.

But the European Union’s rules on how Duolingo discloses all that to users in the 24-country bloc will be changing this month and the penalties for getting it wrong are hefty — up to $24 million.

The General Data Protection Regulation, or GDPR, a slate of laws meant to help consumers gain more control over their data, goes into effect May 25.

As the go-live date looms near, data-hoarding firms like Facebook and Google, as well as a cartel of smaller firms, are sending out masses of emails and in-app notifications to let users know the terms of service and that data policies are changing.

Companies are working to give consumers a clear understanding of how their data is being used and collected under the new laws. That means no confusing legal speak and no little box to click, proving that you’ve read the terms.

“We are giving you better ways to access your data and understand how it’s used,” reads an email from the Instagram social media team. The company explained how it watches users’ taps and scrolls to distinguish them from bots and how it shares information with partners.

Although the new regs are a bid to make it easier for EU citizens to understand how their data is being used, the rules will influence how U.S.-based companies operate if they have a global user base — and most tech companies do.

“We’re only getting splashed with some of the water,” said Richard Franklin, professor emeritus of business administration at the University of Pittsburgh. “Though inevitably there are going to be some things that companies are going to do to make their lives easier and more consistent on a global basis.”

Mr. Franklin, who teaches information systems and technology management, said that in the U.S., the impact of the new rules will mostly be felt by businesses trying to comply. The rules are catching up not only to big companies like Facebook and Google but also startups like Duolingo and publishers like the Pittsburgh Post-Gazette.

It’s “complicated and messy” to become GDPR-compliant, Mr. Franklin said. Most will hire a consulting company to take on the burden. Some may block users from EU addresses to avoid the risk of not complying.

Under the new laws, companies must allow users to permanently delete their accounts and all data associated with them, rather than just deactivating the account; users can request a copy of all information a firm has on them, and the company has to provide it for free; and companies must explain why they’re collecting data and what it’s being used for, among other items.

Firms must strike harmony between giving users meaningful control and also maintaining their own standards for operation and monetization. After all, companies like Duolingo and Facebook primarily rely on advertising, a data-driven business, to turn a profit.

“If I were an entrepreneur, that would be something I’d be concerned about,” Mr. Franklin said.

Since 1995, the EU has been creating comprehensive laws around data practices, according to Mr. Franklin. Back in the age of dial-up internet, there was no Facebook and no extensive data collection, but firms did have digital records about their customers and transactions.

The new GDPR rules, he posits, are a response to changes in the world since 1995.

In the U.S., he said, there are no such blanket rules at the federal level. Data practices must follow a patchwork of state laws. There are two exceptions: HIPAA, an information privacy law to protect patients, and the Gramm-Leach-Bliley Act, a 1999 act that focused on deregulation in the financial services industry and prevented banks from sharing personal information with marketers.

As a result, scenarios play out where dozens of attorneys general sue a firm over a data breach because each state has its own standards.

In March, for example, Pennsylvania Attorney General Josh Shapiro sued Uber after 13,500 Pennsylvania Uber drivers were impacted by a 2016 data breach and the company kept the hack quiet for more than a year.

Under GDPR, Uber would have to disclose a breach in European countries within 72 hours and its terms of service should note that.

Not all data policies or terms of service were created equally, according to the user transparency organization “Terms of Service; Didn’t Read” (ToS;DR), playfully named after the internet acronym TL;DR which stands for “too long; didn’t read.”

ToS;DR formed in June 2012 to address what it calls “the biggest lie on the internet,” or the idea that a website or app’s users have actually read and digested terms of service before clicking “I agree.”

On its site, a handful of companies are given a rating from “Class A,” which means the website’s terms and privacy policy are agreeable, to “Class E,” the equivalent of receiving a failing grade on a term paper.

“If you can’t delete your account, that’s a blocker,” said Chris Talib, a freelance software developer and volunteer member of ToS;DR based in Brussels, Belgium.

YouTube earned Class D status because its terms and conditions may be changed at any point without notifying the user and deleted videos are not really deleted, among other items. Google was placed in Class C since it keeps your searches and other identifiable user information for an undefined period of time.

Facebook, Amazon and Twitter have not yet been rated. Mr. Talib said the organization can only rate a few companies at a time, piece by piece, because it is volunteer-based.

“After Cambridge Analytica, we can see not only that we are surveyed and watched every step and click, but that there are real consequences,” he said. “Even if you have nothing to hide or fear ... the choices you’re making are not yours anymore once they’re on the databases of those companies.”

Privacy policy updates
