The Atlanta Journal-Constitution

What do the new rules say?


Companies have to use plain language to explain how they collect and use data. While companies generally aren’t changing what they’re doing, they are revising privacy policies to eliminate legalese. Google is embedding video (from its YouTube service, of course) to further explain the concepts.

GDPR spells out six specific ways that companies can justify the “processing,” or use, of personal data. Some are obvious, such as to fulfill contractual obligations — for instance, when an insurer pays out a claim. For other uses, such as ad targeting, companies can seek your consent. Those that aren’t sure they got consent properly are now going back to users.

There’s also a somewhat vague category called “legitimate interests.” It’s a catch-all justification that companies can fall back on to keep using data, though the company must show that its needs outweigh potential impact on users’ privacy, said David Martin, senior legal officer for the European consumer group BEUC.

Companies are also required to give EU users the ability to access and delete data and to object to data use under one of the claimed reasons. Firms have to clarify how long they retain data.

And the rules force companies that suffer data breaches to disclose them within 72 hours. By contrast, it took Yahoo more than two years to reveal a breach that ultimately involved three billion users.
