Data-privacy rules begin in Europe
Regulations should help Americans, too.
FOSTER CITY, Calif. – A far-reaching regulatory effort designed to give consumers more control of how tech companies collect and share their personal information goes into effect in Europe on Friday.
And U.S. consumers should benefit. The General Data Protection Regulation, or GDPR as it is more commonly known, will force companies to make more specific disclosures about how data is collected on their EU users and how it’s being shared and require companies to ask to collect data, rather than make a consumer opt-out. The intent is to swing the pendulum of control over our personal data away from companies and back to individuals.
The timing couldn’t be better to get consumers to take notice of how much personal information they agree to share by quickly brushing through privacy settings. The Facebook-Cambridge Analytica controversy awakened many to the stunning amount of personal information major Web companies have collected on them, all in the name of a “more personalized” service.
Who’s it for?
Crafted by the countries of the European Union in 2016, GDPR requires changes at tech companies for their EUresiding users. However, given the highly global society in which we now live, as well as the technical challenges of trying to apply the standards only to European citizens, even when they’re traveling the world, it’s likely that we’ll see standards applied on a nearly worldwide basis.
Many tech companies, from Apple to Facebook, have been revamping privacy portals and sending users updates on their privacy settings for this reason.
This is a great development for digi- tal citizens around the world. Though the 99 articles of the regulation are extremely long, complex and still up to a great deal of interpretation and debate, they’re focused on a good thing: helping us keep our personal information private and requiring companies to explicitly ask to use that data in very simple terms.
What will it do?
GDPR will force organizations to specifically ask for permission to contact their EU-residing users to use their personal data, and, most importantly, to disclose with them exactly what personal data they intend to share. They can no longer sweep collection and sharing of your information into broad categories such as “to give you a more personalized experience” or to “enhance the overall effectiveness of our service.”
If you’ve noticed a number of recent emails from companies and organizations specifically asking you to provide your permission to continue receiving their emails and other information — a process known as opt-in, where you willingly acknowledge and allow them to do so — that’s a direct effect of GDPR, even in the U.S. and other areas outside of the EU.
You can use these emails as a means of taking stock of what kind of information you’d like to keep receiving and what you’re no longer interested in (or frankly, may not even recall ever signing up for in the first place).
Companies have to honor your requests, and you have to explicitly tell them that it’s OK to keep sending material, so it should prove to be a great way to reduce some clutter in your inbox. Remember, however, that inaction on your part means that you will stop receiving information, special offers, etc. that you’d actually like to receive.
So, take a bit of extra time to go through your emails from the last few weeks and over the next several to ensure you’re getting what you want and eliminating what you don’t want.
Why companies need to pay attention
If organizations don’t follow the requirements of the regulation, the consequences can be severe. Companies that don’t comply can be fined up to 4% of their annual revenues — that translates to billions of dollars for companies such as Facebook and Google — which is se- vere enough to force tech companies to take the regulation very seriously.
The key tenets of GDPR go even further. They allow EU-resident users (and anyone if a company is following the standards outside the EU) to request that any data collected about you be deleted at any time. They require companies to disclose not only what kind of information they are collecting about you, but how they plan to use it and how you can download it yourself, and they put a great deal of emphasis on the concept of pseudoanonymization. Basically, what this means is that it’s OK for companies to collect information about you, but only if they put it together into a group with other similar individuals and not allow companies to separate out information on specific individuals.
Practically speaking, this means that, for example, they can collect and provide advertisers with collated information about 40- to 45-year-old men working in the pharmaceutical industry who live in the suburbs of St. Louis, but not all the specifics of an individual man who may fall into this category. While that may seem subtle, it’s actually a huge difference, because it prevents companies from individually tracking and profiting from specific individuals.
It’s certainly true that social media sites such as Facebook and search services provided by Google offer tremendous value to regular citizens on a daily basis. They are essentially woven into the fabric of our lives. However, it’s also true that these same sites have mishandled the privilege that we have afforded them.
It’s time to thank our European friends and work on crafting similar regulations of our own.
USA TODAY columnist Bob O’Donnell is the president and chief analyst of TECHnalysis Research, a market research and consulting firm that provides strategic consulting and market research services to the technology industry and professional financial community. His clients are major technology firms including Microsoft, HP, Dell, and Intel. Follow him @bobodtech.