EU online privacy rules prompt sweeping changes in US

Recent email from Constant Contact

Facebook, Twitter, LinkedIn, Microsoft, Strava and Soundcloud are among the major online companies that announced plans to update their terms and conditions to comply with a new privacy law out of the European Union (EU).

The New York Times reports, “On May 25, a new law called the General Data Protection Regulation goes into effect across the European Union. The law strengthens individual privacy rights and, more important, it has teeth. Companies can be fined up to 4 percent of global revenue — equivalent to about $1.6 billion for Facebook.”

For those of us who have paused from browsing websites to arrive at the startled realization that ads we’re seeing are tailored to our particular shopping and viewing habits, this sometimes unsettling trend may abate.

The New York Times explains, “The new law requires companies to be transparent about how your data is handled and to get your permission before starting to use it. It raises the legal bar that businesses must clear to target ads based on personal information like your relationship status, job or education, or your use of websites and apps. That means online advertising in Europe could become broader, returning to styles more akin to magazines and television, where marketers have a less detailed sense of the audience.”

With companies such as Facebook and Twitter aligning with the new regulations and extending them beyond the EU, the changes will likely be visible in the US.

Ad Week reports, “Twitter is just the latest in a series of companies, including LinkedIn, Strava and Soundcloud, that have started updating their terms and conditions to comply with GDPR. Meanwhile, others have been giving increased authority to their chief privacy officers, or hiring one if they hadn’t already.”

ZDNet notes, in April, Facebook confirmed it would move 1.5 billion non-EU users off an agreement with Facebook Ireland as part of a plan to reduce its exposure to GDPR. The company also said it would extend the same privacy controls and settings they have made available to Europeans to the rest of the world.

Constant Contact is also extending its new GDPR-compliant privacy policy to US customers, but on a different timeline.

From a recent Constant Contact email: “Because you are a valued Constant Contact customer, we want to let you know about upcoming changes to our privacy policy. If you are located in the European Union, these changes will go into effect for you as of May 23, 2018. If you are located outside of the European Union, these changes will go into effect for you as of June 23, 2018. We are making these changes to better explain our privacy practices to you and to reflect changes required by the European General Data Protection Regulation (GDPR). This includes more information about how we collect, use, and share any personal information you may give to us. We have reworded some content, and added details with the objective of making our practices easy for our customers to understand.”

How will the new regulations work?

The Verge, a multimedia technology analyst, explains that much of the GDPR builds on rules set by earlier EU privacy measures like the Privacy Shield and Data Protection Directive, but it expands on those measures in several crucial ways and also extends to companies based outside of the EU:

1. The GDPR sets a higher bar for obtaining personal data.

  • Now, any time a company collects personal data on an EU citizen, it will need explicit, informed consent — or opt-in — from that person.
  • Companies need to provide an easy way for people to revoke that consent.
  • People can also request all the data a company has from them.

2. The GDPR’s penalties are severe with much higher fines allowed by the Data Protection Directive.

  • Maximum fines per violation are set at 4 percent of a company’s global turnover (or $20 million, whichever is larger).

While your inbox may be full of emails from companies declaring new Internet privacy rules, “Very few companies are going to be 100 percent compliant on May 25th,” says Jason Straight, an attorney and chief privacy officer at United Lex, a company that sets up GDPR compliance programs for businesses (as reported by The Verge).

The big stumbling block is the new rule to provide people with any data a company has collected from them. People can now ask for their information to be deleted, to be corrected, and get delivered to them in a portable form.

What is challenging for many companies is how they categorize the data they collect and what they consider personal information in addition to the names, email addresses, phone numbers, and location data. Jason Straight explains that there is some data that is a bit harder to categorize such as “an oblique reference, like the tall bald guy who lives on East 18th Street. If someone said that in an email, that would be information you’d need to provide me with access to under the GDPR.”

Another question is how exactly the GDPR will be enforced. The Verge predicts, “Eventually, norms will emerge: who the regulators will go after, what kind of penalties they’ll levy for what kind of behavior, and how much of that 4 percent of global revenue they’ll extract from offenders. The general assumption is that when the deadline hits, European regulators will treat it as a soft opening, going easy on companies for a honeymoon period while everyone figures out how the law is going to work. But regulators can’t entirely control what’s going to happen on May 25th because parts of the GDPR are user-driven.”

The EU has always been ahead of the US in online privacy standards. By extending the reach of the GDPR to include companies with headquarters outside of the EU, we may soon have stricter privacy policies that give us more control of our data here in the US.

Sinu is a technology managed service provider with offices in New York City and Washington DC.