Massive tech companies are watching who you are and what you do on the internet, and there’s not much you can do about it.
Fortunately, the European Union is here to save at least some of us.
The EU is less than six months away from instituting the most aggressive personal data protections ever seen, limiting how tech companies can collect, secure, and use your information — and making sure they let you know just what they’re doing.
The rules will put the EU far ahead of the U.S. in terms of regulating tech companies. The U.S. is considering no such rules at this time.
Facebook and Google both use vast troves of data (some that you provide directly, some that they collect as you surf the internet) to show you hyper-targeted ads. This is why the two companies have come to dominate the growing online advertising market.
The EU isn’t about to stop these companies from using data, but it is working to make sure that the companies are acting responsibly — in the form of the General Data Protection Regulation, which goes into effect for member nations in May 2018.
What is the General Data Protection Regulation?
In April 2016, the EU adopted the GDPR, an expansive data privacy measure that turns the heat up on companies and organizations that make use of people’s personal information. The new regulations govern the ways an individual’s private data can be collected and exploited.
It doesn’t go into effect until May 2018, but its arrival will fundamentally reshape the way certain companies conduct business online. That’s a big reason why there’s been such a lengthy runway between the GDPR’s adoption and implementation.
Non-compliance equates to massive fines: For the most serious infringements — which include exploiting user data without the proper consent — it’s up to 4 percent of a company’s annual income, or €20 million.
This changes the EU landscape significantly for a company like Facebook. The social network’s “Cookie Consent Guide for Sites and Apps” includes an extensive breakdown of how new consent rules will work in the EU specifically, and which types of interests they’ll impact.
The same info page addresses how consent works throughout the rest of the world — including the U.S. — in a single sentence: “Outside of the EU, other laws and rules may require you to provide notice and obtain consent to collect and use data from your site or app.”
That disparity alone, between the laborious breakdown of EU consent rules and the one-sentence “other countries may vary” explanation, makes an eloquent point about the GDPR on its own: This is serious stuff.
How does the GDPR work?
Under the GDPR, any business or organization that works with user data online will be required to explain, up front and transparently, what they’re collecting and why they’re collecting it. Further, certain types of data come with explicit consent requirements, and users are permitted to withdraw that consent — and have any collected data erased — at any time.
The new regulation applies a broad definition to what qualifies as personal data. It certainly covers your name, age, profession, and all the other basic details one would normally list on a social media profile. But it also covers IP addresses, location data, and web browsing cookies.
Then there are the more sensitive, consent-required data points, including a person’s race or ethnicity, politics, union membership, philosophical beliefs, and genetic or biometric information. Data collectors must seek consent to gather and use this information, and they’re required to purge it upon request.
Importantly, the GDPR requires a high level of transparency. A company can’t simply put a dense, 30-page EULA in front of you, have you check off a box at the bottom — or pre-check it for you — and call it a day.
“One of the things we have high hopes for significant change under the GDPR is how transparency is really delivered to users, particularly by these internet companies,” Ireland’s Data Protection Commissioner Helen Dixon told Wired in July. “We know from our engagement with them that a lot of them are looking very proactively at how they are going to do the transparency under the GDPR.”
The regulation takes more of a common sense approach than U.S. citizens are used to: If some tech company wants to use your data, they need to be straight about what they’re collecting, how they’ll use it, and who else (if anyone) will see it. They’re also required to share what they’ve collected upon request and obtain consent, in cases that call for it.
How will the GDPR affect data-driven online services?
All of these new rules present a bigger issue for a social network like Facebook than a search engine business like Google. That’s because Facebook’s targeted ads depend on data gathered from individual user profiles, whereas Google leans on anonymized search results to serve ads.
In the case of a social network like Facebook, users will need to be provided with clear, intelligible instructions for providing and revoking consent, and having their personal data deleted if they so choose. They’ll also need to be informed of how their data will be put to use and which other parties will have access to it, if any.
Some have suggested the EU is choosing sides, since an account-driven data collector like Facebook faces a more laborious set of changes under the GDPR than a search engine like Google. In truth, the explanation is much simpler: GDPR functions to protect the end-user, rather than aid the data collector. Facebook needs to make fundamental changes because, well, its methods of gathering and using your data aren’t the most transparent.
Email marketing platforms also have some work to do as they prepare for the reality of a post-GDPR EU. Documentation released by MailChimp, to point to just one example, notes that recipients of the company’s emails will be able to opt out of everything in one go.
That option is a function of the GDPR’s “Right to be Forgotten” article. As MailChimp’s updated guidelines state: “You may terminate your MailChimp account at any time, in which case we will permanently delete your account and all data associated with it.”
Fundamentally, the GDPR is driven by the common-sense belief that end-users should be given a clear understanding of exactly what they’re signing up for when they join a new social network, or consent to their personal data being exploited in some way. If it seems like this is a no-brainer, that’s because it is.
User data is one of the most valuable assets available to online businesses today, and these new EU regulations aim to make that value clearer to the end user. The absence of any similar legislation in the U.S. is primarily a testament to the power of the country’s tech lobby.