If you've opened your inbox recently, there's a very high chance it has been flooded with "Update to our privacy policy" emails. As much as these emails might look like spam... they're not.
Two weeks ago, the European Union's General Data Protection Regulation (GDPR) came into effect (it was adopted back in 2016, with a two-year grace period before enforcement). The regulation sets out digital privacy rights for anyone whose data is collected within the European Union, and demands changes in the way companies, websites and apps collect, use and store users' data. With hefty fines waiting around the corner for companies that do not comply, there has been a mad scramble to update privacy policies and send them out for users to read and consent to before the deadline.
The GDPR aims to make data collection more transparent for users. Users must be told exactly why each piece of data is being collected and exactly what the company, website or app intends to do with it. The intention is also to give users far more control over their data. Among the GDPR's requirements:
- Policies must be written in plain, easy-to-understand language; companies can no longer hide behind tricky legal terms and run-around explanations of how data is collected and used.
- Consent is required to collect and store user data, and it must be as easy to withdraw as it was to give, with a simple way to "opt out" of specific or all data collection.
- Users must be able to download all of their personal data in a portable format, and are free to take it to another company.
- If there is a data security breach, the company has to notify the supervisory authority within 72 hours of becoming aware of it, and must inform the affected users without undue delay when the breach puts their rights at high risk.
- Users must be able to be "forgotten", i.e. have all of their data and their account permanently deleted from the company's systems.
- Users have the right to refuse targeted marketing and profiling, which uses their personal details and data to send them specific advertisements.
- Stronger safeguards are required for data that is more sensitive in nature, such as health data or data revealing ethnic origin, religion or sexual orientation.
"But I don't live in Europe, how does this new EU policy affect me?" is a question many internet users around the world asked in response to the new law. Well, every website, app or company that serves visitors from Europe or monitors their behaviour needs to comply with the GDPR, regardless of where it is based... so essentially almost every app, company and website on the planet.
Many companies had long mailing lists that weren't entirely kosher (addresses gathered without clear consent), and are now using the GDPR as an opportunity to "cleanse" those lists by asking subscribers to confirm they want to stay.
I would say quite confidently that almost all of us don't actually read any of the privacy policies of the companies we trust with our data. In fact, a study done in 2008 showed that an average person would need almost 250 hours a year (about 40 minutes a day) to read all of the privacy policies for the websites they use, and that was 10 years ago...
Companies usually hide behind a wall of legal jargon and pages upon pages of T&Cs, hoping that you won't grab a cup of tea, get a magnifying glass for the fine print and spend the next day or so trawling through the policy to make sure it's all squeaky clean before ticking the checkbox claiming you've read it all and consent. Most of us just scroll to the bottom and don't even glance at the 300-odd-page document, because really, who has the time?
There is a possibility of a "second wave" of changes to privacy policies emerging from the U.S., as the government may want to follow in the EU's footsteps and create its own law on data collection, storage and usage.
One of the ultimate goals of the GDPR is to promote an idea called "privacy by design", whereby consideration of users' privacy rights becomes a fundamental and integral part of the early design phase of a website or app, rather than privacy being crammed into the process at a much later stage.