Almost everybody who uses an online service or app that handles their data has been getting a flood of emails advising of privacy-policy changes.
And it’s not the U.S. behind the tech industry’s recent flurry of updates. Instead, the European Union has been driving these changes with a sweeping set of privacy rules that will go into effect May 25 — and which are also yielding benefits on this side of the Atlantic.
The EU’s General Data Protection Regulation will require companies that handle the data of EU residents to provide them with far more control over that data. Among the key provisions of this roughly 54,000-word document:
• Companies have to obtain users’ permission in much more detail before using their information for marketing or advertising.
• They have to let users inspect the data they’ve collected and correct it on request — then delete it when it’s no longer needed.
• They must allow users to download their data in a format they can then take to a competing service — what’s called data portability.
• People can challenge algorithmic decisions that affect them significantly and ask that humans make them instead.
The GDPR says nothing about how companies treat customers in other countries. But many U.S. firms that have had to rewrite privacy policies for Europe to avoid fines that could cost them billions of dollars are carrying over these changes to the States for the sake of simplicity. That has American privacy advocates pleasantly surprised.
“I, like most consumers, have been getting a series of notifications from a lot of the apps that I use that they’re updating their privacy policies effective May 25 — that must not be a coincidence,” laughed Terrell McSweeny, who on Friday wrapped up a four-year term on the Federal Trade Commission. “One of the things that I’m noticing is that as an American consumer, I’m getting a lot more options in these new policies.”
Indeed, many GDPR-driven privacy-policy rewrites take more care to describe how a company handles your data and offer clearer opt-outs to some of those uses. Another frequent change: simpler interfaces to adjust these settings, such as the revised privacy center Facebook will soon ship.
But for American users, the GDPR’s greatest gift is its data-portability mandate. When you can take your data and your business elsewhere, you have much more leverage as a customer.
Recently Instagram added an option to download your data, finally catching up to the data-export feature its corporate parent Facebook rolled out in 2010. Apple added its own data-portability feature as part of a round of GDPR-driven changes.
Expect more changes such as these. For instance, blogging service Tumblr, owned by Verizon’s Oath media division, doesn’t offer an export function but will have to add one by May 25 to comply with the EU’s new rules. But the company has yet to announce any timing for that, and a March 20 post on GDPR changes by chief privacy officer Doug Miller doesn’t mention this angle.
(Disclosure: I also write for Yahoo Finance, another Oath subsidiary.)
Letting regulators in Brussels make privacy choices for Americans may seem like a strange form of offshoring, but at least one former regulator in Washington will not complain about the results.
“I do see that there is a big change happening, as a user,” McSweeny said. “Even a user based here in America.”