If you use popular apps and websites like Facebook, Twitter and Uber, you've probably received a flood of emails recently announcing updates to the company's privacy policies. And like most sane people, you probably deleted them.
But was that smart?
The reason for the rash of updates is something called the General Data Protection Regulation (GDPR), a new data privacy law that went into effect in the European Union on May 25, 2018. The law requires any tech company with users in the E.U. to comply with a strict new set of regulations intended to give individuals more control over their online personal data and how it's shared.
Personal data is big business. It's how a company like Facebook, which charges nothing for its services, brought in revenue of $40 billion in 2017. Facebook doesn't sell your personal data to other companies, but it uses your unique online profile — your gender, education level, location, friends, likes, posts and more — to target third-party ads that appear in your feed.
Sometimes that data slips out of Facebook's hands, though, as 87 million Facebook users found out when their personal info was shared with conservative political consulting firm Cambridge Analytica without their permission. Data breaches like this, plus a general public distrust of how their information is being used online, is why the GDPR exists.
The GDPR requires companies to take several steps to secure data and give more control to users in the E.U., including:
- Plain language, not baffling legalese, in all privacy policies and explanations of how data is used
- Consent required to collect and process a user's data, including clear and easy ways to opt out of some or all data collection
- Let people download their personal data and take it to another company if they wish
- Inform all affected users of a data breach within 72 hours of its detection
- Give users the "right to be forgotten," in other words to delete their account and data permanently
- Make it easy for users to opt out of target marketing using their personal data
- Place special safeguards on sensitive information regarding health data, race, sexual orientation, religion and political beliefs
Although the GDPR only requires tech companies to offer new data privacy options to E.U. citizens, some U.S. companies like Microsoft have extended their updated policies to users worldwide. Other companies have used their GDPR compliance efforts to clarify their data privacy policies and offer better tools for controlling access. Which is why you received all those emails, even if you don't live in Europe.
If you're concerned about data privacy — and you should be — take a few minutes to actually read the emails from your favorite apps and websites. Twitter, for example, now allows users to opt out of all interest-based advertising, and Facebook lets you opt out of all kinds of marketing and data collection efforts in your account settings tab under "Ads." You can even download your full Facebook data profile.
What to do with it? For once, that's up to you.