The internet is about to undergo a major regulatory overhaul.
On May 25, the General Data Protection Regulation (GDPR) — a set of data-handling rules put forth by European Union regulators — will go into effect. The new rules require all organizations — from local governments to giant corporations like Google — to take special precautions to protect the personal data and privacy of EU citizens. Any company that has even a single client in the EU will be subject to the rules, meaning the implications reach far beyond the continent and will create changes affecting all internet users.
“Every large organization is global today,” said Rishi Bhargava, co-founder of security company Demisto. “Any rule that is applied in Europe will have an effect on US citizens too.”
With high penalties at stake, companies are scrambling to comply. If they don’t, they will be fined €20 million ($24.5 million) or 4% of their global annual revenue, whichever is higher, for each infraction. U.S.-based internet giants with users around the world, including Facebook, Google and Twitter, will be subject to the rules, making the potential fines hefty. With Facebook’s annual revenue at $40.7 billion, for example, a single infraction — not warning users how their data is being used, for instance — could cost the company $1.6 billion.
This is good news for consumers, said Michelle Dennedy, chief privacy officer at Cisco, comparing it to the first rules regulating children’s toys or medicine. “GDPR is not the end,” she said. “It is the beginning of the era in which we start to value personal data.”
Although GDPR is meant to apply to citizens of the EU, the changes will likely affect most Americans, said Hilary Wandall, chief data governance officer at TrustArc, a privacy consulting company based in San Francisco and London that works with companies like IBM. Because it is sometimes difficult to determine the location of every customer, she said the majority of her clients are changing the way they handle all data — not just that of EU customers.
“In preparing for GDPR, most companies are changing their process across the board,” she said. “It is causing every company to invest much more in thinking about privacy. The new rules will empower consumers to more easily manage their settings and opt in and out of specific data-sharing features.”
Rights under GDPR largely boil down to consent, she said. Companies will be required to tell customers exactly what data they are giving up and to whom. That means more notifications that your data is being collected, clearer privacy policies and, in many cases, the right to delete your data when you leave an app — and not just on EU services.
Here are some changes you can expect, even if you live in the U.S.
Consumers will get simpler messages about data
Under the rules, consumer consent about what companies do with their data must be “freely given, specific and informed.” As stated by EU regulators, “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.”
This means many companies will be changing their privacy policies for all consumers: people will be getting more pop-ups and notifications when they start using a website (rather than pages of confusing “terms of service” agreements) alerting them to what data is being used. Some companies have already started emailing users to ask them to update preferences or consent to data collection, even if they do not live in the EU.
Facebook, for example, will allow users to opt out of some data collection for ads and update its permissions about what information is shared. Facebook CEO Mark Zuckerberg admitted during his recent visit to Congress that his company’s terms of service were difficult to understand, and that “the average person” likely doesn’t read them. A spokesman from Facebook told MarketWatch GDPR rules would result in changes to U.S. user experiences, though he did not specify exactly how.
You may know sooner when you’ve been hacked
Companies must alert users of a breach within 72 hours under GDPR. And that worries a lot of companies, Wandall said. “After 72 hours, you don’t usually know a lot,” she said. The rules could prevent situations like the 2016 hack of Uber, which the company didn’t reveal for a year.
“GDPR will put public pressure on companies to disclose more information about breaches around the world, much quicker than they have in the past,” said Travis Jarae, chief executive officer of security advisory company One World Identity. “Because the hack disclosure rule only applies to EU citizens, American citizens will likely reap the benefits of being notified about a hack simultaneously.”
No federal law exists in the U.S. regarding data breach notification, though representatives of the Federal Trade Commission have lobbied for it in the past. Regulations requiring data breach notification exist in 47 out of 50 U.S. states but vary in nature. California, for example, requires companies to notify citizens within 15 days.
U.S. Senators introduced a data breach notification law in December, but it did not pass. Experts say it’s likely that U.S. lawmakers will come under more pressure to introduce their own data breach disclosure law after it becomes commonplace in the EU.
Apps will have less access to data
Apps will now have less access to data on your devices — even if you live in the U.S., experts say. More than half of mobile applications currently do not meet GDPR requirements, according to a study by mobile-software development management platform SafeDK.
Apps with customers in the EU will need more explicit privacy policies and will not be allowed to collect unnecessary data from devices, like phone contacts or call logs, as Facebook’s app did in the past. (Facebook said it did not collect the content of those calls and said that it doesn’t sell this data to advertisers. The company says it collects the data to make it easier for users to contact friends.)
Age restrictions on data collection
Under GDPR, apps are not supposed to collect data about children under the age of 16. Rather than comply with that rule, some apps are simply creating new age limits. WhatsApp announced in April that it’s raising the minimum age to use the app to 16 across Europe.
Although GDPR only requires age restrictions on children living in the EU, experts believe the requirements will spur companies to increase age limits in the U.S. Currently, the U.S. regulates children’s data under COPPA, which restricts companies from collecting marketing data on children under the age of 13. Experts suggest that age could be raised to 16 due to the influence of GDPR.
Some apps have announced they’re shutting down
Some services, rather than attempt to comply with the new rules, will simply cease to exist. Email unsubscribing service Unroll.me announced on May 5 it will no longer be available to EU users because it cannot comply with GDPR rules. Klout, which measured online influence, announced it will shut down globally on May 25 to avoid having to change its data practices. Other companies that have been killed by GDPR include games like Loadout and Super Monday Night Combat.