“You have to fight for your privacy or you lose it.”
–Eric Schmidt, former Executive Chairman, Google and Alphabet
The General Data Protection Regulation (GDPR)
Over the last few weeks, you’ve probably received numerous emails from social media sites, apps you use, and other online service providers announcing they are updating their privacy settings to enhance the user experience and give you more control of your personal data. The fact of the matter is that nearly all of this recent activity to update privacy settings is a result of a European Union (EU) law that was adopted by the European Parliament on April 16, 2016, and, after a two-year transition period, became effective on May 25, 2018.
The EU’s General Data Protection Regulation (GDPR) only affects EU companies, citizens, and residents within the EU. However, given the reach of the world-wide web and the internet, GDPR effects a lot of U.S. companies who conduct business within the European Economic Area. Thus, many companies are adapting the standards set forth by the GDPR in anticipation of similar regulations being promulgated in the U.S. The Brussels Effect is the phenomenon of effective worldwide regulation caused by the European Union forcing its laws outside its borders through market mechanisms. Firms trading internationally, especially into or out of the EU, find it is not economically feasible or practical to maintain lower standards in non-EU markets. For non-EU companies exporting globally, it is beneficial to adopt mandated standards uniformly throughout their business, regardless of where individual customers are.
Further, U.S. companies are responding to both data breaches (Equifax) and recent scandals (Facebook and Cambridge Analytica). Recently, people have learned a lot about how companies capture, manipulate, and sell personal information. We believe the GDPR and its adoption gives users more transparency and control of their personal data. That’s a good thing for the customer and makes good business sense too.
Four Key Rights of Consumers under GDPR
There are several consumer rights spelled out by the GDPR. Here are four that we wanted to highlight because they are most likely to affect you.
- Consumers can grant or deny services consent. Companies must receive explicit consent from consumers before signing them up to receive emails and other communications. In fact, the GDPR makes it illegal to have the default setting be “Yes! Sign me up to receive your newsletter.” It now must default to the opt-out setting, meaning visitors have to intentionally check the box to be added to a subscriber list. Notably, this doesn’t apply to newsletter subscription forms as that is already a clear consent. If you provide the data to start a newsletter subscription, you consent to receiving the newsletter.
- Consumers have the right to access their personal data. Companies must provide all data it has on a consumer at the consumer’s request. The GDPR gives consumers not only the right to access their personal data, but also information about how this data is being used and processed. Both data being “provided” by the consumer and data being “observed,” such as online shopping habits or preferences, are included and must be provided upon request. In addition, the data must be provided in a structured and commonly used electronic format—in other words, it can’t be gobbledygook.
- Consumers have the right to be forgotten. At your request, companies must delete all your client and prospect data. More correctly, this is a right to erasure. If you request it, your data must be erased.
- Consumers can grant or deny placement of cookies. Companies must receive explicit consent before placing cookies on a consumer’s device. This is a whole new approach to cookies, which companies have never been required to notify you about. You will now see a popup alert every time a tracking cookie is used. In addition, companies have to provide consumers with the option to manage their cookie preferences. For example, if someone once said it was okay to use cookies on a device but now wants to revoke that permission, the company must provide an easy and straight forward way for the consumer to do so.