Why all the recent privacy policy updates?

I learned my speakers have a privacy policy. 

The last few weeks my inbox has seen an uptick in notices about terms of service and privacy policy updates. I recently received one for my SONOS speaker account. My house speakers needed to let me know they were updating their privacy policy. I didn’t know they needed a privacy policy.

Most large businesses are getting ready for May 25, 2018, when the General Data Protection Regulation (GDPR) takes effect. The regulation protects individuals in the European Union, but businesses worldwide that collect or process data about people in the EU are also required to comply.

While this won’t affect most of our clients or local businesses, a few should listen up. For those not impacted, it’s still worth being aware of, since this is the first privacy regulation with global reach covering individual privacy rights and control over personal data. At IdeaBank, we plan to phase compliance measures in gradually for our clients, so that if the US adopts similar regulations, customer data collected without the required disclosures does not all have to be thrown away.

High-level breakdown of the GDPR.

So, what is this again?

The European Union is making the first broad attempt at regulating how businesses collect, store and share an individual's data. It empowers the individual by requiring businesses to provide ways to opt out of tracking and non-essential cookies, to ask for stored data to be erased, and to request a copy of all the data a business holds on them.

In layman's terms.

If you have European customers, you have to tell current and potential customers that you are collecting information about them, what you will do with it, and how long you will keep it. Do it, or pay up: fines can reach 4% of annual global turnover or €20 million, whichever is higher.

What are most businesses doing?

Well, updating all their privacy policies and terms of service. Transparency about what is collected, how it is used, and for how long will be key. You will probably continue to see more of those pop-up banners on websites declaring cookie usage and offering settings.

Speaking of which, what are cookies? As a US citizen, should I opt out?

Data collection is taking a lot of heat right now. Cookies are small pieces of data that a website stores in your browser and that the browser sends back on every later request to that site; that round trip is what lets a site remember you. Unless you regularly visit shady sites, most cookies are probably making the site easier for you to use, or recording aggregate information on what visitors do on the site to help businesses understand their users and make UX improvements.

…In layman’s terms?

Cookies store information so a site can remember you and what you did there. Have you ever completely cleared your cookies and browsing history? Without cookies, that is essentially what would happen every time you browse the web: starting from square one, every session.

You will always have to log back into any website where you have an account, like Facebook, other social accounts, email, banks, shopping, etc. If you return to a site like Amazon, there will be no previously viewed products. Or even worse, your ‘suggested products’ will be completely unrelated to things you like. Be prepared for nursing fashion, next to fishing lures, next to high school textbooks on the history of English authors, next to high-end vegan health supplements. There will be no autofill when you type addresses, and no personalized Google search suggestions.

Cookies also feed information into systems like Google Analytics, so admins can gauge whether the site is working correctly. People like me will also look at these aggregate, non-person-specific numbers and pull out trends on what visitors are doing, or not doing, on the site.

These cookies can also send information to other parties, like Facebook, so they can show you ads for things you were just looking at. Annoying? Maybe. But would you rather see an ad for something you were already looking at, or something completely irrelevant to you? You will probably get served an ad regardless, so wouldn’t you want it to be something you might actually like?
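The practical form of “let people opt out of tracking and cookies” is a consent gate: parse the visitor’s cookies, read a recorded choice, and only load analytics or advertising tags for the categories the visitor accepted. The snippet below is an added example written for this post, not code from the original article or from any vendor named in it; the cookie name `cookie_consent`, the two optional categories, and the script URL are assumptions chosen for illustration.

```javascript
'use strict';

// Parse a Cookie header or document.cookie string into a name -> value object.
// A cookie without "=" is skipped; values are percent-decoded.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Optional categories a visitor can accept. "necessary" (session, CSRF token,
// cart) never needs consent and is always allowed.
const CATEGORIES = ['analytics', 'marketing'];

// Return the Set of allowed categories. No consent cookie, malformed JSON, or
// anything other than an explicit `true` means the category stays off.
function allowedCategories(cookieString) {
  const allowed = new Set(['necessary']);
  const raw = parseCookies(cookieString).cookie_consent;   // assumed cookie name
  if (!raw) return allowed;
  let choice;
  try { choice = JSON.parse(raw); } catch (e) { return allowed; }
  if (!choice || typeof choice !== 'object') return allowed;
  for (const cat of CATEGORIES) {
    if (choice[cat] === true) allowed.add(cat);
  }
  return allowed;
}

// Build the Set-Cookie value that records the visitor's choice. The record of
// consent itself gets an explicit lifetime (default 180 days) and is marked
// Secure and SameSite=Lax so it is not sent over plain HTTP or cross-site.
function consentCookie(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const value = {};
  for (const cat of CATEGORIES) value[cat] = choices[cat] === true;
  return 'cookie_consent=' + encodeURIComponent(JSON.stringify(value)) +
    '; Max-Age=' + maxAgeSeconds + '; Path=/; Secure; SameSite=Lax';
}

// Run each loader only if its category is allowed. Returns the list of
// categories that were actually loaded, so the decision can be audited.
function applyConsent(cookieString, loaders) {
  const allowed = allowedCategories(cookieString);
  const loaded = [];
  for (const [cat, load] of Object.entries(loaders)) {
    if (allowed.has(cat)) { load(); loaded.push(cat); }
  }
  return loaded;
}

// Browser usage (skipped when run under Node): third-party tags are injected
// only after consent, instead of being hard-coded in the page <head>.
if (typeof document !== 'undefined') {
  applyConsent(document.cookie, {
    analytics: () => {
      const s = document.createElement('script');
      s.src = 'https://analytics.example/tag.js';   // placeholder URL
      document.head.appendChild(s);
    },
    marketing: () => { /* inject the ads pixel here, same pattern */ },
  });
}
```

The important design point is the default: an absent or garbled consent cookie loads nothing optional, and a banner click writes the cookie with `consentCookie` and then calls `applyConsent` again. Hard-coding the analytics tag in the page and merely hiding the banner afterwards is the common mistake; the data is collected before anyone agreed.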

What about email?

An email address is personal data and is covered by this regulation. This gives an individual in the EU the right to ask a business to erase their email address from its database. So if someone opts out but continues to receive emails, the company is exposed to regulatory fines (see the UK ICO’s penalties against Flybe and Honda for emailing people who had opted out).

The key with email is that any time you capture an address, you clearly state why you are collecting it, what you will do with it and how long you will keep it, and that when a user unsubscribes, they are actually removed from the list. “Obtaining email addresses for ongoing marketing campaigns indefinitely” appears to be an acceptable explanation; it just needs to be disclosed.

And, vet your vendors.

One other suggestion: make sure any third party that touches your customers’ data or collects information on your website is updating its own privacy policy to be compliant. If a vendor is caught misusing information (for example, selling your customers’ information to another party without disclosing it and getting the user’s agreement), you can also be held responsible for the misuse and subject to fines. Most large vendors (Google, Hotjar, etc.) have been sending notifications confirming their updates, but it’s worth checking that all your partners are doing the same.

Will it be successful?

Up for debate. It’s already understood that this is just the first iteration of this type of regulation, so it will be messy and adjustments will be needed. The ‘awkward cousin’ of this regulation, the ePrivacy Regulation, is already coming down the pike; it will complement the GDPR rather than change it.

I also stand behind the notion of being careful what you wish for. It’s a nice thought to want no sites storing information about you. But as outlined above, cookies and similar data storage methods are so universal that we don’t know what the web looks like without customization or personalization. Because the current US climate has made us terrified of personal data collection, people will demand this option. I’m not sure I want to go back to a web that doesn’t know who I am.

You’ve scared me. Help!

Remember, this currently applies only to businesses with customers in the EU. There’s a slew of information out there analyzing the lengthy regulation text. This is a summary of other people’s summaries (probably pulled from other summaries), so it’s not all-encompassing or 100% accurate. If you have concerns about your business or compliance, I encourage you to learn more (some of the most useful articles I found are below) and consult any legal or compliance advisors you have.

If you are a client of ours, feel free to reach out to Sherma or Anthony and discuss some of your concerns or next steps for your business.

Relevant Articles
