You’ve probably noticed all the notifications about it popping up on your phone and in your email. It’s not just you. Inboxes everywhere are experiencing a flood of emails for privacy policy updates or requests to opt-in to different types of data collection. Spotify, Etsy, Instagram, NVIDIA, Reddit, Yahoo!, and websites across the globe have been updating their privacy policies and terms of service.
This is happening because companies have until May 25 to be compliant with a new law called the General Data Protection Regulation (GDPR). While GDPR is only in effect in the European Union, browsing online is essentially borderless, so websites have to design their privacy policies in ways that extend to people around the world, including Americans. If a company holds European Union data, it needs to play by EU rules.
What is the GDPR?
GDPR is a massive overhaul of privacy on the Web laid out over the course of a 261-page document that you can read here if you’re feeling studious. The main takeaways, however, are these:
- The GDPR dictates protections for personal data, and defines personal data very broadly.
- If you are collecting personal data from anyone located in the EU, you most likely fall under the scope of the GDPR.
- Consent to collect data must be freely given, withdrawable, and in some cases, cannot be a prerequisite for a contract.
- If you suffer a security breach that includes data related to a person located in the EU, you must provide notification of the breach within 72 hours.
- If you are collecting data in one of the act’s “special categories” of data, you may need to appoint a data protection officer with expert knowledge of data protection in order to comply with GDPR.
- Persons about whom data is collected must provide explicit consent in some situations.
- Certain information must be provided to the persons about whom data is collected, including the identity of the collector, their right to withdraw consent, to access their data, and their right to lodge a complaint.
- Penalties for violating the GDPR will be at least 11 million dollars.
One way to ensure your compliance with at least some requirements of the GDPR is to consider applying for the U.S. – E.U. Privacy Shield Framework, which was negotiated by the U.S. Department of Commerce (DoC). Under this Privacy Shield Framework, you self-certify that you are compliant with a number of guidelines, and the International Trade Administration of the DoC conducts verification and compliance reviews.