Right now, many of the big websites, services, and apps you use are rushing to get their new privacy policies and terms of service in order. You’ve probably noticed all the notifications about it popping up on your phone and in your email. Just this week, we’ve seen messages from Etsy, Instagram, GoDaddy, Squarespace, Square, LinkedIn, Strava, SoundCloud, and just about any other app that requires you to sign up for an account. The driving force behind this change is Europe’s new General Data Protection Regulation (GDPR), which was approved in 2016 but goes into effect on May 25, 2018.
A 2008 study showed that it would take the average person roughly 244 hours per year to read all of the privacy policies for sites they use, which translates to about 40 minutes per day. And that was way back in 2008 when people used the internet for an estimated 1 hour, 12 minutes per day—a number that has grown to roughly 3 hours, 10 minutes. It sure is much easier just to check the box that says, “I agree” and then start using an app or service.
Technically, you have probably already given many services consent to track you and use your information in a variety of ways when you agreed to a site or app’s terms. This happens when an app like Facebook throws a wall of text at you, followed by a checkmark that says something to the order of, “I promise I’ve read all of this legal jargon, I understand what it means, and I can’t wait for you to start profiting from my data.” That last part is an exaggeration, of course, but it’s fundamentally how many online services operate.
“The privacy policies are purposely ambiguous,” says Kirsten Martin, associate professor of business ethics at George Washington University and cyber privacy expert. “They’re written with words like trusted third-party suppliers. They use vague words to ‘improve service for you’ and not explain what’s going on.” Under GDPR regulations, that kind of obfuscation won’t—or at least shouldn’t—fly.
A quote from the official GDPR FAQ sums up the top-level reform in terms of privacy policies:
“The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.”
In short, GDPR gives European Union citizens the right to clearly and explicitly opt into having their data collected and used by a company on the web.
It’s clearer than the typical mountain of legalese sites and services expect you to navigate, but there are still layers to dig through. Clicking “more information” on the “personalized ads” tab, for instance, takes you to another page that outlines some real-world examples of how the ad targeting works. At the very bottom, however, it also says that opting out of personalized ads still allows the service to target you with advertising based on “what you tweet, who you follow, what type of phone you use, where you are, and the links you click on Twitter.” It saves you from targeting by third parties who may have your email address or tracked you via Twitter integration on their website, but it can’t absolve you from Twitter’s ads completely.
A benefit of the notification, however, is that everything you can actually opt out of is available in one place that you don’t have to go hunting to find. My account went from totally opted in to completely opted out because of it. “GDPR says it has to be as easy to opt out as it is to opt in,” says Martin. Getting to the settings menu in Twitter to change these settings once you’ve dismissed the initial notification takes four taps into the menus.
Out of curiosity, I did sign up for a new Twitter account (which is why I now have an account called “@babymanrampge”) and didn’t get a prompt to opt into the tracking. By default, I was opted into all of the tracking except the part that tracks my activity across the web, which allows it to look at other sites I visit that have Twitter integration.
The language barrier
But, just because some sites are offering clearer controls and policies, we shouldn’t necessarily expect that all of the GDPR protections will apply to people in the U.S. and other countries.
Etsy’s update, for instance, includes the following text:
“Depending on your location, we may provide you with the ability to access, download, and request deletion of your personal information.” It differentiates users’ specific rights based on the governing regulations of their country of residence.
When senators and representatives asked Mark Zuckerberg about whether Facebook’s GDPR updates would apply globally, his response translated to a resounding, “kinda.”
Since then, Facebook has issued a couple different privacy changes. You can now download your Instagram user data, including your photos and comments. That change is a direct nod to GDPR’s requirement for “data portability,” which allows users to take their content with them to another service or save it for posterity.
Facebook even published its internal guidelines for moderating user content, which is an acknowledgement of the GDPR’s mandate for transparency. That development is particularly interesting because of its interplay with Facebook’s penchant for using AI tools to evaluate content. “You have to have the ability to ask questions about the decisions made about data,” says Martin. “Facebook has a tendency to try and automate things when they go wrong. GDPR gives people the right to a human review of decisions made by AI and algorithms in general.” By posting its content moderation guide, Facebook is offering a pre-emptive explanation of its moderation decisions.
For instance, Facebook’s guidelines shed some specific light on its policies regarding nudity, which have come under fire when breastfeeding and post-mastectomy photos have been removed from the service. There’s still some ambiguity in the language, but it’s more straightforward than before.
There could be a second wave of changes
The Honest Ads Act, for instance, is a bipartisan bill meant to mitigate the ability of organizations to manipulate users with targeted political ads. Both Facebook and Twitter have voiced support for the bill, but the proposed law only addresses a small piece of the enormous privacy puzzle. It’s possible we could see more sweeping reform here in the States, but it’s likely a long way off if it happens at all.
Still, we’re reaping the fringe benefits of Europe’s efforts, which are about to come to fruition. Martin likens it to California’s efforts to raise the bar regarding vehicle emissions by imposing stricter requirements for things like miles-per-gallon, then getting other states on board to incentivize car companies to increase their efficiency efforts.