You wake up one morning and see a peculiar email from Facebook informing you that they’ve updated their privacy policy - again. Emails titled “updates to Terms of Use” or “improvements to our privacy policy” are popping into your inbox more and more frequently, so it’s only fair to wonder why everyone is updating their privacy policies so often these days.
The short answer is to protect users like you. As of spring 2018, the General Data Protection Regulation, or GDPR, requires online service providers to be more transparent with consumers.
Company-to-consumer transparency is one of those things that, as a consumer, you’re generally not worried about until something bad happens. The GDPR overhaul aims to bridge that gap and raise the standards by which a user’s information and privacy are handled, whether in a crisis or not. Across the globe, companies based in the United States, the European Union, Brazil, Australia, and elsewhere have made leaps and bounds toward protecting user privacy on a large scale.
But what exactly is the General Data Protection Regulation? What is a privacy policy and how are they being updated? How will you be affected? Let’s take these questions one by one so you know more about privacy policies and their effect on you as a consumer.
What is a privacy policy?
At its core, a privacy policy is a document that details the methods an organization plans to employ to protect consumer, client, or employee information within its operations. So when you sign up for Facebook, you’ll see a long document of small-print text that explains the type of information they collect, how they use the information you enter, and how they share that information.
Most websites and service providers make their privacy policy easily accessible to users and visitors. This is meant to ensure that users understand exactly what kind of information is being stored and what the site intends to do with it. But unless you take the time to scroll through and read the ins and outs of a privacy document, you’re likely signing off on a number of privacy agreements you’re completely unaware of.
In fact, a 2017 Deloitte survey found that 91% of Americans consent to legal terms, privacy policies, and terms of use without reading them [1]. Results from the 18-34 age range were even more alarming; a shocking 97% of young users accept terms and conditions before reading.
The bottom line is that privacy policies dictate a company’s precise intentions with your confidential information. Today’s technology and online services use so much of our personal information to make decisions we don’t even know about. It’s the privacy policy’s job to reveal the background noise you probably scrolled past without fully reading or understanding.
What is the General Data Protection Regulation?
Back in 2016, the European Parliament passed legislation to provide citizens with more control over their personal information and data. This legislation also required companies to safeguard the confidential data and privacy of European Union citizens for EU-based transactions.
The GDPR gave companies and organizations two years to adjust their privacy policies to comply with the legislative terms. Full implementation went into effect on May 25, 2018, which is likely the answer to why you received so many privacy policy updates around that time.
Among the many changes brought on by the GDPR, there are five that truly changed the face of how companies and organizations handle user information.
1. Breach notification
2. Right to access
3. Privacy by design
4. Data portability
5. Right to be forgotten
These are all changes that better protect you. So, how does the GDPR work for you? Let’s break it down:
1. Breach notification: Article 33 of the General Data Protection Regulation details that an organization is required to report a data breach to the appropriate supervisory authority within 72 hours of becoming aware of it [2]. This process requires data controllers and supervisory authorities to determine which individuals were affected by the breach, and what specific information may have been compromised.
If the company is dealing with a large-scale, high-risk data breach that puts user financial, identity, or other sensitive data at risk, they are required to notify affected individuals. They are also obligated to be clear and comprehensive when communicating an active situation with users. In fact, some countries require that proof of communication be provided to the data protection authority to ensure proper information is being disclosed.
2. Right to access: It’s hard to believe that this wasn’t stated within legislation before, but Article 15 of the GDPR officially states that users “shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data” [3].
As per Article 15, users have the right to access the following:
- The purpose of the processing
- The categories of personal data concerned
- The right to lodge a complaint with a supervisory authority
- The envisaged period for which the data will be stored
- The existence of automated decision-making, including profiling
- The right to request rectification or erasure of personal data from the controller
3. Data protection by design and by default: Article 25 of the GDPR states that controllers responsible for creating applications or websites are required to prioritize the protection of user information [4]. This mandates that user privacy and security be built into the design process from the start, not treated as a mere afterthought.
4. Data portability: Though data portability is a more complex concept, it’s an important one: it gives users access to the data concerning them that a controller holds, in a structured, commonly used, and machine-readable format. Article 20 also permits users to transmit their personal data from one controller to another [5].
5. Right to be forgotten: Think back to your earlier internet days, when you thought posting embarrassing pictures or making less-than-savory email accounts was acceptable. In your adulthood, there’s nothing you want more than to make those nightmarish photos and accounts disappear.
Luckily, the GDPR introduced a new right allowing individuals to have their personal information permanently erased. Also known as the right to erasure, this right is not absolute and applies only under certain circumstances.
Who does the GDPR affect?
You’re probably wondering how a European Union regulation can possibly affect you when you live outside the EU. But if you’re a Google, Facebook, Twitter, or Instagram user, the GDPR has already taken effect in your life.
The Right to Access provision [6] within the GDPR mandates that each of those companies, and every other organization subject to it, must provide a record of all the data collected on you if you request it. If you want or need a copy of all of that information, it is no longer out of reach. In essence, the GDPR gives the average user far more privacy protection than in the past.
In the larger scheme of things, the GDPR most significantly affects businesses with online services. Since the 2016 passing of the GDPR, businesses were allotted two years to bring their privacy and security policies into alignment with the GDPR’s requirements. Falling below the GDPR compliance standard exposes a company to a hefty penalty: either 4% of the company’s annual global turnover or a $26,421,980 fine, whichever is greater.
What should I look for within privacy policy updates?
Across the board, the GDPR has required companies and organizations to hold themselves to high standards when it comes to handling confidential user information. Though you may have felt a little annoyed to see your inbox filled with policy update emails, the notification itself is a sign that things are moving in the right direction.
Take Facebook for example: with over 2.32 billion users worldwide, the social media giant is home to one of the largest hubs of user information. From sharing your date of birth to photos from high school, the average Facebook user has absolutely no problem sharing their lives on the social media site. Though the focus is ultimately on sharing those moments with close friends and family, users often overlook the fact that Facebook also uses your information for other applications.
In perhaps the largest data leak the social networking site has ever seen, Facebook’s Cambridge Analytica ordeal prompted millions to revisit how much they put out onto the internet. In an attempt to rectify the situation and comply with the GDPR, Facebook made a number of changes and updates to their privacy policy - setting the stage for what to look for in revisited policies.
How information is collected and shared
When you sign up for Facebook, you’re asked to provide your name, gender, date of birth, email, and mobile phone number. This data alone can help Facebook better understand who you are, and what you will likely want to see. However, your online behavior is also tracked by Facebook.
Once you’re all signed up and logged in, Facebook will then collect and store data pertaining to:
- Additional personal information such as hometown, maiden name, current city, employment, political groups, alumni associations, main names, school, and other linked social networks.
- Every IP address that you use to log in to your account
- A complete activity log documenting “a list of your posts and activity, from today back to the very beginning. You’ll also see stories and photos you’ve been tagged in, as well as the connections you’ve made - like when you liked a Page or added someone as a friend.”
- All third-party applications that you intentionally or unintentionally link to your Facebook account. This includes everything from Uber, Airbnb, Candy Crush, Spotify, and more.
- All connected devices that you have used to access your Facebook account. This could be your smartwatch, smartphone, computer, tablet, or virtual assistants.
In essence, Facebook wants to understand exactly who you are, and uses a number of telling resources to collect the information needed to build and strengthen your profile.
When it comes to sharing your information, Facebook plainly states in their privacy policy that they “will never sell your information to anyone” and that they “have a responsibility to keep people’s information safe and secure.” According to their privacy policy, they share your information with the following audiences [7]:
- Partners who use their analytics services
- Advertisers
- Partners offering goods and services within Facebook
- Researchers and academics
- Measurement partners
- Law enforcement or legal requests
- People and accounts you choose to share and communicate with
- Third-party apps and websites that have Facebook integration
Giving users control over advertising
Before the GDPR, Facebook used any and all information provided to generate targeted ads. Since 2018, Facebook prompts users with an option to enable or disable targeted ads based on the political, religious, and relationship information you provide. Though you won’t be able to completely rid your timeline of advertisements, you’ll be able to control what information is used to target you.
Company transparency
In an effort to boost their company transparency, Facebook has made their data and privacy policy easily accessible and readable for all users. They have also introduced privacy shortcut features that remove the many confusing hoops you used to jump through in order to modify or delete your information.
Bottom line
Across the board, when looking into newly updated privacy policies, be sure to assess them for these three key features, which should be thoroughly detailed:
- How they collect your data
- How they use your data, particularly for advertising
- How transparent they are about your data
The GDPR was created to keep users like you informed and protected against corporate user information exploitation.
The future of online service providers’ privacy policies is one worth keeping an eye on. The day the GDPR went into effect, a number of U.S. news sites went down due to policy violations [8]. This included high-profile sites such as the Chicago Tribune, the LA Times, the New York Daily News, and more.
The ambiguity surrounding the scope of the GDPR has been a cause for controversy and a definite roadblock for understanding what the future of the GDPR will look like. While it is an EU-based policy, online service providers based outside the EU who offer their services to EU users are forced to comply if they intend to keep their international reach.
Tackling internet privacy is a large task, but experts all agree that it is one that should be taken seriously. And as long as the internet exists, data will too. It’s a simple matter of regulation and enforcement that will shape how we share our information on the world wide web in the future.
About the Author: Tulie Finley-Moise is a contributing writer for HP® Tech Takes. Tulie is a digital content creation specialist based in San Diego, California with a passion for the latest tech and digital media news.