This is all thanks to a new law out of Europe, the General Data Protection Regulation (GDPR). But don’t blame European lawmakers for the fact that you’re getting all of these messages at once.
The European Union passed the GDPR in April 2016, and tech companies had more than two years to prepare before enforcement of the law began on May 25, 2018. Given that the web is a global network, the GDPR has required that all digitally operating companies that have European citizens as users to make changes to the ways in which they collect, store and process user data — or else pay hefty fines.
In a nutshell, organizations can’t collect data without user consent, and they are required to fulfill users’ requests to delete any information they’ve collected on them. Users will also be able to download all of the data an online service provider has on them and see how that organization has been using it.
It’s a tall order to get companies and users alike to care about data privacy at scale. It’s complicated, because laws have frequently come into effect reactively, not proactively. People take privacy for granted, and often, it takes a massive breach for people to get concerned, such as when it came to light in March that years-old Facebook data — from 87 million users — had gotten into the hands of political consultancy Cambridge Analytica.
That scandal inspired congressional hearings with Facebook CEO Mark Zuckerberg in the hot seat, and given the impending GDPR, he testified before the EU as well. The scandal hasn’t made a dent in Facebook usage.
The same passiveness goes for the GDPR: Many online service providers scrambled to get their policies updated and their users in the know, thus the 11th-hour emails that arrived en masse leading up to May 25. It’s likely that most people won’t read them, but in one way or another, many organizations’ email subscriber lists are going to dwindle because of them.
Several of the emails lead with desperate pleas, e.g. “Please don’t go!” because their aim is for the user to opt in, giving organizations permission to continue the data-sharing relationship, a.k.a. keep them on their marketing lists. They want you to renew your vows, if you will. If you don’t, companies are supposed to unsubscribe you. That might sound like a long overdue spam spring cleaning. But the problem is, the service providers are making users do all the work — and all at once — if they want to stay in the loop.
Then, there have been reports that these emails are all for naught, based on a misunderstanding of the GDPR. Some companies already have the necessary consent from their user contacts. Now, the emails they’re sending might backfire if people get unsubscribe-happy amid the email flood.
Even though tech giants such as Facebook and Google have been more publicly under fire for their misuse of data, some have argued that the GDPR gives bigger organizations an advantage. If a lesser-known entity asks a user to consent to data access, it might be met with more skepticism, or seen as less legitimate. This is an opportunity for users to think hard about which organizations they trust and why.
“You’re quite likely to click ‘I Consent’ or ‘Yes’ when a GDPR form is put in between you and your next hit of Facebook dopamine,” John Battelle writes for NewCo Shift.“You’re utterly unlikely to do the same when a small publisher asks for your consent via what feels like a spammy email.”
As for the updated service agreements themselves, you’ve probably wondered, do these companies really expect every user to read every new contract that’s dropped into their inbox? Despite the fact that the GDPR specifies that companies must write their privacy policies in “clear and plain language,” many of the updated policies consist of the opposite. Google’s, Facebook’s, Twitter’s and LinkedIn’s are now more verbose, according to The Wall Street Journal. It seems like a classic case of cramming: the dilemma of, I would have written you a shorter note if I’d had more time to edit down my rambling first draft.
This is just one way in which companies were unprepared for Friday’s enforcement. Publications under the Tronc family, such as The Chicago Tribune and The Los Angeles Times, are among those that have blocked European citizens from accessing their websites while they continue getting their GDPR ducks in a row. Many other U.S.-based publications presented opt-in messages or pared-down websites to their audiences.
Even if you click the “x” on policy update prompts, and even if you (inevitably) don’t read all of the emails, it can’t hurt to keep them on file. You never know when you’re want to take a glimpse at the data you’ve shared with a social network, app or other service — and possibly wipe the record clean. Some of those emails might point you in that direction if that day ever comes.