You've probably received hundreds of emails this week notifying you of privacy policy updates at your favorite websites (Yahoo, Gmail, Coinbase, Poloniex, Binance, Bittrex, etc.) and perhaps even from sites you have already forgotten.
So what's the big deal? Why, all of a sudden, are almost all internet sites sending these privacy updates?
It isn't a scam or spam.
The trigger for these privacy updates is that the EU has set new privacy protections.
The EU's General Data Protection Regulation, or GDPR, went into effect on Friday, May 25, 2018. It seeks to expand and update data rules that have been in place since 1995 -- long before hacks, security breaches and data leaks became a common occurrence.
The new rules give Europeans more control over their personal data. The European Commission said that a lack of trust in tech companies was the main motivation behind the new rules.
While the new law would benefit consumers, it may also advantage large companies with the resources -- lawyers, data experts and programmers -- needed to make the transition.
"The implications and ramifications of GDPR compliance will challenge numerous organizations ... with resources on scales smaller than, say -- and in particular -- Facebook and Google," said Bernard.
What does it mean for companies?
Any organization that holds or uses data on people inside the European Union is subject to the new rules, regardless of where it is based. Companies that sell goods and services to people in Europe will be impacted, as well as organizations that monitor people's online behavior, for example by tracking browsing histories.
The rules mean Silicon Valley has to change some of its business practices. Facebook (FB), for example, has tens of millions of users in the European Union. So does Google (GOOGL).
What does it mean for people?
Consumers can expect to see more privacy warnings and consent requests. These must be made separately, and cannot be bundled with general terms and conditions. The rules mean that tech companies can no longer assume users want to hand over their data. Companies must now count on the opposite, and reflect that in their services and products.
For example: Rather than automatically signing a user up for a mailing list and later offering an unsubscribe option, companies now have to explicitly seek consent ahead of time. The default option when asking users if they want to subscribe must be "no."
What happens if the companies violate GDPR?
Failure to comply with GDPR comes with the risk of heavy fines — up to 4 percent of a company's annual global revenue, or €20 million (about $23 million), whichever is higher. In the case of Facebook, which pulled in $40.7 billion in revenue last year, a violation could mean an eye-popping $1.6 billion penalty. In fact, Facebook has already been hit with lawsuits alleging violations of GDPR on the policy's very first day; in response, the company has said it's been working to comply with GDPR for the past 18 months.
I'm in Europe. Why can't I access some U.S. sites?
A number of U.S.-based news sites — the Los Angeles Times, Chicago Tribune, Baltimore Sun and a raft of others — have basically gone offline as far as European readers are concerned. When you try to visit any of these sites from a European location, you get this (I tested it with a VPN):
The common denominator underneath these different publications is that they are all owned by the same parent company, Tronc. The media company put out a statement Friday that reads exactly the same as what viewers see on the blocked sites: "We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."
Unlike other news outlets such as NPR, which have updated their privacy policies in light of the new regulations, Tronc appears to have sidestepped having to comply with GDPR by simply making its sites unavailable to E.U. residents altogether. (The Washington Post, for its part, has updated its privacy policy and introduced a new subscription tier for readers who do not wish to have their data collected, said Miki King, vice president of marketing at The Post.)
What are the downsides for consumers?
Some companies have chosen to go blank in Europe instead of having to comply with the expansive privacy regulations, including websites such as Unroll.me and Klout. More widely accessed U.S. media outlets — including the Chicago Tribune, the Los Angeles Times and the Baltimore Sun — similarly blocked some of their European users starting Friday. It is uncertain when or if those websites will become accessible again.
Ahead of the law taking effect Friday, consumers also complained about a number of bureaucratic challenges, such as an influx of consent-seeking emails from companies trying to distribute their newsletters or doctors making their patients sign pages-long forms about how to store their data.
So, if it’s all so complicated, why did Europe bother to introduce the rules?
European Union regulators have always been much tougher on tech companies than their U.S. counterparts, for instance forcing them to give users more control, imposing fines for noncompliance and requiring platforms to spot and delete illegal content.
Depending on the E.U. country, there is generally also more public backing here than in the United States for the sort of expansive regulations that took effect Friday — at least as long as they don’t turn the Internet into a bureaucratic nightmare.
Click here for full text of the new rule: GDPR.