You may have noticed a trend in your inbox lately. A lot of “we’re changing our terms of service” emails. It’s no coincidence. Lots of companies are rewriting these agreements ahead of the General Data Protection Regulation rollout in Europe. That’s the new set of stricter privacy rules that goes into effect in Europe at the end of the month. Marketplace’s Amy Scott spoke with Jessica Lee, partner at the law firm Loeb & Loeb, about what the GDPR means and how it will affect the U.S. The following is an edited transcript of their conversation.
Jessica Lee: The GDPR is happening in Europe, but it applies to companies that are in the U.S., which is why you’re probably starting to see a lot of updates to your terms of service and privacy policies.
Amy Scott: So they’re making the same changes for us that they’re making in Europe just for simplicity’s sake?
Lee: That’s what a lot of companies are doing. I mean, ultimately, it’s kind of difficult to manage having country-by-country specific privacy policies. It’s just really not manageable, and if you put an infrastructure in place to comply with the [European Union], a lot of companies are taking the position that they’re going to apply that globally.
Scott: And what kinds of things are companies changing?
Lee: Well, in most cases it’s not as much changing as it is clarifying. So they want very specific disclosures, what information is being collected. Who is it being shared with? You have a lot of rights under the GDPR. So you have the right to access your information, to have it erased, to rectify it, to port it, potentially. If you have pictures on one platform, you have the right to ask for all those pictures in a form where you could just port it to another platform even if it’s a competitor.
Scott: So just one example I was looking at was the changes LinkedIn is making. It seems like the company’s making it easier to figure out what kind of data it’s storing, easier to delete that data. All that sounds good. Is there anything that we should be watching for though?
Lee: I mean, these are all helpful updates, and in theory, you should be getting notices that are easier to read. So while the GDPR requires you to have a lot of detail and information, the mandate is for it to be easy for the individual consumer to read. So you might start to see charts, for example. I think some companies may be using videos, they might be getting a little bit more creative about how they give these disclosures.
Scott: Because they’re so fun to read.
Lee: No, I think this goes back to companies trying to be a little bit more specific and detailed about what they’re doing. I think for the most part that companies aren’t doing anything new or different, but they’re being more explicit about what they’re doing. So where you might have read through the policy before and not have understood what was happening, the goal now is for you to read it and really get what’s happening and the technology being used to collect information about you.
Scott: Well, I have to ask, do you read them every time?
Lee: I try to because I write them. And so it makes me feel better about my life if I know that someone actually takes the time to read it. But I also know where the important information is. So I actually have trained my sister. She’ll call if she gets a new service, and she’ll say, “Well, where do I need to look?” There are a couple of key sections: You want to know what a company is collecting about you, how they’re using it and who they’re sharing it with. In my mind, if you’re a consumer, those are the three most important sections. And so I say if you don’t have time, just kind of scan through that quickly and understand what’s happening before you move forward.
|The main differences between internet privacy in the US and the EU|
|The Data Economy: How we gave up on privacy|
|What your internet service provider knows about you|