Friday, May 25, 2018

G.D.P.R.-Related Privacy Policy Updates

Getting a Flood of G.D.P.R.-Related Privacy Policy Updates? Read Them


CreditMinh Uong/The New York Times

By Brian X. Chen

You have probably noticed a flood of emails and alerts from companies in the last few weeks informing you about changes to their privacy policies.

Don’t ignore them.


Yes, there is a lot of legalese to wade through. But resist the temptation to immediately delete those emails or close the alerts right away. They may contain important information about managing your digital privacy at a time when it’s become clear that our online data is far from safe.

All those privacy messages are appearing now because a law called the General Data Protection Regulation will go into effect across the European Union on Friday. The law has been heralded as the world’s strongest protector of digital privacy rights. And while it was designed for Europeans, the borderless nature of the online world has virtually every commercial entity that touches the web making changes to its sites and apps to comply.

The data regulation law centers on two main principles. The first is that companies need your consent to collect your data. The second is that you should be required to share only data that is necessary to make their services work.

Danny O’Brien, a director for the Electronic Frontier Foundation, offered this analogy: “A birthday cake company needs your name to put on the birthday cake. If it isn’t essential information, you can deny them consent to use that data and you still have to get the service.”

If companies don’t comply with the new rules, they can be fined up to 4 percent of their global revenue. But you should expect businesses that rely on advertising revenue to work hard to persuade as many of us as possible to give our consent for them to collect as much data as possible. Companies can do that by making it easy for people to give permission, and immensely complicated to opt out.

So to ensure you benefit from the new law, it helps to examine the revamped privacy policies we are all getting. Here is what to look for.

Companies Want ‘Consent’

Let’s start with those pesky emails and notifications. Don’t gloss over them — some sites are using the emails not only to inform you of their updated privacy policies, but also to “ask” for your consent.

Quora, the questions-and-answers site, sent an email this week saying that its privacy policy had been updated. Toward the end of the note, it tucked in a message that “your continued use of the service will be considered acceptance of our updated terms.”

A Quora spokeswoman said the company complied with the new data law by seeking affirmative consent from users when required. The company said the email explaining the particular changes in its privacy policy was an informational email and did not require consent, but that it would update the language in its email to be less ambiguous. The language has since been updated.

Other sites are using pop-up notifications to seek consent. The clothing retailer Taylor Stitch, for example, recently started showing a banner ad that explains how cookies are used for web tracking. The note added that by closing the banner ad or interacting with its website, you were agreeing with the site’s data collection terms. The company did not respond to requests for comment.

Here’s the problem: Companies clearly know that we rarely (if ever) read privacy policies. They also know that we find notifications to be annoying, because they pop up just as we are in the middle of another task.

But if we ignore them, we may be unintentionally giving consent to more of our data being shared than we actually want to give out.

“That pop-up fatigue is definitely something I’m worried about, now that these pop-ups are really more important than ever,” said Gennie Gebhart, a researcher who follows privacy issues for the Electronic Frontier Foundation.

Find the New Privacy Controls

If you skipped reading the emails and notifications, you may have missed out on the new privacy controls that internet companies recently introduced. These typically are not very easy to find, but they are worth exploring because there may be new methods to minimize the amount of data you share.

Consider Twitter. The social media company’s recent privacy-related email mentioned that people can now more clearly see and control how their data is shared with its business partners.

Here’s how: Near the very bottom of Twitter’s settings menu, there is now a button called Your Twitter data. Here, you can see the number of advertisers that are trying to target you based on your interests. You can also opt out of this so-called interest-based advertising. When I used the tool, I found out that more than 600 advertisers had my contact information, and I chose to no longer share data with the ads program.

Facebook, which has been under scrutiny for the improper harvesting of user data by the political profiling firm Cambridge Analytica, has also updated its privacy controls.

One of Facebook’s newer tools is called Privacy Checkup, which can be found in a menu called Privacy Shortcuts. When you run the checkup with the Facebook app, it quickly walks you through the people you share your posts with by default, the information you show on your profile and the apps that you share your data with.

Also inside the Facebook app’s settings menu is a button labeled Ads. This brings you to your ad preferences, where you can see which advertisers have your contact information and you can control the types of ads that can be shown to you.

For example, you can opt out of being shown ads based on information like your relationship status, employer, job title and education history. You can also opt out of being shown ads based on your activity on other Facebook-owned products like the messaging app WhatsApp or the virtual reality system Oculus.

Those are just two examples of big social networking sites. What tech products do you use the most? Take a moment to poke around in your privacy settings to see if there are any new restrictions you can put on your data.

You Can Always Leave

A big part of the new data law is that it requires companies to offer ways for you to pull your data out and take it to a new service. Google, Facebook and Twitter each offer the ability to download your own data, and some of those capabilities have been expanded ahead of the new data law’s going into effect.

Be aware that other internet products you use should soon be offering similar tools to pull out your data. If you disagree with a company’s new data collection policy, try downloading your information to see if you can exercise your right of taking your data to a better product.

But beware: Not all data-portability tools are created equal. I documented my experience downloading my data from Google and Facebook and found that Google’s data porting tool, called Takeout, was superior to Facebook’s. Google gave greater transparency into the information that was gathered, and it gave more options for the data I could move to competing products.

And if porting your data doesn’t work out, keep in mind that you can delete your account. The new data law requires companies to offer ways for European users to permanently delete their accounts and all their data along with it. Companies may choose not to offer the same option for people outside Europe, but it won’t hurt to try.

No comments:

Post a Comment