By Harper Neidig and Morgan Chalfant
A sweeping set of new data privacy regulations descending on Europe is leaving internet companies in the U.S. scrambling to overhaul their practices to avoid steep penalties.
Companies like Google, Twitter, Yelp and Uber have in recent weeks sent notices to their users about updates to privacy policies and user agreements aimed at making their data collection practices more transparent.
The moves are part of an industry-wide effort to prepare for the General Data Protection Regulation (GDPR), which goes into effect on Friday and forces companies to give full disclosure about what they do with the digital data they collect and offer their users more control over their information.
Under the new rules, European users are able to request copies of the data that websites have on them or ask companies to delete that information; websites have to ask for permission to collect and share user data; and companies need to disclose their data practices in clear language, instead of obscuring them with legalese.
The GDPR only applies to the member states of the European Union (EU), but users in the U.S. will also see changes as some websites decide to apply the new protections beyond Europe.
The law will affect virtually any company that collects and stores sensitive data, from health care organizations to banks, but the burden of complying will fall harder on some companies than others depending on their data practices.
Companies will have an easier time complying “if your business model is not built around exploiting personal information and selling it on the open market,” said Cynthia Cole, a lawyer at international law firm Baker Botts LLP, based in Silicon Valley.
Cole, who’s advising firms on implementing GDPR reforms, explained that the new rules impose a tremendous cost on businesses that collect large amounts of data and share them with third parties, forcing them to devote substantial back-end analysis to figuring out where the data is going.
The internet is already seeing an impact ahead of the rollout. Instapaper, a service owned by Pinterest that allows users to clip online articles to read later, announced that it would be temporarily unavailable to users in the EU after determining it was not fully prepared to comply with GDPR.
“I underestimated the scope of work required by the deadline, and this was the required alternative,” Instapaper CEO Brian Donohue tweeted on Thursday.
Meanwhile, advertising companies like Verve, a location-based mobile marketing firm, and Drawbridge, a cross-device targeting firm, have closed their European operations in advance of the deadline to begin implementing the new data protections.
But some regulators are accusing internet giants of trying to evade the tougher requirements of the law. Last month, Giovanni Buttarelli, the EU’s top data watchdog, blasted internet “sweatshops,” saying that some of their proposed changes don’t go far enough toward correcting exploitative data collection. He warned companies against trying to manipulate users into agreeing to hand over sensitive data in exchange for their services.
“We must all be vigilant about attempts to game the system,” Buttarelli wrote in a blog post.
Companies have plenty of reason to heed his warnings. Websites risk incurring massive financial penalties if they don’t comply. The biggest privacy offenses under the new rules can result in either a fine of $23.5 million or 4 percent of a company’s worldwide revenue — whichever is higher.
The new law, originally adopted two years ago, is reaching full implementation at a time when data privacy continues to attract massive attention in the U.S. as a result of Facebook’s role in the Cambridge Analytica scandal.
The data mining firm, which has ties to President Trump’s election campaign, improperly obtained data on 87 million Facebook users without their consent. In response to the backlash, Facebook has promised to extend all of its changes for GDPR to users beyond Europe.
The scandal has given momentum to privacy advocates calling for comprehensive data rules in the U.S. in the spirit of the GDPR. And the GDPR in turn has given them a roadmap for what to aim for in the states.
“It’s a wonderful testing ground for ideas for privacy legislation,” said Allie Bohm, a policy counsel with Public Knowledge.
In the meantime, the European laws are giving tech companies’ biggest U.S. critics a benchmark to which they can hold the industry.
A group of Democratic senators on Thursday introduced a resolution calling on internet companies to expand their new GDPR changes to cover American users. And a coalition of consumer groups sent a letter to some of the biggest data collectors calling for the same thing.
“When the European privacy law takes effect, the American people are going to wonder why they are getting second-class privacy protections,” Sen. Ed Markey (D-Mass.) said in a statement. “If companies can afford to protect Europeans’ privacy, they can also afford to do so for their American customers and users.”
But even as more data leaks and breaches are revealed in the U.S., Congress does not appear to be moving toward the type of sweeping data regulations that are going into effect across the Atlantic.
And it’s still unclear what kind of changes American internet users will see. Bohm notes that the EU will be relying on member states’ individual data authorities to enforce the GDPR. But in the U.S., where the new rules have no teeth and there is no regulatory data watchdog, Bohm says the only new protections offered by internet companies will come from “the goodness of their hearts.”
The global impact of the new rules also depends on whether digital firms will take them seriously or try to test the waters to see what they can get away with.
“The devil is going to be in the details of the implementation,” Bohm said. “To the extent that they really overhaul their practices versus repackaging what they’ve already been doing remains to be seen.”