Toward the end of 2017 and the outset of 2018, lots of major digital U.S. companies updated their privacy policies and sent out notifications to their millions of customers. What did all those companies have in common? They were all doing business in the European Union (EU).
Businesses operating in the EU had to adopt new privacy policies to comply with the General Data Protection Regulation (GDPR), the update to the EU's data-protection rules that was adopted in April 2016. Those rules had not been overhauled since the 1995 Data Protection Directive, and privacy concerns and practices have changed profoundly since then.
GDPR brings privacy practices into the 21st century with a surprisingly high standard, one that will require major investments from large multinational companies. Companies that operate in both the EU and the U.S. are changing their standards company-wide to comply, which means users in the U.S. will likely benefit from those changes as well.
But exactly how will privacy change, and are all of those changes positive? Below we take a closer look at what GDPR means for U.S. citizens.
GDPR’s Most Significant Regulations
A high-level view of the most pertinent provisions will help internet users in the U.S. understand how the changes will affect them.
Companies are now responsible for keeping consumers informed about how their personal information is used whenever they act on it, including:
- Consent – Requests for consent must be written in clear, plain language in an easily accessible form, free of legal jargon, and withdrawing consent must be as easy as giving it.
- Breach Notification – The supervisory authority must be notified of a personal-data breach within 72 hours of the company becoming aware of it, and affected individuals must be notified without undue delay when the breach is likely to pose a high risk to their rights and freedoms.
- Right to be Forgotten – Users have the right to erasure, which allows them to have data controllers delete their personal data and stop disseminating it.
- Right to Access – Users also have the right to learn whether their personal data is being processed, where it is being processed, and for what purpose, and to obtain a copy of that data.
Businesses under GDPR will also have to remain accountable for their actions regarding user information, including:
- Penalties – Fines of up to 4% of annual global turnover or 20 million euro, whichever is higher, may be imposed for the most serious violations of GDPR.
- Privacy by Design – Protection of users' personal information must now be built into the design of internal systems rather than bolted on afterward.
- Territorial Scope – Any company that offers goods or services to people in the European Union, or monitors their behavior, must comply with GDPR, regardless of where the company itself is located.
The rules apply both to businesses that transact with users and to those that simply collect personal data, commonly called personally identifiable information (PII) in the U.S.
How U.S. Internet Users Will Be Affected
There is no shortage of internationally operating companies based in the U.S., and some of America's favorite social media and shopping sites fall within GDPR's scope. However, even multinational companies aren't required by U.S. law to apply European regulations to their U.S. users. Luckily, it is in those companies' best interest to make universal policy changes that satisfy both GDPR and domestic standards: compliance is estimated to cost anywhere from $1 million to $10 million depending on the size of the company, and maintaining one set of policies is cheaper than maintaining two.
That's why so many companies preemptively updated their privacy policies and notified U.S. users at the end of 2017 and the beginning of 2018. With a firm deadline of May 25, 2018 for implementing the changes GDPR requires, most data subjects in the U.S. should now know, in easy-to-read terms, how the new privacy policies change their rights and their access to their personal information, as well as how those businesses will handle it.
Leverage Marketing respects and protects private information, and we also help companies reach the next level in their business. Ask us how.