If you live in the United States, you may never have heard of the General Data Protection Regulation (GDPR), but it is something most businesses are taking note of for a very good reason. The GDPR is essentially a set of rules governing the collection and storage of all private information online for citizens of the European Union. It was passed in April of 2016, but it did not go into full enforcement until today, May 25, 2018.
Anyone who has a business with a website or app, even those who don't do business with European citizens (but especially those who do), should be aware of what the GDPR is and what it requires of them. So, here's a primer.
The GDPR was designed to make the collection and storage of personal information more transparent. If you remember Facebook CEO Mark Zuckerberg's uncomfortable appearance before Congress, you recall several members complaining about the complex terms of service agreements we all enter into when we sign up for services like Facebook. In part, the GDPR is designed to simplify those types of agreements for everyday people, but, more importantly, it is about explaining to individuals how their data is used.
The GDPR considers personal information to be anything we knowingly share and a few things we don't. So, name, email and phone number are all things we share on purpose when we make a purchase through Amazon or sign up for an account with Uber. But services also collect additional information the GDPR says should be controlled by the user, including location information, the network address assigned to them by their internet service provider (IP address) and other hidden information we all transmit but sometimes don't realize we are sending.
Additionally, these new regulations state that businesses must not only disclose everything they collect from people who visit their websites or use their apps, but also explain why they collect it (and give a compelling reason) and how it is stored. Individuals must be given the ability not only to see a digital copy of their data but to request that it be removed entirely, something called the "right to be forgotten," a rather interesting and controversial new idea that is already being challenged in the courts.
And if that weren't enough, it must be easy for individuals to do this, and the language companies use to explain it needs to be simple and easy to understand.
European companies and companies that do business in Europe must be in compliance with these regulations or face potentially stiff fines (up to 20 million euros). No one is entirely sure of the exposure of American companies who may or may not do business with people in the EU. Some have suggested that if anyone visits your website from, for example, Spain, you are required to be in compliance even if you aren't doing any business transactions with that person and don't normally target people in Spain for business.
Most U.S. companies have opted for, at minimum, new privacy guidelines and, for additional protection, disclosure of the fact that they collect certain personal information via small data files their websites store in the visitor's browser, called "cookies." The most common use of these is feeding analytics software that determines how many pages on your website have been visited, and so on.
Given the nature of America's business-friendly regulations, it is unlikely these types of rules will be adopted here in the United States. But that doesn't mean they won't become an industry standard now that the EU has put them in place. For individuals, this is good news. It means you'll have much better access to your personal information, and that access will be backed by law... in Europe, anyway.