Your Favorite Website Isn't Complying With the GDPR

It seems like just a couple of months ago that companies were filling our inboxes with emails about their new terms and conditions. And, in fairness, it was just a couple of months ago. Which made me wonder: After all that effort, is anyone actually complying with the GDPR?

Broadly speaking, the answer is a resounding “no.”

The GDPR, as a refresher, is the General Data Protection Regulation, which defines how websites and companies must handle the collection and processing of users’ personal data. Specifically, it covers users in the European Union and the European Economic Area, so that excludes a lot of people, but most companies with an international customer base committed to rolling out the new rules for everyone. Not because the companies are particularly devoted to data privacy, as has been reported, but because it would be a pain in the ass to enact them just for folks in one part of the world.

Currently, the GDPR is the most comprehensive set of regulations covering data collection and storage in the world, and in some ways it has served as a gold standard for companies based in countries that aren’t themselves subject to it, like the United States. From that perspective, for companies headquartered in the States that have mostly Americans for customers, it doesn’t really matter that they aren’t complying with European standards.

Or does it? The lack of compliance isn’t what I find worrisome. It’s the pretty solid chance that these companies that pledged to adhere to the GDPR, and in some cases are bound by the GDPR because they have customers in the protected areas, don’t actually have any idea what the GDPR requires.

I’ll explain it very, very briefly, and in a somewhat general sense, but you’ll see the point I’m trying to make. The GDPR instructs companies that collect personal data to protect that data by design and by default. Companies can’t assume that their customers want to share their data. Instead, companies must assume that the customers don’t want their information shared, and must ask before doing anything beyond what the service itself requires.

It also requires those companies to state clearly what the data is used for, how long it is kept and how it’s stored. And consent only counts if it is freely given: if a customer wants to interact with the company but doesn’t want the company to keep or use their information beyond what the service needs, the company can’t punish the refusal by degrading the experience. The customer has to get the same service they would have gotten if they had said yes.

Even more briefly: Data collection should be opt-in, not opt-out.

Think about those pop-ups you get on some websites, the ones that talk about using cookies. The language is always a little different, but generally it’s something about using the cookies to provide a meaningful user experience. Cookies are how a website remembers your login or what you had in your shopping cart, among other things. Other cookies exist only to track your browsing, often across many sites. The first kind is strictly necessary for the site to work and needs no permission; everything beyond that is meant (in Europe) to be opt-in. But some websites still just have the banner where the customer has to click “OK” to accept all cookies, and the tracking cookies are frequently already set before the banner even loads.

That’s not opting in or opting out. It isn’t even a choice: clicking “OK,” closing the banner and just scrolling on all lead to the same result. And granted, any company will need time to adjust to the higher privacy demands of the GDPR (although they had two years’ notice of the forthcoming changes). But the GDPR is just the first of what should be sweeping changes in the way data is collected and used, and it’s not a moment too soon. Currently too many of us view data as just a byproduct of social interaction, when really it’s becoming the stuff that makes the world go round. If a company can’t even deal with cookies, then there isn’t much promise there for our data future.
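To make the “OK”-only banner problem concrete, here is an added example (mine, not code from the original post or from any particular website) of the two ways a site can wire up cookie consent: the anti-pattern where any interaction with the banner is recorded as “yes,” next to an opt-in gate that defaults to “no” and only sets non-essential cookies after an explicit choice. The cookie jar is a plain object standing in for `document.cookie`, and the category names (`essential`, `analytics`, `marketing`) and cookie names are assumptions made for the example, so it runs under Node as well as in a page.

```javascript
// Added example, not from the original post: a minimal consent gate that
// defaults to "no", which is what opt-in means. The jar is a plain object
// standing in for document.cookie so the code runs outside a browser.

// Cookie categories (names are this example's own). "essential" covers the
// session/cart cookies the post mentions; those need no consent. The rest do.
const CATEGORIES = ["essential", "analytics", "marketing"];

// Opt-in default: nothing non-essential is allowed until the user says so.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false };
}

// The anti-pattern from the post: an "OK"-only banner. Whatever the visitor
// does with it ("ok", "close", "scroll") is treated as agreement to everything.
function okOnlyBanner(consent, action) {
  void action; // deliberately ignored: every action yields the same answer
  return Object.fromEntries(CATEGORIES.map((c) => [c, true]));
}

// Opt-in banner: the visitor picks categories explicitly. Dismissing the
// banner (choice === null) or ticking nothing leaves the default, all denied.
function optInBanner(consent, choice) {
  const next = { ...consent };
  if (!choice) return next; // dismissed: no change, still denied
  for (const c of CATEGORIES) {
    if (c === "essential") continue; // not user-selectable, always allowed
    next[c] = choice[c] === true; // only an explicit true counts as consent
  }
  return next;
}

// Every write to the jar is gated on the current consent state.
// Returns true if the cookie was stored, false if consent was missing.
function setCookie(jar, consent, name, category, value) {
  if (!CATEGORIES.includes(category)) {
    throw new Error("unknown cookie category: " + category);
  }
  if (!consent[category]) return false; // refused: no consent for this category
  jar[name] = { category, value };
  return true;
}

// Withdrawing consent has to be as easy as giving it (GDPR Art. 7(3)), and
// it has to actually take effect: cookies already set in that category go.
function withdraw(jar, consent, category) {
  const next = { ...consent, [category]: false };
  for (const [name, cookie] of Object.entries(jar)) {
    if (cookie.category === category) delete jar[name];
  }
  return next;
}

// Walk a fresh visitor through one banner style and report what landed in
// the jar. bannerKind is "ok-only" or "opt-in"; userAction is the banner
// action (for "ok-only") or the category choice object / null (for "opt-in").
function simulate(bannerKind, userAction) {
  const jar = {};
  let consent = defaultConsent();
  // Session cookie: strictly necessary, allowed before any banner interaction.
  setCookie(jar, consent, "sid", "essential", "s3ss10n");
  consent = bannerKind === "ok-only"
    ? okOnlyBanner(consent, userAction)
    : optInBanner(consent, userAction);
  // Constructed tracking cookies standing in for real analytics/ad cookies.
  const analyticsSet = setCookie(jar, consent, "_ga", "analytics", "GA1.2.1");
  const marketingSet = setCookie(jar, consent, "_fbp", "marketing", "fb.1.1");
  return { consent, jar, analyticsSet, marketingSet };
}

// Stand-alone demonstration of the difference between the two banners.
console.log("ok-only, visitor just closed it:", simulate("ok-only", "close"));
console.log("opt-in, visitor just closed it:", simulate("opt-in", null));
console.log("opt-in, analytics only:", simulate("opt-in", { analytics: true }));
```

The point of `simulate` is the first two lines of output: with the “OK”-only banner the visitor who merely closed it ends up with `_ga` and `_fbp` set, while with the opt-in gate the same visitor gets nothing but the session cookie. A real site would also have to hold the tracking scripts themselves back until `consent[category]` is true, since a third-party script that loads before the banner will set its own cookies regardless of what this gate says.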

Someone once remarked that “data is the new oil.” I don’t think I’ve ever heard anything more true.

-CM