Your Favorite Website Isn't Complying With the GDPR
It seems like just a couple of months ago that companies were filling our inboxes with emails about their new terms and conditions. And, in fairness, it was just a couple of months ago. Which made me wonder: After all that effort, is anyone actually complying with the GDPR?
Broadly speaking, the answer is a resounding “no.”
The GDPR, as a refresher, is the General Data Protection Regulation, which defines how websites and companies should handle the collection of users’ data. Specifically, it covers users in the European Union and the European Economic Area, so that excludes a lot of people, but most companies with an international customer base committed to implementing the new rules across the board. Not because the companies are particularly devoted to data privacy, as has been reported, but because it would be a pain in the ass to enact them just for folks in one part of the world.
Currently, the GDPR is the most comprehensive set of regulations covering data collection and storage in the world, and in some ways it has served as a gold standard for companies based in countries that aren’t actually subject to it, like the United States. From that perspective, for companies headquartered in the States that have mostly Americans for customers, it doesn’t really matter that they aren’t complying with European standards.
Or does it? The lack of compliance isn’t what I find worrisome. It’s the pretty solid chance that these companies that pledged to adhere to the GDPR, and in some cases are bound by the GDPR because they have customers in the protected areas, don’t actually have any idea what the GDPR requires.
I’ll explain it very, very briefly, and in a somewhat general sense, but you’ll see the point I’m trying to make. The GDPR instructs companies that compile personal user data to protect that data by default. Companies can’t assume that their customers want to share their data. Instead, companies must assume that the customers don’t want their information shared.
It also requires those companies to clarify what that data is used for and how it’s stored. And if a customer wants to interact with the company but doesn’t want the company to store their information, the company must provide that customer with the same experience they would have if they were okay with sharing their data.
Even more briefly: Data collection should be opt-in, not opt-out.
That’s not opting in or opting out. It isn’t even a choice. And granted, any company will need time to adjust to the higher privacy demands of the GDPR (although they had been aware of the forthcoming changes for a while). But the GDPR is just the first of what should be sweeping changes in the way data is consumed, and it’s not a moment too soon. Currently too many of us view data as just a byproduct of social interaction, when really it’s becoming the stuff that makes the world go round. If a company can’t even deal with cookies, then there isn’t much promise there for our data future.
Someone once remarked that “data is the new oil.” I don’t think I’ve ever heard anything more true.