Why you should care about GDPR, even if you don't live in Europe


If you've been anywhere near the internet in the last few weeks, then you've probably noticed that just about every company you've ever interacted with has been busy sending out a flood of emails notifying you about changes to their privacy policies.

The reason for this, of course, is a little something called GDPR: a new set of European regulations governing how companies manage our personal data. Those rules go into effect as of Friday, May 25, which means companies everywhere are scrambling to bring their own policies up to speed with the new rules.


But GDPR is actually about much more than tweaking privacy policies. The sweeping rules will have a tremendous impact on just about every industry, not just tech. And though the laws only cover EU citizens, the effects of the regulations could ultimately extend far beyond Europe.

What is GDPR?

GDPR, or the General Data Protection Regulation, is a set of regulations that places new restrictions on how companies handle our personal data. And while there are a lot of specific requirements that fall under these rules (more on those in a minute), the overarching goal of GDPR is to give users more control over who has access to their data and how that data is used.

These rules, by the way, apply to all organizations, not just tech companies. Restaurants, retailers, airlines, and other companies we don't typically think of as having vast troves of personal data are also required to comply with the rules.

GDPR rules are fairly complex, but the main provisions are:

  • the right to know what data a given company has about you, and what it's used for

  • the right to know if your data's being shared with outside groups

  • the right to access your data and take it somewhere else (referred to as "data portability")

  • the right to, at least in some situations, have your data erased

There are also bigger requirements that affect how companies operate internally. One provision stipulates that companies must notify users of data breaches within 72 hours of discovering the issue. Some companies are also required to name a Data Protection Officer, who's charged with overseeing an organization's efforts to comply with GDPR rules.

What happens if companies don't follow the rules?

Penalties for breaking GDPR rules can range from written warnings to massive fines, depending on the specific rule in question.


For the most serious offenses, organizations can be liable for fines of up to €20 million or 4 percent of their total revenue, whichever is higher.

For a multibillion dollar company like Facebook or Google, that adds up to hundreds of millions of dollars. Not every GDPR infraction warrants the steepest fines, which are reserved for "the most serious infringements," but even relatively smaller fines could be potentially catastrophic for smaller companies.

This is a good thing, right?

Even though companies have had two years to bring their policies up to GDPR's standards, the transition hasn't gone smoothly for everyone. While many companies have been frantically emailing users about changes to their terms of service, some have had to go to greater extremes.

Instapaper, the "read it later" service owned by Pinterest, informed users it was temporarily pausing all service in Europe due to issues with GDPR. So did inbox-cleaning app Unroll.me, which has also been criticized for opaque privacy policies.

Meanwhile, some websites, including those of Tronc newspapers and cable network A&E, have blocked European traffic because of GDPR.

While most of these disruptions will be temporary, it's unclear how long it will take before they're back to business as usual in Europe.

I don't live in Europe, why should I care?

Even if you don't live in Europe, GDPR could still affect you. If you run a business that has customers in Europe, you'll still need to comply with GDPR regulations, even if you're based in the U.S.

But even if you're not a business owner, you'll likely still feel the effects of GDPR in some way. Besides the overflowing inbox notices, some companies are opting to make new privacy controls available to everyone, not just Europeans (Apple's new privacy page, for instance).

Other, long-term effects of GDPR are less clear. Critics have argued the measures will make it more difficult for companies to do business. Others have speculated the policies could change the economics of internet-based companies that rely on advertising dollars. Some hope it will make companies more accountable so we're able to avoid future Cambridge Analyticas.

For now, though, perhaps the biggest impact of GDPR is that it serves as a timely reminder of just how much data companies have on us. As game developer Chet Faliszek pointed out on Twitter, the fact that we're collectively getting so many GDPR-related notifications shows just how many companies are storing data on us.

And while those practices are unlikely to change dramatically in the U.S., at least in the short term, GDPR might just help get everyone to actually stop and think about their online privacy in the first place.

