Checking the mail and finding a surprise package is fun; receiving unexpected emails is, objectively, the worst thing in the world. No one enjoys an unnecessarily full inbox, but if you've been online this week, your inbox has likely been flooded with notes about companies changing their privacy policies. It's a bit of a nuisance, especially for those who already hate checking email, but there's actually a reason your inbox is filled with these kinds of messages. A European privacy law, called the General Data Protection Regulation goes into effect Friday, May 25, and it's changing the way companies are allowed to communicate with you and use any data they collect.
The General Data Protection Regulation, or GDPR, became law in 2016 when it was passed by European parliament, according to CNET. The data privacy law applies to people living in any European Union member country, and the legislation makes it harder for companies to collect data about you without you knowing what it's being used for. Here's the catch that makes this relevant to all of us: If a company receives any traffic or business from people in European Union member nations, it's overhauling its privacy policy for all users. So even though the law doesn't apply to Americans, companies need to change how they interact with all of their customers, hence the pesky emails.
What does the GDPR do? For the record, even the experts are confused —an op-ed in The New York Times calls the law a "big, confusing, mess." But we do know that companies must have your explicit permission to keep sending you emails, which is why you may be receiving emails about whether you want to opt-in to a mailing list along with those privacy policy updates.
CNET has an in-depth explainer that gives an idea of why GDPR originated and what legislators hope to accomplish. Basically, companies are going to have to be more open with you about what data they're collecting and storing. Additionally, people in the EU's member states will be able to request a record of the data a company has collected. Companies are also given three days to let consumers know about any data leaks or hacks. This is big news in the wake of Facebook's Cambridge Analytica scandal, though the law was passed before it came to light, and it means companies will get in trouble if they hide data breaches.
GDPR supervisors in each of the 28 countries will help enforce the law, and hefty fines for companies that don't comply give businesses a reason to take it seriously. Companies that violate the law will be fined $23.5 million or 4 percent of annual global revenue, whichever number is higher. Although companies have had more than two years to prepare for GDPR compliance, The Verge says that most businesses aren't ready. The publication compares it to filing tax returns — if you're super responsible, you do it early, but a lot of us leave it until the last minute. The same goes for becoming GDPR compliant, hence all of the privacy policy changes happening at the same time.
Of course, it's worth noting that the most of us don't bother reading privacy policies, and a 2014 Pew study found that nearly half of people don't know what a privacy policy is. The best way to actually become aware of what companies are doing to keep your data safe is by reading privacy policies (or by using a service that does it for you).
By the weekend, your email inbox should return to normal because companies will have met the deadline to avoid punishment from EU officials. On the other hand, I've received two GDPR-related updates from companies while writing this article, and I'm not convinced that my inbox will ever be empty again.