Friday is the dawn of a new era in consumer privacy. It wasn’t supposed to look like the promotions tab in Gmail—full of emails that may or may not be useful, none of which you want to click on, all with fine print that makes the offer less attractive.
For months, companies have been bombarding inboxes with privacy updates, nominally in order to comply with the General Data Protection Regulation, a supercharged set of privacy laws in the European Union, which go into effect Friday. Under GDPR, companies are required to have a legal basis for collecting personal data, such as the user’s consent, or face serious fines. The law applies to companies processing data of people in the EU, which means most major American companies are also affected. And, as the deadline approaches, the deluge has only intensified.
That’s prompted GDPR’s critics to point to “consent fatigue” over the notices as a sign that the regulation is burdensome and that consumers don’t care about privacy anyway. They question whether the new policies offer users any additional protection.
But EU regulators, lawyers, and privacy advocates insist it didn’t have to be this way. GDPR was supposed to inform consumers about the personal data being collected about them, and for what purpose. The idea was to incentivize companies to minimize the amount of data they hoovered up. Consent had to be informed, unambiguous, and freely given. If people were put off by a clear explanation of how their personal information was being used, then the behavior would stop.
Instead, many of the law’s defenders say companies are using these emails as a way to avoid the underlying principles of clear disclosure. In some cases, their requests for consent are unnecessary, spamming you when they already had a legitimate reason to have your info; in other cases organizations are using GDPR to mask the fact that they never had any right to your data in the first place. Then there are the emails that seem to openly flout the law—either threatening to shut down an account unless you agree to new privacy terms or saying they’ll interpret your silence as consent.
“We are a little bit disappointed,” says Giovanni Buttarelli, who as European Data Protection Supervisor is the continent’s top data-protection watchdog. “In our point of view, sorry it’s not enough. So we think we need real change in how the giant tech companies approach people and information about them.”
In an interview, Buttarelli says many of the new policies “are written in perhaps a long and vague approach, perhaps in legalese, and this does not help people so they must be scrutinized carefully.”
Buttarelli says the technology companies developing and distributing their new privacy policies “are in the position to benefit from the best legal advice and the most advanced technology in implementing the principle in design.” For companies that are so efficient at data mining and artificial intelligence, why not bring those same forward-thinking technological and design principles to “being ethically oriented,” Buttarelli asked.
Don’t expect the shortcomings to lead to immediate penalties and fines. “Fines are the last step of the exercise,” Buttarelli says. “We need to first focus on compliance, and therefore what is more important is that people receive shorter more communicative notices based on very simple and concise language and where you do not need to make use of artificial intelligence,” to interpret it.
Facebook and Google, which collect an extraordinary amount of personal data, have received particular scrutiny.
Facebook users in the EU have received emails and pop-up banners instructing them that they have to accept Facebook’s updated terms by Friday to continue using the service.
In response to questions from WIRED about whether that approach is compliant with GDPR, a Facebook spokesperson said the company is “roadblocking” Europeans who come to the service, requiring them to agree to new terms of service. The spokesperson said users are asked for “their dedicated attention and consent” on three specific, critical topics—sensitive data, facial recognition, and use of outside data to inform ads. Users are “free to consent or decline each of the three choices they are offered,” she said.
To Johnny Ryan, a researcher at PageFair, which helps companies get around ad-blockers while promoting the collection of less personal data, a stance that puts it at odds with the digital duopoly, Facebook seems to be playing a game of brinkmanship. “They make lots of noise about complying with the GDPR, but in practice they have produced a take-it-or-leave-it opt-in screen that is entirely unlawful under the new regulation.”
Outside of the tech giants, many companies “have email lists that were never entirely kosher and view the GDPR as an opportunity to sanitize them,” Ryan says. “In other words, don’t blame the rules, blame the companies that had your data all along and are only now asking for your OK.”
“I love the subject lines, like, ‘Please don’t leave us,’ ‘We value you,’” says Tiffany Li, a resident fellow at Yale Law School’s Information Society Project and former in-house counsel for the coding education startup General Assembly. “The companies reaching out are like a bad boyfriend: they want you to stay, but they know they did something wrong,” Li says.
Jean-Paul Schmetz, CEO of Cliqz GmbH, a German startup that owns a privacy-focused browser as well as the anti-tracking tool Ghostery, sees the “long inconvenient emails” as the “side effect of companies trying to avoid privacy.” He points to Facebook’s request for consent around facial recognition as one example. Facebook stopped offering the tool in the EU in 2012, after objections in numerous countries, but under GDPR it is allowing EU users to opt back in, even though the data protection authorities had not given it the all clear. “They smuggled that in by making the whole process laborious,” Schmetz says.
It’s easy enough to imagine a privacy-friendly interface with easy-to-understand on/off switches that let users choose between options like: collect only the bare minimum of data needed to make the product or service function; collect a moderate, reasonable amount; or go wild, I don’t care. Still, for all the talk about companies choosing the more confusing path, no one could point to an example of a company doing it correctly, short of opting out of data collection altogether.
“The best consent emails are the ones you don’t have to send, because you’re not doing anything that requires it,” says Schmetz.