The European Union’s General Data Protection Regulation (GDPR) came into effect today, and the web will never be the same, in Europe at least. Internal wrangling at companies between the legal, sales, marketing, editorial, and other departments has determined what approach to take to stay on the right side of the strict new rules, and the conclusions vary widely.
Hailed by many as a victory for human rights in the digital age, GDPR is designed to give EU consumers control over how companies can collect and use their personal data. Since information online is borderless, the new law affects every company that has any contact with users in the EU, anywhere up or down a company’s data supply chain.
The penalty for breaking the law can run up to 4% of global revenue, which would be a significant sum for advertising-funded firms like Google and Facebook. In fact, the first GDPR-based lawsuits have already been filed against both tech giants, arguing that the consent they require from customers to continue using their services is not “freely given.”
This is the crux of the emails you may have received recently from companies seeking approval to send newsletters, announcing changes to privacy policies, and demonstrating many other variations of GDPR-linked legal housekeeping. This has also made browsing the web in Europe an adventure today, with pop-ups, legal notices, and other barriers springing up. Here’s a tour of the post-GDPR world online:
Business as usual (more or less)
For many publishers, relatively unobtrusive pop-ups seem to suffice—some sites ask for agreement to store and track your data (like Quartz), while others simply point to privacy policies. The content on these sites remains accessible to visitors from the EU.
Newspaper sites owned by Gannett, like USA Today, are now serving up a “European Union experience” to visitors from the EU, noting that they do not collect any personally identifiable information from users.
Your consent is required
Other sites require explicit action for users before they can proceed. A feature of GDPR is the requirement for “clear affirmative action” from users (that is, opt-in) before a company can collect and use their data.
Some sites are now completely inaccessible to users in Europe. Although GDPR has been in the works for years, these companies say that they need more time to work things out before they can serve European users. Most notably, this is the case for sites owned by publishing group Tronc, including the Los Angeles Times, Chicago Tribune, New York Daily News, and others. Pinterest-owned bookmarking service Instapaper also temporarily shut down for European users earlier this week.