GDPR – Privacy Data in the EU

If you’re in the EU you will have been bombarded with messages in the last few weeks, emails from everything you’ve ever subscribed to, forced logged out of apps, and screeds of new terms and conditions to read. It’s all because of GDPR, the European General Data Protection Regulation.

The GDPR is a new law on data privacy in the EU and it relates to companies, individuals and organisations processing personal data for commercial use. It’s meant a lot of work over the last 3 years for anyone working in digital and a lot of lawyers. It grants citizens very specific rights over their personal data, here’s the list of rights from the EU official site:

The responsibility rests with companies to obtain clear consent from you, and you must opt in to receive information from them, the law states that “pre-ticked boxes are not considered to be valid consent under GDPR”. The law also recognises that consent is not always possible, for example an employee cannot consent to be supervised by CCTV for a productivity issue – since there is a power imbalance between the employer and the employee. The penalties for companies are steep, up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. No wonder companies are working hard to set up good privacy systems.

As an individual, a consumer and an employee I like the principles of the law. I’m glad to see a comprehensive overall of how our data is used, and that the EU is using its power to counteract the power behind US tech giants who haven’t taken as much care of my data as I’d like. But oh boy it’s exhausting to read everyone’s terms and conditions and sort out what I’m going to agree to. And not all companies present it in the easiest way. Here’s the notification on data sharing from FastCompany

Seems OK right?

That’s until you scroll and find out that there are 53 companies other than Fast Company who get access to your data, and they get your data not just from Fast Company but also from other sites which use these companies – that’s code for tracking cookies being set on your computer so they know which site you use. I work in digital and I have heard of about 8 of these. There’s no way anyone has time to look through the conditions of all these sites and evaluate what is being done with the data.

1. Fast Company
2. EMX Digital LLC
3. BIDSWITCH GmbH
4. Adform A/S
5. AdRoll Inc
6. Adobe Advertising Cloud
7. AppNexus Inc.
8. Flashtalking, Inc.
9. SalesForce DMP
10. Quantcast International Limited
11. Bombora Inc.
12. Oath (EMEA) Limited
13. Index Exchange, Inc.
14. DoubleVerify Inc.​
15. Confiant Inc.
16. Purch Group, Inc.
17. Dataxu, Inc.
18. MediaMath, Inc.
19. Research Now Group, Inc
20. Revcontent, LLC
21. LiveRamp, Inc.
22. Criteo SA
23. OpenX Software Ltd. and its affiliates
24. DigiTrust / IAB Tech Lab
25. Liveintent Inc.
26. Eyeota Ptd Ltd
27. Integral Ad Science, Inc.
28. BeeswaxIO Corporation
29. Celtra, Inc.
30. Revcontent, LLC
31. Conversant Europe Ltd.
32. Lotame Solutions, Inc.
33. Justpremium BV
34. RhythmOne, LLC
35. PubMatic, Inc.
36. PulsePoint, Inc.
37. GumGum, Inc.
38. SlimCut Media SAS
39. Sharethrough, Inc
40. Sizmek Technologies, Inc.
41. Sonobi, Inc
42. Smart Adserver
43. The Rubicon Project, Limited
44. Unruly Group Ltd
45. Teads
46. Tapad, Inc.
47. The Trade Desk, Inc and affiliated companies
48. SpotX
49. TripleLift, Inc.
50. Sovrn Holdings Inc
51. Sublime Skinz
52. Taboola Europe Limited
53. comScore, Inc.
54. district m inc.

Some companies weren’t able to make their sites GDRP compliant in the two years since the law was passed and I got this message