As we count the weeks down to the formal commencement of the General Data Protection Regulation, or GDPR, companies all over the world are revising their privacy statements and other related information. That's because the European Union has specified, in some detail, how Personally Identifiable Information (PII) is to be managed, what rights individuals have and the severe consequences for not following the new rules. So, in the changed statements, what should you look for?
A quick scan of my inbox revealed about ten updates to privacy policies or similar for online accounts and services I use. So, I've taken a look through those to see what's being changed.
The first thing that's clear is that, in some cases, these policies are being simplified. The majority have adopted a similar structure, such as those of Veeam and Sonos, which clarify what data is collected, where it comes from (whether directly from you or from third parties), how the data is used, whether that data is shared and, in some cases, where it is stored.
For example, the Sonos policy says:
Personal data collected by Sonos may be stored and processed in your region, in the United States (for example, in our major data centres), or in any other country where Sonos or its affiliates, subsidiaries or service providers are located or maintain facilities.
All the policies I looked at specifically discuss the privacy of users under the age of 16 - an area of specific concern in the GDPR.
For example, Strava has also updated its rules and now requires all athletes to be at least 16 years old, which lifts the entry point from 13 under the previous policy.
Health related data is obviously a highly sensitive area so it's no surprise that Garmin, Strava and others are revising their policies. A look at Garmin's updated policies (they have several depending on which products and services you use) shows the extent to which the GDPR has changed things. They provide both the old policies and the new ones (which haven't yet taken effect) so you can compare the differences.
Interestingly, Garmin directly addresses the privacy of users under the age of 16 for the Vivofit Jr product, which is made to be worn by kids. That section was in the original policy too, albeit in lengthier and denser language, and Garmin has now simplified it.
While all the services I've received updates for have provided brief summaries of their updated terms of service and privacy policies, it's worth taking a look at them. It's easy to just click the "I agree" button when you want to use something new but it is important to understand what you're actually signing up for.
The good news is that the GDPR is raising the bar when it comes to protecting PII. And, unlike <a href="http://www.lifehacker.com.au/2018/04/facebook-data-move-means-australians-miss-out-stronger-data-protection/">Facebook, which is moving data away from the GDPR's jurisdiction in order to avoid the tougher rules</a>, it's good to see many businesses taking the opportunity to make their obligations to customers clearer and, in some cases, stronger.