Anchorage, KTUU — Starting Friday, companies that collect or process the personal information of EU residents must comply with new rules that protect the privacy of people's data.
The new rules, called the GDPR, or General Data Protection Regulation, clarify individual rights on personal data collected by companies from around the world for targeted advertising.
The GDPR has caused major internet and social media companies to rewrite their privacy policies and in order to comply with the European Union's new standards, which reach beyond EU borders.
For weeks, companies have been emailing out updates to their privacy policies, many of which ask for user consent to continue sending marketing-related emails. The 'opt-in' mandate marks a significant departure from 'opt-out' email marketing, in which users are often subscribed to email marketing lists without their knowledge or consent, and must opt-out to discontinue receiving emails.
Companies are trying to understand what level of protection different data needs, whether this could force them to change the way they do business and innovate, and how to manage the EU's 28 national data regulators, which enforce the law.
Stiff penalties for violating the law — millions of dollars or up to 4 percent of annual revenue for each infraction, whichever is greater — has some internet-based businesses such as Unroll.me, an inbox management firm, and gaming company Ragnarok Online to block EU users from their sites to avoid adopting pro-consumer privacy practices. U.S. retailer Pottery Barn recently said it would no longer ship to EU addresses.
Billion dollar fines for violators
Just hours after the GDPR went into effect, a group that campaigns for data protection rights in Europe says it's filed legal complaints against Google, Facebook, Instagram and WhatsApp over the way they obtain users' consent under new EU privacy rules.
The group NOYB.EU - which stands for "none of your business" - claims its action could force the U.S. internet giants to pay up to 7 billion euros ($8.2 billion).
In a statement Friday, the group argued that the companies are making users' consent to their new terms of service a requirement if they want to continue using the service. Those who object have to delete their account.
Max Schrems, a veteran of legal fights against Facebook and chair of the privacy group, said this amounts to "forced consent," prohibited by the EU's General Data Protection Regulation.