What is GDPR?
At a high level, GDPR is a privacy law that aims to give individuals in the EU more control over what data online services collect about them and how that data is used. The law also aims to increase transparency from companies about how they obtain data.
Several major stipulations in GDPR change the way companies handle data collection. Specifically, companies have to be more direct in the way they ask users for consent to collect their personal data. They also have to be more open in giving users access to their data, and in giving them the ability to delete it. GDPR also changes data breach guidelines: it requires that the relevant supervisory authority be notified within 72 hours of the company becoming aware of a breach. Some companies also have to appoint a data protection officer (DPO) to oversee data protection and ensure that the company complies with GDPR.
What Happens if GDPR is Violated?
The consequences for companies found to be violating GDPR can be severe. The maximum penalty is 4 percent of the company's global annual turnover or €20 million, whichever is higher. Considering that GDPR affects a number of high-profile, high-revenue companies, such as Facebook and Google, that 4 percent could amount to billions in fines.
Why Did GDPR Change Privacy Policies?
One of the major changes that came out of GDPR is the increase in transparency around how companies collect data. Prior to GDPR, companies often used vague and ambiguous language to explain complex data collection policies to users. GDPR aims to stop that. An official statement on the GDPR website says that, once the law is enforced, "companies will no longer be able to use long illegible terms and conditions full of legalese."
How Did GDPR Change Privacy Policies?
What does this all mean? How did GDPR really change privacy policies? To answer this question, Varonis compared the privacy policies of major tech companies before and after GDPR went into effect, looking at several components of each policy and reviewing how they changed. They looked at ten major tech companies.
The three components they looked at were:
- Word count: How has the total word count changed since GDPR took effect? Overall, Varonis found that the word count increased for almost all of the companies examined. The average increase was nearly 26 percent. Wikipedia's word count increased the most, by approximately 95 percent.
  - Lowest word count (before GDPR): Yahoo; 1,611 words
  - Lowest word count (after GDPR): Yahoo; 2,225 words
  - Highest word count (before GDPR): Reddit; 5,524 words
  - Highest word count (after GDPR): eBay; 5,666 words
- Reading time: How long does it take to read the whole policy? Because reading time scales with word count, the longest policies are also the slowest to read.
  - Lowest reading time (before GDPR): Yahoo; 7 minutes and 44 seconds
  - Lowest reading time (after GDPR): Yahoo; 11 minutes and 12 seconds
  - Highest reading time (before GDPR): Reddit; 26 minutes and 42 seconds
  - Highest reading time (after GDPR): eBay; 27 minutes and 32 seconds
- Reading level: Reading level is the approximate grade level at which a user must read to comprehend the text. The general public's reading level hovers around grade 8. Surprisingly, given that GDPR aimed to increase transparency around privacy policies, many reading levels went up: the average change in reading level was an increase of almost 4 percent. eBay clocked in with the highest reading level, at 20.
  - Lowest reading level (before GDPR): Facebook; 11
  - Lowest reading level (after GDPR): Reddit; 12
  - Highest reading level (before GDPR): eBay; 18
  - Highest reading level (after GDPR): eBay; 20
Overall, Wikipedia had the largest update (word count increase) and eBay had the highest reading level (20). Yahoo remained steady with the lowest word count and the lowest reading time both before and after GDPR. For a full overview of how GDPR changed privacy policies, see the graphic below.
Infographic source: Varonis
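The three measures in the Varonis comparison (word count, reading time, reading level) are straightforward to reproduce on any policy text. The following Python example is added here and is not part of the original article or of the Varonis study. It assumes a reading speed of 200 words per minute (the word counts and reading times quoted above work out to roughly that rate) and uses the Flesch-Kincaid grade level as the reading-level formula, since the article does not say which readability measure Varonis used. The two policy clauses are constructed for the example.

```python
import re

# Flesch-Kincaid grade level coefficients (assumed formula; the article does
# not name the readability measure Varonis used).
_FK_SENTENCE = 0.39
_FK_SYLLABLE = 11.8
_FK_OFFSET = 15.59

# Assumed reading speed. The article's figures (e.g. 1,611 words read in
# 7 minutes 44 seconds) work out to roughly 200 words per minute.
DEFAULT_WPM = 200


def words(text):
    """Tokenise on letters and apostrophes; punctuation and digits are dropped."""
    return re.findall(r"[A-Za-z']+", text)


def sentences(text):
    """Split on terminal punctuation; commas and semicolons do not end a sentence."""
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def count_syllables(word):
    """Heuristic syllable count: vowel groups, minus one for a silent trailing 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if n > 1 and w.endswith("e") and not w.endswith(("le", "ee")):
        n -= 1
    return max(n, 1)


def word_count(text):
    return len(words(text))


def reading_time_seconds(text, wpm=DEFAULT_WPM):
    return word_count(text) * 60 / wpm


def format_reading_time(seconds):
    """Render seconds in the article's 'M minutes and S seconds' style."""
    m, s = divmod(int(round(seconds)), 60)
    return f"{m} minutes and {s} seconds"


def flesch_kincaid_grade(text):
    """Grade level needed to follow the text: longer sentences and more
    syllables per word both push the score up."""
    ws = words(text)
    ss = sentences(text)
    if not ws or not ss:
        return 0.0
    syllables = sum(count_syllables(w) for w in ws)
    return (_FK_SENTENCE * len(ws) / len(ss)
            + _FK_SYLLABLE * syllables / len(ws)
            - _FK_OFFSET)


def percent_change(before, after):
    return (after - before) / before * 100


def report(text, wpm=DEFAULT_WPM):
    return {
        "words": word_count(text),
        "sentences": len(sentences(text)),
        "reading_time_s": reading_time_seconds(text, wpm),
        "grade": round(flesch_kincaid_grade(text), 1),
    }


def compare(before, after, wpm=DEFAULT_WPM):
    """Before/after summary in the same terms as the Varonis comparison."""
    b, a = report(before, wpm), report(after, wpm)
    return {
        "before": b,
        "after": a,
        "word_count_change_pct": round(percent_change(b["words"], a["words"]), 1),
        "grade_change": round(a["grade"] - b["grade"], 1),
    }


# Constructed sample clauses (not from any real policy): a plain-language
# version and a legalese rewrite that says the same thing.
BEFORE_POLICY = (
    "We collect your name and email. We use them to send you updates. "
    "You can delete your data at any time."
)
AFTER_POLICY = (
    "Notwithstanding the foregoing, the Company and its affiliated entities "
    "collect, process, and retain personal identifiers, including without "
    "limitation your name and electronic mail address, for the purposes of "
    "delivering communications and fulfilling contractual obligations; you may "
    "exercise your erasure rights by submitting a verifiable request through "
    "the designated mechanism."
)

if __name__ == "__main__":
    result = compare(BEFORE_POLICY, AFTER_POLICY)
    for label in ("before", "after"):
        r = result[label]
        print(f"{label}: {r['words']} words, "
              f"{format_reading_time(r['reading_time_s'])}, "
              f"grade level {r['grade']}")
    print(f"word count change: {result['word_count_change_pct']}%")
```

The syllable counter is a heuristic, so individual words can be off by one; over a few thousand words of policy text that noise averages out, which is why comparisons like the one above are normally reported at whole-document granularity.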