On May 25, 2018, the General Data Protection Regulation, an online privacy law affecting companies and citizens in the European Union, took effect. Better known as GDPR, the law changed the way companies are able to collect and use the personal data of EU citizens. The result was a flood of privacy policy updates that reached far beyond the European Union.
Q2 hedge fund letters, conference, scoops etc
What is GDPR?
At a high-level, GDPR is a privacy law that aims to given citizens of the EU more control around what data is collected by online services, and how that data is used. The new law also aims to increase transparency from companies on how they obtain data.
There are several major stipulations in GDPR that will change the way companies handle data collection. Specifically, companies have to be more direct in the way they ask users for consent to collect their personal data. They also have to be more open in giving users access to their data, and the ability to delete it. GDPR also changes data breach guidelines; specifically, it includes a 72-hour breach notification requirement. Some companies also have to appoint a data protection officer (DPO) to oversee data protection and ensure that the company is compliant with GDPR regulations.
What Happens if GDPR is Violated?
The consequences for companies found to be violating the terms of GDPR can be severe. The penalty is up to 4 percent of the company’s global annual revenue, or €20 million, whichever is higher. Considering that GDPR’s implementation affects a number of high-profile, high-revenue companies—such as Facebook and Google—that 4 percent could amount to billions in fines.
Why Did GDPR Change Privacy Policies?
As a result of GDPR’s implementation, users around the globe found their inboxes flooded with privacy policy updates. These updates are largely a result of companies changing their policies to ensure that they’re compliant with the new rules and regulations.
One of the major changes that came out of GDPR is the increase in transparency around how companies collect data. Prior to GDPR implementation, companies used vague and ambiguous language to explain complex data collection policies to users. GDPR aims to stop that. In fact, an official statement from the GDPR website states that following the law’s enforcement, “companies will no longer be able to use long illegible terms and conditions full of legalese.”
I’m in the U.S. — Why Did I Get Privacy Policy Updates?
One of the major points of confusion for users was why people around the world were receiving privacy policy updates, not just users in the EU, where the law took effect. This is because the law applies to all companies with any users located within the European Union, not just companies that are physically located within the Union themselves. So, if a company is physically located in the United States but collects data from companies within the EU (for example, Facebook) the company is still subject to GDPR. The result was a slew of privacy policy updates for users across the globe.
How Did GDPR Change Privacy Policies?
What does this all mean? How did GDPR really change privacy policies? To answer this question, Varonis took a look at the privacy policies of major tech companies before and after GDPR went into effect.
To see how GDPR affected privacy policies, Varonis took a look at several components of policies and reviewed how they changed. They looked at ten major tech companies:
- Amazon
- Wikipedia
- Yahoo
- eBay
- Netflix
The three components they looked at were:
- Word count: How has the total word count changed since GDPR implementation? Overall, Varonis found that the word count had increased for almost all of the companies looked at. The average word count increase was nearly 26 percent. Wikipedia’s word count increased the most, at approximately 95 percent.
- Lowest word count (before GDPR): Yahoo; 1,611 words
- Lowest word count (after GDPR): Yahoo; 2,225 words
- Highest word count (before GDPR): Reddit; 5,524 words
- Highest word count (after GDPR): eBay; 5,666 words
- Reading time: The second component Varonis looked at was how long it took to read the privacy policy. Overall, they found that the majority of companies increased the total reading time, in correlation with the increase in word count. It would take over 3 hours to read the privacy policies of all 10 companies looked at.
- Lowest reading time (before GDPR): Yahoo; 7 minutes and 44 seconds
- Lowest reading time (after GDPR): Yahoo; 11 minutes and 12 seconds
- Highest reading time (before GDPR): Reddit; 26 minutes and 42 seconds
- Highest reading time (after GDPR): eBay; 27 minutes and 32 seconds
- Reading level: Reading level is the approximate level at which a user must read to comprehend what they’re reading. The general public’s approximate reading level hovers around an 8. Surprisingly, given that GDPR aimed to increase transparency around privacy policies, many reading levels increased — the average change in reading level was up almost 4 percent. eBay clocked in with the highest reading level, at 20.
- Lowest reading level (before GDPR): Facebook; 11
- Lowest reading level (after GDPR): Reddit; 12
- Highest reading level (before GDPR): eBay; 18
- Highest reading level (after GDOR): eBay; 20
Overall, Wikipedia clocked in with the largest update (word count increase) and eBay came in with the highest reading level (20). Yahoo remained steady with the lowest word count and the lowest reading time before an after GDPR. For a full overview of how GDPR changed privacy policies check out the graphic below.
Infographic source: Varonis
