GDPR (or the mails you are deleting and you) and YOU

in #technology, 6 years ago

GDPR and YOU

  • So what is the General Data Protection Regulation and how does it affect you?
  • Why are you receiving all these emails from sites you registered with, asking you to agree to continue being "friends" (as many sites put it) in order to keep using their services?
  • Wasn't the EULA you were agreeing to enough?

I will try to answer these questions in simple terms and, along the way, find out whether and how well the major sites have implemented the changes now required for them to operate.


GDPR is a set of regulations about data protection and privacy within the European Union, adopted on April 14 2016 and applicable from 25 May 2018. Even though it is an EU law, any company operating in the EU (meaning having EU customers) is required to obey those rules. This means that most global sites have had to implement the changes required by the law in order to keep their EU customers. Sites and apps already had a two-year grace period to implement those changes.

In simple terms, the changes that sites/apps are required to implement aim to:

  • Give individuals more information about how their data are being used.
  • Give users a choice. Users must take an affirmative action to agree; sites/apps cannot assume consent or use pre-checked boxes.
  • Inform the supervisory authorities within 72 hours of any data breach. If it is serious, the affected individuals must also be informed.
  • Give the users the ability to move, copy or transfer their collected data.

Failure to comply with the above may result in fines of 4% of annual revenue or €20 million (whichever is higher).

Implementation

I will check how many sites implemented the required changes and how they reveal what information they are using and how. Let's start with some sites.

Runkeeper

One of my personal favorite apps for tracking my workouts/runs. Let's see how clear the language is now compared with the usual mumbo jumbo of EULAs.
Runkeeper is owned by the ASICS shoe company, so the policy essentially starts by saying who ASICS is and then what data they collect.
Data includes: name, postal address, telephone number, electronic identification data (IP, MAC address), date of birth, gender, time zone, language preferences, store purchases, training / running data, reviews and more.
Most of those are data we share ourselves, but some, as you can see, are there for identification/tracking purposes. And now to the interesting part: what do they do with all that saved data?
The above data are used for the following purposes:

  • Commercial purposes (newsletter and general marketing)
  • Improvement of the services (both aggregated and individual data are used)
  • Assist in security and fraud prevention
  • Remind you per email about abandoned items in your cart

And many more. Pretty straightforward, no-bullshit explanations throughout. And lastly, who can they share the data with?

  • Partners - only if you have given consent (very important)
  • Third parties in case of legal requirement (can't imagine where it will be needed in a running / GPS tracking app)
  • Corporate transaction (sale, bankruptcy, etc.)
  • With Consent (essentially to everyone as long as you consent - careful when you click next)

Of course, there is a section about cookies and how they are used for tracking and ads, but that is another section.

Generally, the wall of text was pretty straightforward about what data they are using and how.

Patreon

Another favorite site of mine for supporting creators with filthy FIAT money 😝. They warn you upfront that this is a big wall of text, but the most important stuff in each paragraph is at the beginning. By continuing to use the site you automatically accept those terms.
They keep good, clear language about copyrights, the cuts they take from creators, etc.
Something I didn't know (which is probably common on other sites as well) is that if the site is sued because of you, you HAVE to help pay for it.

Those were some sites that don't do much targeted advertising. Let's check the big league now.

Facebook

I logged in to an old fake account I had for testing. As a first step, it asked me to review the following:

  • How we use personal data from advertisers, app developers and publishers to show you relevant ads
  • An option to turn on face recognition
  • Our updated Terms, Data Policy and Cookies Policy

And this is when the things get interesting. Notice the design of the next page.

[Screenshot: Facebook's "Accept and Continue" / "Manage Data Settings" page]

Facebook is not a small startup; they have professional designers, so all of this design is intentional. Notice the colored "Accept and Continue" button, which, my guess is, 90-99% of people will click to carry on and get their dose of Facebook's delicious dopamine. Also, notice how the "Manage Data Settings" button is styled. Not a fair comparison to the bright and glorious "Accept and Continue". We already have some guidance from the company to accept whatever this is and move on with your life. Lastly, look at the "What's collected" line. You have to scroll down to see more info about this, which again most people will not do. Bonus small detail: the messaging and updates icons on the top right put a little pressure on you to continue and see your messages and notifications. It looks like you have some messages and updates even if you don't. There are many, many things to see, but I will just quote the 2 lines they give you.

Here are some examples of data that these partners may share with us:
Your activities on websites and apps that use Facebook Business Tools, such as our pixel or our Like button, including when you buy something online or download an app
Your offline interactions with partners, like buying a helmet at a cycling shop

Let's move on to "Manage Data Settings". I get a screen telling me to consider the following before I review my settings and make my choice: when they use data from advertisers, I get relevant ads (like hotel deals if I visit travel websites), but if I don't want them to use that data, I get the same number of ads, just irrelevant to my searches. Let's move on to the next screen.

[Screenshot: Facebook's advertiser-data settings page with a pre-checked box]

Again the same tricks: the colored button and the pre-checked box, which is not exactly legal under GDPR (pre-checked boxes and inaction do not constitute consent). I will go off-topic for a moment to explain how people behave when faced with a choice they are unsure about.

[Image: organ donation rates by country]
In the graph above we see that Spain and Croatia have very high organ donation rates. Is there something culturally similar, maybe, that makes people donate more than in, for example, the US? Not at all. The reason these countries have a high donation rate is that they use an opt-out policy when they ask you whether you want to be a donor when you get your driving license. Asking you to check a box if you DON'T want to be a donor means you have to actively want not to be one in order to check it. Being a donor is the default choice, so most people who are unsure will carry on to the next question and therefore remain donors.

Back to Facebook. The next screens ask you about face recognition, again with the same button tricks etc, and lastly, you need to accept the updated terms of service if you want to continue using Facebook or click a tiny button that lets you backup your data and then delete your account.

ALL the choices they want you to make can be made with one click. ALL the options you might actually want are hidden behind 2-3 extra screens/clicks.

I picked Facebook because it is popular, but I am pretty sure most other big sites follow the same principles. In fact, on the first day the law became applicable, both Facebook (including Instagram and WhatsApp) and Google were sued for a total of $8.8 billion. Both companies use the all-or-nothing approach to consent, which is a violation of the GDPR's provisions.
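Here is an added example, not code from this post or from any of the sites it reviews, of how a consent dialog could be audited for the two tricks just described: a pre-checked box and consent for several purposes bundled into one "Accept and Continue" click. Each checkbox is modelled as a plain object mirroring the DOM's `defaultChecked` (the HTML `checked` attribute, i.e. pre-checked) and `checked` (state after the user acted); the purpose ids and the `essential` flag are assumptions, loosely following the Runkeeper purpose list.

```javascript
const PURPOSES = [  // assumed purpose ids; only the core service is essential
  { id: 'service',   essential: true  },  // needed to run the app at all
  { id: 'marketing', essential: false },  // newsletter / general marketing
  { id: 'ads',       essential: false },  // ads based on partner data
  { id: 'face',      essential: false },  // face recognition
];

// Returns the purposes validly consented to, and why the others were not.
// `inputs` models the dialog's checkboxes as {name, defaultChecked, checked}.
function auditConsent(inputs) {
  const granted = [];
  const problems = [];
  for (const p of PURPOSES) {
    const box = inputs.find(i => i.name === p.id);
    if (!box) {
      // No separate box: the purpose rides along with "Accept and Continue".
      if (!p.essential) problems.push(`${p.id}: bundled, no separate choice`);
      continue;
    }
    if (box.defaultChecked) {
      // Leaving a pre-checked box alone is inaction, not an affirmative action.
      problems.push(`${p.id}: pre-checked box does not count as consent`);
      continue;
    }
    if (box.checked) granted.push(p.id);
  }
  return { granted, problems };
}

// The record a site should store; refuses to record invalid consent at all.
function recordConsent(inputs, policyVersion, timestamp) {
  const { granted, problems } = auditConsent(inputs);
  if (problems.length) return { ok: false, problems };
  return { ok: true, policyVersion, timestamp, granted };
}

// Constructed sample 1: the dark-pattern dialog described in the post.
const DARK_DIALOG = [
  { name: 'service', defaultChecked: false, checked: true },
  { name: 'ads',     defaultChecked: true,  checked: true },  // pre-checked
  // 'marketing' and 'face' have no box of their own: the big button grants them
];
// Constructed sample 2: separate boxes, all unchecked by default; user ticked two.
const FAIR_DIALOG = [
  { name: 'service',   defaultChecked: false, checked: true },
  { name: 'marketing', defaultChecked: false, checked: false },
  { name: 'ads',       defaultChecked: false, checked: true },
  { name: 'face',      defaultChecked: false, checked: false },
];
```

Running `recordConsent(DARK_DIALOG, ...)` refuses to store anything and lists three problems, while the fair dialog yields a record granting only `service` and `ads`.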

Tracking cookies, on the other hand, were another issue. Actually trying to find a way to disable tracking cookies got me to this page.

[Screenshot: the cookie opt-out page with its loading bar]

How come every time you want to unsubscribe from something it takes time or even days (in the case of emails), while subscribing takes seconds? In this case, there was a loading bar while it made the unsubscribe requests! And in the end (after, of course, 2-3 more screens) it failed to do so in some cases, due to "temporary technical issues".

Conclusions

The answers to the questions I asked in the beginning are quite simple.

  • How does it affect you?

For the first time, you now have the ability to clearly know how the sensitive data you are sharing are being used.

  • What about those emails?

Even with the EULAs, companies can no longer assume consent to how your data are being used. You have to agree, and the companies have to give you options about many things (including the ability to delete your account and data, move your data to another service, and the ability not to be tracked for relevant ads).

  • Weren't EULAs enough?

EULAs were and are an all-or-nothing approach: you agree to them to use the site. You still have to agree to those. But now you have more options, as I mentioned above, and the companies have responsibilities that can't be avoided by hiding terms in their license agreements.

Do you care about the above? Do you think that the ability to control your data under GDPR is useful? Or are you clicking "Accept and Continue" to continue browsing your favorite sites?




I think with all this "fuss" a lot of people started checking a little bit more thoroughly what exactly they were accepting in the past. At least I did :P
It also caught my eye how they use fancy colors and pre-set some of the options. That's a really devious tactic to use, and it says a lot both about the type of company they are and about how much value those data have for them.


EULA is just an acronym for Each Uniformly Liberally Assed.

If you want to have GDPR fun (and have European IP), go to https://www.newyorker.com/ I think it was.
I tested it - it took me 20 minutes to opt out of everything, which was only possible for half the stuff, and 20 things (like in your picture) didn't work for "technical reasons".

Oh ok so it is common. I wasn't unlucky that it "failed" to unsubscribe.
