Europe’s new data and privacy rules take effect a week from Friday, clarifying individual rights to the personal data collected by companies around the world for targeted advertising and other purposes.

Years in the making, the rules are prompting companies to rewrite their privacy policies and, in some cases, apply the European Union’s tougher standards even in the U.S. and other regions where privacy laws are weak. Although they take effect as Facebook faces an enormous privacy crisis, that timing is largely coincidental.

Not much will change for you, at least right away; companies will keep on collecting and analyzing personal data from your phone, the apps you use and the sites you visit. The big difference is that now, the companies will have to justify why they’re collecting and using that information.

So now companies are flooding their users with notices that aim to better explain their practices and the privacy choices they offer. European Union regulators have new powers to go after companies that get too grabby or that don’t tell you clearly what they’re doing with your data.

Facebook, Google and their ilk may be headquartered in Silicon Valley, but they have millions of users in Europe – and so have to comply with the new rules. Violators face fines of up to 20 million euros or 4 percent of annual global revenue – whichever is greater. That’s an incentive for companies to take these rules seriously.


In March, Facebook updated its privacy controls in hopes of making them easier to find and understand. CEO Mark Zuckerberg has said Facebook intends to offer those same controls and settings around the world, even though the GDPR governs only EU users.

But Facebook has been vague about applying other GDPR provisions to non-Europeans. That includes one that lets Europeans object to the processing of personal data, such as for marketing.

Facebook has also ramped up efforts to get your permission to use facial recognition to automatically identify people in photos — for instance, to make it easier to tag friends or to let you know if someone uses your photo. Facebook has been using that technology in much of the world for six years, but not in the EU and Canada, where privacy laws are stronger.

Now, EU and Canadian users are being invited to turn that feature on. Facebook says it will eventually ask everyone to reaffirm the use of facial recognition; the company previously assumed consent unless users took the initiative to turn that off.

Though Facebook isn’t making major changes to its data practices, its new privacy policy has one subtle change. Previously, all users outside the U.S. and Canada were legally managed by Facebook’s Irish subsidiary. Under the new rules, everyone outside Europe will fall under the jurisdiction of its U.S. headquarters.

That means users in Asia, for instance, won’t get the EU privacy protections. Facebook didn’t explicitly announce the change; the Associated Press confirmed it through checks in six countries.

Facebook also plans to offer a less-personalized version of its service for EU teens to comply with requirements that it obtain parental permission before kids under 16 can, for instance, list their political or religious views online. In the U.S., the cutoff is lower, at 13. Facebook won’t ask for parental consent in such cases outside the EU, but will ask teens themselves if they want these features.


Google also isn’t making major changes to its data practices, although it did rewrite its privacy policy to make it easier to understand. It now includes video to explain concepts better. Section headers have larger fonts, and links to related settings are more clearly marked. Google also expanded many sections to more fully explain how it collects and uses data.

Google is also expanding the availability of Family Link, a feature that lets parents create Google accounts for their children. As part of this, parents will have to give consent to comply with new EU provisions governing teens.

The feature also gives parents tools to control Android devices, such as locking the child’s device and blocking apps. Family Link was already available in 11 countries, including the U.S., the U.K. and Ireland. Google is now making that available in the rest of the EU.


Twitter’s new policy includes a few exemptions just for Europeans. Twitter says it may receive log data from websites that embed tweets or tweet buttons. But its policy now states that Twitter won’t collect such data “from browsers that we believe” are in the EU and four countries linked to the EU by trade agreements — Iceland, Liechtenstein, Norway and Switzerland.

Twitter also provides a link to contact its data protection officer, but says it’s for those in the EU or those four non-EU countries. Twitter doesn’t say what will happen when someone outside Europe tries to make contact through that link.


The rules take effect a week from Friday, when the EU’s General Data Protection Regulation, or GDPR, comes into force. Instead of separate rules in separate nations across Europe, there’s now a single set for the entire EU.

The new rules apply to all users in the 28-nation EU, regardless of where the companies collecting, analyzing and using their data are located. So the rules will affect giants such as Facebook and Google and small U.S. businesses with just one European client alike.


Companies have to use plain language to explain how they collect and use data. While companies generally aren’t changing what they’re doing, they are revising privacy policies to eliminate legalese. Google is embedding video (from its YouTube service, of course) to further explain the concepts.

GDPR spells out six specific ways that companies can justify the “processing,” or use, of personal data. Some are obvious, such as to fulfill contractual obligations – for instance, when an insurer pays out a claim. For other uses, such as ad targeting, companies can seek your consent. Those that aren’t sure they got consent properly are now going back to users.

There’s also a somewhat vague category called “legitimate interests.” It’s a catch-all justification that companies can fall back on to keep using data, though the company must show that its needs outweigh potential impact on users’ privacy, said David Martin, senior legal officer for the European consumer group BEUC.

Companies are also required to give EU users the ability to access and delete data, and to object to data use that a company justifies under the “legitimate interests” category or for direct marketing. Firms have to clarify how long they retain data.

And the rules force companies that suffer data breaches to notify regulators within 72 hours of becoming aware of them, and to tell affected users without undue delay when the breach puts them at high risk. By contrast, it took Yahoo more than two years to reveal a breach that ultimately involved three billion users.


Companies based in the EU have to offer these privacy protections to all their users, not just EU residents. Beyond that, the EU rules merely say they apply to “data subjects who are in the Union.”

But it’s an open question how the rules will affect visitors to Europe. Ailidh Callander of the London-based group Privacy International says many questions will be tested in courts and further rulemaking.

What’s clear is that companies won’t have to be as aggressive getting consent for data collection outside of Europe. (Absent regulation, companies typically assume consent unless a user says otherwise.) They can hold off seeking affirmative consent until you visit the EU, at which point you might confront a pop-up notice.


Some companies are extending at least some EU-style protections to all users. But they won’t face legal repercussions or fines if they fail to follow through with users outside the EU.

So unless the U.S. and other countries adopt privacy rules similar to those in the EU – something that’s not likely any time soon – many companies are likely to maintain double privacy standards.

Facebook CEO Mark Zuckerberg, for instance, promised “global settings and controls” for users during his U.S. congressional testimony in April, but was otherwise vague on the subject. When asked if U.S. users would have the same rights Europeans have to object to the use of data, Zuckerberg said, “I’m not sure how we’re going to implement that yet.”

But segmenting EU customers from the rest of the world isn’t easy, especially for smaller companies without Facebook’s or Google’s technical prowess. “It might seem like a smart move, but in some cases, it’s more work,” said Larry Ponemon, founder of the privacy research firm Ponemon Institute.
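The following is an added illustration of the kind of segmentation Twitter’s policy describes (declining to collect log data “from browsers that we believe” are in the EU or the four associated countries) and that Ponemon says is more work than it looks. It is not Twitter’s, Facebook’s or any other company’s code. The IP-to-country table is constructed from reserved documentation address ranges, the header handling assumes a single trusted reverse proxy, and the unknown-location rule is a design choice, not anything the article attributes to a company.

```python
"""Jurisdiction-gated logging for an embedded widget (constructed example)."""
import ipaddress
from typing import Optional

# The 28 EU member states at the time of the article, plus the four countries the
# article names as linked to the EU by trade agreements.
EU_28 = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}
PROTECTED = EU_28 | {"IS", "LI", "NO", "CH"}

# Hypothetical geolocation table. It uses RFC 5737 / RFC 3849 documentation
# ranges so it cannot match real traffic. A deployment would load a maintained
# GeoIP database instead; either way the answer is a belief about location.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.128/25"), "CH"),  # more specific than the /24
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "NO"),
]


def lookup_country(ip_text: str) -> Optional[str]:
    """Longest-prefix match against GEO_TABLE; None if unparseable or unlisted."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    best = None
    for net, cc in GEO_TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def client_ip(headers: dict, peer_ip: str, trusted_proxy: bool) -> str:
    """Pick the address to geolocate.

    X-Forwarded-For is client-controlled. Only the entry appended by your own
    proxy (the last one) is trustworthy, and only when such a proxy is actually
    in front of the server; otherwise anyone can choose their 'location'.
    """
    xff = headers.get("X-Forwarded-For")
    if trusted_proxy and xff:
        return xff.split(",")[-1].strip()
    return peer_ip


def embed_decision(ip_text: str) -> dict:
    """Decide whether a hit on an embedded widget may be logged.

    Design choice (an assumption of this example): fail closed. An address we
    cannot place is treated as protected, because logging an EU browser by
    mistake is the error with a regulatory cost; dropping a non-EU hit only
    loses data.
    """
    cc = lookup_country(ip_text)
    if cc is None:
        return {"collect": False, "country": None, "reason": "unknown_location"}
    if cc in PROTECTED:
        return {"collect": False, "country": cc, "reason": "protected_region"}
    return {"collect": True, "country": cc, "reason": "outside_protected_region"}


def log_embed_hit(ip_text: str, page_url: str, user_agent: str) -> Optional[dict]:
    """Return the record to store, or None when the hit must be discarded."""
    decision = embed_decision(ip_text)
    if not decision["collect"]:
        return None
    return {"ip": ip_text, "page": page_url, "ua": user_agent,
            "country": decision["country"]}


if __name__ == "__main__":
    # Constructed requests: one behind a trusted proxy, one direct with a spoofed header.
    ip_a = client_ip({"X-Forwarded-For": "198.51.100.7, 203.0.113.5"}, "10.0.0.1", True)
    ip_b = client_ip({"X-Forwarded-For": "198.51.100.7"}, "203.0.113.200", False)
    for ip in (ip_a, ip_b, "192.0.2.1"):
        print(ip, embed_decision(ip), log_embed_hit(ip, "https://example.com/", "ua"))
```

Two caveats follow directly from the article. Geolocation is a belief, which is why Twitter’s policy says “browsers that we believe” rather than “browsers that are”: VPNs, mobile carriers and travellers (the open question about visitors to Europe that Callander raises) all produce wrong answers, and the fail-closed default is what keeps those errors from becoming violations. And the gating is only as good as the address it runs on; trusting a forwarded header from a client that did not pass through your own proxy hands the classification to the client.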
