The other day, a friend of mine said he recently received several strange emails from every online company with which he has an account.
“They’re all notifying me that they’re updating their privacy policies,” he said. “It seems the Facebook thing has sent some shockwaves throughout companies all across the internet.”
That “Facebook thing” was the ongoing fallout from a recent privacy scandal, in which it was revealed that the personal user data of 87 million users had been improperly obtained and used by consulting firm Cambridge Analytica.
Since then, Facebook CEO Mark Zuckerberg testified in two congressional hearings. In the UK, parliament has questioned two key parties involved in the scandal this week. And now, rumors are circulating that Zuckerberg might testify again — this time, before European Parliament in Brussels.
But that’s not why my friend — and many others — received these emails. These emails are the result of the looming GDPR, and the confusion around it is widespread.
The Chaos and Confusion of the GDPR
About the GDPR
When I informed my friend that he was receiving the emails not because of Facebook privacy fallout, but rather because of the GDPR, his response was, “GDPR?”
For those who might share in that confusion — and as I’ll go on to explain, you’re far from alone — GDPR stands for General Data Privacy Regulation, a new EU Regulation that significantly enhances the protection of the personal data of EU citizens and increases the obligations on organizations who collect or process personal data.
Even if an organization is based in the U.S., if it controls or processes the data of EU citizens, the GDPR will apply — which is why so many of them are updating their terms and policies, and subsequently notifying users.
In my line of work, I hear about the GDPR on a daily basis, often several times a day. But most people don’t, as I learned when I shared this story with others. I learned that they, too, were a bit unfamiliar with the new regulation — and the reason why they were receiving these notifications.
The Misunderstanding of Updated Terms Notifications
To be fair, there’s been some mixed messaging within these various notifications from brands about their updated terms and policies. This one from Airbnb, for example, doesn’t mention the GDPR:
However, this one from Etsy does mention the GDPR:
In fact, when I did a personal inventory of my own inbox, I found that there were only three brands (out of dozens) that even mentioned the GDPR within their notifications.
Within the U.S.
But being the data nerd that I am, I wanted to find out just how widespread this confusion is — so, I ran a survey of 300 internet users in the U.S. to see how many were under the impression that these notifications were the result of the Facebook privacy scandal.
As the chart above indicates, nearly three-quarters of U.S. internet users believe that these notifications are the result of the fallout experienced by Facebook.
But that didn’t necessarily indicate that these consumers were unfamiliar with the GDPR. So, I ran another survey of 305 U.S. internet users to find out if they were familiar with the new EU regulation.
Evidently, two-thirds of U.S. consumers aren’t familiar with the GDPR after all.
But that’s somewhat understandable, as the new regulation applies to EU consumers, not U.S.-based ones. And for many of the latter, data privacy has become a more salient topic in the wake of a misuse of our personal Facebook data. Out of the 87 million users whose information was compromised, about 80% of them — 70 million — are based in the U.S.
Within the UK
That could explain why so many U.S. consumers are under the impression that these emails are a response to this turn of events from Facebook. But still, I wanted to find out if this was limited to this country alone, where the GDPR won’t apply.
I ran a third survey — this time, of 305 internet users in the UK (where GDPR will apply until the UK leaves the EU in March 2019) to find out if they, too, thought these updated terms and policies were the result of Facebook’s privacy scandal.
As it turns out, nearly the same percentage of UK internet users believe that these are the result of the fallout around Facebook as those in the U.S. do — 72% versus the U.S.’s 74%.
But what about their knowledge of the GDPR? In a nation where the new regulation will apply, I thought, perhaps more consumers will be familiar with it. To find out, I ran a fourth, final survey of 300 UK internet users.
The numbers are slightly better here — 39% of UK consumers are unfamiliar with the GDPR, versus 64% in the U.S.
What’s Behind the Confusion?
The idea of over a third of consumers in a region where the regulation will apply not knowing what it is was perplexing, at a minimum.
It didn’t exactly come as a surprise, however, as research conducted by HubSpot in February indicated that only 36% of marketers and business leaders in the UK, Ireland, Germany, Austria, and Switzerland had even heard of the GDPR.
But now, with the GDPR coming into force in less than a month, why are consumers still so confused?
“Privacy Literacy is a core issue here,” says HubSpot Marketing Fellow, Sam Mallikarjunan. “The Cambridge Analytica issue, for example, wasn’t based off some technical exploit — just a lack of privacy literacy. Your data and anecdotes are showing this very clearly.”
But it’s not exactly a new phenomenon. “Most of this is not technological — it’s literacy,” he continues. “Just like we had to teach people to shred their bank statements, we need to teach people the basic ways in which your privacy can be abused.”
As the days remaining until the GDPR comes into force continue to wind down, it will be interesting to see if the numbers change. And once the regulation does take effect, I plan to run similar surveys again, to determine to what extent consumers understand or are aware of it.
But we have a long way to go, Mallikarjunan says, until consumers have a vast understanding of how what they put online can be used — and misused.
“If we decide that privacy is legitimately something that we’re going to continue to value in our society — which I would not say is a given,” he explains, “then we need to invest in true privacy literacy with vigor.”