At just a year old, the General Data Protection Regulation has already forced big tech firms to make significant changes to their privacy policies. And its real effects are still to come.
Europe’s General Data Protection Regulation, which celebrates its first birthday Saturday, has managed to do a lot as a tyke.
The GDPR changed the rules for companies that collect, store or process information on residents of the EU, requiring more openness about what data they have and who they share it with. The law is hailed as the global standard for privacy in the digital age, in which data is a precious commodity.
The GDPR came into effect a few months after the news broke that political consultancy Cambridge Analytica had gotten ahold of personal data on 87 million Facebook users without their permission. The timing emphasized the need for the GDPR and highlighted that it was overdue.
The law has forced Facebook and its Silicon Valley neighbors to make sweeping changes to their privacy and data-handling policies, such as asking users to consent to new terms and bringing in pop-ups to inform them of any changes. Importantly, it introduced special protections for teenagers. So far, only one US company, Google, has been hit with a major fine.
For the big US companies, the real effects of the GDPR are still to come. The EU’s move to update its privacy regulation has spurred other countries around the world — including Silicon Valley’s home turf — to consider following suit. And because it’s been used sparingly in its first year, tech companies big and small still haven’t felt the force of the regulation.