The new law, the General Data Protection Regulation or GDPR, takes effect on May 25. The law is very complex but has two main data goals: to give people control over what data they hand over to companies; and to require companies to be more open about how they use that data.
The United States has no similar law, but a couple of politicians in the hearings asked Zuckerberg to commit to giving Americans the same protections as Europeans under the GDPR. He did.
Facebook confirmed that its intention is to extend the spirit of the European standard to all its users. “The GDPR and E.U. consumer law set out specific rules for terms and data policies which we have incorporated for E.U. users,” said Stephen Deadman, Facebook's deputy chief global privacy officer. “We have been clear that we are offering everyone who uses Facebook the same privacy protections, controls and settings, no matter where they live. These updates do not change that.”
As a result of the law, Facebook is overhauling the look of three settings and asking users to reevaluate them: facial recognition data; specific profile information such as political affiliation or religious views; and data shared with outside companies so that Facebook can serve ads.
While Facebook is making those changes, those privacy protections don't have the same weight of the law behind them in the United States as they do in Europe. Here, they're backed by Facebook's promise.
That difference between the E.U. law and Facebook's agreement for U.S. users manifests itself in a couple of ways. The most notable of these are policies that apply to children ages 13 to 15. (Technically, no one younger than 13 is supposed to have a full Facebook account, anyway.)
Under GDPR, parents or guardians have to give their explicit approval before teens of that age can see ads based on their interests on Facebook or its sister network Instagram.
In the United States, since there is no law comparable to the GDPR, Facebook is going to give teens the option not to be served ads based on their interests, but it won't ask for parental consent.
Other differences are more subtle. Facebook's facial recognition wasn't previously turned on in Europe (or Canada) after regulators questioned whether Facebook was properly getting permission to collect that information. Now all European users will see a new option to flip facial recognition on — both for security reasons such as identifying faked accounts and for Facebook to use the data itself.
Some U.S. users will see this, others won't. Facebook has this option turned on by default in the United States. Americans who've already turned off this feature shouldn't see this screen again; Facebook will simply keep the feature off.
Finally, other differences between what Europeans and Americans see are a matter of wording. Facebook's terms of service in Europe contain specific references to parts of the GDPR that don't carry a legal definition in U.S. law. Europeans will see a screen asking them specifically about GDPR-defined “specially protected personal data,” which includes political affiliation, religious views and romantic interests with advertisers. Meanwhile, Americans will be asked about the same data, but the legal term doesn't mean anything in the United States.
Overall, the design changes will look very similar around the world. Facebook is simplifying its settings on Web and mobile, making it easier for people to find the option to download all of their Facebook data or delete their account.
Overall, the GDPR does change some things about how we interact with Facebook — but not as much as a U.S. law would.