Don’t bother thanking Washington, which remains mired in gridlock despite rising public concerns about data privacy. Rather the changes emanate from the European Union, which is imposing a host of new regulations that are forcing global changes, including for hundreds of millions of tech consumers in the United States.
“I don’t know that these companies are making radical differences in what they’re doing,” said Justin Brookman, director of consumer privacy and technology policy for Consumers Union.
But the changes do mark a rare shift toward greater user control and transparency as companies scramble to comply with the European regulations. Those that fail to do so could face fines of up to 4 percent of global profits.
The new laws, known as GDPR, for General Data Protection Regulation, take effect May 25 in the European Union. They require that tech companies use plain language to explain how their data will be used and that users give explicit consent for these uses. As companies create new ways of using data, they must ask again for permission.
Under GDPR, users also are gaining new rights to download their data and move it to other platforms. And there are new restrictions on data collection on users younger than 16, unless parents or guardians consent.
Companies are not required to apply these same regulations outside the European Union. Some, such as Twitter, said they will implement privacy rules differently in the United States and Europe. WhatsApp, which is owned by Facebook, announced this week that it was raising the minimum user age to 16 in Europe but leaving it at 13 for users in the rest of the world, including the United States.
Many others, however, are choosing to adopt a single global standard because of the logistical challenges of maintaining two sets of privacy regimes and also to avoid the potential political and public-relations backlash for giving protections to one set of consumers and not others. Companies say there may be minor variations between privacy standards in the European Union and United States but not to a degree most users would notice.
Facebook chief executive Mark Zuckerberg, during congressional testimony this month, said his company would apply the European standards to U.S. users. A company blog post later elaborated, “Everyone — no matter where they live — will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook.”
Facebook users in the United States are scheduled in coming weeks to see a series of new consent screens explaining how the company collects and uses personal data and asking permission for these uses.
There will be questions specifically seeking consent for facial recognition technology, which Facebook for years has employed to identify people in photos uploaded to the platform. (The technology will be new, however, in the European Union and Canada, and people there will be asked to consent to its use for the first time.)
Google says that it, too, is applying the same privacy standards globally across its many online services, although as with Facebook there may be minor variations in how these standards are applied.
Apple, which relies less on the collection of personal data than some other big tech companies, last month added new privacy protections in updates of its operating systems to comply with GDPR. Those updates applied to users worldwide, the company said, and created new alerts to signal when Apple collects user data. The company also is allowing all users to request their data, seek corrections and demand that any account be deleted.
“Our first priority is to meet the E.U. requirements to comply with GDPR on May 25th,” the company said in a statement. “People around the world use our service in different ways and therefore how we present features must be customized by region.”
The uneven responses among the companies are frustrating privacy advocates, who argue that the arrival of GDPR offers an opportunity for fundamental change — beyond just a series of new explanations and consent boxes that users are asked to check.
“They’re just trying to get away with business as usual,” said Jeff Chester of the Center for Digital Democracy, a consumer advocacy group.