The Washington PostDemocracy Dies in Darkness

Why you’re getting flooded with privacy notifications in your email

All those emails you've received about updated privacy policies are due to GDPR - Europe's General Data Protection Regulation. (Video: Reuters)

If you're like most Internet users, you've probably gotten a dozen or more emails this week notifying you of looming privacy policy updates at your favorite websites — and perhaps even at a few sites you'd completely forgotten about.

What is the big deal, and why is everyone from Airbnb to Yelp suddenly updating their terms of service? Here's all you need to know.

What the heck is going on? Am I being spammed?

No, this is the real deal. Websites around the world are having to update their policies because of a new set of privacy protections being put in place by the European Union.

The EU's General Data Protection Regulation, or GDPR, went into effect on Friday. The regulations were written to benefit European citizens by giving them more control over the data that's collected by online services. But in practice, the new rules will have widespread ramifications as even U.S.-based companies who handle the data of E.U. citizens try to make sure they're in compliance. The changes you're seeing in corporate privacy policies is one example.

As Europe's data law takes effect, watchdogs go after tech companies

What does GDPR say companies have to do?

The new policies, which will be enforced by the Information Commissioner's Office, require companies to be explicit in their efforts to seek consent from consumers before collecting their personal information. Companies also have to give consumers easy access to their own data, and to delete that data if the customer requests it. Many companies subject to GDPR are expected to appoint a data protection officer. And importantly, companies have to notify users quickly of data breaches when they occur — under the new rules, they have 72 hours to inform the public after a breach is discovered.

What happens if the companies violate GDPR?

Failure to comply with GDPR comes with the risk of heavy fines — up to 4 percent of a company's annual global revenue, or €20 million (about $23 million), whichever is higher. In the case of Facebook, which pulled in $40.7 billion in revenue last year, a violation could mean an eye-popping $1.6 billion penalty. In fact, Facebook has already been hit with lawsuits alleging violations of GDPR on the policy's very first day; in response, the company has said it's been working to comply with GDPR for the past 18 months.

I'm in Europe. Why can't I access some U.S. sites?

A number of U.S.-based news sites — the Los Angeles Times, Chicago Tribune, Baltimore Sun and a raft of others — have basically gone offline as far as European readers are concerned. When you try to visit any of these sites from a European location, you get this (I tested it with a VPN):

The common denominator underneath these different publications is that they are all owned by the same parent company, Tronc. The media company put out a statement Friday that reads exactly the same as what viewers see on the blocked sites: "We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism."

Unlike other news outlets such as NPR, which have updated their privacy policies in light of the new regulations, Tronc appears to have sidestepped having to comply with GDPR by simply making its sites unavailable to E.U. residents altogether. (The Washington Post, for its part, has updated its privacy policy and introduced a new subscription tier for readers who do not wish to have their data collected, said Miki King, vice president of marketing at The Post.)

What are the downsides for consumers?

Some companies have chosen to go blank in Europe instead of having to comply with the expansive privacy regulations, including websites such as and Klout. More widely accessed U.S. media outlets — including the Chicago Tribune, the Los Angeles Times and the Baltimore Sun — similarly blocked some of their European users starting Friday. It is uncertain when or if those websites will become accessible again.

Ahead of the law taking effect Friday, consumers also complained about a number of bureaucratic challenges, such as an influx of consent-seeking emails from companies trying to distribute their newsletters or doctors making their patients sign pages-long forms about how to store their data.

So, if it’s all so complicated, why did Europe bother to introduce the rules?

European Union regulators have always been much tougher on tech companies than their U.S. counterparts, for instance forcing them to give users more control, imposing fines for noncompliance and requiring platforms to spot and delete illegal content.

Depending on the E.U. countries, there is generally also more public backing here than in the United States for the sort of expansive regulations that took effect Friday — at least as long as they don’t turn the Internet into a bureaucratic nightmare.

Where can I go to find out more?

Here's a detailed checklist of the things companies must do to be in compliance. And here's where you can find the text of GDPR itself.

Staff writer Rick Noack contributed to this report from Berlin.