Sex, drugs and GDPR: Why even rock stars are flooding your inbox

Even rock stars have to comply with the sweeping new data privacy law that takes effect in Europe on Friday.
The Rolling Stones perform during their No Filter tour in Dublin on May 17. Charles McQuillan / Getty Images

The Rolling Stones sent out an email on Wednesday asking their fans to confirm that they’d like to stay on the band’s mailing list.

“You have probably had many emails like this land in your inbox in the last few weeks, regarding the new General Data Protection Regulation (GDPR),” the email states.

That’s putting it lightly.

Email inboxes have been awash with similar messages in recent weeks as companies that hold user data send legally required messages letting people know about changes to privacy policies and, in some cases, asking users to opt in if they want to continue receiving emails.

Not a Stones fan? How about Cher?

The emails highlight just how far Europe's new regulations are expected to reach. While the law will be enforced in Europe, in many cases it also extends stronger data privacy protections to Americans, according to experts.

The new rules, called the General Data Protection Regulation, or GDPR, take effect on Friday and enforce the principle that each person owns their own data and has a right to walk away with it from any company. Companies holding consumer data are also required to notify regulators of a breach within 72 hours and could face fines as steep as 4 percent of their annual revenue for mishandling customer data and potentially be required to reimburse users for the cost of their data.

Users may be tempted to click through these notifications, but Lou Jordano, chief marketing officer of the brand analysis firm Crimson Hexagon, said there’s now a “unique opportunity for consumers to take control.”

“There is a ton of information that is out there and people are perhaps being bombarded, but it would behoove them to read it and pay attention to it,” he said.

While some emails serve only as notifications of the upcoming changes, including a user’s right to personal data, some groups are asking subscribers to opt in if they want to continue hearing from them after Friday.

An easy way to corral the email notifications is to do a search for keywords — such as GDPR, privacy or personal data — to ensure emails that might have been sent before last week are also included in the list to review. This is one way to see who has your data.

“There are certainly a lot of emails to go through and that speaks to how many digital technologies we encounter day to day, and for most people it’s not practical or feasible to go through every privacy policy you encounter every time you encounter an app or a website,” said Lindsey Barrett, policy fellow at the nonprofit think tank Future of Privacy Forum.

The good news is: You don’t have to read every single privacy policy, unless you really, really want to.

Companies that a subscriber already does business with may not ask people to take any additional steps in order to continue receiving emails. Other groups, such as the Rolling Stones mailing list, do present subscribers with a button to click if they want to continue receiving updates. If they don’t click it, they won’t be hearing from Mick Jagger again — at least in their inbox.

When looking through the list of emails, Barrett recommends asking the questions: “Is it a site you trust? Is it a site you didn’t know had your data?”

In that case, these emails can be a “scary and good” wake-up call about just how many companies have your information — and motivation to take steps to ensure those companies delete your data, Barrett said.

People should “consider the source and evaluate the language they’re being bombarded with,” Jordano said. “You have the opportunity now to pick who you are going to have a conversation with.”

In the event of a future data breach, American users could also be entitled to legal remedies against companies that are established in the European Union and process user data there, Barrett said.

An American “could bring a case concerning a violation of the GDPR to the domestic court where the company is established,” she said. Some American companies, including Facebook and LinkedIn, have already taken steps to move their non-E.U. users outside of the reach of European regulators.

While GDPR is timely and comes in the wake of the Cambridge Analytica data harvesting scandal on Facebook, the two have nothing to do with each other. The regulation was adopted by the European Parliament in April 2016 and companies were given two years to become compliant.

Facebook CEO Mark Zuckerberg told members of the European Parliament on Tuesday that the company will be GDPR compliant by Friday. On Thursday, Facebook took the rare step of asking its more than two billion users to review and make choices on privacy details such as facial recognition and advertising information they’ve chosen to share on their profile. Facebook had previously prompted users in the European Union to review their settings with a similar experience, according to Erin Egan, chief privacy officer at Facebook.

Barrett said GDPR is having an “expansive effect” and will hopefully spur more discussion and action about privacy laws in the United States.

“GDPR is making some changes that aren’t in American policy law such as data portability and the right to withdraw,” she said. “It’s a chance for companies and American privacy law to take a look in the mirror and see where everything is.”