Why everyone and their sister’s best friend’s cousin’s boyfriend’s uncle is emailing you about updated Privacy Policies

Let’s talk about the GDPR. I know, right? WTF? GDPR? Is that related to the FBI? CIA? OMG! BBQ! ;aldskfad;slkas;dfk!!!!!

Wait, first – do I need to tell you that I’m not a lawyer? I’m not. Don’t take this as legal advice. This is only to try to help you wrap your head around why you suddenly have 16,000 unread emails in your inbox about Data Protection and Privacy.

GDPR = General Data Protection Regulation, and in plain English that means that online, there are generalized bits of personal online data that are now protected in the EU. It covers any file or database that has a person's name or identification by which someone could reasonably expect to be identified – such as the blogging software I'm using to write this, having my full name associated with my email address.

Enough information can be used to profile you. By looking up other websites that also have my full name and email address (let's say Instagram, Facebook, and Ravelry) you could easily deduce that I am a chatty boozehag who takes a lot of pictures and knits. This means that any company that sells things to talkative women who drink, knit, and post oodles of pictures of their drinks and knitting would really love to advertise to me.

If I were a person in the EU, starting tomorrow, I would legally need to be reassured by any online company (in the EU or not) that held my name and email that my information is accurate, up to date, that it is stored securely, that the company is completely transparent about what it plans to do with my information, and that the information held on me is the absolute minimum information that the company needs to do what I want it to do.

Wait – why am I telling you all about this, making your eyes glaze over, when chances are really good you're not in the EU? Because it's easier for companies to have one policy instead of "here's our policy if you live here, and HERE's our policy if you live THERE"… so pretty much everyone who's open to doing business anywhere in the EU (and Great Britain is, for the purposes of the GDPR, considered to still be part of the EU).

As someone who does store information about customers on my online shop, including name, email, and addresses, I am now required to tell you:
– that I have that information (which you already knew, because you gave it to me)
– I have to tell you what I’m going to do with that information (send you what you ordered)
– I have to not do anything else with it (like sell your email address to the troll that lives under the bridge over the hill so that he can send you unsolicited email)
– I have to be able to prove you gave me consent to that data (again, you provided it when you ordered something; if you’ve never bought something from me, I don’t have that data even if you read my blog every day and/or follow me religiously on Instagram)
– I am not allowed to collect any data about race, politics, religion, union status, health data, sex life or sexual orientation. Which, frankly, I don’t want anyway because that’s none of my freaking business. Same with offenses, convictions, nights in jail, whathaveyou. If it isn’t germane to sending you a product you ordered, I don’t even *want* the info, let alone that I’m not allowed to ask for it.

Want to ask me, or any other company about the data we have on you?
– I can’t take more than 30 days to respond
– I am allowed to charge for repeated requests from the same person for the same information (in other words, ask me once, it’s free; ask me sixteen times over three weeks and there’s going to start being a usage charge)
– I am allowed to ask you to prove that you are who you say you are before handing over the info I have on you (this is to discourage someone from pretending to be you in order to get your address or other identifying information)

Anywhere I collect data (most likely: if you leave a blog comment, sign up for my newsletter, order something from my online shop), I have to tell you:
– My contact information
– Contact information for my company
– Describe to you how I’m going to use your data (to send you newsletters if you’ve signed up on Mailchimp, or to send you a product if you bought it on HaldeCraft)
– List what categories of data I’m collecting (name, email, address to mail products)
– How long I’m going to keep that data
– How you can contact me to find out what data I have and/or to delete the data I have on you
– If the data is going to be used for profiling and if so, how/why (like for my newsletters I have segments, so if you only want to hear about yarn club, I tell you that clicking this box will make it so that you only hear about yarn club – you have been self-profiled for liking yarn club, that’s what you’ll hear about)

What rights you have:
– To ask if I have data on you (to which I have to answer)
– For me to provide that data to you
– Why I have it
– What categories I have
– Who in my organization, or which third parties, has access to it
– How long I’m keeping that data
– How I got the data I have on you
– If you’re in the EU, even though I am not, you have the right to lodge a complaint with the EU Commission if you’re not happy with what I tell you
– The right to update or delete or request that I update or delete your data for any reason at any time, including no reason at all, “just do it”.

If the data I hold is breached or hacked in any way, I have 72 hours to tell you so, give you the opportunity to change/delete your data, and tell you what plan I have in place to not let it happen again.

Still with me? Just want the TL;DR? I’m not actually changing that much, because I’m one person and prior to this I tended to set my policies by the Golden Rule. It’s just that now I have to spell it out for you. SO! All of the info I get from you is, and has always been, opt-in — it’s info you volunteer to give to me. Like most everyone else I have Google Analytics but I think I’ve looked at it twice in five years — I’m one person and don’t have time to dig into where people are coming from before they hit my site or how long they stay on one page. But if you want to know that information about yourself, I’ll dig it up and get it to you, and you can have me delete it if you want.

I really feel like I should have broken up this post with some cat pictures. I mean, what an info dump. My eyes have glazed over even if yours haven’t.

PS. Text on blog graphic via the Cat Ipsum generator; though I almost went with the Zombie Ipsum generator because zombies.

2 comments

  1. Very well explained. One of my favorite things about GDPR is that companies have to make it clear that customers/visitors have to opt in to receiving communications. Firms may not use your data to start sending you advertising, newsletters, cold calls, any of that.

    GDPR also applies if you are an American who is working or travelling in the EU. Another reason international companies are taking pains to be compliant.

    • From a human being’s point of view, I love what the GDPR is doing. Down with unsolicited emails from companies I never said I want to hear from! Hurrah for transparency! Huzzah for being able to see and marginally control what data someone has on me! But from a single business owner point of view, I wish there was some sort of checkbox for “I can’t be arsed to even look at what data I have on you, it’s not like I have time to do anything with it anyway”. Hahaha?
