By Sascha Matuszak
It is just a couple of days before the GDPR goes into effect, and like you, I have been inundated by new privacy policies and terms of service from any and all web services I subscribe to, even if I haven’t used them in years. Some of the updates are from companies I didn’t know existed, like the Endurance International Group, a web hosting and marketing firm, and others are from more familiar names: Twitter, Spotify, Google, and others.
Transparency. Choice. Control.
The first thing to notice about the Spotify email is the clear, simple, warm message that starts this new era off:
It’s Spotify’s version of the standard letter going out from basically every app and service under the sun, but I am immediately at ease. Then comes the blog post, linked in the email; it is very quick and to the point, and lets me know a few very important things right off the bat:
The Privacy Center – We will be launching a new Privacy Center in the coming weeks at spotify.com. It will help individuals understand how their personal data is used by Spotify and what controls are available to Spotify users to manage their privacy settings.
Privacy Settings page – We will also be launching a new Privacy Settings page accessible to Spotify users in their Account in the coming weeks. This will provide Spotify users with new controls to manage your privacy settings and enable them to download their personal data via a new ‘Download my Data’ button.
I love the fact that they mention their data protection officer (a GDPR requirement) and how to get in touch with them. Again, it’s standard in terms of what the GDPR requires, but I am already guided quickly over to the actual policy, which, unsurprisingly, is also pretty easy to understand. They link the Privacy Center throughout. They want to funnel users to the one-stop click that can handle their privacy and security issues. I leave the policy believing that a lot of work was put into this by people who genuinely care about my rights.
I could be completely wrong, and this is just a beautifully crafted policy not indicative of anything more than competent staff, but I feel good about what I have read. I now trust Spotify.
Consent or Delete
Facebook’s new data policy is long, but that’s to be expected from one of the world’s largest social media networks. It’s relatively easy to read, and the layout feels accessible. Readability isn’t really the issue though; the issue is data and how vast and comprehensive Facebook’s data collection procedures truly are. They collect so much data via so many different points of contact, covering so many aspects of a person’s identity, that they can only refer to it in their policy via example: their data collection method description is peppered with “This can include . . .” and “such as . . .”
Facebook’s policy allows users to adjust some account settings, what is and what is not public, whether or not ads are relevant, and how much is shared with third-party apps, but users have no control over what data is collected. If you consent to this policy, your data belongs to Facebook. You can download it, delete your account even, but much of the data remains, including offline and online data and the profiles created thereof. It’s a bit daunting. My initial feeling is that I am signing away my entire personal data set to the same company that has violated data privacy and protection regulations time and time again.
Not only that, but I must give consent, or I will be unable to use any of Facebook’s services. At this point I say to myself, these guys know they own the social media sphere, and they’re using that to leverage me, to bully me into signing my data away. It’s an uncomfortable feeling and one that may not necessarily be in line with GDPR requirements.
But I get the feeling Facebook doesn’t care. They’re too big for me, and they might be too big even for the GDPR.