17 years ago, a man by the name of Mario Costeja Gonzalez lodged a complaint against a Spanish newspaper, Google Spain and Google Inc. He complained that an auction notice of his repossessed home on Google’s search results infringed on his privacy as the issue had been fully resolved for a number of years, and was entirely irrelevant. He requested, that the newspaper remove or alter the pages in question so that his personal data no longer appeared and that Google Spain or Google Inc. remove his personal data so that it no longer appeared in the search results.
Why are we telling you a story about one man from Spain who fought against the Google machine? Here’s why: In May 2014, the Luxembourg-based Court of Justice of the European Union agreed with him, which set a major precedent over what is referred to as the Right to be Forgotten
Alright, but what’s the Right To be Forgotten?
Under the European General Data Protection Regulation (GDPR), individuals (European Union citizens) have the right to request that an organization ‘erase’ their personal data. Personal data that’s collected by all European and non-European companies that store or process information on EU citizens.
Think IP addresses and internet cookies. The GDPR, which comes into effect on May 25, 2018, gives everyone more control over their personal data. Here’s how the Right to be Forgotten is going to shake up how we interact with brands and companies across the board.
Companies Need Your ‘explicit’ Consent
Have you ever filled out an online form and post-submission, received an avalanche of marketing emails or phone calls? As consumers, we can all sleep better at night knowing those emails and calls will reduce drastically. Thanks to regulation, companies must gain your explicit consent through a statement or a clear affirmative action before they can process your personal data. Basically, default opt-ins, pre-selected tick boxes, and single consent for all data captures won’t cut it anymore.
Clear consent could include:
- A written statement –electronic or in person
- An oral statement
- The ticking of a box on a website
Instead of a company assuming you want to receive sales emails from them when you fill out a web form, they now must ask you to tick a box that says you agree to receive marketing communications from them. And when you do give consent, companies must keep a record of how and when you gave the O.K., tell you what they’re doing with your data and how they’re processing all that personal information. All this must be written in a way that’s easy to understand, which means we now we don’t have to pretend to read the agreement section and skip right to checking the yes box.
In the coming months, companies will be scrambling to get your consent by hook or by crook, attempting to trick you into giving your consent. In March 2017, the Information Commissioner’s Office realized Exeter-based airline Flybe deliberately sent more than 3.3 million emails to people who had told them they didn’t want to receive marketing emails from the firm.
The emails, sent in August 2016 advised recipients to amend any out of date information and update any marketing preferences. The email also announced that by updating their preferences, people could win a prize. Flybe was fined a combined total of 70,000 (pounds) for breaching data protection laws and sending marketing emails to people without the appropriate consent. With the Right to be Forgotten arriving soon, you’ll receive fewer marketing calls and your inbox will be less clogged. Consumers 1, marketers 0.
You Will Be Able To Ask Companies To Delete You
What happens when you give a company permission to use your personal information for marketing or targeted advertising, and then promptly regret your decision? Sadly, not all companies make it easy for you to end a relationship, and it requires more than hitting that unsubscribe button. It could take awhile for companies to remove you from their sales list, but with the new regulations, you can ask companies (including social media firms) to delete your contact details and personal information from their database. But the really fun part is that companies can no longer stall and ask you to wait six months for them to exclude you from their narrative under the following conditions:
- When processing is no longer necessary for the intended purpose
- When you withdraw your consent
- When you object to the processing and there are no overriding legitimate grounds for the processing
- When the processing is unlawful
- When erasure is necessary for compliance with a legal obligation; or when the data concerns a child and has been collected via information society services
You’ll Be Asked For Consent Regarding Use Of Your Child’s Data
Children love the internet. It’s estimated, that globally, one in three internet users are under the age of 18.
While the internet is beneficial to the education and development of children, it also exposes them to aggressive marketing practices and puts them at risk of sharing personal data without understanding the potential long-term privacy consequences. 95% of Europeans believe that ‘under-age children should be protected from the collection and disclosure of personal data’ and 96% think that ‘minors should be warned of the consequences of collecting and disclosing personal data.’
Under the Right to be Forgotten, parents or guardians will have to give consent before a company can process your child’s personal data, as long as they’re between 13-16 years old. Additionally, in cases where services are offered directly to children, companies must make sure that privacy notices are written in plain and clear language that your child can understand. Think of the Right to be Forgotten is their ‘no-monster under-the-bed-check
Companies Will Face Increased Penalties For Breaking The Rules
There are two tiers of fines for companies that breach the regulation.
The first fine is is up to €10 million or 2% of their annual global turnover of the previous year. The second is up to €20 million or 4% of their annual turnover of the previous year.
If Uber had been subjected to GDPR, they would have had to pay a fine of 4% of its global annual revenue, or €20m (£17.75m) following the data breach that occured over a year ago.
All Hail The King!
The Right to be Forgotten puts more power into your hands, and strengthens your right and ability to control your personal information and privacy. Come May 25 2018, EU citizens will be the king of their own data. they’ll be able to stop companies from sending marketing messages, ask them to delete personal information and control access to their child’s data.
With the Right to be Forgotten it’s the consumers’ data kingdom and marketers are just living in it.