The cause behind this hubbub is a major European privacy law that’s been two years in the making. The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, ensures certain data privacy rights for individuals within the EU, such as the right to obtain information about how companies process your personal data, the right to request access to this data so that you can transfer it to another service, and the right to object to companies using your data for certain purposes. Companies also have an obligation to clearly articulate their privacy policies in a way that their users can understand—so, no obscuring important privacy info in a sea of legalese.
The law passed two years ago—well before the Cambridge Analytica revelation, or the more recent scrutiny of Facebook’s and Google’s role in Ireland’s abortion referendum (many saw this vote as a test case of how well these companies could prevent foreign parties from targeting key demographics on social media to influence elections). However, the GDPR gave companies two years to comply—a deadline that just passed.
Since many of the companies affected by the law have an international reach that extends beyond the EU, a lot of North Americans have been getting privacy emails too. Some organizations have applied the more stringent EU standards to their North American users as well, while others have established separate data privacy rules for different parts of the world. And now these companies need to clearly inform users of their new policies. Hence, the heap of privacy emails in your inbox.
Words, Words, Words
Unsurprisingly, many of these statements echo the word choice of the EU’s official communications on the GDPR, which the European Commission claims “will strengthen the protection of the individual’s right to personal data protection, reflecting the nature of data protection as a fundamental right for the European Union.” The goal is for people to “have more control over their personal data.”
Pattern One: Choices and Control
Half of the twenty emails emphasized users’ control over their data, and just as many used words like choices and options and highlighted users’ ability to manage their information. The overall message was that each company wants to give you choice, or power over your data—a strong message when many of us feel a bit overwhelmed and powerless where our online personal information is concerned.
Twitter’s word choice was particularly evocative, claiming that they want to empower users, who should have “meaningful control over” their data and its use. “You have the final say about whether and how we process your personal data.”
This last quote, I should note, came right after Twitter said that if you don’t like their data privacy rules, you’re welcome to deactivate your account. So, some of the power and control these companies allegedly give you comes from the option to disengage.
Pattern Two: Totally Transparent
The messages also relied heavily on words like transparency and clarity, with many explicitly stating that their policy updates are merely to help users better understand their existing policies, to provide details and make policies more specific (careful not to imply that their previous data policies may have infringed on users’ rights). This language suggests that these changes are not substantive (whether or not that’s actually true), while also giving off the impression that these companies care that you comprehend exactly what you’re signing up for. Google’s email is a prime example:
“Nothing is changing about your current settings or how your information is processed. Rather, we’ve improved the way we describe our practices and how we explain the options you have to update, manage, export, and delete your data.”
Google was clear that they improved the way they describe their practices, not the practices themselves.
Given that these data privacy changes were prompted by the GDPR, and one of the GDPR’s main goals is increased transparency, it’s interesting that only thirteen of the twenty privacy notices I read mentioned any kind of privacy law as an impetus for their changes (and four of these kept the reference vague, not mentioning the GDPR specifically). Admittedly, these emails are a small and not necessarily representative sample, but Facebook was one of the six that failed to mention any legal reason for their policy changes. (Facebook did, however, emphasize users’ rightsand the importance of their control over their choices.)
Pattern Three: Keeping It Personal
The final pattern I noticed is that almost all these messages were super personal—evoking feelings of friendship, trust, or community and using a lot of first- and second-person personal pronouns (we, our, us, you, your). Pronoun usage may not seem that important, but peppering your writing with pronouns that include the reader can help create a personal, conversational tone that inspires trust: Ourcompany cares about you and your data privacy and your choices, and we want you to take control of your data. You can trust us.
Beyond the pronouns, many companies struck a genial tone, using their word choice to establish trust and a sense of community between themselves and you, their user. Twitter thanked users for their “trust” (implying that it had already been given), and Airbnb thanked each user “for being a member of our global community.” Similarly, Uber talked about the “lasting relationship” it has with its customers:
“We understand that protecting your privacy is essential to building a lasting relationship with you, and we’re committed to doing the right thing with the information you’ve entrusted to us.”
Overall, many of these companies implied that their privacy changes have an ethical impetus, not just a legal one. Whether this is just posturing or not, these privacy messages have been crafted to evoke good feelings about the company and its intentions toward you—and and to persuade you to trust that you don’t need to worry about what they’re doing with your data.
Privacy Rights, Privacy Wrongs
With all this talk of data privacy rights and companies’ ethical and legal obligations to respect them, it’s worth asking, what rights should we have when we freely give our data to companies online? A right is “something to which one has a just claim” or “may properly claim as due.” In general, a right connotes something deserved, whether legally or ethically. However, we don’t have clearly defined rights for a lot of what goes on in the internet age.
When I was younger, I remember talking to my dad, who is an accountant, about tax laws governing “tangible personal property” and how many state tax laws hadn’t been updated to explicitly account for digital products like software. (You could theoretically land in a situation where, in certain states, software delivered on a physical disc would be subject to tax as tangible property, while the same software delivered through the internet would not—because the latter wasn’t tangible.) It strikes me that data privacy is another area where the law hasn’t quite caught up to the technology, and where we need to continue to weigh the words we use as new standards take shape. The GDPR is the European Union’s attempt to define a standard for data privacy rights; however, it is limited geographically, and how effective it is remains to be seen. The conversation about data privacy rights and how we define them is just beginning.