Many app users’ inboxes are bulging with requests to review new terms of service and privacy conditions.
And it is no coincidence that so many developers have revamped their small print at the same time.
In just under a month, the EU will introduce a new privacy law that gives Europeans new data protection rights and threatens giant fines for organisations that do not comply.
But making sense of the new terms poses a challenge.
Some companies, including Facebook, are asking members to give explicit consent to new features such as facial recognition.
Others – such as Twitter, Fitbit and Yahoo – have told members that simply continuing to use their products will be interpreted as agreement to the tweaked conditions.
The time-strapped public would be forgiven for thinking the easiest thing to do is to tick the necessary boxes and otherwise plough on regardless, despite the advent of the General Data Protection Regulation (GDPR).
After all, who normally reads this stuff?
- Are you ready for the EU’s data privacy shake-up?
- Who controls your data?
- Facebook seeks facial recognition consent
But that would be to pass up an opportunity to understand and place limits on how your personal details are being exploited for profit.
And there is value in knowing what you have signed up for in advance of the next data privacy scandal.
Digital rights campaign group Privacy International suggests that one way to handle the deluge of documents is to search for instances of the following terms:
The phrase may be mentioned in sections that explain what data is being collected and how that is achieved.
In particular, users should watch out for details of personal information being acquired from third parties that could let the services profile them in unexpected ways.
The new law explicitly defines the places a person visits in their past and present as being a type of personal data for the first time.
Organisations are therefore required to detail how such information will be used to identify individuals.
When consent is required, it must now be given via a clear action.
The days of automatically signing up people to a marketing campaign because they did not untick a box are over.
But it’s worth double-checking how consent is being sought to avoid clicking a button without realising its consequences.
Users based outside the EU should check where the entity is based. Facebook recently switched millions of its users out of the control of its Irish office, which means they will no longer be protected by the European watchdogs enforcing the new legislation.
‘Purposes’ and ‘Recipients’
These terms are often used to inform users what a business will do with their data and with whom they will share it.
The UK’s Consumers’ Association – known more commonly as Which? – has published its own guide to GDPR.
It highlights some of the ways you can take advantage of GDPR’s new rights.
These include the right to object to any decisions taken by organisations based solely on algorithms having analysed your personal data. For instance, you can appeal against a decision to refuse you a job interview based solely on computer analysis of your CV.
You can also request a copy of the personal data being processed to make software-driven decisions.
Which’s computing editor told the BBC that people should be aware that if they are unhappy at how their personal information is being used to target ads at them, they can now demand part or all of it to be erased.
She added that people should also watch out for illegitimate enticements.
“I saw on Twitter the other day somebody share an email… saying you’d get a free pizza if/when you consented,” commented Kate Bevan.
“That is a big fat nope – consent can’t be bundled with something else.”
Those that take the time to wade through all the paperwork may still have questions.
For example, while an app might have to disclose that it shares data with third parties, it does not necessarily have to name them unless a user personally requests the information.
“They should always give you a point of contact,” explained Nicola Fulford, head of data protection and privacy at the law firm Kemp Little.
“If they sent you an email and you have questions, then they should respond to it, although obviously at the moment they may be very busy.”