Why it's meaningless to accept a GDPR privacy policy

You're drowning in these thanks to the GDPR. But they leave out something important.

Laura Hautala, Former Senior Writer

The European Union's General Data Protection Regulation takes effect Friday, and your email inbox has been slowly choking on alerts about the new privacy law.

You know, the dozens of privacy policy updates you've probably received in the past few weeks. I'm talking about updates from email providers, social media companies, banks and what seems like every random internet service you've ever interacted with -- all letting you know how they're collecting and using your data.

But here's the thing: When you click "accept" on a privacy policy, even if you've read it from start to finish, you're most likely still in the dark about what you're consenting to. That's because privacy policies don't really tell you about all the things that can be done with your data. With statistical analysis and, more recently, artificial intelligence, companies that have your data can draw all kinds of inferences about you. And they use that in ways you might never predict.


Using information about your browsing habits -- including products you've shopped for, websites you've visited and search terms you've used -- companies can make informed guesses about your age, location, marital status and, according to one infamous New York Times report, whether you're pregnant.

"The typical consumer has no idea how this happens," said Lorrie Cranor, director of the Carnegie Mellon Usable Privacy and Security Laboratory, who served as head technologist at the US Fair Trade Commission under President Barack Obama.

Cue the GDPR, a new law that gives EU residents more say in how their data gets used. The trouble is, the law doesn't apply to anyone outside of the EU.

Making inferences from your data

Privacy policies don't make it easy to wrap our minds around how data collection can affect us. To start with, many internet users don't understand how data collection tools work.

That's what researchers at Syracuse University and Sapienza University of Rome concluded after speaking with people who thought their antivirus software could stop websites and advertisers from tracking their browsing activity. That's reasonable, but it's also wrong.

Researchers and journalists have also found some clues as to how personal data collection can have negative consequences, intentional or not. They did it by creating fake ads and accounts, and seeing what tech companies did with the data.

Reporters from ProPublica, for example, bought housing-related ads on Facebook that excluded groups from Facebook-assigned "ethnic affinity groups." This appeared to fly in the face of housing laws that prohibit discrimination on the basis of race or ethnicity. The findings prompted Facebook to stop advertisers from excluding ethnic groups from seeing certain types of ads.

And researchers at Carnegie Mellon University created fake user accounts and collected information on Google display ads to see indications that men were able to view job ads that women couldn't. Google attributed the findings to factors that weren't based on gender, like an advertiser targeting websites visited primarily by men.

Cranor said companies don't need AI in order to know what they do about us. Good old-fashioned statistics can get number-crunchers pretty far in predicting your interests. Things can really heat up when you "add AI to the mix," she said, and that's when "you're going to see even more powerful predictions."

This is what has privacy experts like Cranor concerned.

New power in the EU

The GDPR could make things more transparent for residents of the EU. The law gives people the right to specify how they want their data used. That means EU residents can say, "Sure, collect my data, but don't use it to tailor ads for me."

They can also request copies of all the data a company has collected about them and ask companies to delete their data. The fines for breaking the law are steep -- up to 40 million euros or 2 percent of a company's annual global revenue, whichever is higher.

The law is prompting updated privacy policies for the rest of us outside of Europe -- and not a whole lot else. Yes, some companies including Microsoft, Apple, Twitter and Facebook have indicated they'll extend at least some GDPR-based rights to all their global users. But that's not the same.

As Forrester analyst Fatemeh Khatibloo pointed out, the European Union isn't going to step in on your behalf if one of these companies doesn't live up to its promises.

"If you're on North American soil, GDPR doesn't apply to you," she said.

First published May 25, 5:00 a.m. PT
Updated, 11:52 a.m.: Adds information about internet user research.
