Thanks to the General Data Protection Regulation that just went into effect in the European Union, the internet has been raining privacy updates for weeks. Although it may be tempting, especially if you’re not an EU citizen and aren’t enjoying any new privacy rights, to immediately delete these emails, they’re worth preserving long enough to take in all at once. If your inbox is anything like mine, these emails are coming from all over the place: record labels you bought an album from two years ago, that place where you booked a deep-tissue massage that one time, a sushi joint, the gym where you used to be a member. It’s the digital remnants of your consumer history, come back to remind you it exists.
My editor got an email from the indie record label Matador and the music-streaming site Tidal that their policies have been updated. I got ones from Yelp, Uber, Spotify, Medium, my old tattoo artist, my favorite Nashville pizza place (which I haven’t visited in years), and a shop I went to once to get my jeans altered in San Francisco. These companies are all letting me know what they are able to know about me, but thanks to the sheer volume of them, it’s tempting to treat the onslaught like spam. Instead, though, I’m going through them and taking the opportunity to delete many accounts I didn’t even know I had. Clicking past terms-of-service agreements has become so instinctual for us that it’s easy for these relationships to pile up without us realizing it. And thanks to services like Square, which many businesses use to process payments, we may encounter dozens of vendors we forgot have our email addresses—forgot, anyway, until all those sandwich shops emailed you their privacy policies this week. If you’re not in the EU, there’s not much you can do about all the companies that have data on you, but you can, at least, try to unsubscribe and close your accounts with them.
Under the new EU privacy rules, companies will have to send copies of the data that they collect on users in the EU if they request it. Companies will also have to delete the data if an EU user requests it be removed, and those users can even make requests for certain practices to be stopped all together—like if a company that has collected data on them uses automated software to make decisions about a person or if it profiles a person for marketing purposes. There’s also a provision that specifies what a company is supposed to do if it mishandles user data; in the event of a data breach, a business has 72 hours to alert EU users who were affected. And if a website doesn’t comply with the new rules, it could face serious fines. And so companies large and small have been forced to take stock of their data practices. We should do the same.
While outside the EU, we don’t have the level of control over our digital lives that EU residents now do, we can still treat the arrival of the new rules as an empowering moment—and delete some accounts.