Influx of privacy policy changes due to European data protection rules

(CNN  Money) -- "We value privacy and transparency, so we wanted to let you know about some changes we're making to our privacy policy."

Has your inbox been flooded with messages like this? You're not alone.

Companies are scrambling to comply with tough new European data protection rules that come into effect on May 25, and the email deluge is the most visible sign of their efforts.

The General Data Protection Regulation (GDPR) applies to any organization that holds or uses data on people inside the European Union, regardless of where is it based or conducts business.

Under the rules, businesses must generally obtain consent from Europeans before they store or process personal details, especially for use in marketing.

Data can't be held for longer than necessary, and anyone can ask a company to delete their personal information.

That's why so many organizations are blasting out emails.

Some of the messages announce changes to terms and conditions, while others warn users that they will be removed from the mailing list unless they take action.

Airbnb, LinkedIn, Instagram, Twitter (TWTR), Etsy (ETSY), Google (GOOGL), Lloyds Bank (LLDTF)and online retailer ASOS (ASOMY) are among the companies that have dispatched emails that reference GDPR.

"A lot of people are already starting to see the notices come through and there can be a bit of a consent fatigue," said Jonathan Carter, head of strategy at data analytics firm Acxiom.

Carter said that anecdotal evidence from major retailers suggests that only about one in five people are responding to the consent emails.

"Companies must be prepared to find out that just because I buy their insurance doesn't mean I want to hear from them more," said Mark Thompson, the global lead of privacy advisory at KPMG.

People outside the European Union may receive the emails because some companies have decided to apply the new rules to users worldwide.

Chris Allyn, a data privacy attorney at Moye White, said organizations may roll out the provisions to all markets in order to boost customer trust. Others may find it simpler to use just one set of rules.

Other businesses are limiting their policy changes to Europe.

WhatsApp, which is owned by Facebook (FB), announced last week for example that will hike its minimum user age in Europe to 16 from 13 in order to comply. The lower age threshold will remain elsewhere.

GDPR seeks to expand and update data rules that have been in place since 1995 -- long before hacks, security breaches and data leaks became common.

Organizations face big fines if they do not comply. European regulators can fine larger companies up to 4% of annual global sales, which for the big tech firms could run into billions of dollars.

Thompson said that companies are preparing for a wave of data deletion requests from users.

"If you are a large investment bank, it could be five requests a week. If you are a large retail bank, it could be 500 a day," he said.

The new rules are a headache for businesses, but some are better off than others.

Companies with large data stockpiles are finding it especially difficult to prepare for the May 25 deadline, and some companies outside Europe are still waking up to the scope of the law.

"I've been with a number of Global 100 boards and they are not going to be compliant. They've spent multiple, multiple millions [of dollars], some in excess of a hundred million so far," Thompson said.

Share this article: