When one uses Google or Facebook.com one willingly discloses personal data. These businesses have the right to process these data to provide their services when one asks them to. However, the application of the GDPR will prevent them from using these personal data for any further purpose unless the user permits. The GDPR applies the principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Google and Facebook cannot confront their users with broad, non-specific, consent requests that cover the entire breadth of their activities. Data protection regulators across the EU have made clear what they expect: