Is your data protected? By whom? What rights do you have over your personal information once it has entered the world wide web?

  • Who doesn’t protect your data?
  • History of the “data” or personal information legislation
  • A July 2021 update on the start of legislation regarding data protection on the internet
  • What you can do to protect your data for now.

Ever since the publicized 2018 Facebook data breach, I have been curious about what data exactly can be stored, used and “understood” by computer algorithms and what the legal implications may be. At first, I was excited about this as a new tool. I tend to shop and look for things that are, at least, branded as sustainably sourced and environmentally friendly. For me, the idea that I would only be advertised these types of items, with no plastics that may off-gas, sounded great. It wasn’t until I heard some of my peers’ concerns that I seriously questioned the dangers of data collection and how this information could be used to harm.

Social media websites, commerce websites and mobile apps have become integral parts of many of our everyday lives. We use them to connect with friends online and to find like-minded people through virtual groups from across the world. These sites are used to share private, work, and “public” information. The data collected from social media can be looked at as a tool or an invasion of privacy. User data collection could give us access to knowledge which allows us to learn more about our human nature. For example, this data can tell us about different demographics and how users use each platform. However, it also raises new issues on what should be private, and who owns the data created by user usage (the platform/company or the individual using it).

What are our governments doing to protect our data (personal information) rights? Do individuals even have data rights over their personal information on the internet? If so, how will these rights be protected or regulated? And how will legislation attempt to regulate businesses? These are all questions that I have wondered about and hope to start to answer here. After watching Mark Zuckerberg explain to congressmen how companies make money on the internet while remaining free, I had little faith that our legal system would catch up to how companies and computer programmers are using these new technologies. Many large social media companies remain free, making money selling the data and virtual advertising space, which has its own legal issues. Would you rather pay for Facebook, Instagram, Twitter, Snapchat, etc., or allow them to sell your data? If we demand regulation and privacy for our data, we may need to make this choice.

 Privacy on the Internet 

Federally in the United States, this area of law is unregulated territory, leaving it up to the tech and social media companies for now. However, some states are starting to create their own laws. See the pictures below.

US State Privacy Legislation Tracker

How has the government regulated these areas thus far? 

There are no general consumer privacy and security laws in the federal government legislation. However, as you may remember, the US government imposed a whopping $5 billion penalty for Facebook’s data breach. The order also required “Facebook to restructure its approach to privacy… and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight” (FTC). This was under the Federal Trade Commission Act (FTC).

This act, passed in 1914, created a government agency and prohibited companies from engaging in “unfair or deceptive acts or practices” (section 5 FTC). It protected consumers from misleading or boldly false advertising by some of America’s largest leading consumer brands (Federal Trade Commission Overview).

Interesting here is why Facebook had to pay a settlement under the Federal Trade Commission Act. Under the Federal Trade Commission Act, only companies which “boldly false advertise,” “mislead,” or “misrepresent” are liable. Facebook told consumers that the site did not sell their data and that users could restrict the access Facebook had to their data by clicking certain boxes. The opposite was true. Facebook did not violate any internet privacy laws (there weren’t any). In this case, the law applied was 20th-century legislation created, in large part, to protect consumers from companies selling fake merchandise. If Facebook had said nothing about data privacy on their website, they wouldn’t have been liable for anything. Since this case, more legal regulations have been introduced.

US Privacy Act of 1974 

 

In order to understand where the legal field will go, it is important to understand the history of US privacy rights. This act restricted what personal information US government agencies could store on their (first) computer databases. This act also gave individuals certain rights, such as the right to access any of the data that is held by government agencies, and the right to correct any errors. It also restricted what information was shared between federal and non-federal agencies and how, allowing it only under specific circumstances.

HIPAA, GLBA, COPPA

These three acts further protect individuals’ personal information.

HIPAA, the Health Insurance Portability and Accountability Act, was put in place to regulate health insurance and protect people’s personal health information. This act laid down certain ground rules for confidentiality requirements (HIPAA for Professionals).

The Gramm-Leach-Bliley Act (GLBA), passed in 1999, protects nonpublic personal information, defined as “any information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”

The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, regulates the personal information that is collected from minors. The law “imposes certain requirements on operators of websites or online services directed to (or have actual knowledge of) children under 13 years of age.”

 

Worldwide Internet Data Privacy 

Currently, the US does not have any federal-level consumer data privacy or security law. According to the United Nations Conference on Trade and Development, “107 countries have data privacy rules in place including 66 developing nations.”

What does GDPR mean for me? An explainer

The European Union passed the General Data Protection Regulation in 2018. This law went through a long legislative process: the data privacy and security rights law was officially approved in 2016 and went into effect in May 2018. It put specific obligations on data processors and the cloud. The regulation also hopes to give individuals the ability to sue processors of data directly for damages, limit and minimize the retention of data that is kept by default, and give consumers the right to correct incorrect information. The GDPR also requires explicit consent when consumers give their data. “Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.”

The U.S.’s strictest state so far:

So far only three states, California, Colorado and Virginia, have actually enacted comprehensive consumer data privacy laws, according to the National Conference of State Legislatures as of July 22, 2021. The closest US law to the EU’s GDPR is California’s Consumer Privacy Act (currently the U.S.’s strictest regulation on internet data privacy). In California, this act requires businesses to clearly state what types of personal data will be collected from consumers and how this information will be used, managed, shared, and sold by companies or entities doing business with and compiling information about California residents (CCPA and GDPR Comparison Chart). This “landmark law” secures new privacy rights for California consumers, including:

 

 

New York State Privacy Law Update June 2021 

 In the New York legislature there were a number of privacy bills that were pending, including the “It’s Your Data Act,” the “New York Privacy Act,” the “Digital Fairness Act,” and the “New York Data Accountability and Transparency Act.” Most of the bills never made it out of committee. 

US LEGISLATION TRACKER

The “It’s Your Data Act” proposed to provide protections and transparency in the collection, use, retention, and sharing of personal information. 

 

From the New York State Senate Summary:

“The ‘NY Privacy Act’ would require companies to disclose their methods of identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared,” and would create a special account to fund a new Office of Privacy and Data Protection. It is currently on the floor calendar, and no action has yet been taken on it.

 

The definition of personal information here, “any information related to an identified or identifiable person,” includes a very extensive list of identifiers: biometrics, email addresses, network information and more.

What are Data Privacy Rights which have been identified thus far? 

Provisions in Chart

CONSUMER RIGHTS

  • The right of access to personal information collected or shared — The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties with which the information was shared; or, some combination of similar information.
  • The right to rectification — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
  • The right to deletion — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
  • The right to restriction of processing — The right for a consumer to restrict a business’s ability to process personal information about the consumer.
  • The right to data portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
  • The right to opt out of the sale of personal information — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
  • The right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
  • A consumer private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.

BUSINESS OBLIGATIONS

While many rights and obligations are starting to be recognized, again, there is not yet legislation to protect them. 

 

So, what can you do to protect yourself?

  1. Update and Optimize Your Privacy Settings.
    • Review what apps have access to Facebook data and what they can do with the access
    • Delete access for all apps you no longer use or need
  2. Share with Care. Be aware that when you post a picture or message, you may be inadvertently sharing personal details and sensitive data with strangers.
  3. Block “supercookie” trails – Supercookies are bits of data that can be stored on your computer like advertising networks. They are “a much more invasive type of behavior-tracking program than traditional cookies that is also harder to circumvent. Supercookies are harder to detect and get rid of because they hide in various places and can’t be automatically deleted. A supercookie owner can capture a ton of your unique personal data like your identity, behavior, preferences, how long you’re online, when you’re most active and more. Supercookies can communicate across different websites, stitching together your personal data into a highly detailed profile.
  4. Set up Private Email Identity
  5. Update your software – many software companies release updates which patch bugs and vulnerabilities in the app when they are discovered
  6. Use App lockers – App lockers provide an extra level of security for apps and work
  7. Encrypt your data – There are free apps available to encrypt or scramble data so that it cannot be read without a key.
  8. Create long and unique passwords for all accounts and use multi-factor authentication whenever possible.” This additional layer of security makes it harder for hackers to get into your accounts. (Data Privacy Senate).

Advertising in the Cloud

Thanks to social media, advertising to a broad range of people across physical and man-made borders has never been easier. Social media has transformed how people and businesses can interact throughout the world. In just a few moments a marketer can create a post advertising their product halfway across the world and almost everywhere in between. Not only that, but Susan, a charming cat lady in west London, can send her friend Linda, who’s visiting her son in Costa Rica, an advertisement she saw for sunglasses she thinks Linda might like. The data collected by social media sites allows marketers to target specific groups of people with their advertisements. For example, if Susan was part of a few Facebook cat groups, she would undoubtedly receive more cat tower or toy related advertisements than the average person.

 

Advertising on social media also allows local stores or venues to advertise to the local communities, targeting groups of people in the local area. New jobs in this area are being created; young entrepreneurs are selling their social media skills to help small business owners create an online presence. Social media has also transformed the way stores advertise to people; no longer must stores rely solely on a posterboard or scripted advertisement. Individuals with a large enough following on social media are sought out by companies to “review” or test their products for free.

Social media has transformed and expanded the marketplace exponentially. Who we can reach in the world, who we can market to and sell to has expanded beyond physical barriers. With these changes, and newfound capabilities through technology, comes a new legal frontier.

Today, most major brands and companies have their own social media account. Building a store’s “online presence” and promoting brand awareness has now become a priority for many marketing departments. According to Internet Advertising Revenue Report: Full Year 2019 Results & Q1 2020 Revenues, “The Interactive Advertising Bureau, an industry trade association, and the research firm eMarketer estimate that U.S. social media advertising revenue was roughly $36 billion in 2019, making up approximately 30% of all digital advertising revenue,” and they expect that it will increase to $43 billion in 2020.

The Pew Research Center estimated “that in 2019, 72% of U.S. adults, or about 184 million U.S. adults, used at least one social media site, based on the results of a series of surveys.”

Companies and people are increasingly utilizing these tools. What are the legal implications?

This area of law is quickly growing. Advertisers can now directly reach their consumers in an instant, marketing their products at comparable prices. The Federal Trade Commission (FTC) has expanded its enforcement actions in this area. Some examples of this are:

  • The Securities and Exchange Commission Regulation Fair Disclosure addresses “the selective disclosure of information by publicly traded companies and other issuers, and the SEC has clarified that disseminating information through social media outlets like Facebook and Twitter is allowed so long as investors have been alerted about which social media will be used to disseminate such information.”
  • The National Labor Relations Act: “While crafting an effective social media policy regarding who can post for a company or what is acceptable content to post relating to the company is important, companies need to ensure that the policy is not overly broad or can be interpreted as limiting employees’ rights related to protected concerted activity.”
  • FDA: “Even on social media platforms, businesses running promotions or advertising online have to be careful not to run afoul of FDA disclosure requirements.”

According to the ABA there are two basic principles in advertising law which apply to any media: 

  1. Advertisers must have a reasonable basis to substantiate claims made; and
  2.  If disclosure is required to prevent an ad from being misleading, such disclosure must appear in a clear and conspicuous manner.

Advertisements may be subject to more specific regulations regarding children under the Children’s Online Privacy Protection Act (COPPA). This act gives parents control over protections and approvable ways to get verifiable parental consent.

The Future legality of our Data 

Data brokers are companies that collect information about you and sell that data to other companies or individuals. This information can include everything from family birthdays, addresses, contacts, jobs, education, hobbies, interests, life events and health conditions. Currently, data brokers are legal in most states. California and Vermont have enacted laws that require data brokers to register their operation in the state. Who owns your data? Should you? Should the sites you are creating the data on? Should it be free for companies to sell? Will states take this issue in different directions? If so, what would these implications be for companies and sites to keep up with?

Facebook’s market capitalization stands at $450 billion.

While there is uncertainty regarding this area of law, it is certain that it is new, expanding and will require much debate. 

According to Custodians of the Internet: Platforms, Content Moderation, and the Hidden Decisions That Shape Social Media, “Collecting user data allows operators to offer different advertisements based on its potential relevance to different users.” The data collected by social media companies enables them to build complex strategies and sell advertising “space” targeting specific user groups to companies, organizations, and political campaigns (How Does Facebook Make Money). The capabilities here seem endless: “Social media operators place ad spaces in a marketplace that runs an instantaneous auction with advertisers that can place automated bids.” With the ever-expanding possibilities of social media comes a growing legal frontier.

Removing Content 

Section 230, a provision of the 1996 Communications Decency Act, states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider” (47 U.S.C. § 230). This act shields social media companies from liability for content posted by their users and allows them to remove lawful but objectionable posts.

One legal issue that has arisen here is that advertisements are being taken down by the content monitoring algorithms. According to a Congressional Research Service report, during the COVID-19 pandemic social media companies relied more heavily on automated systems to monitor content. These systems could review large volumes of content at a time; however, they mistakenly removed some content. “Facebook’s automated systems have reportedly removed ads from small businesses, mistakenly identifying them as content that violates its policies and causing the business to lose money during the appeals process” (Facebook’s AI Mistakenly Bans Ads for Struggling Businesses). This has affected a wide range of small businesses according to Facebook’s community standards transparency enforcement report. According to this same report, “In 2019, Facebook restored 23% of the 76 million appeals it received, and restored an additional 284 million pieces of content without an appeal—about 2% of the content that it took action on for violating its policies.”

 
