- Who doesn’t protect your data?
- History of the “data” or personal information legislation
- A July 2021 update on the start of legislation regarding data protection on the internet
- What you can do to protect your data for now.
Ever since the 2018 publicized Facebook data breach, I have been curious about what data exactly can be stored, used and “understood” by computer algorithms and what the legal implications may be. At first, I was excited about this as a new tool. I tend to shop and look for things that are, at least, branded as sustainably sourced and environmentally friendly. For me, the idea that I would only be advertised these types of items, with no plastics that may off-gas, sounded great. It wasn’t until I heard some of my peers’ concerns that I seriously questioned the dangers of data collection and how this information could be used to harm.
Social media websites, commerce websites and mobile apps have become integral parts of many of our everyday lives. We use them to connect with friends online and to find like-minded people through virtual groups from across the world. These sites are used to share private, work, and “public” information. The data collected from social media can be looked at as a tool or as an invasion of privacy. User data collection could give us access to knowledge which allows us to learn more about our human nature. For example, this data can tell us about different demographics and how users use each platform. However, it also raises new issues on what should be private, and who owns the data created by user activity (the platform/company or the individual using it).
What are our governments doing to protect our data (personal information) rights? Do individuals even have data rights over their personal information on the internet? If so, how will these rights be protected or regulated? And how will legislation attempt to regulate businesses? These are all questions that I have wondered about and hope to start to answer here. After watching Mark Zuckerberg explain to congressmen how companies make money on the internet while remaining free, I had little faith that our legal system would catch up to how companies and computer programmers are using these new technologies. Many large social media companies remain free, making money by selling the data and virtual advertising space, which has its own legal issues. Would you rather pay for Facebook, Instagram, Twitter, Snapchat etc., or allow them to sell your data? If we demand regulation and privacy for our data we may need to make this choice.
Privacy on the Internet
Federally in the United States, this area of law is unregulated territory, leaving it up to the tech and social media companies for now. However, some states are starting to create their own laws. See the pictures below.
How has the government regulated these areas thus far?
There are no general consumer privacy and security laws in federal legislation. However, as you may remember, the US government imposed a whopping $5 billion penalty for Facebook’s data breach. The order also required “Facebook to restructure its approach to privacy… and establishes strong new mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight” (FTC). This was under the Federal Trade Commission Act (FTC Act).
This act, passed in 1914, created a government agency and prohibited companies from engaging in “unfair or deceptive acts or practices” (section 5 FTC). It protected consumers from misleading or boldly false advertising by some of America’s largest leading consumer brands (Federal Trade Commission Overview).
What is interesting here is why Facebook had to pay a settlement under the Federal Trade Commission Act. Under the Federal Trade Commission Act, only companies which “boldly false advertise,” “mislead,” or “misrepresent” are liable. Facebook told consumers that the site did not sell their data and that users could restrict the access Facebook had to their data if they set it up by clicking certain boxes. The opposite was true. Facebook did not violate any internet privacy laws (there weren’t any). In this case, a piece of 20th-century legislation created, in large part, to protect consumers from companies selling fake merchandise was applied to data privacy. If Facebook had said nothing about data privacy on their website they wouldn’t have been liable for anything. Since this case, more legal regulations have been introduced.
US Privacy Act of 1974
In order to understand where the legal field will go it is important to understand the history of US privacy rights. This act restricted what personal information US government agencies could store on their (first) computer databases. This act also gave individuals certain rights, such as the right to access any of the data that is held by government agencies, and the right to correct any errors. It also restricted what information was shared between federal and non-federal agencies and how, allowing it only under specific circumstances.
HIPAA, GLBA, COPPA
These three acts further protect individuals’ personal information.
HIPAA, the Health Insurance Portability and Accountability Act, was put in place to regulate health insurance and protect people’s personal health information. This act laid down certain ground rules for confidentiality requirements (HIPAA for Professionals).
The Gramm-Leach-Bliley Act (GLBA), passed in 1999, protects nonpublic personal information, defined as “any information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”
The Children’s Online Privacy Protection Act (COPPA), enacted in 1998, regulates the personal information that is collected from minors. The law “imposes certain requirements on operators of websites or online services directed to (or have actual knowledge of) children under 13 years of age.”
Worldwide Internet Data Privacy
Currently, the US does not have any federal-level consumer data privacy or security law. According to the United Nations Conference on Trade and Development, “107 countries have data privacy rules in place including 66 developing nations.”
The European Union passed the General Data Protection Regulation (GDPR) in 2018. This law went through a long legislative process: the data privacy and security rights law was officially approved in 2016 and went into effect in May 2018. It put specific obligations on data processors and on cloud services. The regulation also aims to give individuals the ability to sue processors of data directly for damages, to limit and minimize the retention of data that is kept by default, and to give consumers the right to correct incorrect information. The GDPR also requires explicit consent when consumers give their data. “Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing.”
The U.S.’s strictest state so far
So far only three states, California, Colorado and Virginia, have actually enacted comprehensive consumer data privacy laws, according to the National Conference of State Legislatures as of July 22, 2021. The closest US law to the EU’s GDPR is the California Consumer Privacy Act (currently the U.S.’s strictest regulation on internet data privacy). In California this act requires businesses to clearly state what types of personal data will be collected from consumers and how this information will be used, managed, shared, and sold by companies or entities doing business with and compiling information about California residents (CCPA and GDPR Comparison Chart). This “landmark law” secures new privacy rights for California consumers, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights. (Office of Attorney General on the CCPA).
In the New York legislature a number of privacy bills were pending, including the “It’s Your Data Act,” the “New York Privacy Act,” the “Digital Fairness Act,” and the “New York Data Accountability and Transparency Act.” Most of the bills never made it out of committee.
The “It’s Your Data Act” proposed to provide protections and transparency in the collection, use, retention, and sharing of personal information.
From the New York State Senate Summary:
The proposed “NY Privacy Act” “would require companies to disclose their methods of identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared”, creating a special account to fund a new Office of Privacy and Data Protection. It is currently on the floor calendar, and no action has yet been taken on it.
The definition of personal information here, “any information related to an identified or identifiable person”, includes a very extensive list of identifiers: biometric data, email addresses, network information and more.
What are Data Privacy Rights which have been identified thus far?
Provisions in the NCSL chart:
- The right of access to personal information collected or shared – The right for a consumer to access from a business/data controller the information or categories of information collected about a consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties to which the information was shared; or, some combination of similar information.
- The right to rectification — The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
- The right to deletion — The right for a consumer to request deletion of personal information about the consumer under certain conditions.
- The right to restriction of processing — The right for a consumer to restrict a business’s ability to process personal information about the consumer.
- The right to data portability — The right for a consumer to request personal information about the consumer be disclosed in a common file format.
- The right to opt out of the sale of personal information — The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
- The right against automated decision making — A prohibition against a business making decisions about a consumer based solely on an automated process without human input.
- A consumer private right of action — The right for a consumer to seek civil damages from a business for violations of a statute.
- A strict opt-in for the sale of personal information of a consumer less than a certain age — A restriction placed on a business to treat consumers under a certain age with an opt-in default for the sale of their personal information.
- Notice/transparency requirements — An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
- Mandated risk assessment — An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
- A prohibition on discrimination against a consumer for exercising a right — A prohibition against a business treating a consumer who exercises a consumer right differently than a consumer who does not exercise a right.
- A purpose/processing limitation — A prohibition on the collection/processing of personal information except for a specific purpose.
While many rights and obligations are starting to be recognized, again, there is not yet federal legislation to protect them.
- Update and Optimize Your Privacy Settings.
- Review what apps have access to your Facebook data and what they can do with that access
- Delete access for all apps you no longer use or need
- Share with Care. Be aware that when you post a picture or message, you may be inadvertently sharing personal details and sensitive data with strangers.
- Block “supercookie” trails – Supercookies are bits of data that can be stored on your computer by entities like advertising networks. They are “a much more invasive type of behavior-tracking program than traditional cookies that is also harder to circumvent.” Supercookies are harder to detect and get rid of because they hide in various places and can’t be automatically deleted. A supercookie owner can capture a ton of your unique personal data, like your identity, behavior, preferences, how long you’re online, when you’re most active and more. Supercookies can communicate across different websites, stitching together your personal data into a highly detailed profile.
- Set up a private email identity
- Update your software – many software companies release updates which patch bugs and vulnerabilities in the app when they are discovered
- Use App lockers – App lockers provide an extra level of security for apps and work
- Encrypt your data – There are free apps available to encrypt or scramble data so that it cannot be read without a key.
- “Create long and unique passwords for all accounts and use multi-factor authentication whenever possible.” This additional layer of security makes it harder for hackers to get into your accounts (Data Privacy Senate).