Internet Data Privacy Laws for Website Owners
You’re probably tired of having to “Agree to Terms” to check out websites. Are you confused by the sudden increase of these kinds of popups on websites you’ve been visiting for years? New legislation is the reason for these boxes and notices.
Data privacy and security have become a priority for millions around the world. Accordingly, people are seeing the value inherent in their personal data. Because of this, users want greater control over where their data goes and who is handling it. This concern is not an inflated sense of paranoia, though. At least 16 high-profile data breaches were announced between January 2017 and April 2018 in the United States alone. The world is growing ever more connected through exchanged personal data. Because of this, parliaments and senates worldwide are considering ways to keep their citizens safe.
European Privacy Regulations: GDPR
Rewind to May of this year. Your email inbox was full of emails from retailers and media agencies communicating their compliance with the EU’s GDPR (General Data Privacy Rule). “That only applies to Europeans”, you probably thought. “Why does this matter to me?” The GDPR organizes and expands upon several prior data laws covering EU residents and companies. However, the boundaries of enforcement extend to all corners of the globe. Any firm or service that collects or handles the personal data of EU citizens is obliged to comply with this new standard, regardless of geographic boundary.
First, companies must seek “freely given consent” before collecting data. Secondly, it’s crucial to clearly answer the questions of “How”, “Where”, and “Why” regarding data usage. With this in mind, it’s essential for companies to assess the ways they store, handle and process data to ensure responsible compliance. Services can’t follow in the footsteps of Equifax or Yahoo, who waited months to disclose news of massive intrusions. Specifically, GDPR requires notification following a breach within 72 hours from detection. Failing to abide by these standards could result in massive penalties. Organizations at fault could even face private lawsuits brought by affected users in courts unsympathetic to risky data practices.
Data Protections – Coming to a State Near You
Let’s shift focus toward more familiar shores. As of July 2018, ten states are actively pursuing internet privacy regulations. Eleven further states have enacted or expanded legislation covering the data privacy rights of individuals. In particular, California stood out from the crowd of privacy movement states when it rolled out the California Consumer Privacy Act of 2018, or CaCPA. Similar in nature to GDPR, this new standard enters enforcement effective January 1, 2020.
“[The CaCPA is]…a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps.” – Dr. Aleecia McDonald, Professor of Public Policy and Internet Privacy at Stanford’s Center for Internet and Society, as quoted in The New York Times.
This push for data privacy is likely to move swiftly. Americans increasingly appreciate the real-dollar value of their data and are demanding that companies – retailers, financial establishments and tech firms, especially – take steps to protect sensitive information. There is even a push to bring the “Internet of Things” under privacy rules. Such coverage would provide much-needed protection against improper access or usage of the conversations you have within range of Alexa or other smart devices.
Your Business Liability
Companies hoping to avoid or ignore the need to revise data management and processing practices may be doing so at great risk. As a matter of fact, some website hosting companies are already threatening to remove non-compliant websites. No company is immune from this, either – Google and Facebook are facing $8.8 billion lawsuits for ignoring GDPR legislation. Experts nationwide anticipate that a wave of similar rules will soon arrive in the United States. In any case, if your business has a website and you store client information of any sort, you should give your liability and compliance priority.
Making your website GDPR compliant is fairly simple, though. A phone call or email to your website development company can get the ball rolling down the road of website data compliance, safeguarding your customers and your business.
Awareness and action are essential, but the steps you can take now are simple:
- Accountability: Have data management systems in place that you monitor closely.
- Purposes and Limitations: Explain the following to customers: the type of information you are collecting, how you will use it, who you share personal data with, and how long you store data.
- Data Minimization: Think of it as rationing – don’t collect more data than you need or can safely store. Create a list of who has data access.
- Data Accuracy: Keep records as current as possible. Give users an easy way to request data erasure.
- Security & Integrity: Privacy-by-design systems limit access to a select number of authorized people. Notify users of which third parties also have access to their data.
- Storage Limits: Use software to encrypt and anonymize user information. Know where you store user data. Delete or discard data you no longer need or use.
- Lawful, Fair & Transparent: Provide contact information for users to request the review or removal of their information from your data systems.
Technology news can sometimes seem murky or confusing. We’d love to talk more if you have questions about digital data privacy laws, or want to know what steps to take to ensure your business and customers are protected.
Disclaimer: GDPR is broad in scope and compliance will vary greatly between organizations. This article should not be considered legal advice. This is informational only and aims to help bring you an awareness of GDPR. If you need legal advice after reading this article, please consult an attorney with your specific questions regarding GDPR.