Internet Data Privacy Laws for Website Owners
You’re probably tired of having to “Agree to Terms” to check out websites. Are you confused by the sudden increase of these kinds of popups on websites you’ve been visiting for years? New legislation is the reason for these boxes and notices.
Data privacy and security have become a priority for millions around the world. Accordingly, people are seeing the value inherent in their personal data. Because of this, users want greater control over where their data goes and who is handling it. This concern is not a conflated sense of paranoia, though. At least 16 high-profile data breaches were announced between January 2017 and April 2018 in the United States alone. The world is growing ever more connected through exchanged personal data. Because of this, parliaments and senates worldwide are considering ways to keep their citizens safe.
European Privacy Regulations: GDPR
Rewind to May of this year. Your email inbox was full of emails from retailers and media agencies communicating their compliance with the EU’s GDPR (General Data Privacy Rule). “That only applies to Europeans”, you probably thought. “Why does this matter to me?” The GDPR organizes and expands upon several prior data laws covering EU residents and companies. However, the boundaries of enforcement extend to all corners of the globe. Any firm or service that collects or handles the personal data of EU citizens is obliged to comply with this new standard, regardless of geographic boundary.
First, companies must seek the “freely given consent” before collecting data. Secondly, it’s crucial to clearly answer the questions of “How”, “Where”, and “Why” regarding data usage. With this in mind, it’s essential for companies to assess the ways they store, handle and process data to ensure responsible compliance. Services can’t follow in the footsteps of Equifax or Yahoo, who waited months to disclose news of massive intrusions. Specifically, GDPR requires notification following a breach within 72 hours from detection. Failing to abide these standards could result in massive penalties. Organizations at fault could even face private lawsuits brought by affected users in courts unsympathetic to risky data practices.
Data Protections – Coming to a State Near You
Let’s shift focus toward more familiar shores. As of July 2018, ten states are actively pursuing internet privacy regulations. Eleven further states have enacted or expanded legislation covering the data privacy rights of individuals. In particular, California stood out from the crowd of privacy movement states when it rolled out the California Consumer Privacy Act of 2018, or CaCPA. Similar in nature to GDPR, this new standard enters enforcement effective January 1, 2020.
“[The CaCP is]…a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps.” – Dr. Aleecia McDonald, Professor of Public Policy and Internet Privacy at Stanford’s Center for Internet and Society, as quoted in The New York Times.
This push for data privacy is likely to move swiftly. Americans are increasingly appreciating the real-dollar value of their data and demanding companies – retailers, financial establishments and tech firms, especially – take steps to protect sensitive information. There is even a push to bring the “Internet of Things” under privacy rules. Such coverage would provide much needed protection against improper access or usage of the conversations you have within range of Alexa or other smart devices.
Your Business Liability
Companies hoping to avoid or ignore the need to revise data management and processing practices may be doing so at great risk. As a matter of fact, some website hosting companies are already threatening to remove non-compliant websites. No company is immune from this, either – Google and Facebook are facing $8.8 billion lawsuits for ignoring GDPR legislation. Experts nationwide anticipate that a wave of similar rules will soon arrive in the United States. In any case, if your business has a website and you store client information of any sort, you should give your liability and compliance priority.
Making your website GDPR compliant is fairly simple, though. A phone call or email to your website development company can get the ball rolling down the road of website data compliance, safeguarding your customers and your business.
Awareness and action are essential, but the steps you can take now are simple:
- Accountability: Have data management systems in place that you monitor closely.
- Purposes and Limitations: Explain the following to customers: The type of information you are collecting, How you will use it, Who you share personal data with, and How long you store data.
- Data Minimization: Think of it as rationing – don’t collect more data than you need or can safely store. Create a list of who has data access.
- Data Accuracy: Keep records as current as possible. Give users an easy way to request data erasure.
- Security & Integrity: Privacy-by-design systems limit access to a select number of authorized people. Notify users of which third parties also have access to their data.
- Storage Limits: Use software to encrypt and anonymize user information. Know where you store user data. Delete or discard data you no longer need or use.
- Lawful, Fair & Transparent: Provide contact information for users to request the review or removal of their information from your data systems.
Technology news can sometimes seem murky or confusing. We’d love to talk more if you have questions about digital data privacy laws, or want to know what steps to take to ensure your business and customers are protected.
[stylebox color=”red” icon=”delete” icon_size=”48″]Disclaimer: GDPR is broad in scope and compliance will vary greatly between organizations. This article should not be considered legal advice. This is informational only and aims to help bring you an awareness of GDPR. If you need legal advice after reading this article, please consult an attorney with your specific questions regarding GDPR. [/stylebox]
Who are the NSA?
The National Security Agency (NSA) is a powerful United States intelligence organization. Basically, they are responsible for collecting, processing, and monitoring global data for intelligence purposes. The NSA has a stated role to advance national security while protecting the freedoms, civil liberties, and privacy rights guaranteed by the Constitution and federal law.
What is the issue?
Many studies, cases, and documents show that the US government is spying on American citizens using online NSA surveillance. As Americans, this invades our Freedom of Speech and our Right to Privacy. The ACLU has called this activity “unconstitutional surveillance of Americans’ communications”.
An internal NSA audit from 2012 revealed they committed 2,776 incidents of unauthorized surveillance of Americans or foreign targets in the US over a one-year period.
On May 20, 2013, Edward Snowden released files from the NSA which described, as he put it, “systematic surveillance of innocent citizens.” Based on Snowden’s documents, the NSA has at least nine major tech companies gathering data on selected surveillance targets. This revelation caused online privacy concerns to increase dramatically in the US.
Then on Dec 24, 2014, a Freedom of Information lawsuit filed by the ACLU revealed NSA documents from 2001 to 2013. Overall, these documents showed that there were instances of unauthorized surveillance of US organizations, spouses or love interests, and more American citizens.
What is a Digital Pat Down?
The inner workings of an intelligence machine like the NSA can be difficult to grasp. From leaked documents so far, we can surmise that the NSA is performing secret “digital pat downs” on American citizens somewhat regularly. This happens without our knowledge or consent.
First, an NSA analyst identifies a target and submits a request to the FBI’s Data Intercept Technology Unit. Next, dedicated employees at various tech companies receive the request and gather the requisite data. This may include emails, chat logs, and videos. Once the data is compiled, it is sent back to the FBI for analysis.
The National Security Agency is also piggybacking on the tools that enable Internet advertisers to track consumers, using “cookies” and location data to pinpoint targets for government hacking and to bolster surveillance. We’ve talked in detail about mobile phone tracking tools previously.
They are also collecting location data transmitted by mobile apps. An NSA program, code-named HAPPYFOOT, helps the NSA to map Internet addresses to physical locations more precisely than is possible with traditional Internet geolocation services.
How do Americans feel?
PEW research shows what Americans think about online privacy and the NSA.
Overall, 54% of Americans disapprove of the US Government collecting telephone and Internet data for anti-terrorism efforts.
74% said they should not give up their privacy and freedom for the sake of safety.
93% think it is important to control who can get their information.
CISPA had alarmed the privacy community by giving companies the ability to share cyber security information with federal agencies, including the NSA, “notwithstanding any other provision of law.” That means CISPA’s information-sharing channel, created for responding quickly to hacks and breaches, could also provide a loophole in privacy laws that would enable warrant-less intelligence and surveillance. The information they gather, including all hacked data and any incidental information swept up in the process, would be added to a massive database. The FBI, CIA, and NSA would then be free to query this data at their leisure.
This is how CISPA would create a huge expansion of the “backdoor” search capabilities that the government uses to skirt the 4th Amendment and spy on Internet users without warrants and with virtually no oversight.
How to prevent being spied on by the NSA and other data collectors without going off the grid
It may be impossible to completely prevent the NSA from spying on you, but you can try and make it much harder.
- Avoid popular Online Consumer services – These include Google, Facebook, and DropBox.
- An alternative to DropBox is SpiderOak.
- A common alternatives to Google is DuckDuckGo.
- Mashable has published a list of private social networks to help you avoid the Facebook plague.
- Encrypt your hard drive – You may have password protection on your files but you should go a whole step further and encrypt the entire hard drive.
- Avoid online tracking – On you browser you can use the do-not-track setting but you can go a step farther and use a plugin to stop tracking. Some reputable plugins for this include:
- Encrypt your email and chat messages – Encrypt your messages before you send them. Some common email clients with encryption include:
- Microsoft Outlook – This has encyption options if you want to use them.
- Runbox (a Norwegian secure email client) – Claims to be unreachable by the NSA.
- HushMail – Not as popular but is completely encypted.
If you chat on the Internet, you can encypt those messages too.
- ChatCrypt – Encrypts the message when it sends and can only be read by the end user, also known as end-to-end encryption.
If you use common instant messaging through Google, AOL, Yahoo or Microsoft you can use a chat extension called OTR (Off the record) which enables end-to-end encryption.
- Use TOR for online browsing – TOR stands for The Onion Router. Like an onion, it layers multiple levels of security. Basically, it bounces communication around a network of relays which makes it very difficult to track.
Online Privacy in Europe
A recent draft of the British Investigatory Powers Bill will require companies to store information for up to a year. Communications companies would hold details of which websites and apps a person uses.
Recently, the European Union has decided to invalidate the current voluntary safe harbor because they believe the US cannot adequately protect its privacy. There have been reports that European companies are transferring data out of US territory for safe keeping.
EU-US Privacy Shield
The US Government released full text of the new European Union-US Privacy Shield on Feb 29. This is not yet law.
Citizen complaints – The new agreement gives companies and citizens the chance to complain and dispute any mishandling of records and personal information.
Targeted spying – This will now be limited to: detect and counter threats from espionage, terrorism, weapons of mass destruction, threats to the armed forces, or transnational criminal threats.
The proposed framework includes the following features:
- Companies must provide greater transparency with respect to their data collection, use, and sharing practices through more robust and detailed privacy policies
- If a company handles human resource (employee) data, it must agree to cooperate and comply with EU Data Protection Authorities (DPAs)
- Companies transferring personal data to third-party service providers remain fully responsible for the proper handling of personal data; must conduct appropriate due diligence concerning its service provider; and must properly monitor and re-mediate any deficiencies of its service providers relating to the handling of personal data