Internet Data Privacy Laws for Website Owners
You’re probably tired of having to “Agree to Terms” to check out websites. Are you confused by the sudden increase of these kinds of popups on websites you’ve been visiting for years? New legislation is the reason for these boxes and notices.
Data privacy and security have become a priority for millions around the world. Accordingly, people are seeing the value inherent in their personal data. Because of this, users want greater control over where their data goes and who is handling it. This concern is not an inflated sense of paranoia, though. At least 16 high-profile data breaches were announced between January 2017 and April 2018 in the United States alone. The world is growing ever more connected through exchanged personal data. Because of this, parliaments and senates worldwide are considering ways to keep their citizens safe.
European Privacy Regulations: GDPR
Rewind to May of this year. Your email inbox was full of emails from retailers and media agencies communicating their compliance with the EU’s GDPR (General Data Privacy Rule). “That only applies to Europeans”, you probably thought. “Why does this matter to me?” The GDPR organizes and expands upon several prior data laws covering EU residents and companies. However, the boundaries of enforcement extend to all corners of the globe. Any firm or service that collects or handles the personal data of EU citizens is obliged to comply with this new standard, regardless of geographic boundary.
First, companies must seek “freely given consent” before collecting data. Secondly, it’s crucial to clearly answer the questions of “How”, “Where”, and “Why” regarding data usage. With this in mind, it’s essential for companies to assess the ways they store, handle and process data to ensure responsible compliance. Services can’t follow in the footsteps of Equifax or Yahoo, who waited months to disclose news of massive intrusions. Specifically, GDPR requires notification following a breach within 72 hours from detection. Failing to abide by these standards could result in massive penalties. Organizations at fault could even face private lawsuits brought by affected users in courts unsympathetic to risky data practices.
Data Protections – Coming to a State Near You
Let’s shift focus toward more familiar shores. As of July 2018, ten states are actively pursuing internet privacy regulations. Eleven further states have enacted or expanded legislation covering the data privacy rights of individuals. In particular, California stood out from the crowd of privacy movement states when it rolled out the California Consumer Privacy Act of 2018, or CaCPA. Similar in nature to GDPR, this new standard enters enforcement effective January 1, 2020.
“[The CaCPA is]…a step forward, and it should be appreciated as a step forward when it’s been a long time since there were any steps.” – Dr. Aleecia McDonald, Professor of Public Policy and Internet Privacy at Stanford’s Center for Internet and Society, as quoted in The New York Times.
This push for data privacy is likely to move swiftly. Americans are increasingly appreciating the real-dollar value of their data and demanding companies – retailers, financial establishments and tech firms, especially – take steps to protect sensitive information. There is even a push to bring the “Internet of Things” under privacy rules. Such coverage would provide much needed protection against improper access or usage of the conversations you have within range of Alexa or other smart devices.
Your Business Liability
Companies hoping to avoid or ignore the need to revise data management and processing practices may be doing so at great risk. As a matter of fact, some website hosting companies are already threatening to remove non-compliant websites. No company is immune from this, either – Google and Facebook are facing $8.8 billion lawsuits for ignoring GDPR legislation. Experts nationwide anticipate that a wave of similar rules will soon arrive in the United States. In any case, if your business has a website and you store client information of any sort, you should give your liability and compliance priority.
Making your website GDPR compliant is fairly simple, though. A phone call or email to your website development company can get the ball rolling down the road of website data compliance, safeguarding your customers and your business.
Awareness and action are essential, but the steps you can take now are simple:
- Accountability: Have data management systems in place that you monitor closely.
- Purposes and Limitations: Explain the following to customers: the type of information you are collecting, how you will use it, who you share personal data with, and how long you store data.
- Data Minimization: Think of it as rationing – don’t collect more data than you need or can safely store. Create a list of who has data access.
- Data Accuracy: Keep records as current as possible. Give users an easy way to request data erasure.
- Security & Integrity: Privacy-by-design systems limit access to a select number of authorized people. Notify users of which third parties also have access to their data.
- Storage Limits: Use software to encrypt and anonymize user information. Know where you store user data. Delete or discard data you no longer need or use.
- Lawful, Fair & Transparent: Provide contact information for users to request the review or removal of their information from your data systems.
Technology news can sometimes seem murky or confusing. We’d love to talk more if you have questions about digital data privacy laws, or want to know what steps to take to ensure your business and customers are protected.
Disclaimer: GDPR is broad in scope and compliance will vary greatly between organizations. This article should not be considered legal advice. This is informational only and aims to help bring you an awareness of GDPR. If you need legal advice after reading this article, please consult an attorney with your specific questions regarding GDPR.
EU-US Privacy Shield Still Not Protecting Your Privacy
The full text of the new draft EU-US Privacy Shield was released February 29th but has not been signed yet. It makes some changes from the previous Safe Harbor Agreement. While some are good improvements, others seem not to have changed how our data is handled at all. A conclusion on whether the draft agreement will be acceptable should be made by mid-April to the end of April.
History: Safe Harbor Agreement
Before going into the Privacy Shield, here is the history of why we needed a new agreement between the European Union and United States. In an earlier blog, Safe Harbor Ruled Invalid, How it Affects You, we talked about the invalid ruling of the Safe Harbor Agreement and how it affected businesses and consumers. So here’s a little history on the old Safe Harbor Agreement:
The European Union (EU) and the United States (US) established the Safe Harbor Pact in 2000. This allowed businesses to legally funnel info across the Atlantic. Common data storage and transfers might include global commerce, sending and receiving emails, and even posting on social media. US companies can “self-certify” that they meet the stricter European privacy standards.
In early October of 2015, the European Court of Justice found the US approach to domestic surveillance and absence of legislation governing certain privacy rights was not up to European standards, following a case brought by an Austrian student, Max Schrems. The EU then made the Safe Harbor pact invalid. They believe the US has compromised their data and would like some changes to ensure the US is not spying on their citizens.
While there are some improvements to the Trans-Atlantic data transfer deal, many say it does not differ much from the original Safe Harbor and does not address the “core concerns and fundamental flaws of US surveillance law and the lack of privacy protections under US law.”
Key Positive Takeaways:
Citizen and Company Complaints
The new agreement gives companies and citizens the chance to complain and dispute any mishandling of records and personal information. Governments must resolve such complaints within 45 days or use a free “alternative Dispute Resolution”.
An ombudsman is a public advocate representing the interests of the public by investigating and addressing complaints. An ombudsman within the US State Department will handle any allegations of privacy violations.
Key Negative Takeaways:
Collecting Data in “Bulk”
In a press release from February 29th, the European Commission states there will be “no indiscriminate or mass surveillance by national security authorities.” But that statement is then contradicted by this:
- Detecting and countering certain activities of foreign powers
- Detecting and countering threats to US or allied armed forces
- Combating transnational criminal threats, including sanctions evasion
US Judicial Redress Act
In addition to the Privacy Shield, President Obama signed the U.S. Judicial Redress Act on February 24th that will “give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the U.S. for law enforcement purposes.” […] “The Judicial Redress Act will extend the rights U.S. citizens, and residents enjoy under the 1974 Privacy Act also to EU citizens.”
At first that sounds good. After further research on the Privacy Act of 1974, many believe that the Privacy Act is “worthless”, with similar views from the Electronic Frontier Foundation (EFF). There are many exceptions, including 32 CFR 322.7, which exempts the NSA from rules of privacy on records maintained on individuals, according to 5 U.S. Code § 552a.
“Essential Equivalence” Non-Existent
One of the most important parts of changing this agreement was to have “essential equivalence” of European data protection in the US. Max Schrems points out that this deal falls short:
“The new deal does not even address the matter of private sector data misuse, despite the fact that there would have been much more leeway than in the government sector. There are tiny improvements, but the core rules on private data usage are miles away for EU law.” (TechCrunch)
Privacy Shield Certified
Under the Privacy Shield a business can become ‘certified’ to establish “adequate” protections for Trans-Atlantic data transfers. While this helps to protect your business from data transfer problems, it does not protect you completely.
The new agreement allows Data Protection Authorities (DPAs) to suspend data flow regardless of a business being Privacy Shield Certified. This would mean you cannot secure continuous data flow for your company.
The EU-US Privacy Shield still needs to be approved by the EU’s WP29, also known as the Article 29 Working Party. Given the privacy issues others have already found in the draft, it does not seem likely it will be approved.
“They tried to put 10 layers of lipstick on a pig, but I doubt the court and the DPA’s now suddenly want to cuddle with it”
The Data Safe Harbor Rule
The Safe Harbor Rule was established in 2000 between the European Union (EU) and the United States (US). This agreement allowed businesses to legally funnel information across the Atlantic. Such data is normally transferred during global commerce, email correspondence, and even social media communication. Europe has stricter privacy guidelines to protect its citizens than the US does. Under the Safe Harbor agreement, US companies could “self-certify” that they met Europe’s stricter privacy standards in order to gain access to European markets.
In early October, the European Court of Justice ruled that the US approach to domestic surveillance was not up to European standards. Basically, this happened because the court was concerned that the US would compromise the data of European citizens swept up in our country’s growing mass surveillance machine. Consequently, this ruling made the Safe Harbor pact invalid virtually overnight.
The Safe Harbor Agreement 2.0
The European Union and the United States will be meeting on December 17th to create a new agreement for the Safe Harbor. They plan to conclude this agreement in January of 2016. The EU would like to see some changes in the new agreement such as:
- Privacy watchdogs to challenge US companies’ handling of EU data
- European citizens should be able to complain directly to national authorities about data protection
What Does an Invalid Ruling of Safe Harbor Mean?
This affects businesses and consumers from both the European Union and United States. Over 4,000 companies rely on the Safe Harbor for their data transfers, including:
Effects on Companies:
This affects any US-based company doing online business in the EU.
Many companies that relied on the Safe Harbor “Self Certification” will now have to obtain independent certification.
In Europe, EU standards from 1995 are now being used to determine whether a company’s data sharing is permissible. As of now, the EU operates under the Data Protection Directive. This requires that companies only transfer data to countries that offer adequate privacy protection.
For More Information: With Safe Harbor now “Invalid,” Companies Must Change Data Practices
Effects on Consumers:
Consumers in the US might not notice a substantial difference. European consumers may be cut off from US companies for a time, depending on how stringent the new rules become. It may take some time before US based companies have made the necessary adjustments to do business with the EU again.
Microsoft has stated they will be storing data in a German company, Deutsche Telekom, for their European cloud computing customers. Microsoft will not be able to access the data without permission of either the customer or the company.
This solution may be too expensive for many companies. As a result, the US has started offering customers and partners the opportunity to enter into ‘data processing addendums’. However, these are only a temporary solution. Consequently, many companies are waiting to hear what’s in the new Safe Harbor Rule.
What is the Facebook Data Use Policy?
Facebook is updating its policies again, a move which will inevitably lead to another round of people declaring that the company is selling their 852 photos of Jr. and posting custom legalese on their timelines in an attempt to contradict whatever new policies the company has written.
Is Facebook using your private gallery in advertising? Will establishing your own copyrights in a post make any difference? The answers are no, but what really goes on behind the scenes regarding Facebook advertising, privacy, and its Data Use Policy can be a bit murky and complex, if not a little insidious. The current round of proposed updates includes more attempts at clarifying what already exists with new language so there’s not much new there. But just what are they doing, and how can you control your own data?
It Starts With You
First and foremost, as a Facebook user you must take control of your privacy settings. Facebook’s biggest crime is a tendency to make their users ‘opt out’ of sharing information, rather than opting in. It is up to an individual user to learn about privacy settings and who will be able to access and use their information. Facebook changes things around a lot, which makes keeping track of your permissions (and finding the settings) more complex than it has to be. Even so, Facebook will not share more than you allow – the trick is knowing what you are allowing.
Public Information: Anyone can see your public information. It is what people use to search for others, and it’s what makes the social network social. Some information is always public, no matter how private you make your profile: your name, your profile picture and cover photos, your network, your gender, and your Username/ID. If you upload a picture of your kid as your own profile image or as your cover photo, that image WILL be visible to all.
Other Public Info vs. Private Info: From here, you choose whether to make your wall and other information public, shared with your friends, or customized. The little globe icon right next to the post button indicates that something is public, the icon of two people means ‘Friends’, and the gear means that a custom permission has been set (you can customize who sees what; for example, if you want to keep your family oblivious to your more off-the-wall hobbies). However, despite what you place as your settings, the publicity of your actions depends on what you do and where you post as well. If your friend makes a public post and you comment on it, then you should expect your response to be public. If you are posting to a public group, then other people may see it.
Your friends will see what you post to your wall, what you like, and what you share. Your friends may also affect the advertising you see, they can add you to groups, and they can affect your Facebook life in other ways – such as tagging awful pictures of you. Keep track of who you friend and how you plan to interact with that person. Sometimes the interaction can get out of hand in unexpected ways.
Likes Vs. Shares – And how Social Advertising Throws This Off
When you Share something on Facebook, you expect other people to see it and pass it along – this is a given. Facebook is social after all, and you want to share things you enjoy. Keep in mind, however, that when you Like something on Facebook, you are endorsing it – which may affect the way Facebook advertises to you. Your profile and image may also appear to your friends on that or other affiliated websites. Additionally, your endorsement may appear in the advertisements that your friends see in Facebook.
Did you click ‘like’ two years ago on a friend’s photography fan page? That photography page might show up in another friend’s news feed, endorsed by you – which could get awkward depending on the content of their photography, for example.
Social Advertising has the internet in a tizzy these days. While Snopes has put the rumor that Facebook is using your private images in public advertisements to rest, what you decide to share might very well be everybody’s business, depending on your privacy settings. Things you share and your likes will be shared with your friends. Likewise, the information that you allow apps to access will be sent to those 3rd party companies.
Even if Facebook is not stealing your images to use in public advertising (and your content DOES belong to you) Facebook’s data gathering is complicated, and may reach well beyond the scope that many people realize.
Everything you do on the Facebook platform is tracked – what you click on, what you like, the information you post about yourself, where you are, and your general behaviors. This information is intended to personalize the targeted advertising to you – it’s all about the ads. Say your public information states that you are a 28-year-old male in Flint, that you like a given restaurant and you like ice hockey. Even with your personal identifiers removed, that information is still highly detailed. If someone is looking to advertise a Flint Generals event at a given restaurant, you might fit into the demographic, sparking an oddly specific advertisement to appear on your news feed.
Even if you yourself rarely click a Like button, your friends can be used to fill in the gaps. (This is why we mentioned being careful about the people you are Friending.)
Beyond the Web
Data mining is not limited to Internet activity alone. Remember those little customer loyalty cards you scan at the store for discounts? The information gathered from these cards can be fed into one of several big data mining companies who can then associate it with your Facebook account (using a hashed email or phone number). If you purchase a car at a local dealership, you may be shown an advertisement for that car dealership on Facebook even if you never Liked anything related to it.
What to Do
Does this make you uncomfortable? If not, continue on your merry way. If so, however, there are steps that can be taken to minimize your use to advertisers in this way.
Update Privacy Settings: On Facebook you should regularly update your privacy settings and check out the new features. The little lock icon in the right-hand corner of Facebook’s blue nav bar along the top will take you to the privacy page, which allows you to manage everything from your timeline and tagging to deleting old apps and editing your Facebook Ads permissions. This is where you control social advertising.
Audit Your Likes: If you are worried about what might show up in advertising you can go through and delete old Likes, hide or delete wall posts, and otherwise clean up your account. Even if you’ve set your security to private, this can minimize future awkward advertising and associations, and avoid giving free advertising to companies that you don’t actually want to endorse.
Addon Help: Facebook utilizes cookies and browser storage. There are a variety of browser addons and extensions that will reduce your cookie tracks throughout the web, and there are also addons that will allow you to adjust what you see and use on Facebook.
Opting Out: The real-world data mining can be controlled to a degree as well. Using a different phone number (Google Voice offers secondary phone numbers) or an alternate email than the one used with Facebook can reduce the ability for companies to associate the two. The Electronic Frontier Foundation has written a guide on how to opt out of data mining for some of the big data companies.
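How the hashed-identifier match described under “Beyond the Web” works, and why the alternate email or phone number suggested under “Opting Out” breaks it, shown as an added example that is not from the original article. The use of unsalted SHA-256, the normalization rules and every record below are assumptions constructed for illustration.

```python
import hashlib

def normalize_email(email):
    """Trim and lower-case so one address always produces one hash."""
    return email.strip().lower()

def normalize_phone(phone):
    """Keep digits only so differently formatted numbers agree."""
    return "".join(ch for ch in phone if ch.isdigit())

def hash_identifier(value):
    # Assumption: unsalted SHA-256. The article only says "hashed".
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def hashed_view(records, id_field):
    """What each party hands over: record id -> identifier hashes, no raw values."""
    view = {}
    for rec in records:
        hashes = set()
        if rec.get("email"):
            hashes.add(hash_identifier(normalize_email(rec["email"])))
        if rec.get("phone"):
            hashes.add(hash_identifier(normalize_phone(rec["phone"])))
        view[rec[id_field]] = hashes
    return view

def join_on_hashes(store_view, platform_view):
    """Pair store records with platform accounts that share any hash."""
    index = {h: acct for acct, hashes in platform_view.items() for h in hashes}
    matches = []
    for loyalty_id, hashes in store_view.items():
        for acct in sorted({index[h] for h in hashes if h in index}):
            matches.append((loyalty_id, acct))
    return matches

# Constructed sample data (fictional people, reserved example domains).
PLATFORM_ACCOUNTS = [
    {"account_id": "social-1001", "email": "pat.doe@example.com",
     "phone": "810-555-0100"},
    {"account_id": "social-1002", "email": "sam.roe@example.com", "phone": None},
]
STORE_RECORDS = [
    # Same address as social-1001, typed with different case and spacing.
    {"loyalty_id": "L-1", "email": " Pat.Doe@Example.com ", "phone": None},
    # Sam signed up at the store with an alternate email and number.
    {"loyalty_id": "L-2", "email": "sam.shopping@example.net",
     "phone": "(810) 555-0199"},
    # Different email, but the phone number is the one on social-1001.
    {"loyalty_id": "L-3", "email": "household@example.org",
     "phone": "(810) 555-0100"},
]

def demo_matches():
    return join_on_hashes(hashed_view(STORE_RECORDS, "loyalty_id"),
                          hashed_view(PLATFORM_ACCOUNTS, "account_id"))

if __name__ == "__main__":
    for loyalty_id, account in demo_matches():
        print(loyalty_id, "->", account)
```

Hashing keeps the raw address out of the exchanged file, but because both sides hash the same normalized value the records still link; only a different identifier (record L-2) prevents the match.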
Calling it Quits
If all this data mining combined with concerns over the NSA’s information gathering makes you want to reach for your tinfoil hat, deleting your Facebook account is an option as well. This takes about a month to do and you may still have data in their servers for up to 90 days, but it is always an option to consider. While things you have posted on other people’s walls or comments may not entirely disappear, it will definitely reduce your digital footprint.