Privacy Policies are Changing: What’s New and What You Can Do
Tech Quest Apprenticeship is providing this article in observance of October as Cybersecurity Awareness Month.
A privacy policy is a statement, often in the form of a legal document, that makes known some or all of the ways an organization gathers, uses, manages and shares your data. Every organization that collects information on consumers and users should have a privacy policy. This includes any business or website that stores or manages customer data, as well as big social media and app companies.
What do privacy policies mean to you?
The monetization of consumer data has led to big tech companies collecting and selling this data in exchange for providing free services. Consumers do not always understand the long-term ramifications of privacy policies. Why is that the case with something as important as how our data is collected and stored?
The three main causes are:
- The privacy policies are often very long and difficult to read (Google’s policy is 35 screens long) and companies often purposely write them that way so that people won’t read them;
- Many people believe that they’re law-abiding and have nothing to hide;
- They believe that their personal data is too small or insignificant to worry about.
This limited customer attention leads to private data being packaged or aggregated and sold to other businesses, with consequences for users such as targeted ads.
Laws Concerning Privacy Policies
EU taking the lead
The European Union (EU) has been leading the way worldwide to allow people to control how their personal data is collected and distributed. In 2016, the EU passed the General Data Protection Regulation (GDPR) into law, with the aim of giving people more control of their personal data and a greater understanding of how companies may use it.
This law applies to any enterprise, regardless of where it’s located, and covers everyone, regardless of their citizenship, if they are inside the EU. The GDPR essentially states that no personal information may be gathered unless the gathering rests on one of the following: consent, contract, public task, vital interest, legitimate interest or legal requirement. Also, everyone has the right to revoke access at any time.
In October, the European Court of Justice ruled that EU countries cannot collect phone and internet data en masse. This will prevent any EU state from forcing communications companies to gather and retain data to combat future crime or safeguard national security, while allowing for certain exceptions when an imminent threat is identified. This decision is in response to the surveillance activities of the U.S. government.
California at the forefront
California has some of the country’s tightest privacy laws. In 2018, the state passed the California Consumer Privacy Act (CCPA), which is similar to the GDPR. A proposal to overhaul it, known as Proposition 24, is on the November ballot. Andrew Yang chairs the Proposition 24 advisory board.
The proposal would require every business operating in California that meets one of the following three criteria to comply with it:
- Have more than $25 million in gross annual revenue;
- Buy, receive or sell personal information of 50,000 or more Californians;
- Receive 50% or more of their annual revenue from selling California residents’ personal information.
Significant proposed changes in Proposition 24 include:
- The definition of “personal information” would change to be information that identifies, is related to or could reasonably be linked with you or your household. Examples include your name, Social Security number, email address, records of purchases, internet browsing history, geolocation data, fingerprints and inferences from other personal information that could create a profile about your preferences and characteristics.
- Several loopholes in sharing of data would be closed.
- Users could opt out of having their data sold.
- Consumers could limit geolocation tracking.
- The personal information of minors would receive enhanced protection.
- Using personal information to target consumers with certain advertising would be restricted.
- Consumers could file lawsuits for data breaches that include sharing their email username and password.
California often leads trends in the U.S. You’re likely to see a move to enhance privacy legislation in your state soon.
What You Can Do
Whether you own a business or are just concerned about your personal data, it’s time to review what private data you’re sharing, purchasing or using, and why. If you run a business, you should review your business model to exclude monetization of consumer private data wherever possible or at least review your privacy policy to ensure you’re complying with the law.