The slew of emails about privacy policies and terms of service updates, popups, cookie consents, and general Googling of “What is a cookie?” spiked post-GDPR. The finalization of GDPR ushered in a whole new age of consumer awareness.
As did the Cambridge Analytica scandal. Which, beyond doubt, pushed GDPR to the forefront of policy maker’s minds.
But if you’re like most people, you still have a pretty vague and fuzzy idea about what personal data is, why it matters, and what privacy laws are in place to protect you.
What Is PII?
PII is short for personally identifiable information. This is any information that can identify who you are.
PPI includes things like:
- Social Security number
- mailing address
- email address
- phone number
- IP address
- login ID
Although the definition of PII is broad and creates many security and privacy challenges for companies. Especially when specific and stringent safeguards for it are spelled out, by what classifies as PII are not.
What Is Personal Data?
Personal data (PD) includes all PII listed above, but not all personal data is PII. PD in the context of GDPR covers a much broader range of information.
Personal data includes things like:
- Social media posts
- Preferences – for literally anything from pets to S.O.s
- Locations you go to/lived at
- Purchase history
- Biometric information like your heart rate, rate of respiration, etc.
- Device IDs
The list gets too long to, well, list. But remember personal data refers to information that is recorded about you – but can’t necessarily be linked to you. Although data that can be linked to you falls under this umbrella as well.
In short: personal information.
What Isn’t Covered Under PPI or Personal Data?
Personal data relating to someone who is dead, public authorities, public companies, any data that is properly anonymized, and anonymized data from government agencies isn’t covered by privacy laws.
Most of this information can be pulled in a FOIA request, and restricting that data would compete with those laws.
In the US, at least.
Why Is Data Privacy A Human Rights Issue?
Privacy is a fundamental human right. This right is recognized by the United Nation’s Declaration of Human Rights, the International Covenant of Simple and Political Rights, and other international and regional treaties.
Privacy is considered the underpinnings of human dignity and other key values such as freedom of association and freedom of speech. But, given recent events, the lack of privacy was considered to have interfered with democracy.
If you haven’t heard of the Cambridge Analytical scandal at this point, it’s a bit too messy to get into here. But the short is: they were a UK-based company that was accused of tampering with democracy around the globe.
What they were doing at Cambridge Analytica was considered to be “weapon’s grade communication” in Europe.
But there’s an even older and – often – much more consequential way PPI can be used that’s caused deaths, never mind allegedly interfered with politics and the outcomes of entire nations.
What Is Doxxing?
Unless you live on the internet, you likely haven’t heard of this phenomenon.
It’s essentially the act of finding out someone’s PPI and releasing it to the public. In most cases, this internet vigilante justice. Someone’s name, address, and other personally identifiable information gets released on the internet and letting whatever happens, happen.
In other circumstances, this includes the release of nude photos of someone, typically women, with an address or phone number included. Or, worse yet, the names, phone numbers, and addresses of you, your friends, and your family.
This kind of information leak cost people their privacy, jobs, families, homes, and – on rare occasions – their lives.
One way this can escalate beyond Doxxing is with something called “Swatting.” This is when someone has someone’s name and address and calls the cops to report a serious crime. Think bomb-threats and hostage situations.
The kind of crime where the SWAT team rolls up and shoots the “threat” when they answer the door kind of crimes. Only the crime is fake.
This is exactly what happened in the case of Andrew Finch (28), in December 2017 because Tyler Barris (25) called and reported a murder with a hostage situation at his house. And then bragged about it on Twitter when he saw Finch’s house on the news.
And if that weren’t bad enough, it was over Call Of Duty. (If you aren’t familiar, it’s a video game.)
Doxxing – and worse – Swatting are illegal on more than one level. But what about normal privacy violations?
What Are The US Laws About Data Privacy?
There are a few laws that govern privacy and data protection in the US. One of the big ones is the Privacy Act of 1974.
Here are the cliff notes:
- Rights of US citizens to access any data held by government agencies and our right to copy that data
- right of citizens to correct any information errors
- agencies should allow data minimization principles in collecting data least information relevant and necessary to accomplish its purpose
- access to data is restricted on a need to know basis
- sharing of information between other agencies is restricted and only allowed under certain conditions
Another one that you’ve surely heard of is HIPAA. Though much more recent and specialized than the Privacy Act. HIPAA was passed in 1996.
It stands for Health Insurance Portability And Accountability Act. But you likely know it as the thing that says doctors can’t share your information with anyone but you unless you ask them to.
There’s also the much less heard of and underappreciated COPPA. AKA the Children’s Online Privacy Protection Act.
COPPA took its first steps in regulating personal information collected from minors. This law prohibits online companies for asking for PPI from children 12 unless there is verifiable parental consent.
GLBA is another product of the late 90s legislation, AKA the Gramm-Leach-Bliley Act. GLBA laws cover banking and financial laws. Its protections of personal information are a major improvement over previous consumer financial data laws.
This set of laws protects nonpublic personal information (NPI.)
NPIs are defined as any information collected about an individual in connection with providing a financial product or service. Unless that information is otherwise publicly available, in which case, it would just be PPI or simply personal data.
Essentially, it boils down to personal and financial privacy.
Privacy Laws By State
Not all states have privacy laws at this point. But that does seem to be the trend. I imagine the states that have privacy laws will continue to rise until the US – as a whole – adopts something closer to GDPR.
California Consumer Privacy Act
The California Consumer Privacy Act (CCPA) was signed in 2018.
Its goal is to extend consumer privacy protections on the internet. Under the CCPA, consumers have a right to access their data.
Additionally, businesses can’t sell consumers’ personal information without providing a web notice and giving them an opportunity to opt-out. Similar to GDPR – which is not a US law – there is also a right to deletion of personal data.
Though, unlike GDPR, CCPA gives consumers limited right to action (IE: ability to sue) if they’re a victim of a data breach.
Massachusetts Data Privacy Laws
The MA proposed privacy laws build mostly off the language in CCPA. This includes consumers’ access right to personal information, right to delete, as well as explicit notification of privacy rights and a chance to opt-out of third-party sales of data.
There are a few divergences from CCPA, however. Most notably, the right for consumers to sue for any violation of the proposed Massachusetts law. In Mass’s proposed laws, consumers don’t need to have lost money or property as a result of the violation to sue.
New York Privacy Act
New York’s proposed law is currently on hold. Though, like Mass, it contains some echoes of the CCPA as well.
There’s a right to delete and request personal information, the definition of personal information includes a very extensive list of identifiers. Unlike California – but similar to Mass – New York’s act also has a private right of action for any violation of the law.
The law applies to all businesses without any revenue threshold, which differs from California and other states. This makes the proposed New York law one of the stricter laws about privacy.
Although the New York bill only requires businesses to disclose to consumers the broad categories of information shared to third parties, under some circumstances, consumers would have the right to request copies of specific information shared.
Hawaii Consumer Privacy Protection Act
Another law set similar to the CCPA, Hawaii’s offers all the same major rights and protections.
But while CCPA explicitly applies to businesses and websites that conduct business in the state of California, Hawaii spell has no similar clause.
In theory, websites based anywhere in the world could violate the law if they don’t offer adequate protection as outlined in the bill.
Maryland Online Consumer Protection Act
Businesses under the Maryland Online Consumer Protection Act have similar obligations to disclose information usage. Though to a lesser degree than CCPA.
Maryland’s law use will go beyond the scope of CCPA when it comes to disclosing third-party involved.
Under CCPA, companies only have to disclose if consumer information is being sold to a third-party. But in accordance with Marilyn’s SB -13, companies would have to disclose any information that’s passed to third parties.
Even if that data is transferred for free.
North Dakota HB-1485
North Dakota’s HB-1485 is currently in the State House of Representatives and it’s the most lightweight bill on the list.
The only significant clause would completely restrict websites from passing any information to third parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.