[This article was first published in September 2020.]
The more connected we become, the more data we will continue to share. Think about how often you access the internet and input or view sensitive information. From accessing health care information to paying bills online to even tagging your location on social media, you’re sharing information that can be collected.
According to a recent study, 47% of Americans were not sure they understood what was done with their personal information and 59% were confused by the privacy policy presented by companies. In a time when our lives are so heavily entwined with the internet, knowing what’s done with the data you share is critical.
Why it matters
Landmark security breaches remind us how vulnerable our data really is. Equifax, one of the top three credit reporting agencies, disclosed a data breach in September of 2017. Information such as Social Security numbers, names, addresses, and driver’s license numbers was compromised for 147 million people, along with 209,000 customer credit card numbers. Given the severity and importance of the information leaked, the Equifax breach is regarded as unprecedented in impact. The settlement reached with the Federal Trade Commission amounted to $425 million to be paid out to help people who were affected.
Facebook has experienced a series of security breaches, which have resulted in a federal investigation. In 2019, the user data of 540 million Facebook users was exposed on Amazon’s cloud computing services. It was revealed that Facebook partnered with more than 150 companies to share personal information of the hundreds of millions of people who use the social media platform. Users were not aware of this exchange. In a focus group conducted by the Pew Research Center, people spoke negatively about the consequences of sharing data and said that companies could have an ulterior motive for collecting their data.
Federal Laws
- U.S. Privacy Act of 1974: This act established regulations on the collection, maintenance, use, and sharing of information. It requires that agencies obtain written consent from the individual before disclosing any of their information, unless one of the 12 statutory exceptions applies. Under this act, individuals are also able to request amendments to their records.
- Federal Trade Commission Act: This act gives the Federal Trade Commission the power to protect consumers from unfair or deceptive practices by companies and to seek monetary compensation. It also has the right to enforce federal data and privacy protections.
- Children’s Online Privacy Protection Act (COPPA): COPPA prohibits the collection of data from anyone under the age of 13 without obtaining verifiable parental consent.
- Video Privacy Protection Act (VPPA): VPPA bans the disclosure of personal information or data unless the customer is aware and consents. This act includes streaming services.
There is no single catch-all data privacy law. Instead, there is a mixture of federal and state laws that try to address the different aspects of data protection. The lack of federal laws pertaining to consumer privacy led individual states to pass their own laws protecting citizens. Even so, all-encompassing laws are not widespread. There is still a lot of ground that needs to be covered to ensure that American consumers are completely protected.
Types of Data Privacy Laws
Consumer privacy
Do you ever wonder why things like Facebook or Instagram are free? You pay in privacy. These types of online services are free of monetary charge because they collect your data in exchange for their hosted services. However, 38% of surveyed Americans said that they were confused by the information presented in a privacy policy.
As of January 2020, the California Consumer Privacy Act addresses that exact issue. This law puts pressure on companies to be transparent with their practices and gives residents the right to know what personal information has been collected, shared, or sold. Additionally, consumers have the right to delete personal information that’s already been collected and the right to opt out of the sale of personal information. The idea of trading your personal information for a free service is better accepted when the consumer has control.
Children’s online privacy
One of the only inclusive data privacy laws is concerned with children’s online privacy. The Children’s Online Privacy Protection Act (COPPA) is a federal law that prohibits the collection of data from children who are under 13 years old. This means that parents have control over the information the companies can have and can request that any collected data be deleted.
In February 2019, TikTok paid $5.7 million to the FTC over concerns that the video app was in violation of COPPA. In the largest children’s privacy civil penalty to date, TikTok was accused of illegally collecting personal information from children without parental consent. In addition to the substantial settlement, TikTok was required to update its practices and remove all videos that are made by children under the age of 13. TikTok is only one example; Google and YouTube have also been investigated by the FTC.
E-reader
There are only a handful of states that have laws governing consumer privacy when it comes to e-readers. These laws prohibit entities from collecting or sharing information regarding the type of material being rented or bought using the e-reader. Within the states that have laws pertaining to e-readers, most have focused on information that can be gathered by public entities like libraries. However, efforts are being made to protect the privacy of the content people choose to read on their electronic devices. The Electronic Frontier Foundation took the time to comb through the popular e-book platforms’ privacy policies to give you the answers you’ve been searching for.
Online services
Consumers are seeing changes when it comes to online services and privacy data. Companies are now more transparent about their efforts to collect information about your browsing habits, whether in a good-faith effort to keep their consumers’ trust or because of the laws that require it. Additionally, approximately 86% of internet users have taken steps to maintain their online privacy. Clearing cookies, using a virtual network and encrypting their email are some of the actions taken. Even so, 61% say that they would like to do more to protect themselves.
Information sharing by business
While businesses collecting and sharing your information is nothing new, recent changes require that companies clearly inform you of what their intentions are when collecting that information. The reason why the company collects your data will vary, though generally companies use it to improve customer experience, assess their marketing strategy, or make money. The relationship around data privacy is a give and take between both consumers and data collectors. Businesses must be held accountable for the data privacy methods they have in place and be transparent about how they use the data they harvest. It’s also imperative that consumers know their rights and ability to impact how companies collect and use their information.
Notice when recording phone calls
Generally, the biggest concern when recording phone calls is consent. Many states are one-party consent states, meaning that phone calls can be recorded as long as one person consents. But what is considered consent? Think about when you call a customer service line and hear the ever-identifiable “this call may be monitored or recorded…” message. When a caller continues with the call, many states take that as implied consent.
There are 11 states that require both parties to consent to the recording: California, Delaware, Florida, Illinois, Maryland, Montana, Nevada, New Hampshire, Pennsylvania and Washington. Regardless of which law the state follows, there are sometimes exceptions to the rules, which include police recordings, court orders, and emergency services.
Breach notification laws
Every single state has a data breach notification law in place, although some states were slower than others to adopt one. Still, many states are actively amending their laws and expanding the definitions they hold. States like New Jersey, New York, and Oregon have broadened the scope of what is protected and established what regulations they impose on companies. Breach notification laws require that companies notify consumers of any data breaches involving personal or otherwise identifying information. Each law has a specified time frame in which action needs to be taken.
Data disposal
Data disposal laws are concerned with what happens to your information when the company no longer wants to store it. To prevent unauthorized access, both government and private agencies are required to destroy information in consumer reports or make it indecipherable. The Federal Trade Commission has imposed a disposal rule that outlines what the rule applies to and what constitutes proper disposal. Proper disposal of consumer records should be a part of every company’s security program.
Understandably, the mashup of federal and state laws can be hard to navigate. This table can help you break it down.
State | Title | Type of Law |
Alabama | SB318 | Data breach notification |
Alaska | Alaska Stat. § 45.48.010 | Data breach notification |
Alaska | Alaska Stat. § 45.48.500 | Data disposal |
Arizona | Ariz. Rev. Stat. § 41-151.22 | e-reader |
Arizona | A.R.S. §§ 18-55 | Data breach notification |
Arizona | Ariz. Rev. Stat. § 44-7601 | Data disposal |
Arkansas | Ark. Code §§ 4-110-105 | Data breach notification |
Arkansas | Ark. Code §§ 4-110-104(b) | Consumer data |
Arkansas | Ark. Code §§ 4-110-104(a) | Data disposal |
California | Cal. Civ. Code §§ 1798.100 et seq. | Consumer data |
California | Cal. Bus. & Prof. Code § 22948.20 | Consumer data |
California | Cal. Civ. Code §§ 1798.81 | Data disposal |
California | Calif. Bus. & Prof. Code §§ 22580-22582 | Children’s online privacy |
California | Cal. Ed. Code § 99122 | Online services and websites |
California | Cal. Civ. Code §§ 1798.130(5), 1798.135(a)(2)(A) | Online services and websites |
California | Calif. Bus. & Prof. Code § 22575-22578 (CalOPPA) | Online services and websites |
California | Calif. Bus. & Prof. Code § 22575 | Online services and websites |
California | Cal. Civ. Code §§ 1798.83 to .84 | Information sharing |
Colorado | Colo. Rev. Stat. § 6-1-716 | Data breach notification |
Colorado | Colo. Rev. Stat. § 6-1-713 | Data disposal |
Connecticut | Conn. Gen. Stat. § 42-471 | Data disposal |
Connecticut | Conn. Gen Stat. § 36a-701b | Data breach notification |
Delaware | Del. Code § 1204C | Children’s online privacy |
Delaware | Del. Code tit. 6, § 1206C | e-reader |
Delaware | Del. Code Tit. 6 § 205C | Information sharing |
Delaware | Del. Code tit. 6 § 5002C | Data disposal |
Florida | Fla. Stat. §§ 501.171(3)-(6) | Data breach notification |
Florida | Fla. Stat. §§ 501.171(2) | Consumer data |
Florida | Fla. Stat. §§ 501.171(8) | Data disposal |
Georgia | Ga. Code §§ 10-1-910 et. seq. | Data breach notification |
Georgia | Ga. Code §§ 10-15-2(b) | Data disposal |
Hawaii | Haw. Rev. Stat. § 487N-2 | Data breach notification |
Hawaii | Haw. Rev. Stat. §§ 487R-2 | Consumer data and data disposal |
Idaho | Idaho Code § 67-831 through § 67-833 | Data breach notification |
Illinois | 20 ILCS § 450 | Consumer data |
Illinois | 815 ILCS § 530/45 | Consumer data |
Illinois | 815 ILCS §§ 530/1 to 530/25 | Data breach notification |
Illinois | 815 ILCS § 530/30 | Data disposal |
Indiana | Ind. Code §§ 4-1-11 et. seq | Data breach notification |
Indiana | Ind. Code §§ 24-4-14-8 | Data disposal |
Iowa | Iowa Code §§ 71.C.1 – 715C.2 | Data breach notification |
Kansas | Kan. Stat. § 50-7a01 et seq. | Data breach notification |
Kentucky | KRS § 365.732 and KRS § 61.931 to 61.934 | Data breach notification |
Kentucky | KRS § 365.725 | Data disposal |
Louisiana | La. Rev. Stat. §§ 51:3071 et seq. | Data breach notification |
Maine | 35-A MRSA § 9301 (active 7/1/20) | Online services and websites |
Maine | Me. Rev. Stat. tit. 10 § 1346 et seq | Data breach notification |
Maryland | Md. State Govt. Code § 10-624 (4) | Information sharing |
Maryland | Md. State Govt. Code §§ 10-1303 | Data disposal |
Maryland | Md. Code Com. Law §§ 14-3504 | Data breach notification |
Massachusetts | Mass. Gen. Laws § 93H-3 | Data breach notification |
Massachusetts | Mass. Gen. Laws § 93H-2 | Consumer data |
Massachusetts | Mass. Gen. Laws § 93I-2 | Data disposal |
Michigan | Mich. Comp. Laws §§ 445.72 | Data breach notification |
Michigan | Mich. Comp. Laws §§ 445.72a | Data disposal |
Minnesota | Minn. Stat. §§ 325M.01 to .09 | Online services and websites |
Minnesota | Minn. Stat. §§ 325E.64 | Data breach notification |
Mississippi | Miss. Code § 75-24-29 | Data breach notification |
Missouri | Mo. Rev. Stat. §§ 182.815, 182.817 | e-reader |
Missouri | Mo. Rev. Stat. § 407.1500 | Data breach notification |
Montana | Mont. Code §§ 30-14-1701 et seq | Data breach notification |
Montana | Mont. Code §§ 30-14-1703 | Data disposal |
Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. | Data breach notification |
Nebraska | Neb. Stat. § 87-302(15) | Inaccuracies in privacy policies |
Nevada | NRS § 603A.300 | Consumer data |
Nevada | NRS § 603A.340 | Information sharing |
Nevada | SB 220 | Online services and websites |
Nevada | NRS § 205.498 | Online services and websites |
New Hampshire | N.H. Rev. Stat. §§ 359-C | Consumer data, information sharing, data breach notification, data disposal |
New Jersey | N.J. Rev. Stat. §§ 56:8-163 | Data breach notification |
New Jersey | N.J. Rev. Stat. §§ 56:8-162 | Data disposal |
New Mexico | 2017 H.B. 15, Chap. 36, Section 6 | Data breach notification |
New Mexico | 2017 H.B. 15, Chap. 36, Section 3 | Data disposal |
New Mexico | 2017 H.B. 15, Chap. 36, Section 4 | Consumer data |
New York | S5575B | Consumer data |
New York | N.Y. Gen. Bus. Law § 399-H | Data disposal |
New York | 23 NYCRR 500 | Data breach notification |
Oregon | ORS § 646.607 | Information sharing |
Oregon | SB684 | Data breach notifications |
North Carolina | N.C. Gen. Stat. § 75-65 | Data breach notifications |
North Carolina | N.C. Gen. Stat. § 75-65 | Data disposal |
North Dakota | N.D. Cent. Code §§ 51-30-01 et seq | Data breach notifications |
Ohio | Ohio Rev. Code §§ 1347.12 and Ohio Rev. Code §§ 1349.19 et seq | Data breach notifications |
Oklahoma | 24 OK Stat § 24-163 (2016) | Data breach notifications |
Oregon | Oregon Rev. Stat. § 646A.604 | Data breach notifications |
Oregon | Oregon Rev. Stat. § 646A.622 | Data disposal |
Pennsylvania | 18 Pa. C.S.A. § 4107(a)(10) | Inaccuracies in privacy policies |
Pennsylvania | 73 P.S. §§201-1 – 201-9.2 | Consumer data |
Rhode Island | R. I. Gen. Laws §§ 11-49.3-1 to .3-6 | Data breach notification |
Rhode Island | R. I. Gen. Laws § 6-52-2 | Data disposal |
South Carolina | S.C. Code Ann. § 30-2-40 and S.C. Code Section 30-2-20 | Consumer data |
South Carolina | S.C. Code SECTION 39-1-90 | Data breach notification |
South Carolina | S.C. Code Section 37-2-190 | Data disposal |
South Dakota | SD SB62 | Data breach notification |
Tennessee | Tenn. Code §§ 47-18-2107 | Consumer data |
Tennessee | Tenn Code §§ 8-4-119 | Data breach notification |
Tennessee | Tenn Code § 39-14-150(g) | Data disposal |
Texas | Tex. Bus. & Com. Code § 521.053 | Data breach notifications |
Texas | Tex. Bus. & Com. Code § 521.052(a) | Consumer data |
Texas | Tex. Bus. & Com. Code § 521.052(b) | Data disposal |
Utah | Utah Code §§ 13-37-201 to -203 | Information sharing |
Utah | Utah Code § 13-44-201(1)(a) | Consumer data |
Utah | Utah Code § 13-44-202 | Data breach notifications |
Utah | Utah Code § 13-44-201(1)(b) | Data disposal |
Vermont | NRS § 603A.300 | Consumer data |
Virginia | Va. Code §§ 18.2-186.6. | Data breach notifications |
Virginia | Va. Code § 59.1-442 | Information sharing |
Washington | Wash. Rev. Code §§ 19.255.010 | Data breach notifications |
Washington | Wash. Rev. Code §§ 19.215.030 | Data disposal |
West Virginia | W.V. Code §§ 46A-2A-101 | Data breach notifications |
Wisconsin | Wis. Stat. § 134.98 | Data breach notifications |
Wisconsin | Wis. Stat. § 134.97 | Data disposal |
Wyoming | Wyo. Stat. §§ 40-12-501 et seq. | Data breach notification |
District of Columbia | D.C. Code §§ 28-3851 et seq. | Data breach notification |
Puerto Rico | 10 L.P.R.A. § 4051 | Consumer data and data breach notification |
Quick Tips to Protect Data at Home
Possible security breaches and companies collecting your information are only one facet of data safety. Your data is also susceptible to being stolen or compromised by hackers. Thankfully, there are a number of things you can do at home to combat them. You don’t need advanced tech skills or world-class equipment; these are things you can do on your home computer.
Security software
Installing security software on your computer is one of the first steps you should take. Security software keeps your computer healthy and your information safe from attacks or computer viruses. Make sure you stay up to date with any and all updates of your software. It’s easy to close out the persistent pop-up box that reminds you to update, but don’t ignore it! Security software is especially important if you are regularly connected to public WiFi networks. While most home routers encrypt their wireless traffic, there is no way to know whether a public network you are connecting to is safe.
Use a password manager
Using the same password for everything leaves you vulnerable to potentially giving someone access to all of your information. But remembering a gaggle of passwords is no easy feat. Using a password manager is an easy way to ease the burden. Password managers are designed to generate long and complicated passwords that are less likely to be compromised. Your passwords are encrypted and can only be accessed through the master password you create. Depending on the password manager, it may offer an automatic fill feature that kicks in when you go to a page you have a saved password for.
Back up your data
In the event that your information is lost, compromised or stolen, backing up your data is a way to make sure all of your hard work and cherished memories are not lost. When you back up your data, you’re making a copy that is not stored on your computer. Whether you use a local storage option or the cloud, the point is to make your files unavailable to anyone else except you.
Data encryption
Data encryption is an essential way to keep your personal information safe. It works by taking readable text from an email or document and scrambling it into unreadable ciphertext. Encrypting your data will secure it not only on your computer, but also when it is transmitted over the internet. For the information to revert to its original form, both the sender and recipient have to have the encryption key.
What to do After a Data Breach
So you’ve heard on the news or received an email that there has been a breach and your data may have been affected. A security breach does not automatically mean someone is going to steal your identity. Before you panic, use these steps to help you through the process.
1. Confirm if you were affected by the security breach
Beware of scammers attempting to coax more information out of you with fake emails. If you receive an email that a breach has occurred, contact the company directly to confirm. Do not reply to the email.
2. Find out what information was compromised
What you do after a security breach may vary slightly depending on the type of company that was breached. You should tailor your response to the circumstances and to what information was stolen. If you find that you are the victim of the security breach, don’t pass up the company’s offer to help.
3. Change your passwords
The next important step to take is to address your personal security. Update your login information and security questions for all of your sensitive accounts – not just the ones affected by the breach. Take this time to enable two-factor authentication in your login process to add another layer of security to your accounts.
4. Contact a credit reporting bureau to report
To make sure you aren’t the victim of identity theft, call any of the major credit reporting bureaus and have them file a fraud alert on your name. This alert makes it harder for someone to open new accounts under your name and lasts for one year. Additionally, you may also consider putting a credit freeze on your report, which will restrict access to your credit report. Bear in mind this will require you to manually lock and unlock your credit report when filing for new lines of credit, like a rewards card or a house.
5. Monitor all accounts closely
Finally, after you’ve changed your passwords and placed a fraud alert in your name, the last thing to do is closely monitor your accounts for any suspicious activity. A fraud alert and credit freeze will make it harder for thieves to open new accounts, though they do not guarantee the safety of accounts the thieves may already have access to.