
Feb 05, 13 min read

Is our digital privacy lawfully protected?

Recently, Blocksurvey conducted a study on “Digital Privacy Awareness”. One of the survey questions was “Are you aware of any Digital Privacy Laws?” About 44% of respondents answered “I know there are laws, but I don’t know the details”, 28% answered “Yes” and 27% answered “No”. This made me think of writing this blog on some of the Digital Privacy Protection Laws available across the globe.

First of all, why is there a need for a law protecting Digital Privacy?

Individual privacy rights are important facets of almost every country’s legal system. While no two privacy laws or regulations are the same, they all serve the same purpose: to allow individuals to act and speak without fear that things done and said in private will be exploited or exposed.

There are many different types of Internet privacy laws, ranging from protections for employee e-mail communications and restrictions on re-broadcasting social networking data to browser tracking activities and online data breaches.

Familiarization with privacy laws is a good idea whether you’re an individual consumer looking to go shopping online, a business collecting personal customer information, or someone who otherwise has anything else to do with the Internet.

In this blog, let’s journey together to know about a few of the Digital Privacy Protection laws available across the world.

GDPR (General Data Protection Regulation)

The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The GDPR also regulates the exportation of personal data outside the EU. The European Data Protection Regulation is applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe.

The GDPR is an attempt to give people a say in how their data is used and mandates strict guidelines on how companies collect, store, and leverage it.

Important Highlights of GDPR

Under the GDPR, individuals have:

1) The right to access — Individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in electronic format if requested.

2) The right to data portability — Individuals have a right to transfer their data from one service provider to another, and it must happen in a commonly used and machine-readable format.

3) The right to be informed — This covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied.

4) The right to have the information corrected — This ensures that individuals can have their data updated if it is out of date, incomplete or incorrect.

5) The right to restrict processing — Individuals can request that their data is not used for processing. Their record can remain in place, but not be used.

6) The right to object — This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.

7) The right to be notified — If there has been a data breach that compromises an individual’s personal data, the individual has a right to be informed within 72 hours of first having become aware of the breach.

8) The right to be forgotten — One of the important aspects of GDPR is the “Right to Erasure”, also called the “Right to be forgotten”. The right to be forgotten derives from the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014).

Now, let's see what GDPR means for businesses.

Do I need to be GDPR compliant?

A business of any size that handles the data of EU residents, or that operates out of the EU, has to be GDPR compliant.

From a company’s perspective, below are the key points to remember for becoming GDPR compliant.

1) Build products/applications which adhere to the 8 key principles of GDPR. For already established products, first map all your company data and remove data that is rightfully the personal data of your customers/consumers.

2) Develop and implement safeguards throughout your infrastructure to help contain any data breaches. This means putting security measures in place to guard against data breaches, and taking quick action to notify individuals and authorities in the event a breach does occur.

Worryingly, law firm EMW found that data breach complaints have increased by 160% since the GDPR came into effect.

Are there any effects of not being GDPR compliant?

Fines of between 20 million euros ($25 million) and four percent of a company’s annual worldwide turnover, whichever is higher, are possible, though lesser fines of $10 million or two percent of annual turnover could be applied.

The California Consumer Privacy Act (CCPA)

This act gives consumers the right to request that a business disclose the categories and specific pieces of personal information that the business has collected about them, as well as the source of that information and the business purpose for collecting it. It provides that consumers may request that a business delete personal information that the business collected from them. It also provides that consumers have the right to opt out of a business’s sale of their personal information, and a business may not discriminate against consumers who opt out. The act applies to California residents and is effective Jan. 1, 2020.

Important Highlights of CCPA

There are 5 general CCPA highlights that the state of California refers to as “rights” of their consumers. These include:

  1. Right to know what personal information is collected about them
  2. To know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale
  3. To access their personal information that has been collected
  4. To have a business delete their personal information
  5. To not be discriminated against for exercising their rights under the Act

Do I need to be CCPA Compliant?

From a business perspective, CCPA applies if you’re a for-profit business that collects and controls California residents’ personal information or does business in the State of California, and you meet at least one of the following thresholds:

● Annual gross revenues larger than $25 million

● Receive or disclose the personal information of 50,000 or more California residents, households, or devices each year

● Make 50 percent or greater annual revenue from selling California residents’ personal information

Non-profits, smaller companies that don’t meet the revenue thresholds, and/or those that don’t traffic in large amounts of personal information from California residents, and don’t share a brand with an affiliate that’s covered by the CCPA won’t have to comply. More details are found here.

Effects of not being CCPA Compliant?

Consumers are able to seek $100-$750 per incident in actual or statutory damages.

Fines for violations include:

  1. $2,500 for unintentional and $7,500 for intentional violations of the Act.
  2. US$100-$750 per incident, per consumer, or actual damages if higher, for damage caused by a data breach.

As currently written, the law states that a business shall only be in violation of the CCPA if it fails to cure any alleged violation of the CCPA within 30 days after being notified of the alleged noncompliance.

Now, a small comparison between GDPR and CCPA is given below.

Digital Privacy Act and PIPEDA, Canada

The Canadian government approved changes made to the Personal Information Protection and Electronic Documents Act, and it was officially passed into law on June 18, 2015, and came into effect in November 2018. Known by many names, most notably called Bill S-4 or the Digital Privacy Act, this amendment to PIPEDA impacts every sector from law to health care.

Key Highlights of PIPEDA

PIPEDA aims to give individuals the right to the following:

1. The knowledge behind why an organization is collecting, using and disclosing their personal information.

2. The expectation that an organization will collect their information for an appropriate reason, and won’t use it for anything other than the specified purpose.

3. Contact details for the person in the organization who is in charge of protecting their personal information, as well as whom they can complain to if they have any queries or issues.

4. The expectation that an organization will use appropriate security measures to protect their information.

5. Access to any of the personal information a user has shared with the organization, as well as the assurance that this information will be accurate and up to date.

Do I need to be PIPEDA compliant?

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of commercial activity. All businesses that operate in Canada and handle personal information that crosses provincial or national borders are subject to PIPEDA, regardless of the province or territory in which they are based (including provinces with substantially similar legislation).

The law defines a commercial activity as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.

And as an organization, you are required to do the following:

  1. Get explicit consent from each user before you collect and use any of their personal information.
  2. Provide a user with your product or service even if they don’t give you consent to collect their information.
  3. Ensure any collection of information is done in a fair and lawful manner.
  4. Have company policies that relate to personal information, and ensure these policies are clear, easy to understand and available to anyone.

What happens if I am not compliant?

If an organization is found to be knowingly in breach of PIPEDA requirements, they can be fined up to $100,000 for each violation.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act is a United States Federal law. It was amended in 2012, with changes officially implemented in 2013. It requires websites that collect information on children under the age of 13 to comply with the Federal Trade Commission (FTC). The FTC determines whether a website is geared towards children by reviewing its language, content, advertising, graphics and features, and intended audience.

Highlights of COPPA

Key regulations of COPPA include the following:

1. Posting a clear and conspicuous link to your Privacy Policy on your website or within your app.

2. A notice to parents that requests their consent before you collect any information from the child.

3. Parents must be given the choice to consent or deny sharing of their child’s information with any third parties.

4. If any changes occur within the data collection practices of the company, a notice must be sent to all parents, with the aim to receive new consent.

5. A parent must be able to request access to the kinds of personal information collected from children, as well as be able to revoke their consent and request the deletion of all personal information that has been previously collected.

Do I need to be COPPA compliant?

If your company, product and/or service is marketed towards children who are under 13 years old and located in the US, you will need to know how to abide by COPPA guidelines as well as what’s at stake if you fail to meet them.

While COPPA applies only to US children under 13 years old, if you’re based in the US then it’s expected that you provide the same levels of protection and security to under-13s all around the world.

The main purpose of COPPA is to gain parental consent before the collection, usage, disclosure, tracking and/or sharing of a minor’s private information.

It also applies to any third party services and plugins your website might be using.

What happens if I am not COPPA compliant?

Violating COPPA used to carry a maximum civil penalty of $16,000 USD, however, this changed on the 30th of June 2016, when the FTC increased that maximum amount to $40,000 USD.

Disney was sued in 2017 for allegedly violating COPPA laws by collecting personal information from underage users of a number of Disney apps and sharing that data with advertisers, all without consent from the parents. It’s extremely important to ensure all your company websites and/or mobile apps are up to date with the regulations.

Other Privacy Laws across the Globe

State Level Internet Privacy Laws in the United States

Apart from the above-mentioned laws, there are multiple state-level privacy laws in the United States across categories such as Consumer Data Privacy, Children’s Online Privacy, e-Reader Privacy, Privacy Policies and Practices for Websites or Online Services, Privacy of Personal Information Held by Internet Service Providers (ISPs), False and Misleading Statements in Privacy Policies, and Notice of Monitoring of Employee E-mail Communications and Internet Access. Read more at http://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx#Nevada.

Conclusion:-

The advent of the Internet has brought new challenges to privacy protections. Now, many countries spanning across continents have enacted privacy laws that seek to protect the information of internet users. Privacy regulations are great, but in order to enjoy them, we have to be proactive. Starting to discuss our rights rather than ignore them is a key step. It is also important to try out alternative privacy-enhancing platforms such as Blockstack and the applications built on top of the platform.

Let’s spread awareness and improve digital privacy.


Disclaimer:- This blog is for information only; it is not intended to be legal advice and should not be considered as legal advice.
