Businesses need consumer information to advertise their services, communicate with prospects, deliver their products, and get proper feedback. But how do they collect it? Through websites.
Several websites collect user information that is either submitted manually by the user or automatically through cookies. And while people usually don’t have a problem with submitting information, they are understandably concerned as to what happens to it after.
How is their personal information stored? Who has access to it? Are there any safeguards put in place to protect their privacy? These are all valid questions, but sadly with mostly vague answers.
Since several states such as California have taken various measures to protect the privacy of their citizens, it’s crucial to stay up-to-date with data privacy laws to avoid fines, lawsuits, or even the prohibition of a site’s use.
Let’s take a quick look at ways that can help you avoid getting sued.
Table of contents
- California Consumer Privacy Act (CCPA)
- Massachusetts Data Privacy Law
- New York SHIELD Act
- Data Subjects’ Rights
- Data Breach Notification
What is data privacy law?
Data privacy is a set of practices that ensure that the data shared by customers is only used for its intended purpose. It’s also known as information privacy.
In today’s world, privacy is rightfully getting more scrutiny from governments and major corporations alike with the ever-growing mountains of big data. We still have a long way to go, since there is no overarching federal law regulating data privacy practices, mainly because the concept itself is fragmented.
The U.S. Constitution does provide protection, but it’s limited to specific kinds of government intrusions. For instance, the Fourth Amendment protects people against unreasonable government searches. However, there are no constitutional provisions that give citizens a general right of privacy against the government, and definitely none against private actors, namely private employers.
Furthermore, most American consumers seem to be fully aware of the data privacy risks that exist, and yet aren’t willing to sacrifice convenience for greater privacy protections. For example, in a survey of 2,000 American adults, 79% said that they were concerned over large FinTech firms exploiting their data. Despite this, 60% of them also stated that they were not willing to give up working with said FinTech firms due to the convenience that those firms offer. It just goes to show that while many people may value their privacy, they value expediency in their daily lives more.
Of course, this isn’t the same for everyone, as many people have now realized the importance of stopping unauthorized access to their private information even if it means making things a little bit less convenient in their everyday lives. But there’s no denying that most people will click and accept privacy policies from major companies without reading those policies, and you may be surprised by what these kinds of policies allow companies to do with regard to the information they can collect.
US data privacy laws
As mentioned before, you won’t find any comprehensive regulatory law in place for information handling. Instead, you’ll find various sector-specific and medium-specific laws patched together that apply to different niches.
Meanwhile, when the European Union passed data protection regulations back in 2018, even the US government was encouraged to take critical measures to safeguard the interests of its citizens. These regulations have deeper implications once they are passed, as they start affecting every single business that retains customer data.
Let’s look at the common state data privacy laws. While some of them apply exclusively to governmental entities, some are applicable for private entities, and others for both.
California Consumer Privacy Act (CCPA)
CCPA is probably the most comprehensive state data privacy legislation to date and was signed into law just a month after the GDPR.
It’s cross-sectoral legislation that tries to introduce important definitions and broad individual consumer rights. At the same time, the legislation also imposes substantial duties on entities and individuals that collect personal information about or from a resident of California.
Massachusetts Data Privacy Law
The Massachusetts Data Privacy Law has plenty of similarities with the CCPA, among them consumer access to personal information, the right to delete, and a broad definition of personal information.
But there are a few deviations too. Under this law, consumers have the right to sue for any violation of the proposed Massachusetts law. According to it, consumers “need not suffer a loss of money or property as a result of the violation” to bring an action.
New York SHIELD Act
New York passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in July 2019.
The act was passed in a bid to update the existing data breach notification law in the city and strengthen data security requirements for companies that collect information on New York residents. It broadens the scope of consumer privacy while simultaneously improving protection levels for New Yorkers, especially against data breaches where their personal information is concerned.
As of March this year, the law is fully enforceable.
EU Data Privacy Laws – The GDPR
The General Data Protection Regulation (GDPR) is the most significant data protection legislation implemented to date. With a broad scope, this privacy law governs the collection, use, transmission, and security of the collected data from the residents of any of the 28 member countries of the European Union (EU).
In short, all EU residents must adhere to the GDPR regardless of their location if they deal with personal data in any form. Organizations should definitely take care to comply with the provisions of the GDPR. Otherwise, they could face fines of up to €20 million or 4% of their total global turnover. The most crucial requirements of the GDPR include consent, data breach notification, and data subjects’ rights.
In the United States, some forms of information are not explicitly considered as “personal information,” but the GDPR still considers them as “personal data.” The IP address of a user’s computer is a common example.
Data Subjects’ Rights
The GDPR has given certain rights to data subjects with regard to their personal information. Each one of them must be clearly communicated to data subjects by the organization’s website.
- The right to be informed
- The right to access the data
- The right of rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
Basically, data subjects have to be informed if their personal data is being collected, and they can also request a copy of their personal data via a data subject request. Moreover, they have the right to rectify it, to demand its total erasure within 30 days of the request, and to restrict or suppress its processing.
Data subjects can also have their data transferred from one electronic system to another, and they have the right to object when the information held is being leveraged for marketing, sales, or non-service-related purposes.
However, the right to object does have certain exceptions. It cannot be enforced in the following cases:
- When legal or official authority is being carried out
- When a task is carried out in public interest
- When the organization requires the data to provide a service the subjects have requested themselves
Data Breach Notification
One of the biggest provisions of the GDPR is that companies have a very short amount of time to alert individuals and the authorities that data has been stolen or compromised.
In the event of a data breach, organizations specifically have 72 hours to notify supervisory authorities and other subjects about it. As soon as the breach is identified, entities will need to evaluate and seal it, and then notify any customers or clients who provided sensitive information that was affected. This notification should include suggestions and recommendations on how the customer can protect themselves from future data theft.
Additionally, if the entity succeeds in sealing the breach, they will also need to notify the affected customers that the breach has been stopped.
Understanding the need for privacy policies in data privacy laws
- What information is being collected?
- How is the collected information going to be used?
- Will it be shared by the website?
- What are the security measures taken by the website to prevent data breaches?
Additionally, it’s crucial for all data subjects to have the opportunity to consent to the collection of their personal information under both the American and European data protection laws.
Companies must be compliant with data privacy laws
If there is one thing that looming security threats have taught us, it’s the importance of the right to privacy, and how breaches can have drastic consequences: financial, social, and psychological.
Customers should be the top priority for businesses, and today, data privacy is part of the deal.
If you intend to do business in places like California, New York, or the European Union, you have to familiarize yourself with the requirements of the respective acts that govern them. You’ll have to think about where your potential users reside and the regulations that apply, even if your company is a part of a jurisdiction that hasn’t implemented comprehensive data privacy legislation.
In the long run, it’ll actually be simpler and less expensive for your organization to adhere to these standards and formulate a uniform set of rules for all your customers instead of differentiating them on the basis of location.
The conclusion – Data protection and privacy laws
Businesses will always need customer information for their growth and development. After all, you can use these insights to create better advertising strategies to generate leads, raise brand awareness, and drive sales. Most of the time buyers don’t mind sharing information, provided data gathering is done ethically.
Data protection isn’t going anywhere, which means data privacy laws aren’t, either, and will eventually start affecting user decisions about where they do their online browsing and shopping. Interestingly, a company that values its users’ privacy and responsibly handles personal data will gain more leverage over its competitors. In other words, responsible behavior will become an asset that will have a positive impact on businesses.