We create 2.5 quintillion bytes of data every day, and that number (which, yes, you read correctly!) is only increasing. Contained in that mind-boggling statistic is an equally staggering amount of information we share with others about everything in our lives. The more that we rely on the internet for so many daily activities, the more information others, often with whom we do not even interact, get to know about us.
Businesses monetize this data in a largely unregulated environment, and with the amount that they know about us doubling every two years, the exchange of information has become incredibly lucrative – and it becomes increasingly harder to anonymize (remove personal information from) data.
Download the Business Response Plan here.
Current Privacy Expectations
These trends, as well as widely reported data breaches, have led to an increased awareness among consumers and privacy advocates as to how data containing personal information is used – and who has what rights to such data. These concerns fall largely into two overlapping categories being addressed by legislatures and regulators: Consumer Privacy and Cybersecurity.
Laws and regulations relating to consumer privacy, such as the European Union’s General Data Protection Regulation (“GDPR”) and California’s enacted Consumer Privacy Act (“CCPA”) are broad in scope and application, and regulate what rights consumers have with their information. Those relating to cybersecurity such as Michigan’s Insurance Data Security Model Law and the New York Department of Financial Services’ “Cybersecurity Requirements for Financial Services Companies” tend to be more industry-specific and prescribe measures industries must take to safeguard information in their possession. The nucleus is that state and federal legislators and regulators, like consumers, are paying more attention than ever to information businesses possess about consumers.
Most businesses are now required to answer the following questions for their users:
- What personal information is collected about me?
- Is my personal information sold? If so, to whom?
- Can I say “no” to the sale of my personal information? If so, how?
- How do I access my personal information? Can I download it? If so, how? Can I remove it? If so, how?
- If I say “no” to the sale of my personal information, do I have a different experience on the site than if I consent to the sale of my personal information? If so, what’s different?
Virtually every website may be accessed from at least one jurisdiction whose laws require those questions to be answered. Therefore, we highly recommend that you analyze your data collection practice, what you do with that data, and how you will answer these questions when your users ask them. Failure to address these questions can have significant consequences, including scrutiny from the Federal Trade Commission, which considers publishing misleading or false privacy and security policies to be an unfair and deceptive trade practice, as well as steep penalties from other regulators.
Future Predictions for Privacy Expectations
As we craft privacy and other data policies for the 2020s, the questions above will likely expand to include:
- What information do you collect using cookies or tracking pixels?
- Do you aggregate that information? If so, how?
- Do you synthesize that information with information from outside of your organization? If so, how?
- Do you trade or sell any information gathered using cookies or tracking pixels? If so, do you anonymize it?
- If you anonymize it, what information is removed and what information remains?
- How do you secure your users’ information?
- What will you do in the event of a cyber-intrusion?
As additional laws and regulations governing consumer privacy and cybersecurity take effect, and the public is increasingly attentive as to how their information is used, we recommend that you evaluate your data collection and user practices to make sure that your customers – and government regulators – are able to quickly and easily obtain the answers to each of these questions.
As the regulatory environment around data collection and cyber-security continues to evolve, sign up here to stay informed about changes that will affect how you do business online.