Internet privacy, as is the case in most of the world, is of growing concern in the U.S. However, while the citizens are interested in increasing their online privacy, the government has allowed internet privacy to suffer. Internet privacy is a subset of personal privacy, so the need to expand it is dire.
Technology companies, internet service providers and lobbyists have found success in persuading U.S. lawmakers to get rid of internet privacy rules and regulations. These privacy policies provided internet users with some anonymity and data security. However, many of the improvements that were made in the realm of online privacy have been reversed in recent years.
Previously, the Federal Communications Commission or FCC rules essentially forced internet service providers in the country to obtain explicit consent from the consumer before they could gather the consumer’s data. Only after receiving this consent could they then sell the private information to third parties.
The information that was protected under the FCC rules included the user’s browsing history, which apps they had installed, which apps they used and business locations that the user had entered. This information is very valuable which is why technology companies and trade groups want all restrictions removed regarding how they collect and sell it.
Republican Senator Marsha Blackburn and former Republican Senator Jeff Flake sponsored legislation that aimed to get rid of internet privacy laws after being persuaded by lobbyists.
According to The Washington Post, both of these senators received large campaign donations from eight technology companies and internet service providers, with Blackburn receiving $20,500 and Flake receiving $22,700. After a tight party-line vote, Congress managed to abolish many internet privacy protections.
A year later in 2018, California passed the California Consumer Privacy Act which gave consumers the right to ask companies what personal information they collected, the right to ask the companies to delete their personal information and the right to ask them not to sell their information. Additionally, the law required the companies to inform users when they are collecting information, what information they’re collecting and what they’re planning to do with it.
The law also gave companies the right to incentivize their users to allow them to collect their data. They’re allowed to offer deals or promotions if users change their privacy settings to allow their data to be collected and sold. Additionally, the companies have the right to refuse service to the customer if they do not allow their data to be collected and if the data is required for the service.
What Is the Current State of Internet Privacy Laws in the U.S.?
While net neutrality laws were removed under former FCC chairman Ajit Pai and legislation was pushed to abolish privacy protection laws, that doesn’t mean that there are no online privacy laws in the U.S. That being said, the U.S. doesn’t have a central federal online privacy law, unlike the E.U. which adopted GDPR in 2016.
The U.S. has several federal privacy laws that focus on different aspects of online anonymity, privacy and security. Apart from that, many lawmakers are now pushing new consumer-oriented data privacy laws that may pass in the near future. The four most prominent U.S. data privacy laws are:
- Privacy Act of 1974
- Health Insurance Portability And Accountability Act (HIPAA)
- Gramm Leach Bliley Act
- Children’s Online Privacy Protection Act (COPPA)
Let’s take a closer look at each of these laws to see how they individually affect internet users.
Privacy Act of 1974
Governments and academics have always been concerned about large databases that contain millions of records on people because they can easily be abused by any entity that can access these databases. As a result, Congress passed the Privacy Act of 1974. The act restricts access to the information that government agencies have about the citizenry and introduced many other privacy-positive rights.
The act gives U.S. citizens the right to demand access to any type of data that government departments may have on them. Moreover, the act also allows them to copy their data. People living in the U.S. can request corrections to be made to their records if there are any errors.
Any record that’s held by government agencies must only be accessed by relevant employees in the concerned job role. In other words, all user data is available only on a need-to-know basis. If certain conditions aren’t met then there are restrictions on the data that federal and non-federal agencies can share with each other.
HIPAA
The legislature passed HIPAA in 1996. Its main objective was to bring in new regulations for health insurance data. As you can probably imagine, this legislation had to deal with hundreds of moving parts and involved the complex language associated with the insurance industry. However, for the most part, it did manage to provide privacy and security for user data.
HIPAA mostly exists to protect health information from third parties. The HIPAA Privacy Rule allows family members and spouses to review a patient’s health records. However, they can only do so if the patient has completed the appropriate paperwork to allow their health service provider to release their health records.
Note:
It’s not important for you to read the Privacy Rule document in its entirety to see who can view your Protected Health Information or PHI as the document is too dense. What’s important to understand is that a healthcare service provider doesn’t need to see a patient’s permission to use their data for health care operations, payments or treatments. However, they do need the patient’s permission to use their information for marketing or sales purposes.HIPAA also has a minimum data requirement component which applies data privacy principles to how an entity shares PHI as well. The act says that any covering entity, which includes healthcare providers, health plans and clearinghouses, that wishes to share a patient’s information for any purpose not mentioned in the document should limit access to it. It also makes recommendations for how health organizations should bring in SOPs for evaluating the data they collect and practices surrounding data collection. Additionally, it set strong safeguards for protecting PHI to limit inappropriate and unnecessary access to it.
COPPA
The Children’s Online Privacy Act or COPPA was the first act that tried to regulate information various entities on the internet gleaned from minors to protect their privacy. COPPA, which became law in early 2000, prohibited all internet companies from collecting personally identifiable information or PII on anyone under 13 years old. The only way to collect information on these younger internet users was to seek verified parental consent.
Many would argue that COPPA was far from perfect and that it still has its flaws. However, with the help of several updates, the regulatory rules that it employs have become broader and more effective. The expansion of those rules means that government agencies can control more personal information from being exploited.
After its latest iteration, COPPA can now provide security and privacy to children’s data that various third parties have access to. More specifically, the website whose service generates the information must ensure that it releases personal information belonging to children only to companies with the means to keep that information confidential and secure.
GLBA
The Gramm-Leach-Bliley Act or GLBA became law as a result of some hard legislative work in the 1990s. It covers vast territories belonging to industries such as banking and finance. As with the previously mentioned laws, GLBA provides data privacy and security as well. It puts strict requirements on companies working in the aforementioned industries with regards to collecting, sharing and selling data.
Generally, it improves mechanisms that already provide protection to the personal information of clients. Financial data laws covering consumers have always been robust but GLBA improves them with the help of the Fair Credit Reporting Act or FCRA.
GLBA provides protection to Nonpublic Personal Information or NPI. The GLBA defines NPI as any type of information that a financial or banking institution collects about an individual when that individual uses any financial service or product. The only time it makes an exception is when the information is already publicly available. This publicly available information includes mortgage records and property records.
GLBA is partially responsible for requiring banks to send privacy messages to their customers that attempt to explain all the categories of NPI that they collect and share. Banks also allow their customers to opt-out of such information-sharing programs.
Note:
Keep in mind that customers are automatically enrolled in the programs that allow their banks to share their information with non-affiliated third parties and must manually opt-out if they want to maintain their privacy.When it comes to affiliated third-party companies that have agreements with various insurance companies and banks, they’re considered a member of the corporate family. As a result, GLBA is unable to provide any internet privacy to consumers. More specifically, there are very few restrictions on sharing their NPI.
This is a significant loophole in GLBA that allows financial institutions to share private information. While GLBA is certainly better than nothing, it’s a far cry from a robust internet privacy law.
California Consumer Privacy Act
The California Consumer Privacy Act or CCPA became law in 2018 with the goal of enhancing existing privacy laws that dealt with online activities. As far as the U.S. is concerned, the CCPA represents the most comprehensive information privacy legislation targeting online activities. There’s no such law in effect at the federal level.
The CCPA gives consumers the right to access specific sections and whole categories of their personal information that a covered business may have stored via a Data Subject Access Request or DSAR. It also forbids companies from selling their customers’ personal information if they don’t first provide a web notice in the form of a link. The CCPA also requires companies to give end-users full opportunity to opt-out of such programs.
There are some clear similarities between the CCPA and GDPR. Similar to GDPR, the CCPA allows consumers to exercise their right to delete privilege. There are a few exemptions that we won’t discuss here but generally, consumers can request for their personal information to be deleted.
Many credit the CCPA for broadening how personal information is defined. According to the CCPA, any type of information that identifies, relates to, could reasonably be linked with, describes, is capable of being associated with, indirectly or directly, with any household or a specific consumer is considered personal information. The only other piece of legislation that covers the term “personal information” this broadly is GDPR.
Additionally, the CCPA has a massive list of unique identifiers to further define personal information. The list includes items such as employee information, browsing history, email, geolocation, biometric information, IP address and much more.
If that wasn’t enough, the CCPA is also responsible for introducing what it refers to as probabilistic identifiers. This is a new term and there’s no doubt that attorneys all over the country will be debating what the term actually means.
In simple terms, it appears as though the term will come into play whenever there’s some information involved that increases the chance of identifying someone to 50% or higher. In such a case, the information would be considered a deterministic identifier. An example would be an entity linking geolocation information with a person’s Netflix viewing list. In such cases, the CCPA may consider the information generated as personal information. Following the CCPA, a few states in the U.S. have also started to use terms such as probabilistic identifiers in their own laws.
It’s clear that the CCPA is almost exclusively interested in bringing in broad new privacy protections for end-users to improve internet privacy in the U.S. However, the CCPA has some other focus points as well. The CCPA also recommends that companies implement and maintain sufficient information security measures.
As of right now, the procedures there’s no specific information about what procedures should be implemented. Of course, there’s a strong possibility that the government of California wants something along the lines of the NIST CIS Framework or Center of Internet Security Controls as baseline protections.
All of this doesn’t mean that the CCPA is something of an equal to GDPR. There’s nothing like GDPR implemented in the U.S. at the federal level. The CCPA only protects internet users living in California. Some other states have started to take lessons from California and have drafted regulations for enhancing user control over their personal information. The CCPA serves as a framework that other states are trying to build upon even though each state has a different view on how to properly protect and expand internet privacy in the U.S.
New York Privacy Act
The New York Privacy Act, S5642, would be on par with the CCPA. In fact, in some instances, it might even provide more internet privacy to users in the state. So much so that Facebook recently said that it would have to stop offering its products to people living in New York if the proposed law gets passed. The proposal gives consumers the right to access their personal information and, just like the CCPA and GDPR, delete any portion of their personal information.
The act defines personal information as any information related to an identifiable or identified individual. It contains a long list of identifiers, similar to the CCPA. Some of them are network information, email addresses, IP address and biometric data. There are lots of other identifiers as well that could be used to identify individual internet users.
One thing that the New York Privacy Act has in common with Massachusetts internet privacy laws is a clause that allows consumers the private right to sue companies that violate any part of the proposed law. The New York Privacy Act, if passed, would apply to any and all businesses. It wouldn’t differentiate between businesses based on the revenue they generate or the number of people they employ. This makes it markedly different from the CCPA and internet privacy laws in other U.S. states. The New York Privacy Act, if passed, would be stricter than any other internet privacy law in the U.S.
This is important:
It should be mentioned though that in its current state S5642 doesn’t require businesses of any size to make available any customer information they might have shared with third-party companies except for a small number of broad categories. The bill does allow consumers to request a copy of any personal information companies might have shared with other companies no matter how specific it is.Another aspect of the bill that sets it apart from other similar internet privacy laws is the introduction of data fiduciary duties. In simple terms, the New York Privacy Act would require all businesses operating within the state of New York to bear legal responsibility for all the information they store on their customers.
Needless to say, this internet privacy bill covers a lot of ground which could end up costing technology companies a lot of money. The bill wants companies operating in the state to carefully store and maintain confidentiality with regard to user information. The bill applies the same expectations that are held for fiduciary entities to other companies. The bill also demands that companies act in the best interest of their consumers, putting consumers’ interests above their own.
This all points to one simple concept: consumers own all of their personal information. Just like GDPR, the New York Privacy Act would give consumers the right to correct or delete any personal information. This same right is not given by the CCPA.
Massachusetts Data Privacy Law
The CCPA and the Massachusetts data privacy act, known formally as An Act Relative to Consumer Data Privacy, have a lot in common in terms of the language used for protecting internet privacy in the U.S. Both provide consumers enhanced access to their personal information on the internet and offer users the right to delete their personal information. Also, both necessitate explicit notification on part of online companies when they use consumer data which further enhances internet privacy. The CCPA and the Massachusetts data privacy act both allow end-users to opt out of third-party programs involved in selling their data. Finally, both expand on existing definitions of personal information and include new terminologies such as probabilistic identifiers.
That’s where the similarities take a backseat to the differences between the two. The Massachusetts act, unlike the CCPA, gives consumers the right to sue companies that violate data protection law in the state. Moreover, consumers don’t need to suffer damages, such as property loss or monetary damage, to file an action against the company violating the data protection law.
As a result, some attorneys have argued that the Massachusetts internet privacy act is broad enough to open internet companies up to many class-action lawsuits. Plaintiffs can potentially demand $750 per user as compensation for data breaches. Given the number of people who are usually affected by data breaches, such a penalty can bankrupt internet companies on the spot. For example, a data breach in 2017 affected nearly 3 million people living in Massachusetts. If the Massachusetts data protection act had passed before that data breach, the company responsible could have been liable for over $2 billion worth of payouts.
Is It Worthwhile To Protect Personal Data?
While individual states, privacy advocates and technology companies are trying to do their part to protect internet privacy in the U.S., there’s a section of the crowd who believes that protecting privacy is a losing game.
The problem with protecting privacy is that technology companies and the services they offer keep generating more and more information. Information that’s increasingly being used to create detailed profiles of millions of internet users in the U.S.
Not only are companies, government agencies and every app that you’ve ever used collecting more information, but they’re also doing so at an increasing speed and depth. This information is being collected across all the devices we use every day. In other words, it’s nearly impossible to keep internet privacy intact on so many devices, across so many platforms and services.
The legal system isn’t prepared for it and we know for a fact that people can’t keep up with the system. To turn the tide, someone needs to change the rules under which the digital economy is currently operating. Otherwise, society and the economy of the country will lose out in the long run.
Another recent and destructive example is that of Cambridge Analytica and how it showcased the way that Facebook and other platforms handle data breaches. It also revealed how these platforms are often involved in misusing consumer data themselves.
Moving further back in history, we have Edward Snowden’s leak of information regarding the U.S. government collecting information about their citizens. Such privacy breaches raised significant awareness among the general public about how the government and internet companies can use and abuse data.
After the Equifax data breach, which affected over 40% of all Americans, calls for dramatic changes in the way technology companies disclose their data collection practices received global attention. That opened up possibilities for privacy advocates who could work with the government to form new federal legislation to comprehensively protect internet privacy.
However, that still didn’t account for the fact that internet companies change too quickly for internet privacy law to keep up. Just this past year we had a string of massive data breaches including the Zoom credentials breach, Marriott breach, CAM4 breach, EasyJet breach, the Twitter hack that targeted high-profile figures such as Bill Gates and Elon Musk, and the Nintendo breach. These cases may not have received the same amount of media attention as the trio of the Snowden revelations, Cambridge Analytica and Equifax, but all caused massive havoc nonetheless.
Of course, there’s a limitless list of other reasons why strict actions need to be taken to protect internet privacy in the U.S. If we look at IBM alone, we see that their supercomputers are generating 2.5 quintillion bytes of information every single day.
Combine that with the fact that computing power usually doubles every 20 months or so and it becomes easier to understand how privacy issues will be compounded by an infinite stream of information that technology companies would do anything to collect and transmit.
More internet privacy issues are apparent when one considers that it’s not just computing power that’s increasing the rate of information generation. Data centers are popping up all over the world to store large amounts of information. This makes it easy for technology companies to store more information as storage services become cheaper and easier to access.
It’s also becoming easier to collect information from various kinds of devices. In addition to that, internet bandwidth per person is also steadily increasing which will allow for increased information flow and faster information transfer rates.
Technology companies are developing and implementing ever more powerful applications to extract information from any kind of activity happening on the internet from as many users as possible. That being said, we still haven’t reached the problem of network effects where new information is generated by the mere fact that one user is connected to a million other users in a network. Digital information will not only continue its explosive growth but will also continue growing faster than ever before.
This information explosion is bound to give rise to more privacy and data security issues. More problems will start to pop up at a faster rate. This will push the limits of how quickly security companies can provide solutions to new privacy problems.
The number of devices that connect to the internet has reached tens of billions and will continue to grow in the coming years. Such a huge number of devices will have its own impact on the rate of information generation and the quantity of information moving through the internet at any given time. The way that privacy legislation currently works simply isn’t fast enough to match this pace.
Note:
One major problem with internet privacy legislation in the U.S. is that it covers a very small portion of the privacy issues that exist and will exist in the very near future. It doesn’t take into account the information explosion that we’ve just discussed.A good example is the Equifax breach which resulted in new legislation that targeted data brokers. Similarly, both Twitter and Facebook’s recent criticisms have mainly focused on how they use political ads on their platforms. Then there’s the problem of bots and how they invade privacy in a plethora of manners.
Online tracking plays a major role in the discussion surrounding internet privacy in the U.S. Let’s not forget legislation targeting ed-tech products, social media accounts that are accessed by employers and protections against license-plate readers and drones. Technology companies like Facebook have responded to new legislation by changing their privacy policies and by giving end-users control over their privacy. The CCPA is an example of how legislation can make an impact but only works under current privacy policy and for current internet privacy issues.
The system for proposing and passing laws simply can’t keep up with the digital age. The information age is undermining key premises of such legislation in areas that are hard to identify quickly enough to make a meaningful impact on online privacy.
Conclusion
Current legislation, by design, only deals with information storage and collection on part of government agencies, online businesses, organizations and services. However, the online world is bustling with constant sharing and constant connection. More comprehensive legislation is needed but may not come fast enough.
Unless privacy advocates and lawmakers start to think a lot bigger, any legislation brought in to protect internet privacy will be quickly rendered obsolete by the digital age. The information universe will do nothing but expand at a faster rate than before. If privacy legislation is only passed to address a specific situation, like a breach, then most of the online activities and the resulting problems will fall outside of it.
Surveillance programs pose more threats to online users who use insecure methods to access important information like their banking accounts and records. Such risks in addition to older technologies such as Flash and insecure modern ones like cloud computing and buggy software have the potential to cause massive privacy problems.
Agencies like the Federal Trade Commission and the Federal Communications Commission need to work with Congress to implement new privacy laws to protect internet users. They must act quickly and must take into account future changes that could potentially make current law obsolete. Staying ahead of the curve with regard to internet privacy is a daunting task, but it is possible if preemptive measures are taken instead of trying to fix problems after they’ve already resulted in massive information breaches.