In the United States, 45% of respondents to a user data survey from the security vendor RSA openly admitted that they had been victims of a data breach. With the increasing frequency of data breaches, consumers are more aware of their data: where it lives and who accesses it. At the same time, businesses are looking for new ways to collect, analyze and leverage user data for business purposes.

Under 15 U.S.C. § 41 et seq., the Federal Trade Commission Act broadly authorizes the U.S. Federal Trade Commission (FTC) to bring enforcement actions protecting consumers against unfair or deceptive practices. Failure to comply with data protection law may lead to fines, lawsuits or other legal liabilities. Following Washington and Nevada, Virginia passed its Consumer Data Protection Act on March 2, 2021.

Data Protection Law

In 2020 alone, data breaches resulting from inadequate data protection measures exposed the sensitive data of over 150 million U.S. residents. In addition, reports of Amazon’s Alexa listening to conversations and of Google accessing the healthcare information of millions without their knowledge have alarmed the public.

In the absence of a comprehensive blanket solution like the GDPR, states are now taking these issues into their own hands, and the emerging framework of federal data privacy law is shaping the nation’s future privacy landscape. While there is no single comprehensive regulation governing data privacy in the United States, there is a complex patchwork of data security and privacy laws that address financial, healthcare and telecommunications information.

How does the FTC adjust to the shifting regulatory landscape? 

The Federal Trade Commission (FTC) is an independent agency of the U.S. government whose primary mission is to enforce civil U.S. antitrust law and promote consumer protection. While the FTC has no explicit mandate to regulate website privacy, it uses data privacy compliance and enforcement actions to protect consumers. The FTC takes action against organizations over their data privacy practices when:

  • A user or organization fails to implement reasonable data security measures.
  • A user or organization falls short of adhering to the self-regulatory principles of its industry.
  • A user or organization misrepresents its personal data or security practices to consumers in its privacy policies.
  • A user or organization falls short of providing sufficient security for personal data or of maintaining a company data privacy policy.
  • A user or organization gives away personal information in a manner not disclosed in its privacy policies.
  • A user or organization breaches consumer data protection and privacy rights by monitoring, storing or sharing information.
  • A user or organization engages in other malpractice.

Many companies previously relied on sharing raw consumer information or allowing others to query the unprocessed data files. However, the new regulations make it harder to obtain approval or consent, or to provide the required disclosures, for such sharing.

Here is a list of federal laws that govern the collection of information online:

  • The Children’s Online Privacy Protection Act (COPPA) governs the collection of information about minors.
  • The Fair Credit Reporting Act (FCRA) regulates the collection and use of credit information.
  • The Health Insurance Portability and Accountability Act (HIPAA) governs health information.
  • The Gramm-Leach-Bliley Act (GLBA) governs personal data collected by banks and financial institutions.

Here is a list of the important state privacy legislation in the U.S.

Laws that are similar to the CCPA include:

  • New York Privacy Act (S5642) 
  • Massachusetts Consumer Privacy Bills (S.120) 

Other privacy laws include: 

  • Vermont Act 171 Data Broker regulation 
  • Virginia’s Consumer Data Protection Act 

The United States also has numerous sectoral and state-level online privacy laws. In addition, U.S. state attorneys general oversee data privacy laws governing the storage of their residents’ personal data and Social Security numbers. Some of these laws apply to governmental entities, others only to private entities, and some to both.

Over the next decade, Europe’s May 2018 launch of the GDPR is expected to create a global ripple effect, encouraging more coherent data privacy regulation.

The California Consumer Privacy Act (CCPA) & The California Privacy Rights Act (CPRA)

The CCPA is the most prominent piece of U.S. legislation affecting digital privacy rights. Motivated by the GDPR, the act gives California residents unprecedented transparency into, and access to, the data accumulated about them by businesses. In addition, the law focuses on information that is released or sold to third parties, which distinguishes it from the GDPR.

In 2020, it was followed by a new, stricter act, the California Privacy Rights Act (CPRA). The CPRA revises many concepts from the CCPA and introduces harsher penalties for non-compliance: in a suit filed by consumers, $100 to $750 per resident for data privacy breaches or theft of user information that was not properly protected; in a suit by the State Attorney General, $2,500 per violation and $7,500 per intentional violation of privacy.

Massachusetts Consumer Privacy Bill (S.120)

This state is no stranger to data security and privacy breaches, with almost 2,000,000 residents having reported security infringements. The Massachusetts bill is akin to its California predecessor; they share the same scope, the same obligations on businesses and the same powers placed in the hands of the people. Furthermore, this law would prevent an array of online mishaps and better protect user privacy.

Under the Massachusetts Consumer Privacy Bill (S.120), users can take legal action against a company if it compromises the safety of their personal information.

New York Privacy Act (S5642)

The New York Privacy Act shares many similarities with the CCPA, but several features make it significantly stricter. For example, it allows private action against companies that breach the online privacy law, and it forbids sharing personal information with third parties without documented consent.

Under the New York Privacy Act, a victim can seek civil penalties of up to $15,000 per infringement. In addition, any user whose rights have been violated can recover damages or seek compensation of $1,000.

Virginia’s Consumer Data Protection Act (CDPA)

Virginia’s Consumer Data Protection Act offers Virginia residents more control over how companies use or sell their information. The CDPA is also referred to as an “opt-out law”, which means that consumers under the act must take action to object to the collection of their data. The law applies to companies that control the personal data of at least 100,000 consumers during a calendar year, or that process the personal data of at least 25,000 consumers and derive revenue from the sale of personal data.

Even large corporations are not subject to this data privacy law if they do not fall within these categories.

Vermont Act 171 Data Broker Regulation

Vermont Act 171 regulates data brokers that gather consumer data and sell it to third parties. The regulation treats data as brokered personal information (BPI) if it is digitally created and organized to be distributed to businesses.

This privacy protection act holds businesses that plan to sell Vermont-sourced information to a defined standard of security.

There is no question that these data privacy regulations are drastically changing the way data-driven businesses operate. However, the barriers are not so tall that they cannot be cleared. Instead, we recommend learning how to tap into tools that support both your business goals and consumer demand.

September 14, 2021

COPPA is the abbreviation for the Children’s Online Privacy Protection Act. The bill, the U.S. law protecting children’s online data, came into existence in 1998 and governs the way services and websites handle children’s data. The COPPA Rule, which took effect in 2000, dictates how the act is to be followed. Online services and websites directed at children under the age of 13 must obtain parental consent before collecting, using or disclosing user information. The phrase ‘directed at children’ is crucial, since it determines when parental consent must be sought.

This bill was passed in the early days of the Internet to protect kids’ privacy online. It applies to websites geared towards children, which leaves the door open for social media companies to argue about which rules apply to them, even though several of them concede that children lie about their age. The debate goes on. COPPA is decades old but is relevant again now that the bill has been updated.

Updates to the Bill

Rep. Kathy Castor (D-Fla.) introduced the bill on Thursday, amending the old law governing children’s privacy online. The renewed bill reflects growing attention to the issue from children’s advocates and lawmakers. The rules around children’s online privacy are stringent: the penalty for non-compliance is around $42,530 per violation, per child, per day. Critics in recent years have argued that the law has not been enforced to its full extent. The Federal Trade Commission (FTC) oversees COPPA compliance, and many believe the agency must be stricter with the giant technology companies that violate the law.

The new bill asks the FTC to set up a distinct division for youth privacy. Relatedly, in 2019 the FTC concluded a long investigation into Google’s video streaming site YouTube, which ended in a $170 million settlement of the allegations that it had illegally gathered children’s data.

Noteworthy Cases

A million-dollar penalty would put a local bakery out of business. But if you fine Google a million dollars with a warning not to misbehave, it can pay it over and over again without restructuring a thing.

The most newsworthy case came in September 2019, when the FTC settled with Google for $170 million over charges that YouTube had profited by gathering children’s personal data. Although it was the largest COPPA settlement to date, critics called it weak: the FTC did not go far enough in setting new rules for accountability, and let Google off with a petty fine and a set of fresh requirements that are not enough to make YouTube a healthy and secure place for kids. In the 22 years since COPPA became law, the FTC has invited comments on the rule three times: in 2005, in 2008 and most recently in 2010.

After the many comments received in 2010, the FTC revised the rule to give parents and children more control over their privacy: information cannot be gathered without consent, and, among various other changes, coverage extends to third parties acting for those covered by COPPA.

COPPA is a well-made law, but not one that many people understand well. Linnette Attai spent 12 years working on privacy at Nickelodeon before founding PlayWell, a consultancy for children’s and students’ privacy. The issue, she notes, is whether companies self-identify as a service geared towards children. This usually happens with non-traditional children’s organizations that work as service providers: startups working in the children’s space that struggle from time to time because they do not understand the intent of the law. The remedy is to put the right practices in place for proper implementation.

In 2008, Tim Tobin, an attorney at Hogan Lovells, represented Sony BMG during an FTC investigation into COPPA violations; that case produced the largest settlement to date at the time, $1 million. He agrees that determining whether your website falls under COPPA is vital, since failing to follow the privacy rules is what leads to infringement. To help, the FTC’s FAQs outline the attributes that qualify a website as child-directed. The checklist includes subject matter that features:

  • Visual content
  • Presence of child celebs
  • Music and other audio content

According to Tobin, there is a thin line to be drawn. For instance, if you work in animation, you might create unique content and be unsure whether it is child-focused or not. Sometimes it is difficult to see where the line falls; there is room for interpretation here.

A pitfall companies fall into quite often is not recognizing that their websites and services are child-directed. To avoid it, organizations should apply the ‘totality of circumstances’ test.

COPPA applies when your site looks, feels and acts as if it was created for kids under the age of 13. The updates to the bill were made to address such cases. Organizations also run into legal trouble because they do not monitor their third-party vendors, an exposure known as the ‘third-party footprint’.

Organizations are responsible for their own compliance, and privacy and security with due diligence is the main aim under COPPA. COPPA also has a standard called ‘actual knowledge’: you need to gain actual knowledge of your website, finding out whether it is directed towards children or gathering kids’ data, and who the intended audience is. When vendors lack that actual knowledge, it becomes a liability. Under COPPA, you must be diligent, put controls in place and make sure you follow the regulations.

Future of Children’s Online Privacy Protection Act (COPPA)

Looking ahead, COPPA will be amended again, though it is difficult to say when, where and how. Judging from recent public comments to the FTC, the current call is to raise the age of children covered under COPPA from 13 to 16, a change many see as urgently needed.

The EU’s sweeping privacy law treats anyone under the age of 16 as a minor, and many say that this is the best approach for the U.S. as well, as it is the gold standard of privacy law. Again, there would have to be many changes from an FTC rulemaking perspective, along with more changes at the margins. Federal legislation needs to broaden the age threshold, among many other factors.

The industry has been calling for clear rules on privacy for many years now. It seems that the EU is about to take punitive measures against the U.S. for its failure to establish such rules. Recently, the EU invalidated Privacy Shield, the mechanism for moving data from the EU to the U.S.; that is the second such agreement the EU has invalidated. With the Democrats taking control, there is an expectation of transformation, but aligning everyone with the Act will be a big undertaking.

The Children’s Online Privacy Protection Act is long overdue for improvement. It is important to protect teens from deceptive online ads and digital manipulation, especially children who spend too much time online. Some social media companies have tried to get ahead of the issue by calling for separate legislation with stricter policies and limits on online ads. YouTube Kids, Facebook’s Messenger Kids and Instagram’s products remain controversial.

Organizations are working on making these products and services safe for children. New policies for Instagram’s main photo-sharing app have been announced: new accounts of teens under the age of 16 will be set to private by default, and ad targeting will be limited for users under 18. But for some lawmakers the rules are not enough, because children remain addicted to newer technology. Regulators are also searching for a solution to online addiction among kids.

The future of COPPA will need to address the following questions:

  • How does the development of new business models harm children?
  • How will it affect children’s privacy policy in the future?
  • How does it change the way children and parents use online services?
  • How will the Act address parental consent for children?
  • How are third-party vendors going to gather information?
  • Have the modifications made before been amended?
  • What more should the Act include?

Final Words

The right knowledge will save you from the consequences: knowing the law and how to protect your data is important. Anyone gathering the personal data of children under 13 must be aware of it and make sure that data is protected.

September 3, 2021

The long-awaited New Zealand Privacy Bill, which amends the Privacy Act 1993, finally received a green light in Parliament in June this year. The amendments come into effect on 1 December 2020 and are expected to bring about some of the most significant changes to New Zealand privacy law to date.

These changes come at an exciting time, when the global data protection landscape is witnessing significant disruption. With ever-growing cyber threats and intense media attention on data breaches, cybersecurity and data protection are getting major attention from businesses across the globe.

Given how much the changes introduced by this act can transform New Zealand data privacy law, it is important to understand them in detail.

Significant Reforms Listed in the Updated NZ Data Privacy Law

International Data Flow

The New Zealand Privacy Act 2020 restricts the disclosure of personal data outside New Zealand without prior authorization from the individuals concerned. For any offshore data transfer, the disclosing party must ensure that the information is protected by safeguards comparable to New Zealand’s privacy laws.

Some ways organisations can become compliant with this update include:

  • imposing contractual data protection obligations on the recipient comparable to the protections in the Privacy Act; or
  • ensuring the recipient is subject to laws of another jurisdiction that provide comparable protection to the Privacy Act (countries can be ‘whitelisted’ in regulations, which will have a similar effect to a GDPR adequacy decision)

However, this update comes with an exception: if the personal information is transferred to an offshore data processor, it does not constitute an overseas disclosure.

Mandatory Data Breach Reporting

This is an international best practice that has now been incorporated into New Zealand data privacy law. Under the update, if a data breach causes or could cause serious harm to the individuals involved, the responsible organisation must inform the Privacy Commissioner and the affected individuals. The act also lists factors for assessing the harm done by a breach:

  1. any action taken to reduce the risk of harm following the breach;
  2. whether the personal information is sensitive in nature;
  3. the nature of the harm that may be caused to affected individuals;
  4. who obtained (or could obtain) the personal information as a result of the breach (if known); and
  5. whether the personal information is protected by a security measure.

Again, there is an exception to this amendment. The update lists a few circumstances in which companies may delay notifying individuals, or not notify them at all, in the event of a breach. One instance given by the Justice Committee following its review of an earlier draft of the amendments: if an organisation’s security systems were shown to be vulnerable as a result of a privacy breach, notification could risk wider exploitation of the vulnerability, and should be delayed to prevent the risk of more harm (though the Privacy Commissioner would still need to be notified).

The Committee made clear, however, that protecting an organisation’s reputation is not a good enough reason to delay notifying the affected parties.

Extraterritorial Scope

The Privacy Act explicitly states that it applies to any actions an overseas organisation takes while conducting business in New Zealand, irrespective of where the information was collected or where the data subject is from. An organisation is considered to be carrying on business in New Zealand if it earns money there in exchange for goods or services, or makes a profit from its business there.

Fines and Penalties: New Zealand Privacy Act 2020

The 2020 update of the NZ Privacy Act states that if an organisation fails to comply with the law, or misleads another organisation or individual in a way that affects personal information, it can be fined up to $10,000. While some may argue that this financial penalty is not enough, it is the potential damage to the organisation’s reputation that should concern the non-compliant. This is best put in the words of John Edwards, New Zealand’s Privacy Commissioner: “We have a fairly high trust environment [in New Zealand], so the reputational harm of a commissioner declaring a company as non-compliant should be an incentive. That’s what we will work with—that’s the assumption that we will test. Our powers of persuasion, our ability to make findings and to issue compliance notices should be able to give New Zealanders the confidence they need to deal in the digital economy.”

For help with privacy data risks, please reach out via Secuvy’s Demo Page or email us at [email protected]

October 11, 2020

The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020. In this blog post, we will talk about the history of the CCPA and how it applies to your business.

What is CCPA?

The CCPA applies to any business anywhere in the world, including any for-profit entity, that collects consumers’ personal data, does business in California, and satisfies at least one of the following thresholds:

  1. has $25 million or more in annual revenue; or
  2. possesses the personal data of more than 50,000 “consumers, households, or devices”; or
  3. earns more than half of its annual revenue from selling consumers’ personal data.

CCPA History

For two years (2016-2018), Alastair Mactaggart, a real estate developer, created and led a ballot initiative for a privacy law that led to the CCPA (Assembly Bill (AB) 375). On June 28th, 2018, the governor of California signed AB 375 into law, establishing the most extensive consumer privacy legislation ever passed in the United States.

Timeline:

  • June 28th, 2018: AB 375 signed into law
  • September 23rd, 2018: Senate Bill No. 1121 signed into law, modifying the CCPA
  • October 10th, 2019: California Attorney General released the proposed text for CCPA regulations
  • October 11th, 2019: California Governor signed CCPA amendments into law
  • January 1st, 2020: CCPA goes into effect
  • July 1st, 2020: Enforcement begins

California Residents Rights under CCPA

The CCPA grants California residents, as consumers, specific rights regarding the personal information that businesses maintain about them. If you are a California resident, you have the right to request that a business inform you about its processing activities with respect to your personal information, to have your personal information deleted, and to opt out of the sale of your personal information.

Summary

Companies preparing for, or planning to implement, the CCPA must remember that a privacy program needs to adapt and change in step with applicable privacy law. If you are looking to build a privacy program, it is not too late to start preparing for CCPA compliance. To request a CCPA privacy software demo, email us at [email protected] or visit Secuvy.ai.

April 2, 2020