“The house of every one is to him as his Castle and Fortress as well for defense against injury and violence…” — Sir Edward Coke, English judge and jurist.
Coke uttered the famous words across the pond more than 400 years ago. For centuries, the legal precedent has underpinned the right to freedom from intrusion.
One can only imagine what Coke would think about today’s ongoing privacy debate between consumers, big tech, and legal systems.
No longer are homes the only places we store personal information. Today’s companies have multiple options (and incentives) for collecting, storing, and sharing data.
As the IT admin of a small-to-medium-sized enterprise (SME), what do these developments mean for you? And what are the essential things you need to know about data privacy laws?
Keep reading to learn more about data security versus data protection, the history of data privacy laws, and the most relevant laws in the U.S. and Europe. In addition, we’ll share our best tips on how to strengthen your compliance efforts.
Data Privacy Laws and Why They Exist
The topic of data privacy entered the world stage in 2018. That’s when the Facebook-Cambridge Analytica scandal flashed across news headlines around the world. The New York Times reported that the company harvested the Facebook profiles of 50 million users, without their permission, for nefarious political purposes.
Shortly after, several high-profile data breaches further emphasized the need for enhanced data privacy and security regulations. Google+ developers discovered a breach that allowed 438 external apps to access 500,000 Google+ users’ data, including names, emails, addresses, occupations, genders, and ages. The result?
Lawmakers and regulators worldwide are now taking data privacy seriously. Several laws and regulations have popped up in recent years to protect people’s privacy. The most notable and expansive of these are the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States. We’ll dive into these regulations in a moment, but first, let’s define data privacy laws.
What Are Data Privacy Laws?
Data privacy laws are mandates that govern how organizations can collect, use, and share personal information. The laws exist to protect individuals from having their personal data mishandled or misused.
In addition, data privacy laws set standards for how organizations must handle and secure data and give data subjects rights over their information. This often includes the right to know and permit what information is collected, the right to have it erased, and the right to object to its use.
The specifics of data privacy laws vary from country to country. But they all aim to achieve the same goal: to protect people’s information from falling into the wrong hands.
Benefits of Data Privacy Laws
The benefits of data privacy laws for individual data subjects are self-evident. However, they may seem somewhat burdensome for corporations.
After all, complying with data privacy laws requires significant investments of time, resources, and money. But make no mistake: adhering to data privacy laws is not only the right thing to do, it’s also good for business.
1. Enhance Consumer Trust (and Credibility)
In a world where data breaches are becoming increasingly common, customers want to work with companies they can trust.
In fact, 71% of respondents in a 2020 McKinsey survey stated they would take their business elsewhere if a company released sensitive information without permission. Complying with data privacy regulations sends a strong signal to stakeholders that you take privacy seriously and do everything you can to protect their data.
2. Level the Playing Field
Subjecting all companies to the same standards means the differentiating factor would be product and service quality, not who has the most lenient data privacy practices. This is particularly important for SMEs that lack the resources of larger corporations and would be at a competitive disadvantage if there were no data privacy regulations.
Understanding Data Sovereignty
As noted earlier, data privacy laws differ in their details from country to country, which makes the discussion of data sovereignty ever more important.
Data sovereignty is the concept that data should be stored and managed in compliance with the laws of its country of origin. This is especially critical for companies that operate in multiple countries, as they need to ensure that their data complies with the laws of each country.
It also extends to the idea that organizations should store data originating from a country in the same country to avoid subjecting individuals’ privacy to a foreign government’s jurisdiction.
Data sovereignty has immense relevance in cloud storage applications as companies sometimes host servers in different countries from where the data is collected. Data sovereignty will become even more critical as the internet grows and expands.
Data Security vs. Data Protection
People often use the terms data security and data protection interchangeably without realizing they are two completely different concepts.
Data security is the practice of restricting access to data. This includes ensuring that only certain users can obtain data and that information is not modified or destroyed without authorization.
Data security is vital for both individuals and organizations, as it helps protect information from being misused or stolen. Examples of data security strategies include encryption, firewalls, and password protection.
Organizations can use an IT toolkit like the JumpCloud Directory Platform to streamline data security compliance, oversee device management in heterogeneous environments, provision/deprovision users, and enforce password controls.
Data protection involves safeguarding data from loss or damage. It includes measures such as backing up data and storing it in a secure location to ensure that important data is not lost in the event that security measures fail.
For example, suppose cyberattackers seize control of an organization’s server in a ransomware attack. In that case, data protection measures ensure that the organization can still access its data.
Though relevant as the last line of defense in a wider security strategy, data protection is also handy for other reasons besides malicious attacks. For example, it helps businesses recover from data loss due to technical failures or human error.
Also, if different locations house data (e.g., on premises and in the cloud), data protection helps ensure critical systems don’t grind to a halt if one storage location goes down.
The Four Basic Data Privacy Protections
Oftentimes, implementing data privacy policies is challenging for organizations because they don’t approach it as a baseline for operations.
Instead, they treat it as an afterthought and only focus on meeting regulatory compliance when required. At JumpCloud, we’ve seen SMEs take a similar approach with IT security compliance measures to their own detriment.
Organizations seeking to take a proactive approach to data privacy should have the following protective measures in place as mandated by the General Data Protection Regulation and other similar laws:
- Data Collection and Sharing Rights
Your privacy approach should include letting users know what types of data you collect, how you use it, who you’ll share it with, and what purpose you’ll use it for.
It should also inform and enable them to exercise their rights over their data, such as the right to access, delete, or correct their data.
They should also have the right to deny third-party access to some or all of their data.
- Opt-In (Consent)
What’s better than letting your users know what data you handle? Asking their permission for how you intend to handle it.
It’s common for websites to have pre-ticked boxes that leave it to users to opt out of cookies or the collection of certain information. This is neither good practice nor in line with laws such as the GDPR’s cookie consent requirements.
Require your customers to take clear and proactive action to indicate that they agree to have their data collected.
- Data Minimization and Storage Limitation
Only collect and store the data that is necessary for you to fulfill your business purpose. For example, suppose you’re a business that sells products. In that case, you’ll need to store data such as the customer’s name, shipping address, and payment information.
Don’t store data such as visitor browsing history on your site or the sites they visit after leaving yours. Furthermore, limit the amount of time you keep data. For instance, you can delete customer data once they haven’t interacted with your site for a certain period, such as 12 months.
Perhaps the most shocking cautionary tale is the double-header case of AdultFriendFinder, where a dating website got hacked twice, and very private information of users was made available on the dark web. What was already a sticky situation became even worse: it turned out that the data of former users who had deleted their accounts was still being kept and was among the data leaked.
- Nondiscrimination and No Data-Use Discrimination
This protection requires you not to engage in discriminatory behavior against individuals who choose to exercise their data privacy rights.
For example, you cannot charge a higher price, refuse service, or give them a lower quality service because they exercised their right to access or delete their data. Also, you can’t use collected data to profile individuals along discriminatory lines.
For instance, using data to target ads or content to individuals based on their race, ethnicity, gender, religion, disability, or other discriminating factors could violate your data subjects’ rights.
Evolution of Data Privacy
As referenced in our introduction, the notion of privacy has been around long before the digital age. Here are some additional fun facts for the history buffs out there:
- In 1890, two Americans, Samuel Warren and Louis Brandeis, wrote “The Right to Privacy.” The article advocated that individuals “be left alone” and not have their lives turned into public spectacles. With time, the need to protect people’s information became more apparent as the technological landscape changed.
- In 1967, an interesting development concerning the U.S. Constitution’s Fourth Amendment arose in Katz v. The U.S., where investigators had recorded a gambler’s conversations on a public telephone. The court held that the right to privacy extended beyond a person’s house, papers, and effects to include areas where a person has a reasonable expectation of privacy, such as a telephone booth, as in this case.
- Katz vs. The U.S. accelerated the movement toward data privacy, and in time, Sweden enacted the first national data privacy law in 1973.
- The 1980s saw the Organisation for Economic Co-operation and Development (OECD) release data privacy guidelines, which then formed, and still form today, the basis for many data privacy laws around the world.
- Then came the internet, which made it easier for organizations to store more information than ever. In response, the European Union (EU) passed the Data Protection Directive in 1995.
- During the Wild West days of the internet, data privacy concerns took a back seat while data security rode shotgun. However, this soon changed with the rise of big data firms such as Google, Amazon, and Facebook in the 2000s.
The massive data these organizations collected, coupled with high-profile privacy scandals, made it inevitable that data privacy would come to the forefront again.
As previously mentioned, several countries have enacted data privacy laws reflecting its greater importance. Meanwhile, only time can tell what new technologies will develop and what concerns and responses to data privacy they might bring.
U.S. Data Privacy Laws
The United States does not have a single, all-encompassing data privacy law. Instead, it relies on a patchwork of federal and state laws and industry-specific regulations.
National Privacy Legislation
There are several pieces of U.S. federal legislation that deal with data privacy. Perhaps the most popular are the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA).
HIPAA establishes national standards to protect people’s medical information. It applies to healthcare providers, health plans, and other medical information organizations.
The GLBA requires financial organizations to safeguard sensitive information and explain their information-sharing procedures to customers. It also demands that they respect the customer’s right to opt out of any data sharing with unaffiliated parties.
COPPA protects the online privacy of children under 13 by prohibiting website operators from collecting personal information from children without parental consent.
State Privacy Legislation
Several states also have data privacy laws. For example, the Massachusetts Data Privacy Law is one of the most comprehensive state data privacy laws. It requires businesses to take reasonable security measures to protect personal information, and it imposes harsh penalties for companies that suffer data breaches.
California has the California Consumer Privacy Act (CCPA), which came into effect in 2020. The act gives residents the right to know what personal information is being collected about them, the right to delete that information, and the right to opt out of its sale. With few exceptions, the CCPA contains as many measures as the GDPR.
There is also the Nevada Internet Privacy Law, with similar provisions to the CCPA but limited to online and web services only.
EU Data Privacy Laws
The European Union has one of the world’s most comprehensive data privacy laws. The EU’s General Data Protection Regulation (GDPR) came into effect in 2018 and builds on the EU’s 1995 Data Protection Directive.
The GDPR requires businesses to get explicit consent from individuals before collecting, using, or sharing their personal data. It also gives individuals the right to know what private data organizations collect about them, the right to have that data erased, and the right to object to its use.
The GDPR applies to data processing irrespective of whether the data is collected online or offline, and whether or not the business is in the EU.
Companies that violate the GDPR can receive a fine of 4% of their annual global revenue or €20 million, whichever is greater.
Data Privacy Quick Tips for SMEs
So, what can SMEs do to comply with data privacy laws? Here are some quick tips:
- Get rid of dark patterns: You know how easy it is to use those complicated menus to frustrate users and discourage them from using the opt-out button. Or how easy it is to place confusing words like “Don’t Not Sell My Personal Information” beside the “I agree” checkbox. Well, don’t use them. Dark patterns are not only annoying to your users; specific instances of them could also be illegal under relevant laws.
- Implement privacy by design: This means building privacy into your products and services from the ground up. It starts with understanding what personal data you are collecting and why. Do you really need it? Can you get by with an email address? Once you’ve decided what data you need, figure out how to collect it to minimize the risk of exposure. For example, if you’re managing sensitive information like health data, consider using encryption to keep this information safe both during and after collection.
- Data privacy is more than the internet: Remember that privacy laws also apply to offline data collection. This includes data collected through paper forms, over the phone, or in person. So, if you collect this type of information, take steps to protect this information from exposure and use it only for the purpose it was collected.
Improve IT Security Hygiene with JumpCloud
Data privacy laws are constantly evolving, and businesses must keep up to date with the latest changes. By understanding the basics of data privacy, you can ensure your organization complies with relevant laws and protects your customers’ personal information.
Did you know that instituting and enforcing IT hygiene policies helps improve organizational data privacy, security, and protection posture? Learn how organizations can adopt data-hygienic practices, improve data privacy, and avoid breaches in The IT Manager’s Guide to Data Compliance Hygiene.