Will Business Lose Its Cookies Over These New Privacy Laws?

Last month marked the one-year anniversary of the European Union’s General Data Protection Regulation, or GDPR. Since then, California has enacted a similar law and New York State has introduced a similar bill, both aimed at protecting the privacy of their citizens. Nevada has recently enacted a narrower privacy law. Meanwhile, privacy is dead.

Long Live Privacy!

While privacy legislation seems like common sense in the surveillance economy, where unimaginably intrusive data tracking and compilation is commonplace, even the GDPR’s strongest proponents say the launch of the EU’s much-vaunted privacy protections was pretty rocky. California has passed similarly strict legislation, but it does not take effect until 2020, and as the regulations required for its implementation are being drafted, business and industry lobbying groups are bringing enormous pressure to bear to water it down. New York’s Privacy Act might up the ante for no-can-do in the realm of who-are-you, with even more stringent prohibitions than those put in place by California’s Consumer Privacy Act (CCPA).

At this anniversary time, it’s worth looking at what has and hasn’t worked in Europe.

The Good, the Bad, or the Woefully Ineffective?

Looking at the numbers released by the EU, familiarity with the law itself has been one of its greatest successes: Sixty-seven percent of Europeans have heard of the GDPR, and 144,376 queries and complaints were reported in its first year. Add the 89,271 data breach notifications issued, and it’s clear that, despite its flaws, a single law has achieved something a scattershot approach (multiple statutes enacted by different EU member states) could not.

Where the GDPR comes up short is enforcement. The law allows fines of up to 4 percent of a company’s annual global revenue (or €20 million, whichever is higher) for the mishandling of data, but the actual numbers so far have been underwhelming. Far from being a deterrent, they almost encourage bad cybersecurity. Take Google. The company was fined €50 million (roughly $57 million) by France’s data protection authority, CNIL, for failing to obtain valid consent for personalized advertising–not a big number for Google–and that single fine comprised the bulk of the €56 million in fines levied in total.

Needless to say, for Google a fine of this nature would be an acceptable cost of doing business in the EU.

It is anticipated that heavier fines will be placed on companies under the GDPR going forward, Facebook most likely being the poster child, but the message so far is clear: Fines need to hurt if the goal is the deterrence of poor data practices.

The Biggest Issue

By far the largest flaw in the GDPR has been a lack of clarity caused by poor communication.

Even though 67 percent of Europeans have heard of the GDPR, only 20 percent know which public authority is responsible for it. Misinformation, combined with the requirement to notify the regulator of a breach within 72 hours, set off a deluge of reports to the U.K. data privacy regulator, the Information Commissioner’s Office, in 2018. One-third of those calls involved incidents well below the GDPR’s reporting threshold. Misconceptions about what exactly the law requires were so widespread that the Irish Data Protection Commission actually blogged about whether taking pictures of one’s children at a school event is permissible. (It is.)

Corporations have also struggled with what many perceive as the law’s ambiguity. Under the GDPR, “companies processing large amounts of special categories of personal data” are required to hire a data protection officer, or DPO, to ensure compliance. The problem is that the law doesn’t specifically define what “large amounts” are, and although the DPO is required to have “expert knowledge of data protection law,” there is no set definition for what qualifies as an expert, either. It’s a great idea to have someone at large corporations ensuring the careful and lawful handling of customer data, but the implementation is ill-defined by the GDPR, which could make a DPO’s job awkward or downright impossible.

The kinds of confusion caused by the GDPR seem contagious, and that’s just the nature of the beast. There are many stakeholders in the privacy racket, and they are often vigorously at odds with one another.

The privacy laws in the U.S. will be more of the same. The GDPR’s best innovation was that it created one law instead of a patchwork that might change the moment you crossed a border. While New York and California should be applauded for taking steps to protect the privacy and data of their citizens, multiple sets of requirements for websites and businesses alike (as we have already seen with more than 50 U.S. jurisdictions having individual, and not necessarily complementary, breach notification laws) will necessarily make those laws harder to implement and harder for consumers to use.

Perhaps the most important takeaway for any state wishing to mirror the data protections of the GDPR is that in order to be privacy-friendly and consumer-friendly, the application of the law itself should at least try to be user-friendly, too. Too many differences run the risk that any and all of these laws become “Accept” gnats to be clicked away when we visit our favorite websites–and that is a giant fail.

Laws are supposed to solve problems, and keep others from happening. When it comes to privacy, we have a long way to go.

The post Will Business Lose Its Cookies Over These New Privacy Laws? appeared first on Adam Levin.

Maine Passes Internet Privacy Bill

Maine has passed a bill prohibiting ISPs from using and selling the data of internet users within the state.

The Act to Protect the Privacy of Online Consumer Information is closely modeled on an Obama-era FCC rule that required internet service providers to obtain customer consent before using or sharing their customers’ data. That rule was repealed in 2017.

According to the bill’s summary, the Maine legislation “prohibits a provider of broadband Internet access service from using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access…. The bill prohibits a provider from refusing to serve a customer, charging a customer a penalty or offering a customer a discount if the customer does or does not consent to the use, disclosure, sale or access.”

Additional requirements include “reasonable measures” to protect user data from outside access, although there is not much in the way of specifics regarding these measures.

Although the bill passed with broad bipartisan support, tech companies and ISPs strongly opposed the measure.

“Maine should avoid being the first to attempt to regulate an interstate service,” wrote Christina Fisher, a representative for a coalition of 84 technology companies opposing the law.

State Attorney General Aaron Frey disagreed.

“The state has a significant interest in protecting Maine consumers from practices that may compromise their personal data, or which place their financial well-being at risk,” Frey said in a statement in support of the law.

The post Maine Passes Internet Privacy Bill appeared first on Adam Levin.

Upcoming Webinar: What New U.S. State Privacy Laws Mean for your Business

TrustArc is proud to present the next Privacy Insight Series webinar, “What New U.S. State Privacy Laws Mean for your Business,” with TrustArc Principal Consultant and Director EMEA Ray Everett and Internet Law Center Founder Bennet Kelley. This webinar will take place on Tuesday, June 11th at 9am PT / 12pm ET / 5pm GMT. Don’t miss this opportunity to learn more about how U.S. state privacy laws will impact your business – register today! While the focus over the past two years has been on global privacy regulations such as the EU’s GDPR, individual US states have been …

The post Upcoming Webinar: What New U.S. State Privacy Laws Mean for your Business appeared first on TrustArc Blog.

Nevada Enacts New Privacy Law – Consumers Granted the Right to Opt-Out of the Sale of Personal Information

On May 29th, Nevada’s governor signed into law Senate Bill 220, a new privacy law granting consumers the right to opt out of the sale of their personal information. Nevada is the second state to grant this right, following California (CCPA). SB 220 does not provide a specific effective date; therefore, under Nevada law, it will go into effect October 1, 2019. While similar to the “Do Not Sell” provisions of the CCPA, SB 220 has notable differences. SB 220 defines “sale” more narrowly: as the sale or licensing of personal information for monetary consideration. CCPA …

The post Nevada Enacts New Privacy Law – Consumers Granted the Right to Opt-Out of the Sale of Personal Information appeared first on TrustArc Blog.