One thing that we all need to be concerned with is internet privacy and security. Every year, there are millions of records that are compromised due to data breaches. As a business owner, it is your responsibility to make sure that employee and customer data is protected.
Of course, you also need to respect the rights of people. We’re entitled to privacy. You cannot simply hold onto any information about a person!
Your first port of call should be understanding the different rules and regulations that are in place. After all, compliance is something that you cannot simply skip! Plus, it is for your own business benefit.
Considering that, we have put this blog post together for you, providing some key tips and helping you to understand some of the different steps that you can take to achieve website compliance.
THE PRIVACY LAWS THAT ARE IMPLEMENTED THROUGHOUT THE UNITED STATES
There are four key laws that are in place across the United States. These are as follows:
- The US Privacy Act of 1974
- Health Insurance Portability and Accountability Act (HIPAA), which was passed in 1996
- Gramm-Leach-Bliley Act (GLBA), which was implemented in 1999
- Children’s Online Privacy Protection Act (COPPA), which came into play in 2000
US Privacy Act of 1974
The landmark US Privacy Act was passed in 1974. It established vital restrictions on, and rights over, the data that US government agencies hold. Some of the key areas of this law are as follows:
- The restriction of data sharing between other federal and non-federal agencies – with permission only allowed under specific conditions.
- Data access is restricted on a need-to-know basis, for instance, workers who require records for their job roles.
- Data minimization principles must be followed when it comes to data collection, meaning the minimal amount of data necessary and relevant for accomplishing the purpose.
- Citizens have the right to correct any mistakes relating to their information.
- US citizens also have the right to get their hands on any data that government agencies hold about them, and they have a right to copy this information.
Next, we have the GLBA, which is a vast piece of legislation covering financial and banking law. However, buried within it is a lot of vital information regarding security and data privacy requirements.
The personal data protection within this act represents a significant improvement when compared with past financial data laws, such as the Fair Credit Reporting Act (FCRA).
Essentially, nonpublic personal information (NPI) is protected within GLBA. This is defined as any sort of data that is collated about a person in connection with providing a financial service or product, unless that data is otherwise available publicly.
COPPA was the first step taken toward regulating personal data collected from minors.
As per this law, online businesses are prohibited from asking for PII from children under the age of 12 unless verifiable consent is provided by a parent or guardian.
A few years ago, there were a number of updates to COPPA, which has meant that the reach of the law has been expanded. Now, there are more types of personal information that are protected, including street-level geo-coordinates, audio files, photographs, video chat names, email addresses, and screen names.
These updates have also extended security and privacy coverage to third parties that utilize the children’s data. The originating site must take the required steps to ensure that the personal information from the child in question is released only to businesses that are capable of ensuring it is kept confidential and secure.
Last but not least, the fourth federal law that has a place with regard to internet privacy is HIPAA, which was passed back in 1996. At the time, this was landmark legislation for the regulation of medical insurance.
This is a very complicated law that has many different moving parts, which include both security and data privacy sections.
The data protection part of this legislation is located within the Security Rule. The confidentiality requirements are then found in the Privacy Rule section.
If you have ever had to complete a form at your local medical office that enables your spouse or other members of your family to see or review your health information, you have seen the Privacy Rule in action.
There is a convoluted list of rules within the Privacy Rule regarding who is able to view PHI. However, in short, a medical provider or any covered entity has the permission (more or less) to utilize patient data that is related to health care, payment, and treatment operations. Nevertheless, selling the PHI or using it for marketing reasons requires explicit authorization.
HOW IS PRIVACY HANDLED ON THE INTERNET?
Well, a lot of people would say that it is not handled. Outside of the industry-focused federal laws in the United States, the internet is a territory that is deregulated where social media and tech companies, in particular, have followed an anything-goes approach.
However, we are pleased to see that some US states are now stepping in and implementing their data privacy laws, which have been much needed. California is very much taking the lead here!
NEW STATE LAWS ARE COMING INTO PLAY IN THE UNITED STATES
As mentioned, we are seeing a lot of states take the reins and implement laws so that they can protect the privacy of their people. One state that is certainly leading the way is California, so it is only right that we take a look at their efforts.
California is leading the way in internet privacy laws
The California Consumer Privacy Act (CCPA) was signed into law in 2018. However, it is set to be replaced by CPRA, with this effective from the 1st of January in 2023. Anyone doing business in California must understand the CPRA.
The aim of this legislation is to extend the privacy protections that consumers currently hold to the internet. It is no exaggeration to state that the CPRA is the most comprehensive internet-focused data privacy legislation in the country at the moment. There is no equivalent at the federal level.
There are a number of considerable changes you can expect as a consequence of CPRA. One of the main changes is that there is a new set of obligations in place for companies when it comes to sensitive data processing.
Sensitive data is defined pretty broadly, and it includes any information that reveals the following about an individual: health, genetics, communications, finances, religion, race, union membership, sexual orientation, geolocation, and government ID.
Consumers have also been provided with enhanced control when it comes to sensitive information. Previously, under the CCPA, consumers had the ability to opt-out of businesses selling their information to marketing companies and other interested parties. Now, you have the ability to tell a company not to disclose or use your sensitive personal data.
There are also new rules regarding data sharing, and data retention limits have been imposed. Companies are not able to retain sensitive or personal data for any reason other than the one it was collected for in the first place, or for longer than is reasonably required for that disclosed purpose.
Who is impacted by the CPRA?
The CPRA is applicable to any for-profit organization that does business within the State of California and meets the following requirements:
- Derives half (or more) of their yearly revenue from sharing or selling the personal information of California residents, OR
- Sells, receives, or purchases the personal data of 100,000 or more residents, devices, or households in California, OR
- Has a gross yearly revenue that is $25 million or higher within the preceding calendar year
California is certainly leading the way when it comes to the privacy laws that are in place, and it is likely that we are going to see a number of other states follow suit as a consequence.
PRIVACY IS A FIELD THAT IS MOVING ALL OF THE TIME
As you can see, there are new privacy laws being implemented all of the time. Therefore, it is imperative that you stay in the know about everything that is going on. The last thing you want to do is be caught napping!
It is highly likely that there will be new rules over the coming years that you are going to need to adhere to. If you do not have the capacity to handle the management of this, look to a data security company that can assist you.
FINAL WORDS ON FOLLOWING THE INTERNET LAW
So there you have it: everything you need to know about internet law and following the different rules and regulations that are in place.
This should be a priority for all businesses, and you cannot simply address it one time and then forget about it. After all, new laws are being developed all of the time, and you need to keep abreast of these changes.