The new era of privacy
When you really get down to it, we have to thank Facebook and Cambridge Analytica for the change in consumer attitudes towards privacy, from lackadaisical to concerned and willing to do something about it. In 2018, multiple journalists reported on what we now know as the “Cambridge Analytica scandal”, an incident where millions of Facebook users’ Personally Identifiable Information (PII) was harvested without consent. That PII was then used for political advertising. The scandal opened up the eyes of consumers to the dangers of providing their PII to companies online and showed them just how easy it is to lose their privacy. In fact, the scandal was so upsetting to consumers that they started to pressure their state legislatures to propose and pass privacy laws that would prevent the loss of privacy online.
The following study results clearly illustrate changing consumer attitudes towards privacy:
- 84% of respondents said that they are open to new state privacy laws;
- 91% of respondents said that the right to delete PII and know how their PII is used should extend to all US citizens;
- 52% of Americans will not use products or services that they believe have privacy issues; and
- 93% of Americans would switch to a company that prioritizes privacy.
It is important to note that even though the Cambridge Analytica scandal concerned two large companies with access to the PII of millions of people, consumers have not identified privacy as an issue that only large companies need to deal with. As a result, small businesses have also been swept up in this regulatory storm.
Current privacy laws and who they apply to
Currently, there are multiple privacy laws in place that concern websites that collect PII from consumers. If you are unsure as to whether your website collects PII, take a look at your forms. Do you have a contact form or a newsletter sign-up form that collects names, emails, or phone numbers? Have you installed analytics that collect IP addresses? If you’ve answered “yes,” then your website collects PII and multiple privacy laws may apply to you. The privacy laws that are currently in place include:
- The General Data Protection Regulation (GDPR), which protects the privacy of residents of the European Union and will apply to you if you are offering goods or services to such residents or if you are tracking their behavior online through cookies, pixels, and analytics services;
- The California Online Privacy and Protection Act (CalOPPA), which applies to any website that collects the PII of California consumers;
- The California Consumer Privacy Act (CCPA), which is a new privacy law that protects the privacy of residents of California;
- The Delaware Online Privacy and Protection Act (DOPPA), which applies to any website that collects the PII of Delaware consumers;
- Nevada Revised Statutes Chapter 603A, which applies to websites that collect the PII of Nevada residents and that have sufficient connections to the state. Basically, you’ll need to comply with this law if you have customers in Nevada or if you are located in Nevada; and
- The Personal Information Protection and Electronic Documents Act (PIPEDA), which protects the privacy of residents of Canada and will apply to websites that collect the PII of Nevada residents in the course of business.
For those breathing a sigh of relief because they are not located in these states or countries, not so fast! Privacy laws protect consumers and not businesses. Anyone from anywhere could be submitting their PII to your website, meaning that you may be required to comply with multiple privacy laws, even if you are not physically located in that state or country. When it comes to the application of privacy laws, the factors that matter are:
- Whose PII you are collecting;
- Where you do business;
- Where your customers are located; and
- Who you track online through cookies, pixels, and analytics services.
- All of the proposed bills would apply to businesses outside of the states in which they are passed;
- While some of these bills include an exemption for small businesses, most still require small businesses to comply;
- All of the proposed bills would include new privacy rights for consumers.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.