New York Isn’t Sleeping on Consumer Privacy

Two years later the impact of Equifax’s massive data breach continues to be felt. As we reported last week, the FTC announced a $700 million settlement with Equifax. Then on Thursday, in reported response to the settlement, New York governor Andrew Cuomo signed two new data privacy bills into law.  

Here is a quick run down of the two privacy laws New York passed last week and how they could impact your business:

Senate Bill S3582

The first bill passed into law last week concerns consumer credit reporting agencies. Under the new law, all credit reporting agencies that have experienced a data breach are required to offer effected consumers free identity theft prevention and mitigation services for up to five years. The law additionally gives effected customers the right to freeze their credit at no cost.  

SHIELD Act

The second and by far most impactful of the laws passed is the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). While the focus is simply on breach notification procedures, the law is noticeable for the expanded scope of the regulation and the broadened definitions it introduces. 

In short, the new law requires businesses to report any breach of personal information that an organization hasWhat is notable, however, is that the SHEILD Act doesn’t just apply to businesses operating within New York. Instead, any organization that owns the personal information of New York residents must now comply with the reporting requirements.  

What’s more, the law expands the definition of what counts as a data breach. Traditionally, data breaches are understood as an instance where someone actually takes an organization’s data. The SHIELD Act, however, expands this definition to also include instances where the data has simply been accessed by an outside entity. The definition of personal information has also been expanded by thnew law to include biometric data and a usernames or email addresses in combination with a password or security question.  

In addition to notification requirements, the law requires businesses with the personal information of New York residents to implement “reasonable” security requirements. These include compliance with regulations such as HIPPA and GLBA as well as “reasonable administrative, technical and physical safeguards.” 

Lastly, the law lays out a new penalty framework for organizations that fail to properly report data breaches. Under the SHEILD Act, action against businesses will be pursued by the State Attorney General rather than through individual or class action civil suits. The law also increases the maximum penalty for organizations from $150,000 to $250,000.  

Signs of Regs to Come

These two new laws solidify the impression that New York is working hard to strengthen its stance on cyber security and data privacy. Just last month state senator Kevin Thomas introduced the New York Privacy Act, considered by some to surpass even the GDPR in the privacy rights it gives consumers. Perhaps the most unique feature the bill proposes is the concept of Information Fiduciaries. 

While the Privacy Act has a long way to go before passing into law, the ease with which these two laws were enacted may be a sign of things time.  

Writing a Privacy Policy You’ll Actually Want To Read

Creating a privacy policy is necessary for any business collecting or processing personal information and is essentially a legal agreement between you and people visiting your website. And more often than not privacy policies are thought of as just that: a legal buffer. But with more users mistrusting the services they use, these policies should instead be seen as an opportunity to build trust with customers, establish a level of transparency, and show that your respect their privacy.  

Here is a short primer on what should be included in a privacy policy, and how to write it in a way that is accessible to users.  

The What

What information you collect 

It’s important to be upfront about all type of information you may collect about your users. This not only includes personal information (name, email, phone number, etc.), but also things like usage and analytics data, as well as the first- and third-party cookies.  

How you collect information 

Listing the methods used to collect data is another important aspect of a privacy policy. Is it information that they are freely providing? Is it automatically collected through your browser? Is it collecting through a script or plug-ins on your website? Providing this information will help users make informed decisions on how to navigate your site in a way that fits their privacy needs.  

How you use information 

It’s essential that you inform users not only of what you’re collecting, but how youre using that information. In many cases, it can help explain why it’s important that you collecting this information in the first place. Examples include customer service, payment processing, and improving site experience. On top of these, you’ll also need to state if you’re using data for marketing and joint marketing purposes. 

What information you share and why 

You’ll also want to state any information that you share with others. This might be for something like third-party advertising but can also include other companies related by common ownership, non-affiliates that market to you, or even non-profits using the data for research studies. Today, users are concerned about understanding who has access to their data, so this information is especially important.   

How that information is secured  

This is something you’ll definitely want your users to know about. Listing what security systems and practices you have in place will go a long way to show users that you care about their privacy and are taking the necessary steps to ensure it’s secure. 

What privacy options do users have 

It’s become more common for websites to give users some choice with regards to their privacy. This includes whether they can access the data that has been collected, the ability to change what information they want to share, whether they can delete data previous collected, as well as the ability to decide how long you hold on to their information. If you allow users these options, you want to explicitly state that they have those abilities.  

Who users can contact about privacy concerns 

Another component to your privacy policy should be a contact person that users can contact when they have questions or concerns regarding the policy or any other privacy-related issues. It’s important that users have someone they can reach out to when they have concerns.  

Regulation Compliance 

Lastly, depending on where you operate and even where your servers are located, you may be subject to certain privacy regulations that require you to both include certain components in your policy as well as explicitly state your compliance with these regulations. Two big regulations that could effect your privacy policy is the California Consumer Privacy Act (CCPA) (effective in 2020) and the EU’s General Data Protection Regulation (GDPR). Another important regulation is the Children’s Online Privacy Protection Act (COPPA) which requires certain privacy controls and parental consent before collecting data on children under 13. 

The How

Above all, when it comes to writing your privacy policy, it should be readable. 

Your users shouldn’t need a law degree to understand what’s in the policy. Write in plain English. Keep it as short as possible. While there is a lot of information to include, you should stay as concise as possible. If need be, you can layer the policy, meaning have basic language that provides a general overview and link else for details about different sections. Lastly, you want to ensure that the policy itself is easily accessible to users. It shouldn’t be tucked away in tiny font. Place it somewhere prominent that users to find whenever they’d like to refer back to it. 

This is especially important if you need to comply with the GDPR. Not only does the regulation require you to include certain information in your privacy policy, but also includes requirements to ensure your policy is sufficiently clear. The GDPR’s website provides some guidance on privacy policy best practices that you can find here 

Even if you’re not subject to the GDPR, it’s probably a good idea to try and follow their guidelines as well. Again, your privacy policy isn’t just a legal safeguard. It should be understood as a way to communicate to your users about their privacy and ensure them you’re being transparent about your data collection.  

Whose Identity is it Anyway?

Whose Identity is it Anyway?

Our identity is something we often take for granted. Traditionally understood, identity is a simple one-to-one relation. It’s what links a single person to a single identity.  

However, the digital landscape has changed the very nature of our identity. Now, it’s more accurate to say that a single person contains a whole multiplicity of identities, many of which we don’t have a lot of say in. At bottom, digital identities are constructed far less by what we think and say about ourselves, and far more through a complex network of information that moves and interacts with other elements to construct who we are. 

The Digital Footprint 

 When we go online, we leave a trail of our interactions. From browsing history, to shopping preferences, to movie and music tastes, to ‘likes’ on social media, everything we do is logged and collected. And the emerging landscape of artificial intelligence and the ‘internet of things’ (IoT) greatly expands the traces we leave.  

In some cases, this is done to make our experience online more efficient and convenient. Much of the time, however, our digital footprint is being used to build a detailed profile of who we are. The issue here isn’t so much that we have to wade through a bunch of highly-targeted ads. Instead, it raises essential questions over who has control over who we are 

In a post we wrote last month —and really, it bears repeating— we quoted an article by Shoshana Zuboff, who argues that data collection “is not only to know our behaviour but also to shape it in ways that can turn predictions into guarantees. It is no longer enough to automate information flows about us; the goal now is to automate us.” 

No Privacy without Control of Identity  

In the direction we’re headed, our identities are constructed for us instead of by us. This is largely because of the fact that our informational society is driven far more by the interests of the organizations collecting personal information than the interests of consumers. 

The question then becomes: how can we retain our privacy when it is only known in a digital footprint which, by its nature, is programmed by a third party? Defining our relationship to these identities is essential so that we can define how to protect them.  

The 3 P’s: Policy Protects Privacy

In many ways, we’ve accepted that handing over personal information is the cost of interacting online. The issue, however, is that in the U.S., when it comes to handling consumer information, the rule of business has largely been ‘Anything Goes!’ 

And if the deluge of privacy scandals that tech companies have faced tells us anything, it’s that consumer privacy is not exactly a top priority for many businesses. 

Because of this, it’s become clear that there needs to be some level external policy which places limits on what data can be collected and for what purposes. 

Information Fiduciaries  

New York Privacy Act is the latest consumer-focused regulation to take steps in this direction, and it contains some innovative approaches to help protect users’ personal information.  

One such approach is the inclusion of the privacy concept “information fiduciaries,” originated by Yale Law School professor Jack Balkin. The proposed regulation would require any organization that handles personal information to act as an information fiduciary and must “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and [] act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker.” 

As expected, this has many tech companies up in arms. According to an article from Wired, Facebook has argued that the line requiring companies to act ‘in the best interest of the consumer is too broad: “Different consumers, Facebook argues, have different interests when it comes to the use of their data, making that a fuzzy line to draw.”  

Facebook’s argument over differing interests might seem to make sense, but, when it comes to creating sound privacy policy, it falls far short of the mark 

The problem is that in today’s landscape, it’s becoming impossible to pinpoint consumers’ true interests. In an article titled, “Privacy and human behavior in the age of information,” the authors collected empirical data and found a variety of issues when it comes to accurately located consumers’ concern for privacy. One point they discovered was that companies have been able to effectively influence users’ privacy concerns:  

Some entities have an interest in, and have developed expertise in, exploiting behavioral and psychological processes to promote disclosure. Such efforts play on the malleability of privacy preferences, a term we use to refer to the observation that various, sometimes subtle, factors can be used to activate or suppress privacy concerns, which in turn affect behavior.” 

Disinterested Policy 

The question then becomes: how can a privacy policy rely on the individual consumers’ interest if those interests are being influenced by entities that depend on the collection, processing and sale of personal information? 

Because the tech environment is a complex world of interactions, because of the limitations in our ability to discern attempts by others to leverage our behavioral biases, and because we cannot fully trust that the intentions of the tech platforms like Facebook are congruent with our own interests, there needs to be some external baseline of privacy policies protections that help create a level playing field for everyone The question, of course, is where that baseline is drawn.  That comes down to being able to answer these questions:  What do we want to keep private?  When do we want to keep it private?  How and when do we want to share?

Sounds simple, but in a digital world of constant measurement and surveillance, it’s not so easy.

How The Cookie Crumbles

How The Cookie Crumbles

Cookies have been and continue to be an essential part of how we use the internet. In essence, cookies are small files created by websites you visit that are saved on your computer. The files contain information on what websites you visit and how you interacted with those sites.  

This might make any privacy-minded person pause. Why should we allow websites to create records of what we do online? Well, the answer isn’t so straight forward. Not all cookies are created equal. Some forms of cookies are essential to what we’ve come to expect from our online experience. Others are a little more suspect.  

First-Party Cookies

In general, first-party cookies are there to make our online experience easier and more convenient. They’re used by individual websites, and store information so you don’t have to re-identity yourself every single time you use a site. They allow you to stay logged into websites as you navigate between pages and visits to those sites. They save your location so you can quickly check the weather in your area or buy movies tickets without having to re-enter your information every time you use those sites. 

In short, we rely on first-party cookies every time we visit a website. Their essential to how we use the internet and don’t necessarily present a risk to your privacy online. 

Third-Party Cookies

Third-Party Cookies, on the other hand, are a different story. Unlike first-party cookies, these cookies track your movements between websites. These types of cookies are not created by the website your visiting, but by a third-party whose code is on that site. This could come from plug-ins, or, as is more often the case, from advertising platforms. These cookies can then keep track of your movement between any website that features these third-party codes.  

Because they are not limited to your interaction with one specific website, they can be used to construct a much larger and more detailed profile of not only your online presence, but personal characteristics, spending habits, and lifestyles.  

Taking Control of Your Cookies

Because cookies are such an important part of how we interact with websites, blocking all cookies is unnecessary and will make using sites far more inconvenient. However, depending on your level of comfort there are steps you can take to have more control of what cookies websites are using. 

  • One option is to change your browser’s privacy settings to ask permission before accepting cookies for all websites. You can choose which websites save cookies depending on your level of trust and how frequently you use those sites. 
  • Most browsers also give you the option to only block third-party cookies. This will still allow individual websites to save information about how you use their sites but will stop entities from tracking your movement across the web. There are also several ad-blocking extensions you can use that will remove advertising codes from websites when you visit them, effectively blocking those third-parties from saving cookies on your computer. 

Cookie Disclosure Requirements

By now, you’ve probably seen many websites display banners either stating that they are using cookies or asking consent for their use. This is due to several laws coming out of EU that now require websites to obtain consent to use cookies. The ePrivacy Directive was implemented in 2002 and was the first of such laws to require notification of a website’s use of cookies.  

However, the newly enacted GDPR has further enhanced these requirements. Now, websites are required to not simple notify users that cookies are being used, but most give information on how those cookies will be used and gain consent from users for each of those purposes.  

While the U.S. currently does not have such laws in place, if your organization has servers in an EU nation, you may still be subject to GDPR restrictions. In any case, it is likely such regulations will be also enacted in the U.S. soon, so many organizations are choosing to display such banners preemptively.  

Taking Aim at the CCPA

From the land of Silicon Valley comes privacy regulations that may have a tremendous impact on how tech companies use and share your data. 

Modelled largely off the EU’s GDPR, the California Consumer Privacy Act (CCPA) is the largest and most comprehensive online privacy regulation passed in the United States to date. The regulation provides California residents extensive rights over what personal information companies collect, how the information is used, and even gives consumers the right to opt-out of data collection all together.  

The bill was passed into law in September 2018 and goes into effect this coming January. With the door fast closing, the race is on to add amendments and further clarifications to the new law. Last Tuesday, California Senate’s Judiciary Committee voted on a series of new amendments that could limit the scope of the CCPA.  

Here is a brief primer on the three most contested amendments and their fate in last Tuesday’s hearing.  

AB-1416  

This amendment proposes that business should be able to sell personal information even if consumer has opt-ed out if the sale is “for the sole purpose of detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity.” The amendment worried many privacy experts, who considered it to open major loopholes in the regulation. Specifically, according to one commentator, the bill would “would chip away at the rights of Californians by allowing law enforcement to get around existing warrant requirements to access personal information.”  

The bill was withdrawn by the author, Assemblyman Ken Cooley, at the last minute and so no vote was taken. However, according to some reports, it’s possible to bill will reappear for a vote next year, after the law has gone into effect. 

AB-873 

This amendment would exclude any de-identified data from the scope of the regulation. The real issue, however, is that bill lowers the threshold of what information is understood as de-identified. According to the amendment, data such as I.P. addresses and browser fingerprints would now be considered as de-identified information. However, according the senior counsel for policy and privacy at Common Sense Media, Ariel Fox Johnson, that information could potentially be used to re-identity data to specific users. “Deidentification is not a privacy protective technique if deidentified information can identify you.” 

The vote on the amendment was split 3-3, so the bill did not pass. Howeverthe bill’s author was granted reconsideration, so it is possible another vote on the amendment will be taken before the end of the summer. 

AB-25 

Another proposed amendment takes aim at restrictions on employers. As Bloomberg Law reports, the bill would exempt personal information employers have about their employees from the privacy law’s requirement that it be disclosed or deleted upon request.” 

The bill passed with 8-0 votes in favor, but with added changes that still require employers to inform employees about the types of information they are collecting about them and why. 

Next Steps 

The California legislature has until September 13, 2019 to pass bills amending the CCPA. Any bills up for reconsideration must still pass a vote in the Senate’s Judiciary Committee. All approved bills will then move to the Committee on Appropriations for a vote in August, to be followed by a vote of the full Senate. 

While it is likely some of these changes will go into effect, the results of the Judiciary Committee’s hearing make clear that the main purpose of the CCPA will remain intact. As a result, businesses should be taking this bill seriously and begin looking into what processes will need to be implemented in order to comply with these new regulations.