Coronavirus and the Right to Privacy

Coronavirus and the Right to Privacy

 The coronavirus has unquestionably changed the way we live. It has also forced us into strange and, until just a few weeks ago, unthinkable ethical dilemmas. To visit loved ones is worth genuine ethical reflection. Modern nations, especially in the West, are built on an ethics of individual freedoms and the right to privacy. However, the current global health crisis is forcing us to rethink just how fundamental those ethics should be. While we already feel this with regards to the freedom of movement, we are just beginning to contemplate how the coronavirus can and should effect our right to privacy.

Contact Tracing and Enforced Quarantine

In order to limit the spread of the coronavirus, experts emphasize the importance of tracking every contact infected patients have had with others. Countries such as China, Singapore, South Korea, and Taiwan have all taken aggressive measure trace all potential contact infected people have had. These measures are widely considered to be a large reason why these countries have been successful in lowering the rate of transmission. However, the aggressive measures taken have come at the cost of individual privacies.

Taiwan and Singapore, for example, regularly post detailed information about everyone who test positive, including where they live and work, what train stations they have used, and what bars and restaurants they frequent. South Korea now has an app that allows users to track the exactly movement of those infected.

Countries are also using location data to enforce quarantine for those infected. Israel, for example, is now using data collection techniques previously used for counterterrorism efforts to identify anyone potentially exposed to the virus. The government uses this information to send text messages to those exposed ordering them to quarantine.

European and the U.S. Response

As the coronavirus spreads to Europe and the U.S., lawmakers are exploring the use of similar techniques. Italy now uses location data to monitor whether people are obeying quarantine orders. In the U.S., the White House is reportedly in conversations with tech companies to use anonymized location data to track the spread of the virus. HIPPA regulations are being waived to allow doctors and mental health providers to more freely use telecommunication to speak with patients. Companies in Italy, Austria, and Germany have also announced that they will provide location data to governments.

However, with privacy regulations such as the GDPR, it is unclear how aggressively European countries will be able to use personal information. The European Data Protection Board (EDPB) released a statement urging governments to continue to abide by privacy regulations in place. At the same time, however, the EDPB conceded that countries may suspend such regulations “when processing is necessary for reasons of substantial public interest in the area of public health.”

Consequences

Relaxing the right to privacy has garnered mixed responses by government officials and security experts. Many have pointed out that while the measures taken are extreme, personal information such as location data is highly effective in limiting the spread of the coronavirus. “We are stretched very thin in most states,” said the director of the Center for Global Health at Oregon State University, “so this kind of technology can help every state to prioritize, given their limited resources, which communities, which areas, need more aggressive tracking and testing.”

Others are concerned how this could endanger those whose information is made public. In South Korea, some have used information released by the government to identify infected individuals and attack them online. This has led officials to question how the government uses this information, worrying it will discourage others from getting tested for fear of being publicly exposed.

While nearly all countries have explained suspending the right to privacy is a temporary measure for the benefit of the public health, many worry it will have a permanent effect on how governments and countries view privacy concerns. After 9/11, for example, the U.S. used highly invasive surveillance measures that have since become common place among law enforcement agencies. According to the New York Times, privacy experts worry something similar could happen after the current crisis.

What restrictions we, as a society, can tolerate, and what effect this will have after the current crisis remains an open question. However, it may also involve a false choice.  There are technologies to both assist contract tracing and preserve anonymity.  Privacy by Design does not have to be put on pause as we develop these tools.  In fact, if we want to encourage wide adoption, it might be required.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

The Impact of the CCPA on Small Businesses

With the new year coming up fast, businesses are all scrambling to begin implementing necessary changes before the California Consumer Privacy Act (CCPA) goes into effect. And as one might expect, this poses some unique difficulties for small business that don’t have the same resources as larger companies might.  

This month, the International Association of Privacy Professionals (IAPP) released the findings of a number of surveys they conducted with small and medium sized businesses about their preparation for the CCPA. The findings highlight the unique impact compliance with the CCPA is having on smaller businesses 

Here are some of the key findings:

Confusion is Universal

One interesting aspect of the survey was that confusion surrounding CCPA compliance was universal to both small and large businesses. However, small businesses expressed a specific lack of clarity regarding what employee data is covered, how the sale of data relates to basic advertising, and potential conflicts with existing regulations.   

Vendor Management

Another key concern for small businesses is how the CCPA will affect their use of vendors and third parties. Because they have a limited number of employees, small businesses are more likely to outsource some of their work onto third parties. And, according to the IAPP’s findings, small businesses are less likely to have specific programs in place to ensure vendors’ privacy policies meet their own standards and comply with regulations. The report found that while small businesses do generally include privacy clauses in vendor contracts, “they use privacy questionnaires and audits significantly less often than larger companies.”  

Lack of Automation

The survey also found that small businesses are less likely to have privacy-focused automation in place. Because the CCPA requires business to process consumers’ data access requests, processing these requests along with managing data inventories will likely become more of a burden for small businesses. Without the resources to automate these processes, small businesses fear that implementing and managing data access requests will require an overwhelming amount of time and energy.  

What’s more, lack of automation could make it easier for fraudulent data access requests to slip by, resulting in data breaches that would leave them in violation of the CCPA. This has already been an issue with the GDPR, and small business worry that they don’t have the tools necessary to effectively verify the identity of individuals requesting access to their data.  

While preparation for the CCPA is a top concern for businesses of all sizes, the IAPP’s findings show that small business are facing a number of unique challenges. When it comes to compliance, the CCPA holds all businesses to the same standard. And while this gives consumers greater assurance that their privacy is protected across the board, the impact this will have on small business is greater than what larger companies are experiencing.

Changes to the California Consumer Privacy Act (CCPA) have been finalized – Goes into effect January 1

As of September 13th, the California Legislature has finished passing amendments to the California Consumer Privacy Act (CCPA) meaning no more changes to the law will be made before it goes into effect this January.  

Originally passed in September 2018, the CPPA is widely considered to be the most comprehensive privacy law in the U.S. to date. Taking their cue for the E.U.’s GDPR, the CPPA gives California consumers the right to know what data companies collect on them and even opt of the collection and sale of their personal information. However, as we wrote about in Julya number of amendments were introduced that privacy experts fear could greatly reduce the impact of the new law.  

In the months since then, some of those amendments successfully passed while others were reworked or scraped altogether. The legislature passed a number of amendments, most of the highly contested changes were put together in bill 1355 Personal Information. 

Here is an overview of some of the changes that made it through:

Non-discrimination

While the CCPA prohibits any discrimination against consumers who opt-out of the sale of personal information, the new amendment makes an exemption if “differential treatment is reasonably related to value provided to the business by the consumer’s data.”  

This is potentially a big deal. While some of this language will likely be challenged and clarified after the Act goes into effect, it opens the door for business to offer different services and/or prices if a user exercises their right to opt-out of the sale of their personal information.  

Definition of Personal Information

The amendment also makes a very small change to the definition of personal information, but one that could have large implications. In defining what counts as personal information, the bill simply adds the word “reasonably” to the phrase “capable of being associated with” a particular consumer or household. This small change creates some wiggle room for business when it comes to arguing what information is protected under the CCPA.  

This also reinforces the clarification in the amendment that de-identified and aggregate consumer information does not fall within the scope of the CCPA. And with efforts already underway to weaken the definition of de-identified information, this could potentially further limit what personal information is protected.  

Employee Information is Exempt

The other big change to the CCPA concerns employee information. The new amendments now excludes employees from the right to know, opt-out, or delete any personal information their employer collects and sells. However, this exemption sunsets in 2021 and will therefore have to be re-introduced after that. This will likely be the site of a large battle between unions and privacy advocates on one side and industry groups on the other.  

 

While these changes certainly reduce the scope and impact of the CCPA, the central tenants of the law remained largely intact. Overall, consumers will still be able to exercise their rights to know what personal information businesses are collecting, to opt-out of the sale of this information to third parties, and to even request that a business delete their information. It’s therefore important that all impacted business continue to work to be in compliance by the beginning of next year. 

Preparing for the CCPA

Time is running out. The California Consumer Privacy Act (CCPA) goes into effect January 1st 2020, and businesses need to be taking the steps necessary to comply. The new law is widely considered to be the most comprehensive privacy regulation in the U.S. to date and won’t just affect businesses operating within the state of California. Instead, any organization that collects the personal information of California residents might be subject to the new regulation. It’s important that every business reviews the regulation to understand whether they will be required to comply.  

And while the CCPA has many similarities to the E.U.’s General Data Protection Regulation (GDPR)organizations should not assume that compliance with one automatically means compliance with the other. It’s therefore essential that any business potentially affected by California’s new law understand what compliance entails and take steps to put any necessary new systems in place.  

Compliance: The Essentials

Inventory California Data

Really, it’s always a good idea to conduct an inventory of the data collected and processed, but it’s going to be especially important for compliance with the CCPA. Because the regulation gives consumers the right to request information about how their data is used, the first step will be to conduct and maintain a comprehensive inventory of your data. This should include not only what data you’re collecting, but also how it’s collected, where it’s stored, and who it’s shared with.  

It’s important to note that “personal information” covers more than just names and addresses. It also includes, among others, biometric data, geolocations, and internet activityReally, any information that can be linked back to an individual will fall under the scope of the CCPA.  

Develop Systems to Process Consumer Requests

After conducting a throughout inventory of this data, organizations will need to put in place procedures to quickly and accurately processing consumer requests to access this information. Under the CCPA, consumers have the right to request information on what data is being collected and who that information is being shared with. 

The regulation requires organizations to provide at least two methods for requesting this information, including at minimum a toll-free number and a webpage designated for requests. Once a request is made, businesses need to be able to quickly process and fulfill them. The CPPA requires all requested information to be delivered to the consumer within 45 days of the request.  

For most businesses, this will be the toughest aspect of the regulation to put in place. To help, there are a number of automated tools that can assist with processing. We also recommend having someone on staff certified in privacy through the IAPP or have someone on retainer who can assist with the process.  

Introduce an Opt Out Link on the Homepage

Under the CCPA, businesses will need to include a link on their homepage allowing users to opt out of the sale of any personal information. The regulation requires that this link needs to be “clear and conspicuous” and be titled “Do Not Sell My Personal Information.” Consumers also need to be able complete the opt out request without having to create an account.  

Update Privacy Policy

The CCPA will require businesses to update their privacy policy. According to the regulation, privacy policies will now need to include a description of consumer rights under the CCPA as well as a list of the types of personal information the company collects, shares, and sells with other entities. The privacy policy should also include the link to the “Do Not Sell My Personal Information” page. 

Review Overall Cybersecurity Policies and Practices

On a more general level, businesses should also take the time to ensure their cybersecurity policies and procedures are up to snuff. According to the CCPA, if an organization experiences a data breach, they will be considered responsible and be subject to fines if the state deems the organization to have failed to implement and maintain reasonable security procedures and practices.” There will likely be more clarification on what “reasonable security procedures and practices” entails once the regulation goes into effect, but organizations should play it safe and ensure they have a strong cybersecurity system in place to safeguard against potential liability 

New York Isn’t Sleeping on Consumer Privacy

Two years later the impact of Equifax’s massive data breach continues to be felt. As we reported last week, the FTC announced a $700 million settlement with Equifax. Then on Thursday, in reported response to the settlement, New York governor Andrew Cuomo signed two new data privacy bills into law.  

Here is a quick run down of the two privacy laws New York passed last week and how they could impact your business:

Senate Bill S3582

The first bill passed into law last week concerns consumer credit reporting agencies. Under the new law, all credit reporting agencies that have experienced a data breach are required to offer effected consumers free identity theft prevention and mitigation services for up to five years. The law additionally gives effected customers the right to freeze their credit at no cost.  

SHIELD Act

The second and by far most impactful of the laws passed is the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). While the focus is simply on breach notification procedures, the law is noticeable for the expanded scope of the regulation and the broadened definitions it introduces. 

In short, the new law requires businesses to report any breach of personal information that an organization hasWhat is notable, however, is that the SHEILD Act doesn’t just apply to businesses operating within New York. Instead, any organization that owns the personal information of New York residents must now comply with the reporting requirements.  

What’s more, the law expands the definition of what counts as a data breach. Traditionally, data breaches are understood as an instance where someone actually takes an organization’s data. The SHIELD Act, however, expands this definition to also include instances where the data has simply been accessed by an outside entity. The definition of personal information has also been expanded by thnew law to include biometric data and a usernames or email addresses in combination with a password or security question.  

In addition to notification requirements, the law requires businesses with the personal information of New York residents to implement “reasonable” security requirements. These include compliance with regulations such as HIPPA and GLBA as well as “reasonable administrative, technical and physical safeguards.” 

Lastly, the law lays out a new penalty framework for organizations that fail to properly report data breaches. Under the SHEILD Act, action against businesses will be pursued by the State Attorney General rather than through individual or class action civil suits. The law also increases the maximum penalty for organizations from $150,000 to $250,000.  

Signs of Regs to Come

These two new laws solidify the impression that New York is working hard to strengthen its stance on cyber security and data privacy. Just last month state senator Kevin Thomas introduced the New York Privacy Act, considered by some to surpass even the GDPR in the privacy rights it gives consumers. Perhaps the most unique feature the bill proposes is the concept of Information Fiduciaries. 

While the Privacy Act has a long way to go before passing into law, the ease with which these two laws were enacted may be a sign of things time.  

Writing a Privacy Policy You’ll Actually Want To Read

Creating a privacy policy is necessary for any business collecting or processing personal information and is essentially a legal agreement between you and people visiting your website. And more often than not privacy policies are thought of as just that: a legal buffer. But with more users mistrusting the services they use, these policies should instead be seen as an opportunity to build trust with customers, establish a level of transparency, and show that your respect their privacy.  

Here is a short primer on what should be included in a privacy policy, and how to write it in a way that is accessible to users.  

The What

What information you collect 

It’s important to be upfront about all type of information you may collect about your users. This not only includes personal information (name, email, phone number, etc.), but also things like usage and analytics data, as well as the first- and third-party cookies.  

How you collect information 

Listing the methods used to collect data is another important aspect of a privacy policy. Is it information that they are freely providing? Is it automatically collected through your browser? Is it collecting through a script or plug-ins on your website? Providing this information will help users make informed decisions on how to navigate your site in a way that fits their privacy needs.  

How you use information 

It’s essential that you inform users not only of what you’re collecting, but how youre using that information. In many cases, it can help explain why it’s important that you collecting this information in the first place. Examples include customer service, payment processing, and improving site experience. On top of these, you’ll also need to state if you’re using data for marketing and joint marketing purposes. 

What information you share and why 

You’ll also want to state any information that you share with others. This might be for something like third-party advertising but can also include other companies related by common ownership, non-affiliates that market to you, or even non-profits using the data for research studies. Today, users are concerned about understanding who has access to their data, so this information is especially important.   

How that information is secured  

This is something you’ll definitely want your users to know about. Listing what security systems and practices you have in place will go a long way to show users that you care about their privacy and are taking the necessary steps to ensure it’s secure. 

What privacy options do users have 

It’s become more common for websites to give users some choice with regards to their privacy. This includes whether they can access the data that has been collected, the ability to change what information they want to share, whether they can delete data previous collected, as well as the ability to decide how long you hold on to their information. If you allow users these options, you want to explicitly state that they have those abilities.  

Who users can contact about privacy concerns 

Another component to your privacy policy should be a contact person that users can contact when they have questions or concerns regarding the policy or any other privacy-related issues. It’s important that users have someone they can reach out to when they have concerns.  

Regulation Compliance 

Lastly, depending on where you operate and even where your servers are located, you may be subject to certain privacy regulations that require you to both include certain components in your policy as well as explicitly state your compliance with these regulations. Two big regulations that could effect your privacy policy is the California Consumer Privacy Act (CCPA) (effective in 2020) and the EU’s General Data Protection Regulation (GDPR). Another important regulation is the Children’s Online Privacy Protection Act (COPPA) which requires certain privacy controls and parental consent before collecting data on children under 13. 

The How

Above all, when it comes to writing your privacy policy, it should be readable. 

Your users shouldn’t need a law degree to understand what’s in the policy. Write in plain English. Keep it as short as possible. While there is a lot of information to include, you should stay as concise as possible. If need be, you can layer the policy, meaning have basic language that provides a general overview and link else for details about different sections. Lastly, you want to ensure that the policy itself is easily accessible to users. It shouldn’t be tucked away in tiny font. Place it somewhere prominent that users to find whenever they’d like to refer back to it. 

This is especially important if you need to comply with the GDPR. Not only does the regulation require you to include certain information in your privacy policy, but also includes requirements to ensure your policy is sufficiently clear. The GDPR’s website provides some guidance on privacy policy best practices that you can find here 

Even if you’re not subject to the GDPR, it’s probably a good idea to try and follow their guidelines as well. Again, your privacy policy isn’t just a legal safeguard. It should be understood as a way to communicate to your users about their privacy and ensure them you’re being transparent about your data collection.