Introduction
In today's digital age, our lives are intricately woven into the fabric of the internet. From storing essential contacts and calendar events to managing our social media profiles, we inevitably share personal details online. As a parent, the thought of freely giving out my family's information to various websites raises concerns for me.
In response to these concerns, I embarked on a journey to understand the privacy laws that protect our information online. This post is a culmination of my research, offering an overview of the privacy laws that safeguard our data. These laws, known as statutes, are enforceable by the government in the respective countries where the companies operate. For instance, Facebook's operations in Australia are subject to the Privacy Act 1988, which is Australia's governing privacy law.
Through my research, which included sources like CookieYes, GDPR.eu, and an informative article from Wired UK on GDPR, I aim to equip you with knowledge about your rights concerning your personal information on the internet. These rights include the ability to access, update, and object to the processing or selling of your information for marketing purposes.
This exploration into privacy laws spans various jurisdictions, highlighting the statutes that apply and under what conditions. Additionally, I delve into instances where these laws have been actively enforced, emphasising the importance of not just having laws but ensuring they are upheld.
Legal framework
Whenever an organisation gathers data from individuals, it must adhere to the privacy laws of the regions where those individuals reside. These laws, often in the form of statutes, are enforced by designated regulatory bodies that have the authority to levy penalties on organisations that violate these laws.
Parents need to understand when these laws apply, as they do not cover every scenario. For each privacy law below, I have included the criteria under which it applies.
For example, the privacy law in Australia applies to users within Australia but only affects organisations that generate an annual revenue exceeding 3 million AUD. Unlike statute laws, the General Data Protection Regulation (GDPR) operates as a regulation rather than a law per se, with each member state of the European Union having its own enforcement agency to ensure compliance.
What is Personal Data
Personal data refers to any information that can be used to identify an individual personally. This includes obvious details such as name, date of birth, and address. It also encompasses more sensitive information like political and religious beliefs, occupation details, and even information about an individual's children, such as where they attend school and participate in extracurricular activities.
Components we need to consider
In my research, I have determined components that parents should look for in privacy legislation.
Consent and volunteering information
Parents should be cautious about providing their own and their family's personal information online.
Privacy laws enable users to opt out of having their information sold. This is the right to opt-out. Consent is the explicit permission that you, as the consumer of their product, give to the organisation to use and sell your data; opting out withdraws that permission. The downside of this option is that the organisation cannot provide you with a personalised service.
In addition, you can apply to get onto a Do not call list so that organisations cannot pester you with sales calls.
Data protection
Parents should be aware of how their data and the data of their family can be used once an organisation holds it. The points to consider concern how the organisation handles your data.
- Right to be forgotten: Individuals can request the organisation to remove their digital footprint - all their personal information.
- Right to opt-out: Individuals have the right to choose not to allow the organisation to obtain their personal information. They can opt out of the sale of their personal information and register on a "Do not call" register to avoid unsolicited calls.
- Right to non-discrimination: Organisations that hold individuals' information cannot discriminate against them based on their exercise of their rights regarding their data. For example, they cannot charge individuals more money or treat them differently if they choose to exercise their right to opt-out.
- Right to access: Individuals have the right to request access to their personal information held by the organisation. They can ask to see what information the organisation has collected about them.
- Right to update: Individuals have the right to request updates or changes to their personal information. They can either update the information themselves or request the organisation hosting their information to update it.
- Right to object: Individuals have the right to object to the processing or selling of their personal information for marketing purposes. They can choose not to allow their information to be used for marketing activities.
- Cross-border transfer: Organisations have to ensure that when they transfer personal information across geographical borders, the recipient organisation will uphold the rights already provided. This means that organisations must take necessary measures to ensure that the personal data being transferred will continue to be protected and handled following the applicable privacy laws and regulations. Australia's privacy law has this provision. To transfer personal information across borders, the recipient organisation has to adhere to the Australian Privacy Act.
Various Jurisdictions
In this section, I will list the different jurisdictions that I researched along with the applicable statutes. This will include the conditions under which these laws apply. Additionally, I will provide examples of cases where these laws have been enforced. After all, there is no use in having laws if they are not effectively enforced.
European Union
General Data Protection Regulation (GDPR) governs how people can access information about them and places limits on what organisations can do with personal data. GDPR addresses any organisation dealing with European citizens.
GDPR is a significant milestone in the development of privacy protections for residents. Many of the considerations I have mentioned above align with GDPR. Other legislation in my research also seems to use GDPR as a benchmark against which to measure privacy legislation.
As an anecdote, I had been receiving a lot of emails about how websites had to change to accommodate the new interventions required by GDPR.
An enforcement tracker is available here.
Australia
Australia's Privacy Act 1988 is a key piece of legislation that governs how personal information is handled by organisations and government agencies. It applies to entities with an annual turnover exceeding 3 million AUD, setting out 13 principles for the management of personal information. The Office of the Australian Information Commissioner (OAIC) is responsible for enforcing these principles and ensuring compliance.
In recent years, the OAIC has taken action against major corporations for breaches of the Privacy Act. For instance, complaints were lodged against Facebook for improperly sharing user data with the app "This Is Your Digital Life" between March 2014 and May 2015, leading to an ongoing case. Similarly, Marriott faced complaints after a data breach exposed the details of 2.2 million guests, with the OAIC recommending remedial actions and threatening legal action if these were not implemented.
China
China's privacy law is the Personal Information Protection Law (PIPL). The Cyberspace Administration of China is the main regulatory authority under PIPL. Other departments such as the Ministry of Public Security, the State Administration for Market Regulation and the Ministry of Science and Technology enforce the law. The law applies to domestic and foreign organisations dealing with mainland Chinese residents' personal information.
One notable enforcement case is against Didi, a ridesharing platform. Didi was fined $1.2 billion for illegally collecting data from users' mobile phones. The data collected included call logs, contact details, location data, photo albums, and apps. Didi is reported not to have taken any corrective actions following the fine.
United States of America
There is no single national law in the United States that governs the privacy of its residents. Individual states have separate legislation that governs the enforcement of privacy laws for their residents.
Notable state legislation is California's. A further federal law is the Children's Online Privacy Protection Act (COPPA).
California
The California Consumer Privacy Act (CCPA) only applies to for-profit companies that meet any of the following criteria:
- Have $25 million or more in gross annual revenue.
- Buy, receive, sell, or share the personal information of 50,000 or more California consumers, households, or devices.
- Derive 50% or more of their annual revenues from selling California consumers' personal information.
Under this legislation, companies are required to adhere to strict privacy protections for California residents, ensuring that their personal information is handled responsibly and transparently.
Specific allegations against Google and Kaiser that led to financial penalties were as follows:
Google: The company was ordered to pay $93 million to resolve allegations that it violated California's consumer protection laws through its location privacy practices. Google was accused of deceiving users by collecting, storing, and using their location data for consumer profiling and advertising purposes without their informed consent. This practice was in direct violation of the privacy rights safeguarded by the CCPA, as it involved the handling of personal information in a manner that was not transparent or fair to the users affected.
Kaiser: Kaiser was found liable for $49 million due to allegations related to the mishandling of medical waste and protected health information at its facilities statewide. This situation not only posed a risk to patient privacy but also violated regulations concerning the secure and respectful handling of health information and medical materials. The financial penalty imposed on Kaiser aimed to address these serious allegations of privacy and health safety violations, ensuring that protected health information is managed in compliance with applicable laws and regulations.
These cases underscore the importance of companies adhering to privacy laws and regulations, particularly those like the CCPA, which are designed to protect consumers' personal information and ensure their privacy rights are respected.
Children’s Online Privacy Protection Act (COPPA)
COPPA falls under the jurisdiction of the Federal Trade Commission (FTC). COPPA's primary objectives are
- to give parents control over what information is collected from their children online
- to protect children's safety while they navigate the internet
- to ensure the security of children's personal information
- to require parental consent when collecting personal information from children.
A high-profile case is against YouTube. As part of the $170 million settlement, YouTube created a new platform for content marked Made for Kids, and content carrying that mark is vetted differently by YouTube. Additionally, YouTube agreed to stop serving personalised ads on content that is identified as being directed to children and to disable comments and notifications on such content. This settlement was significant as it was the largest penalty ever assessed under COPPA at the time, and it highlighted the importance of digital platforms adhering to laws designed to protect children's privacy online.
Conclusion
Knowing your rights will be important when dealing with privacy issues. Organisations that collect and handle your information must comply with privacy laws. Knowing what you are looking for in privacy laws will enable you to better protect yourself and the people that you care about.
Research
Here is an illustration of the points above.
Various Jurisdictions
In this section, I list the different jurisdictions that I researched together with the statutes that apply, including the conditions under which they apply. I also list cases where the laws were enforced. There is no use in having laws if they are not enforced.
European Union
General Data Protection Regulation (GDPR) governs how people can access information about them and places limits on what organisations can do with personal data. GDPR addresses any organisation dealing with European citizens.
GDPR is a significant milestone in the development of privacy protections for residents. Most of the considerations I have included above come from it. All other legislation in my research seemed to use GDPR as a yardstick against which to measure privacy legislation.
As an anecdote, I had been receiving a lot of emails about how websites had to change to accommodate the new interventions required by GDPR.
An enforcement tracker is available here.
Australia
Australia's privacy law is the **Privacy Act 1988**. The governing body is the Office of the Australian Information Commissioner (OAIC). The Act only applies to government agencies and organisations with an annual turnover exceeding 3 million AUD. Within the Act, 13 principles govern how personal information is managed.
Law enforced
- Complaints were made against Facebook, where personal information was disclosed to the app "This Is Your Digital Life" between March 2014 and May 2015. The case is ongoing.
- Complaints were made against Marriott, the hotel group, where 2.2 million guests' details were leaked. Recommendations were made to the organisation to remedy and address the situation. The OAIC may take the organisation to court if it does not comply with the recommendations.
China
China's privacy law is the Personal Information Protection Law (PIPL). The Cyberspace Administration of China is the main regulatory authority under PIPL. Other departments such as the Ministry of Public Security, the State Administration for Market Regulation and the Ministry of Science and Technology enforce the law. The law applies to domestic and foreign organisations dealing with mainland Chinese residents' personal information.
Law enforced
- Didi, the ridesharing platform, was fined $1.2 billion for illegally collecting data from users' mobile phones, including call logs, contact details, location data, photo albums and apps. Didi did not take any corrective actions.
Canada
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that governs the collection, use and disclosure of personal information by organisations and enforces individuals' privacy rights over their personal information.
The law only applies to organisations dealing with personal information for transactions defined as commercial activity. The definition is “commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”. The law does not apply to
- some federal government organisations (those listed under the Privacy Act),
- provincial and territorial governments,
- non-profit and political organisations,
- hospitals, schools, universities and municipalities.
Further, the law applies to organisations within Canada and organisations that move data internationally.
The law is enforced by the Office of the Privacy Commissioner of Canada (OPCC).
Law enforced
- Complaints were made against a New Zealand company that was using the Facebook profiles of Canadians. Recommendations were made to the company to remove the information and establish a data retention policy. This was in July 2018.
- Complaints were made against Dell, where information was obtained by fraudsters who used it to call Dell customers. Dell has since made improvements to its security procedures.
United States of America
There is no single national law in the United States that governs the privacy of its residents. Individual states have separate legislation that governs the enforcement of privacy laws for their residents.
Notable legislation is in California.
California
The California Consumer Privacy Act (CCPA) is the legislation responsible for enforcing privacy protections for the state's residents. The governing body is the California Attorney General.
The law only applies to for-profit companies that
- have $25 million in gross revenue,
- buy, sell or receive the personal information of about 50,000 California consumers, or
- make more than half of their annual revenue from the sale of personal information.
Breaches
- Google was ordered to pay $93 million to resolve allegations that the company's location privacy practices violated California's consumer protection laws. Google was deceiving users by collecting, storing and using their location data for consumer profiling and advertising purposes.
- Kaiser was liable for $49 million to resolve allegations that it mishandled medical waste and protected health information at Kaiser facilities statewide.
Here is the screenshot of what I can find about laws in other states in America.
Research
1. CookieYes
2. What is GDPR?
3. What is GDPR? The summary guide to GDPR compliance in the UK