Tuesday, August 21, 2018

Do Privacy Laws Protect Internet Users?

There’s one easy answer to that. If privacy laws were sufficient to protect users, I wouldn’t need to write this blog! Users should know the ways in which laws try to protect them and how to take advantage of protections offered. Even then, it’s always “User Beware” on the internet.

What Do Privacy Laws Protect?


Privacy laws, in the US and other countries, are designed to protect user data. Keep in mind that this is important but not quite the same as protecting users while they travel the net. Privacy laws are focused on the ways in which businesses collect, store and use their customers’ data. Businesses necessarily require data to complete transactions. They should only store that data beyond the transaction with user permission. They should destroy data for which there is no permission after a ‘reasonable’ time.

Both of those principles are often violated. In 2000 the credit card numbers of Bill Gates and thousands of other well-known people were stolen from registration data at the World Economic Forum in Davos, Switzerland. Unbelievably, the same thing happened on a smaller scale in 2008, and they got Bill Gates’ number again. The hackers are not plucking these numbers out of the ether. They are accessing them after they have been stored in a commercial database. In the 2000 hack the data had unnecessarily been stored long after the conference was over. In 2018 it looks as if conference protesters were banned from the area and went off and hacked its records just ‘to show them’. Either way, it was embarrassing.

The Strongest Data Protection

https://www.cnil.fr/en/data-protection-around-the-world
This world map gives an overview of the strength of data protection laws. The link takes you to the interactive version. The US is shown as barely adequate while the EU is in a category of its own. More about the EU in a moment.

Many ratings give Iceland the top rating for the strictness of its data protection laws. The Scandinavian countries are mentioned frequently. Some tech experts argue that this makes those countries strong candidates for locating firms that specialize in cyber security. The fact is that the large companies are global, which forces them to comply with the strongest laws. Users might be better off looking at where a company does not operate—does that mean the company is avoiding strong laws? The case in point at the moment is the General Data Protection Regulation of the European Union, which went into effect in May of this year. Among other things, it has caused some US companies to block users from EU countries because they are not complying with the regulations and do not want to face stiff fines. I wrote a post for marketers last fall. This infographic summarizes the salient points.

What Businesses Must Do To Protect Customer Data


The GDPR requires that all companies doing business in an EU country abide by the regulations, which have the force of law. Large fines can be imposed on firms that do not comply. Here is what consumers can expect in terms of protection under the GDPR:

• To be informed about how and why data is being collected by means of privacy statements
• To have access to their data and to information about how it is being processed
• To have incorrect or incomplete data corrected
• To have data erased when there is no compelling reason for further processing. This is often referred to as “forgetting a data subject.”
• To restrict the processing of personal data
• To provide for transfer of data from one IT environment to another (data portability)
• To object to certain types of data processing
• To be protected against harm from automated data processing that is not subject to human intervention.

The term ‘processing’ appears frequently. What does it mean? Basically, it means any operation performed on the personal data of subjects, from collection to storage to statistical manipulation to use in a communications activity. Here is a definition from a German consulting company that specializes in the GDPR:

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

In other words, anything done with or to the data.

How Do Consumers Know Their Data Is Being Protected?


Consumers should take the protections listed above seriously. If they make a data-related request and it is not honored, that’s a big signal that the company is not meeting its legal obligations. In the US the Federal Trade Commission is the agency most directly concerned with data security and privacy issues. The FTC is concerned with all types of scams and rip-offs and they have a page on which consumers can voice concerns about privacy. That type of concern goes under their Identity Theft heading.

There is a visible way consumers can be aware that a website is complying with strict data protection policies. The page below contains a privacy notice I found while researching this post. As with many you see these days, it warns about the use of cookies, those snippets of code that track users on the web.

• At the lowest level of acceptable permission a privacy notice just says something like “continuing to use this site will constitute acceptance of our cookie policy.” Ok, the user has been warned.
• A higher level is to require the user to click something like an Accept box before continuing to use the site. The user has done something proactive, suggesting at least a minimal level of attention.
• The graphic below has a link to the website’s settings, encouraging the user to actively manage the access and use of personal data. That’s a good, transparent thing to do and consumers should take advantage of it.

The other type of notice frequently seen these days is one that says, “We’d like to send you notifications.” The user must give an affirmative reply to start the notifications but usually has to check the negative just to get rid of the box.


Once Again, Do Privacy Laws Really Protect Users?


The laws are trying to offer protection, but it is hard to get out in front of the bad actors, who always seem to have a new scheme up their digital sleeves. Users need the help of government agencies that have enforcement powers. The agencies need the help of internet users who see suspicious activity or recognize a lack of required protections.

It is a case of “See Something, Say Something,” although it’s true that the wheels of justice can grind very slowly. Businesses have a huge responsibility to use consumer data with respect and to zealously protect any stored data. Consumers have a responsibility to look out for their own data welfare and to help identify malicious sites or those simply derelict in their duty.

Stay safe!
