Posted By Gbaf News
Posted on June 13, 2020
In the last few years, data privacy, network security, cyber attacks etc. have all become buzzwords. Zuckerberg’s trial and sudden emails from companies saying “We have updated our privacy policy” have got us all thinking about what this is all about. Today we will provide you with a simple guide to understanding the data privacy space in America and how it is (or is not) regulated.
What is Data Privacy?
Data privacy does not have a set definition. Even the EU’s General Data Protection Regulation (GDPR), which is considered the most comprehensive piece of law in data privacy, has not defined it. But to understand it in simple terms, let’s break down the two words:
- Data: Data in the context of data privacy can include any of your personal information, ranging from sensitive personal information like passwords, social security numbers, address etc. to other personal information like your chats, photographs, even your usage of emojis. Thus, every movement of yours can be converted into data and be monetised.
- Privacy: Privacy is your right to protect your personal space and be in control of what others are allowed to see.
Thus, data privacy means your right to protect and have control over any personal data. In the booming era of technology, your right to data privacy extends to online spaces, which means you must have the right to control the data online companies store about you. This idea has now emerged into a greater set of rights like the right to access, right to correct, right to be forgotten etc.
Why does Data Privacy Matter?
A question that often arises in the minds of people is why so much hue and cry over data privacy is even necessary. Why should I be scared of sharing my personal details if I’m not doing anything wrong?
Think of it this way: say you are put in a room with 4-5 CCTV cameras constantly monitoring and broadcasting your activities. Will there not be a difference in your behaviour immediately? Data storage by corporations works in the same way. Corporations collecting and monetizing your online activities is not only unethical but is also no different from a virtual CCTV. Hence, it is your right to not be under constant surveillance even if there is no tangible harm being done to you.
It’s not like data storage cannot lead to tangible harms. Data leaks across the world have led to major crimes like phishing, stalking, financial crimes etc. Hence, data privacy matters not only in and of itself but it is also a means to protect you from any other crimes.
What is the Legal Framework for Data Privacy in America?
Unlike the EU, America does not have an all-encompassing law on data privacy. But it has several other laws at the federal and state level, which protect and deal with data privacy. This framework, however, is incomplete and there are many areas like Right to be forgotten, Right to erasure etc., which are still not available to every American. Here is a guide to all the laws concerning data privacy in the USA.
Federal Laws
- Privacy Act, 1974
This is one of the first pieces of privacy legislation in the world. It deals with the collection, use and distribution of “personally identifiable data”. But the caveat here is that it only deals with information collected by the government. It provides citizens with a restricted right to obtain the data stored by the government and a right to correct the data collected. It also ensures that only limited and necessary people within the government have access to your personally identifiable information.
But, as mentioned, this only deals with governments. Hence private corporations are not bound by this.
- USA PATRIOT Act
An acronym for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, 200, this act was brought in immediately after the 9/11 attacks. An act that was initially aimed to counter terrorism has now become a tool for unnecessary governmental surveillance.
This law allows the government to collect and store any personal information about any person if they feel that they may be engaging in terrorist activities. With regard to data privacy, this act becomes relevant because it has provisions where the government can seek personal information about any individual from third parties upon a mere doubt. Simply put, this means that the government can ask Facebook to deliver personal information about you, without your consent, and Facebook will be bound to deliver it. Let alone consent, you might not even be made aware of your data being shared with the government.
This act has become an important concern in the data privacy space not just in America but also in Europe and other jurisdictions with strict data privacy laws.
- Federal Trade Commission (FTC) Act
This is the Act behind all the heavy fines imposed on Facebook, Uber etc. for privacy violations. Ironically, this act does not even directly deal with data privacy! The FTC is an independent law enforcement agency that aims to prevent unfair competition and protect consumers. Here is how the FTC increased its scope to deal with data privacy.
Section 5 of this Act prohibits companies from practising any deceptive activities in the marketplace. In the case of Facebook, it acted against its privacy policy and allowed third parties to use the personal data of individuals without their consent. Since the privacy policy was different from their actual actions, this was termed to be “deceptive” and the FTC was allowed to take action.
What this means for data privacy is that unless there is a clear violation of company policy, the FTC cannot take any action. So in cases where companies sneakily make you agree to their terms and conditions, the FTC cannot do anything.
- Sector-based laws
There are several other sector-based regulations which deal with information of a certain group or sector of individuals. They do not directly deal with data on the internet but are indirectly applicable. Here are a few:
Children’s Online Protection of Privacy Act (COPPA): This restricts the collection of data of children under the age of 12. Data can only be collected upon explicit consent by the parents.
Health Insurance Portability and Accountability Act (HIPAA): This act was designed to protect medical and health-related information of patients. It allows only those involved in treatment and other medical processes to access your health information. It requires your consent before it is shared with anyone else.
State laws
- Data Breach Notification
This is common to all 50 states in America. If there is a data breach, i.e. a loss or accidental publication of data, the company that suffers such a breach is mandated to notify the state governments. This helps in making consumers aware if there is any data breach at a company which stores their information.
- California Consumer Privacy Act, 2018
This is one of the most comprehensive laws on data privacy in the USA. Although it is only applicable to people in California, this act is a good blueprint for a federal law. This act provides consumers with a right to access and delete any personal information held by corporations. Additionally, it also requires companies to provide reasonable security of data to consumers. However, it still does not impose any mandatory security procedures or fines on corporations. How useful and effective this act becomes is something only time will tell.
- Others
Maryland, New York, Hawaii, Massachusetts etc. are also in the process of getting their own data privacy laws. Most of them have relied on the GDPR and CCPA and are designing their law accordingly.
However, the problem of data privacy cannot be completely resolved until there is a federal law on it. As powerful as state laws can be, they will always have restrictions when it comes to global data collection and cross-border data transactions.
How Can You Protect Your Data?
Perfect laws have never existed. There are always going to be some loopholes and difficulties in every law. It is then important for us to take preventive measures to protect ourselves. Here are a few ways in which you can protect your data:
- Choose proper passwords: We know it is very difficult to have different passwords for every website. But having just one password for every website can do a lot of damage. So use different passwords every time. Store them in a secured place offline so you do not forget.
- Use VPN: Public WiFi networks are great, but they can be a gold mine for data hackers. Always use a VPN when using public WiFi in order to protect your information. A VPN, i.e. a Virtual Private Network, gives you a private mechanism to surf the internet. You can also use it to browse content from other countries, so it’s a win-win!
- Review App Permissions: You can adjust these in your settings. Review and decline permissions which are unnecessary for an app to function.
Cyberspace is still evolving and there are many things that American law still does not cover. But we hope this gave you a brief understanding of the current data privacy space in America. Your data is very important and needs to be protected. So ensure you take appropriate measures to protect yourself.