Current laws supporting privacy of online personal information

Personal data extends into many categories and can be very invasive.

Privacy legislation benefitting those who want control over their personal information is finally here. If you don’t like your home address, birthday, age, family information, spending habits, online behaviors, court records, criminal records and more splattered all over the Internet for others to see, share or buy you can finally do something about it! However, that’s only if you are a resident of a state that has passed such legislation. But please don’t despair if the state you reside in is not mentioned in this article. There are hundreds of other privacy bills under consideration and if current legislation does not appear to apply to you now, several of these are likely to help you in the future. Let’s explore further…

What is personal Information?

Personal information identifies, describes, pertains to, is capable of being associated with, or could be directly or indirectly linked to a specific consumer or household. It includes, but is not limited to: Real name(s), Aliases, Postal addresses and address history, Unique personal identifiers, Online identifiers, Internet Protocol (IP) addresses, Email addresses, Account names, Social security number, Driver’s license number, Passport number, Internet or other electronic network activity information, including, but not limited to a consumer’s browsing history, search history, interaction with a website, application or advertisement, Geolocation data, Education information, Professional or employment-related information, Audio, electronic, visual, thermal, olfactory or similar information, Inferences drawn from any of the information above to be used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes… and more.

What legislation currently gives consumers control over their personal information?

Most of the current state legislation gives consumers some rights if their personal data is breached, but only a few states offer legislation that gives consumers the legal right to exercise control of their own personal information. Since I am faced with regular requests to help remove online personal data for others I’m going to focus on the legislation that supports this goal and provides consumers with the power to exercise control over their personal information.  

The first bill to provide this power to consumers was Nevada’s Senate Bill 220 which went into effect in October 2019. The California Consumer Privacy Act is more comprehensive than the Nevada Bill and it goes into effect in January 2020. States that include Arizona, Arkansas, Colorado, Connecticut, Delaware, Iowa, Illinois, Maine, Maryland, Massachusetts, Michigan, Minnesota, Missouri, Montana, Nebraska, New Jersey, New York, Oregon, Pennsylvania, South Carolina, Texas, Utah, Vermont, Virginia and Washington have a version of privacy legislation pertaining primarily to data breach protection and privacy policies but do not offer consumers much direct control over their data. With many additional privacy bills in the works other states are likely to follow in California’s footsteps in the near future.

The California Consumer Privacy Act (CCPA) gives Californian consumers the right to:

• know what personal information is being collected about them.
• know whether their personal information is sold or disclosed and to whom.
• say no to the sale of their personal information.
• get access to their personal information.
• have their personal information deleted.
• get equal service and price after exercising their privacy rights.

The ability to have personal information deleted with legal backup is key!

What businesses are impacted by the CCPA?

Any business that collects data from California residents and meets one of the criteria below is impacted.

• Annual gross revenues in excess of $25,000,000.
• Buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
• Derives 50 percent or more of its annual revenues from the sale of consumers’ personal information.

How can a business comply with the CCPA?

Businesses must:

• honor a request from a California consumer who asks for the types of personal information that it collects about that consumer.
• promptly honor a request from a California consumer who asks to see their own personal information that is stored, shared or sold by that business.
• deliver the information free of charge within 45 days of receiving a verifiable request.
• delete personal information belonging to a Californian upon receipt of a verified request from that person or from an authorized representative of that person.
• provide consumers with two or more methods for submitting information requests. (toll-free telephone number, website contact address, web portal, or another method of contact approved by the Attorney General.)
• take reasonable security precautions to protect consumer data from breaches or be assessed fines for not doing so if breached.

Businesses are prohibited from:

• selling a California consumer’s personal information after being asked not to.
• discriminating against the consumer as a result of exercising privacy rights.
• selling the personal information of Californian consumers under 16 years without express authorization from a parent or guardian.
• requiring the consumer to create an account with the business in order to make a verifiable request.

CCPA also authorizes financial incentives for collection of personal information.

What happens when a business does not comply with the CCPA?

Any consumer whose non-encrypted or non-redacted personal information is accessed, stolen or disclosed as a result of the business’ lack of reasonable security procedures and practices to protect the personal information may file a civil action for any of the following:

• To recover damages in an amount of not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
• To obtain injunctive or declaratory relief.
• To obtain any other relief the court deems proper.

In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

How to file a claim against a business:

• The consumer must provide the business with 30 days’ written notice identifying the provisions of the CCPA that the consumer believes are being violated.
• No notice is required prior to a consumer initiating an action pertaining to damages suffered as a result of the alleged violations.
• If a business continues to violate the CCPA in breach of the express written statement provided to the consumer the consumer may initiate an action against the business to enforce the written statement and may pursue damages for each breach of the express written statement.

A business shall be in violation of the CCPA if it fails to cure any alleged violation within 30 days after being notified of noncompliance.

• The business will be liable for a civil penalty in a civil action brought in the name of the people of the State of California by the Attorney General.
• The civil penalties will be assessed and recovered in a civil action brought by the Attorney General.

Any person, business, or service provider that intentionally violates this title may be liable for a civil penalty of up to seven thousand five hundred dollars ($7,500) for each violation.

Nevada’s privacy legislation, Senate Bill 220 (Effective October 1, 2019)

Senate Bill 220 prohibits an operator of an Internet website or online service which collects certain information from consumers in Nevada from selling that information if directed by the consumer.

The act requires the following information in a business privacy policy:

• The categories of information collected.
• The categories of third parties with which the data is shared.
• A description of the process consumers may use to review and request changes to their covered information.
• A disclosure that third parties may track consumers’ online activities and the effective date of these notices.

Organizations that violate these terms may be subject to a penalty up to $5,000 per violation as well as a temporary or permanent injunction.  The attorney general’s office will have the power to bring actions for violations but allows offenders a 30-day period to fix violations other than those that deal with opt-out rights.

Maine Act to Protect the Privacy of Online Consumer Information (Effective July 1, 2020)

Maine’s privacy legislation:

• Prevents broadband internet access providers from “using, disclosing, selling or permitting access to customer personal information unless the customer expressly consents to that use, disclosure, sale or access.”
• Prohibits broadband providers from refusing to serve a customer or charging them more if they don’t consent to the use, disclosure, sale or access of their personal data.
• Requires providers to take reasonable measures to protect customer personal information from unauthorized use, disclosure, sale or access.

The CCPA and Nevada Senate Bill 220 are not iron clad however, they are likely to offer much sought out relief to those requiring privacy for a large variety of reasons even if it’s not as easy to obtain relief as the legislation implies it will be. As this legislation is put into practical use, I assume that these laws will be updated to overcome current limitations and weaknesses and other states are bound to follow. Let’s all look forward to a time in the not too distant future where every United States resident is offered significant and equal privacy protection. 

Until next time, … Stay Cyber Safe.