Privacy Policies in the Digital World

Chapter Summary
This chapter will inform the reader of the most recent privacy legislations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Readers will also explore what privacy policies are and why they are necessary. Privacy legislations have significant changes designed to better address the realities of an evolving, digital world while increasing the level of compliance and accountability for organizations processing personal data. Important concepts include greater transparency for individuals on how and why personal data is processed while strengthening the rights of individuals with regard to their personal data. This chapter will take a deep dive into the details that make up privacy policies/legislations. In addition, the chapter will discuss how the US is following in the European Union’s footsteps in implementing federal updated privacy legislation to protect consumers and mandate companies to address privacy controls and risks in our evolving digital world.

1.7.1 Privacy Policy Overview
Privacy policies are legally binding statements that specify how personal data is collected, processed, and stored. As computing power increases allowing for technology to become an everyday tool, the amount of personal data being collected from individuals is exponentially increasing. Personal data can be anything that can be utilized to identify an individual including, but not limited to, an individual’s name, contact information, address, etc. With the idea of big data increasingly becoming a reality, it is imperative to ensure that proper privacy policies are in place. Privacy policies ensure the security of the collected data and guarantee the use of data follows only the guidelines shared with the individuals whose data is being collected. For privacy policies to be effective they should be clear and highly visible. Privacy on the internet is a concern because there is a lot of valuable information being sent and received online. Privacy Policy agreements are mandatory in the United States if any personal data is to be collected. To enforce the need for privacy policies and the proper collection and use of personal data, the Federal Trade Commission (FTC) has enforced state and federal level laws outlining the do’s and don’ts surrounding data collection, data procession, data storage, and data usage. The FTC has outlined five principles to promote fair data collection practices. These principles are commonly referred to as the Fair Information Practice Principles (FIPP), which are:notice/awareness,choice/consent,access/participation,integrity/security,and enforcement/readiness. The first principle, notice/awareness, requires industries to provide consumers/users with a notice before they can proceed to collect any personal information. Choice/consent outlines the option for the consumer with the option for how their information is used. Access/participation allows consumers to view the data being collected on them and provides them with the opportunity to edit any of the collected data. Integrity/security requires the data collected to be stored in a safe and secure manner. Lastly, enforcement/redress requires that the above four principles are constantly reinforced throughout the entire data collection, processing, usage, and storage process.

1.7.2 Privacy Policies
The United States has little to no federal privacy policies to protect consumer data. The amount of data that consumers disclose to various websites and applications is staggering and there is very little regulation surrounding the collection, security, use, and storage of consumer information [in the United States]. There is no current framework for federal privacy laws in the United States compared to other countries. The European union has released a General Data Protection Regulation (GDPR) which clearly outlines the protection of consumer data and processing. Canada has enacted a Privacy Act which highlights the purpose of the act, the policies that are required for data collection, retention, and disposal. Additionally, the Canadian Privacy Act outlines any possible exemptions from the policy and how users are allowed to access their data. Countries such as Russia, Singapore, United Kingdom, and Philippines have also created privacy policies to effectively govern and protect consumer information. The United States is following slowly behind. Below we will explore some of the current privacy policies enforced in the U.S. and globally.

US Privacy Act (1974)

The US Privacy Act of 1974 gave US citizens the right to access any data held by a government agency, the right to copy that data, the right to collect data errors, and the ability to restrict access to data on a need to know basis. The regulations of the US Privacy Act include:

Right of US citizens to access any data held by government agencies Right of US citizens to hold a copy of the same data Agencies should follow data minimization principles during the data collection process Access to data is restricted on a need to know basis Sharing information between other federal and non-federal agencies is restricted and only allowed under certain conditions

HIPAA - Health Insurance Portability and Accountability Act (1996)

It was passed by Congress in 1996.

HIPAA is responsible for the following: It provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs It reduces fraud and abuse in the health care sector It mandates standards for information on electronic billing and other health-care processes It requires the protection and confidential handling of protected health information The HIPAA Privacy regulations require all parties in the health care sector (including providers and organizations), as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. Different forms of PHI include paper, oral, and electronic. Additionally, It minimizes health information to be used and shared to the minimum extent that is necessary to conduct business with.

HIPAA and the US Privacy Act of 1974 only defines policies regarding consumer health and government data, leaving the majority of other forms of consumer data to be governed by policies defined by industries and/or corporations. Some states have taken it upon themselves to create legislation to change what data the people have access and control over and almost all states have a notification policy to let you know when your data has been breached, but that would not be preventive like many of the proposed federal bills would.

COPPA - Children’s Online Privacy Act (2000)

COPPA is responsible for regulating personal information collected from minors. It was initially established to prohibit online companies from requesting PII from children that are under 12 years old, unless a verifiable parental consent is present. After updates to the regulations were conducted, the scope of the law was expanded and broadened the types of PII that it covers (screen names, email addresses, photographs, audio files are included).

COPPA additionally protects the privacy of children by allowing access only to companies that are capable of ensuring confidentiality and security.

CCPA- California Consumer Privacy Act

California is in the process of passing the California Consumer Privacy Act (CCPA). The CCPA outlines that eligible California residents will have the right to:

· 	Know what personal information (PI) is being collected about them · 	Access their PI twice in a 12-month period · 	Receive a copy of their PI being collected · 	Know if their PI is being sold or disclosed, and to whom · 	Request their PI to be deleted · 	Receive an equal level of service when exercising their rights The right to know, delete, access, be made aware of any portability, and opt-out are necessary in order to ensure that consumers have visibility towards their data. Having federal/state wide privacy policies standardizes the proper methods and practices associated with data collection. California passed the California Consumer Privacy Act (CCPA ) unanimously, went into effect at the beginning of 2020 and will begin to be enforced in July. This is groundbreaking legislation and gives the power back to the people. Since it is only a state level act, it does not have any direct effect on the other 49 states but could set a precedent. It would also be a huge step forward because California is the home of most technology companies. This act would require companies to disclose what information they are collecting, why they are collecting it and who is using the data. It also gives the customer the right to have any unwanted data deleted or to have the companies not share the data that has been collected. This would follow suit with California’s amended constitution stating that privacy is an “inalienable” right of the people (Chau, 2018). This legislation will apply for any company that operates within the state and “either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half its money off of user data” (Edelman, 2020). This would affect many large companies, including Facebook, Google and Amazon. When someone with an IP address based in California accesses a website they will get a banner on the screen saying “Do Not Sell My Personal Information.” This will stop websites from targeted ads because no cookies will be sold to third parties. If companies do not comply with CCPA, users will be able to sue. The attorney general’s office will have the responsibility to bring any other companies that have violated the law to court. They have already said they will not be bringing cases to court just based on resources.

GDPR-General Data Protection Regulation

The General Data Protection Regulation is a privacy policy established in the European union. It describes the law on data protection and privacy in the European Union. It also addresses the transfer of personal data outside the european union. As the General Data Protection Regulation (GDPR) applies to consumers outside the European union, it is something that countries around the world have slowly begun to adopt. The data protection principles outlined within the GDPR are:

·  	Data fairness and lawfulness ·  	Data purpose limitations ·  	Data minimization ·  	Data accuracy ·  	Data storage limits ·  	Data integrity and confidentiality ·  	Data protection being the core foundational process The GDPR extends consumers in the European Union’s rights including access, consent, portability, restriction, and erasure of PI data. EU consumers under the GDPR have the right to discover how PI is being used and for what purpose. However, this does not apply to only industries and/or corporations within the EU. For example, if an individual accessing a US website/platform from within the EU the US website/platform will have to align with the GDPR policy. For this reason, many countries are slowly moving towards adopting their own privacy policies similar to the GDPR.

1.7.3 GDPR V.S. CCPA
Both the GDPR and the CCPA are meant to define how businesses handle consumers’ personal data, but there are just as many similarities as differences between the two. The CCPA was passed over 1.5 years later than the GDPR, and much of its policies are based on the GDPR. Both of them also carry penalties for companies found in violation, and they both address the right to be informed, right of access, and right of portability. All of these encompass consumers’ rights to own their private data. Specifically, they both give consumers the right to deletion of personal data, opting out, and data transparency. There are some key distinctions between the GDPR and the CCPA other than just location. The CCPA applies to Californian businesses that either have over $25 million in revenue or whose primary business is handling consumers’ data. The GDPR applies to any businesses handling European citizens’ data. Another big difference is the monetary punishment for the two, and the requirements for monetary punishments. The GDPR allows for up to 4% of a company’s annual turnover or $20 million, whichever is bigger. This punishment can be applied before and violation has happened if the company is determined to be at risk or has been irresponsible with their handling of data. The CCPA on the other hand is much lighter: violations occur up to $7,500, but allow consumers to mass-sue the company in violation. The requirements for these violations are only after a breach or incident has occurred. Many argue that this is too lenient and is too late for any real data breach prevention to occur. Overall the GDPR is focused on creating a “privacy by default” legal framework for all of the EU, while the CCPA is focusing on creating transparency in California’s huge data economy.

1.7.4 The Future of U.S. Privacy Law
The creation and adoption of a new US privacy law similar to GDPR could positively impact the country from various aspects to include economically, politically, and culturally.

From an economic perspective, implementing new and updated privacy law in the US not only protects our consumers but our US based corporations. When we think of implementing new US privacy law similar to GDPR we have to implement it both from a consumer and corporation perspective. Having a new federal privacy law rather than having each state create its own privacy law similar to CCPA would be a more common sense and efficient method to implementing new data privacy law in a digital world. Focusing on the corporate and economic perspective implementing new and updated privacy law is not a want it’s a critical need for the US. The US as an economic super power and having the largest economy in the world needs to align to global data protection standards such as GDPR. Aligning to global data protection standards will ensure the US maintains a competitive advantage in the global digital economy. As a country and having so many US based Technology companies integrating with global protection standard to include GDPR is an economic must.

From a political perspective, there are also positive impacts of implementing a new privacy law in the US similar to GDPR. Politically, it could be a good strategy to implement new privacy law similar to the EU as it would improve and maintain EU and US relations. The EU and the US are interconnected politically and economically as they heavily support the needs of each other. Data privacy in the digital world and economy should be no different than support each other’s Wars.

From a cultural perspective, the US is more than ready to adopt its own GDPR based privacy policy and CCPA is a perfect example of how consumers are in favor of stricter data privacy and security laws. GDPR sparked US consumers to demand a country and culture of digital and data privacy. US consumer have a shift in how and when US based organizations protect the data they collect, where it’s stored, and how it flows. The focus now in the US is protecting digital and data privacy as a legal imperative as protecting property or contracts. Similar to EU citizens/consumers our US citizens/consumers are now more than ready to treat privacy including digital privacy as a “Human Right”.

Conclusion
Privacy policies are essential components of society, especially in the digital age. With the amount of personal data available on consumers increasing exponentially, privacy policies and legislations are imperative to outline and standardize proper data collection, use, and protection methods. Efficient privacy policies are visible for both the user and the corporation, business, or government entity collecting any user information. These policies and legislations should clearly outline what data is being collected, how it is being collected, what measures are taken to ensure that data is protected in all stages, who [if anyone] the data will be shared with, how that data will be shared, how the data will be stored, and how to access the data being collected. Following the European Union’s lead the rest of the globe has begun to create national level, standardized privacy policies and legislations to effectively protect user data.