Are you looking into internet privacy laws? Almost all countries have implemented data privacy laws to govern the collection, notification, and control of information transferred to data subjects. Not complying with these laws can result in penalties, legal action, and even the restriction of a site’s usage in specific jurisdictions.
Understanding and navigating these regulations can be overwhelming, but website operators should be well-versed in the data privacy laws that impact their users. The same applies to Internet users.
Latest And Upcoming Internet Privacy Laws
In the wake of increased demand for web safety and the introduction of new security laws, questions arise regarding what measures should be taken. This includes employee training, secure authentication methods, network security, and access control.
Although the Brave browser is safe and safer than Chrome or Edge, there are no requirements for using it. If desired, companies can use the safe Brave browser and this will be the right measure, although not mandatory.
On the other hand, everything has certain risks and companies need to know where the opportunities and limitations lie for each security tool that is used in their business. Legislation will help with this.
ADPPA
No single, comprehensive federal law currently governs data privacy in the United States, despite several proposals put forward over the years. The American Data Privacy Protection Act (ADPPA) has made progress in the legislative process but failed to pass and has yet to be reintroduced as of now. It still faces significant hurdles. At present, it remains uncertain whether the act will overcome or succumb to those hurdles.
In the meantime, individual states have taken action rather than waiting for the federal government. There exists a complex patchwork of laws and regulations specific to various sectors and mediums. These include addressing telecommunications, health information, credit information, financial institutions, and marketing.
The FTC
The Federal Trade Commission (FTC) is a vital enforcement agency in the U.S. It draws its authority to regulate and protect consumer rights from The Federal Trade Commission Act (FTC Act), which has wide jurisdiction over commercial entities.
The FTC prevents unfair or “deceptive trade practices” and utilizes regulations, enforcement actions, and privacy laws to safeguard consumers.
Other federal laws that govern online information collection include:
- COPPA regulates the collection of information about minors
- HIPAA governs the collection of health information
- GLBA applies to personal information collected by banks and financial institutions
- FCRA regulates the collection and use of credit information
- FERPA protects the privacy of student education records
CPRA
The California Privacy Rights Act (CPRA) stands as the most extensive state data privacy legislation to date. Its effectiveness began on January 1, 2023.
The CPRA, being cross-sector legislation, introduces crucial definitions and grants broad individual consumer rights, placing substantial responsibilities on entities that collect personal information from or about California residents.
While many requirements overlap with the CCPA, the CPRA brought several amendments, such as the right to rectification and the right to restriction, enabling consumers to limit the use and disclosure of sensitive personal information.
Internet Privacy Laws
The definition of personal information was also updated, specifying the need for special protection for certain types, like Social Security numbers.
Companies are now required to ensure that third parties, contractors, and outside service providers with whom they work contractually uphold the same level of privacy protection as the first party. That is if the security measures include the use of a VPN, it is not so important whether a third party uses a Microsoft Edge VPN or an application, it must comply. This is just an example of one effective security measure, but the meaning should be clear.
GDPR
The General Data Protection Regulation (GDPR) stands as the most vital legislation enacted for data protection to date. It governs the collection, use, transmission, and security of data from residents of any of the 28 member countries in the European Union.
Regardless of the collecting entity’s location, the GDPR applies to all EU residents. Organizations failing to comply with the GDPR may face fines of up to €20 million or 4% of total global turnover.
Essential requirements of the GDPR include:
- Obtaining explicit and unambiguous consent from data subjects before collecting personal data, which encompasses information obtained through cookies. The GDPR considers certain information, such as the user’s computer IP address, as personal data, even if not typically regarded as “personal information” in the United States.
- Organizations must promptly notify supervisory authorities and data subjects within 72 hours in most cases when a data breach impacts personal information.
- Data subjects, individuals whose data is collected and processed, have specific rights regarding their personal information. These rights should be communicated through a clear, easily accessible privacy policy on the organization’s website.
Key rights of the GDPR
- Informing data subjects about the collection and use of their data during data acquisition.
- Granting data subjects the ability to request a copy of their data through a data subject request. Data controllers must explain the means of collection, the processing activities, and the sharing of the data.
- Allowing data subjects to request the correction of inaccurate or incomplete personal data.
- Enabling data subjects to request the deletion of their data under certain grounds within 30 days.
- Empowering data subjects to request the restriction or suppression of their data while still allowing for storage.
- Granting data subjects the ability to transfer their data securely from one electronic system to another without affecting usability.
- The right to object: Allowing data subjects to object to the usage of their information for marketing, sales, or non-service-related purposes.
DSA
The new regulation compels platforms like Google and Facebook to remove content that fails to meet certain standards, thereby addressing illegal and harmful content. The Council of the EU states that the primary principle is to make illegal offline activities illegal online as well.
The Digital Services Act (DSA) was implemented on November 16, 2022, with different provisions of the law taking effect at various times. The law will be fully enforced on February 17, 2024.
The regulation applies to four categories of businesses:
- Intermediary services that provide network infrastructure, such as ISPs
- Hosting services, including cloud and web-hosting services
- Online platforms that facilitate interactions between sellers and consumers, such as online marketplaces, social platforms, and app stores
- Very large online platforms, defined as platforms reaching over 10% of the 450 million European consumers.
Internet Privacy Laws
Each category has its own set of requirements. All the categories mentioned are obligated to:
- Engage in transparency reporting regarding court orders, actions taken, content moderation efforts, and more
- Update terms of service to adhere to fundamental rights
- Cooperate with national authorities
- Establish points of contact for authorities and, when necessary, legal representatives.
Remaining aware of current data privacy laws is crucial, but let’s focus on what’s new in 2024 and beyond. Some of these laws are already in effect, some will take effect this year, and some have relevant future dates.
While preparing for these upcoming regulations is important, don’t forget that there are also existing laws currently in effect.
Author: Andrew Stroshein is a privacy lawyer
