🍪 Sunday Deep Dive: Are the Cookies Crumbling? Privacy Law and What You Need to Know
You’ve heard the warnings: Companies are stealing your data. And yet, if you’re anything like most people, you keep using your smartphone, sharing your location with apps, and typing your details into websites without so much as blinking an eye. Short of returning to a medieval way of life, it feels like we have no other option but to leave a trail of data for processors to gobble up or sell to other data-hungry organizations. US businesses have for the most part been spared from privacy regulations like those in Europe, but the cookies are finally showing signs of crumbling. Lawmakers are taking action with a host of confusing and controversial laws. Here’s what you need to know.
Why consumer data is a big deal
The average human generates data almost constantly. Everything — from the embarrassing reality TV you watch on Netflix, to the food in your online grocery shop, and the gross medical questions you search on Google — is recorded, analyzed, and used to sell you things. Often that data is sold on or shared with third parties. It can be stored indefinitely on servers that could be vulnerable to leaks and hacks.
It might not seem like the end of the world if Amazon knows how many pairs of Spanx you own but what about when the data concerned is a record of abortion patients, bank details, or your precise geolocation?
There have been some egregious consumer privacy blunders in the last few years.
Hospital websites sent sensitive medical data to Meta.
A Catholic priest was outed as gay because of data from the dating app Grindr.
Race data were used to offer minority customers higher interest rates on mortgages.
The U.S. military gathered user location data through a Muslim prayer app.
Opioid addiction treatment apps accessed and shared sensitive user information.
Some violations are entirely unintended.
Apple AirTags inadvertently enabled stalking.
The personal information of 500m customers was breached between 2014 and 2018 when hackers accessed the Mariott International systems.
Big Tech’s rampant data gathering is also facilitating monopolization and allowing companies like Meta and Amazon to gain enormous control over our lives and economies.
As the so-called internet of things expands, cars, watches, thermostats, and even insulin-delivery pumps have been added to the list of devices that gather our personal data. That list is only getting longer and as more of our work and personal activities are conducted online, data privacy has become an issue affecting almost every consumer-facing business in every industry.
Why companies should care
Privacy screw-ups can be expensive. According to IBM, the average cost of a data breach in 2020 was $4.2m. That figure is on the uptick. Companies that fail to correctly manage data can fall foul of 2 groups: consumers and authorities.
Consumers care about privacy. In 2021, 96% of iPhone users opted out of being tracked when that choice became available with a new iOS update. According to a survey, 88% of consumers won’t use a brand they don’t trust with data and 39% have lost trust in a company due to a data breach or misuse of data. That sentiment will likely increase. Gen Zers are far more mistrustful about their online privacy when compared to older generations.
Dissatisfied customers can also take legal action. In May, Facebook sent out compensation checks to the sum of $650m after a class action lawsuit found that they were using facial recognition data without consent. And this month, Canadian financial services cooperative Desjardins Group settled a class-action lawsuit for $155m after an insider stole and sold the personal details of 4.2m customers. Those price tags don’t take into account the cost to brand reputation.
And then there are the authorities. This January, France hit Google and Facebook with $170m and $68m fines respectively for violating EU cookie consent rules. Since new privacy laws came into effect in California in 2020, authorities have recorded 27 cases of enforcement action — although the companies in question were allowed to remedy their errors without paying a fine.
As consumers become increasingly aware of the dangers of sharing their data and more privacy legislation is passed, that risk is only getting higher.
The law on privacy
Let’s set it straight. Most US companies are pretty much unregulated when it comes to privacy. They can use, share or sell your data — any data — without telling you. So can any third party that gets ahold of it. And there’s no federal law requiring them to inform you if that data is breached or leaked. But that’s starting to change and it’s happening fast. Here’s a snapshot of the existing and anticipated privacy legislation you need to know about.
If you were in Europe in 2018, you would have heard people complaining. Mostly because the news wouldn’t stop talking about Brexit but also because every company behind every website they ever visited was emailing them at once to ask if they could keep their data. That was the initial impact of the General Data Protection Regulation (GDPR), the EU law that is the gold standard and progenitor of privacy law internationally.
GDPR covers personal data which includes names, locations, and usernames as well as IP addresses and cookie identifiers. It applies to companies based in the region as well as companies based outside the EU that have consumers in Europe (meaning it kept a lot of attorneys very busy, well beyond the shores of the Mediterranean). Individual countries may have slightly adjusted versions of the law but the core principles include:
Collecting the minimum amount of data needed
Satisfying the legal basis for processing data
Good security practices
Keeping records of how data is handled
The law also gives consumers the right to access their data and allows authorities to fine companies for failing to comply — although the latter happens rarely.
GDPR gave the US legal faculty the heebie-jeebies. When it came into effect, the National Law Journal wrote that US attorneys were aware of the new law in “the same way that a child knows about the boogeyman. They know it’s out there, and they know it’s scary — but when you get down to specifics, things get hazy fast.” Now the US has a boogeyman or two under its own bed.
GDPR has been in effect in Europe for four years already but only five US States have successfully passed laws protecting consumer privacy. Here they are, in order of when the law came/comes into effect:
2020: The California Consumer Privacy Act (CCPA)
March 2021: Virginia’s Consumer Data Protection Act (VCDPA)
July 2023: Colorado Privacy Act (CPA)
July 2023: Connecticut Privacy Act (CTPA)
Dec 2023: Utah Consumer Privacy Act (UCPA)
Thirty-one other states, including North Carolina, have privacy laws in the works. The laws introduced in each state are different but the general idea is the same across the board. In short, customers are being given the right to know what information companies have about them and how it is being used. They also have the right to opt-out of some types of data collection.
Businesses, on the other hand, have a duty to provide customers with information about their stored data and to take reasonable steps to keep data secure. Additional rules apply for sensitive data such as biometric data, immigration status, and precise location. These laws are largely enforced by state attorneys in general. And some states (controversially) are giving customers the right to take civil legal action against companies that violate their privacy.
Let’s talk about California. California’s CCPA, which is the strictest state law, is similar to GDPR but differs in some crucial ways.
Scope. The CCPA applies to companies earning significant revenue, processing large amounts of consumer data, and/or making most of their money from consumer data. GDPR applies to companies of all sizes — although small companies have reduced compliance duties.
Legal basis. While the EU requires companies to provide a legal basis for collecting data, the CCPA allows businesses to gather data without justification, so long as customers can opt out of the sale of personal information.
Size of fines. In California, civil penalties are $2.5k per unintentional violation or $7.5k for intentional violations. In Europe, fines can be as high as €20m or 4% of annual revenue.
Privacy advocates have welcomed new state laws but most people agree that a patchwork of different and complex laws is a nightmare for companies that operate across state lines. Experts are calling for a national privacy framework that would make everybody’s lives a whole lot easier.
There are some existing federal laws governing privacy. The Health Insurance Portability and Accountability Act (HIPAA) covers communication between customers and medical providers but not others who gather medical data such as Fitbit or employers with vaccine mandates. FERPA, FCRA, GLBA, ECPA, COPPA, and VPPA (say that five times fast) are all acts that cover specific types of consumer data — from student education records to credit reports and VHS rental records. But there is no national law covering privacy for all types of data. The only federal laws with major reach are actually counter-privacy. For example, federal law requires that US-based software companies provide authorities with access to all stored data.
There have been several attempts to pass more extensive national privacy legislation over the past few years but lawmakers have always failed to agree on a solution. That may be about to change.
At the beginning of June, a bipartisan group of lawmakers published a draft bill: the American Data Privacy and Protection Act. The bill draws on many of the principles of EU privacy law and includes provisions for:
Better child protections
Limits on targeted ads
Limited private right of action
A requirement that companies minimize data collection
A chief privacy officer requirement for some organizations
A U.S. House Committee hearing on the bill took place last week and reports were largely positive but there were some doubts about the proposal, including concerns about:
Creating an excessive compliance burden
The potential for excess litigation
Questions around state preemption i.e. whether companies will still have to follow individual state privacy laws
Consumer experience or “more policies to read, more cookies to consent to” as Sen. Brian Schatz put it
If passed, the bill would be enforced by the Federal Trade Commission (FTC) but federal regulators and state attorneys general would have the right to sue companies that misbehave. Either way, we shouldn’t have too long to wait. Experts anticipate that a compromise must be made before Congress’s August Recess if the bill is to have a realistic chance of passing.
Around 137 countries around the world have passed laws designed to protect consumer privacy. Many of them draw on the principles of the GDPR. New laws are on the way such as in Canada where federal legislation is currently being considered.
So we’re all safe now, right?
The spate of new laws might make it seem like our privacy is being protected. But not everyone feels that way. Privacy advocates argue that the law does not go far enough. There’s still a big gap between US law and the stronger protections in the EU. Virginia’s new act has no opt-out provision and no private right of action — which may be because the law was heavily influenced by Amazon. Preventing private legal recourse is not necessarily a problem if authorities enforce the law but some say that enforcement agencies are seriously underfunded.
Where opt-out provisions do apply, some privacy advocates say that consumers have to go out of their way to protect their data. They would prefer that consumers were required to opt-in before data can be collected, with privacy being the default. Others are concerned that current legislation is not forward-looking because it doesn’t focus on newer technologies like facial recognition and artificial intelligence as well as areas like algorithm transparency.
Privacy best practices
Companies tend to take one of two approaches.
State-by-state: applying different practices for each state or jurisdiction. This is complicated and time-consuming but it allows companies to take advantage of more lax regulations.
The highest common denominator: applying the strictest state law to all customers, regardless of location. Microsoft, for example, is applying California’s CCPA regulations to all US customers.
There is a possible third approach. Companies could take a uniform approach across all jurisdictions that pre-empts future regulations and takes into account what consumers care about most. A survey by McKinsey (see below) found that customers trust businesses that build privacy into their brand. Research also found that 75% of companies that invested in improving customers’ privacy experience saw benefits in terms of customer loyalty and trust.
If customers are given a sense of control and can easily see what they’re sharing and what they get in return, they may even be more willing to provide their data.
More specific actions that companies can take include:
Data mapping. Keeping records is essential for knowing what’s going on.
Identifying any unnecessarily gathered data and minimizing what’s gathered in the future.
Implementing secure data storage systems.
Internal access policies. A third of data breaches come from insiders. Limiting and keeping track of who accesses data can reduce risk.
Setting up a data breach action plan. Consumers appreciate it when breaches are acted on quickly and transparently.
Setting up good systems for dealing with customer queries, complaints, and requests relating to privacy.
Allocating an adequate budget to cyber security and compliance.
What this means for legal
GCs can help businesses navigate fast-changing laws, meet compliance duties and mitigate privacy-related legal risks. Here are 5 ways to get on top of privacy.
Keep tabs on new and pending regulations. You can use the International Association of Privacy Professionals’ US State Privacy Legislation Tracker.
Draft contracts with third-party data processors to ensure compliance.
Don’t be Captain No. If you want buy-in from other departments, seek solutions before shutting down ideas or projects with a privacy-related element.
If you’re at a company with international operations, complete the CIPP training courses to become a European data privacy regulation pro.
Get to grips with the tech. Depending on what kind of business you’re in, a basic understanding of things like cookies, IDFAs, MAIDs, Meta Pixels, ransomware, facial recognition, GPS tracking, and/or eye-tracking technology could help you understand the privacy challenges your business is facing.
It turns out the little private detective icon was lying all along. Incognito mode is not enough to keep our data safe. New laws may be more like net curtains than steel walls but they are a sign of changing times. Businesses and legal departments need to get with the program or prepare to be classed as the peeping toms of the digital age.
🕵️ Want to see more where this came from? Click below to have our Deep Dives neatly packaged and forwarded over to your inbox, every other Sunday.
Curious why an article about Cookie regulation makes no mention of the Eprivacy Directive which is in negotiations to become a binding Regulation in the EU to supplement the GDPR on the subject of Cookies (in a more stringent manner).
The CNIL has already issued enforcement actions under the Directive.