US cybersecurity and data privacy laws are, to put it lightly, a mess.
Years of piecemeal legislation, Supreme Court decisions, and government surveillance crises, along with repeated corporate failures to protect user data, have created a legal landscape that is, for the American public and American businesses, confusing, complicated, and downright annoying.
Businesses are expected to comply with data privacy laws based on the data’s type. For instance, there’s a law protecting health and medical information, another law protecting information belonging to children, and another law protecting video rental records. (Seriously, there is.) Confusingly, though, some of those laws only apply to certain types of businesses, rather than just certain types of data.
Law enforcement agencies and the intelligence community, on the other hand, are expected to comply with a different framework that sometimes separates data based on “content” and “non-content.” For instance, there’s a law protecting phone call conversations, but another law protects the actual numbers dialed on the keypad.
And even when data appears similar, its protections may differ. GPS location data might, for example, receive a different protection if it is held with a cell phone provider versus whether it was willfully uploaded through an online location “check-in” service or through a fitness app that lets users share jogging routes.
Congress could streamline this disjointed network by passing comprehensive federal data privacy legislation; however, questions remain about regulatory enforcement and whether states’ individual data privacy laws will be either respected or steamrolled in the process.
To better understand the current field, Malwarebytes is launching a limited blog series about data privacy and cybersecurity laws in the United States. We will cover business compliance, sectoral legislation, government surveillance, and upcoming federal legislation.
Below is our first blog in the series. It explores data privacy compliance in the United States today from the perspective of a startup.
A startup’s tale—data privacy laws abound
Every year, countless individuals travel to Silicon Valley to join the 21st century Gold Rush, staking claims not along the coastline, but up and down Sand Hill Road, where striking it rich means bringing in some serious venture capital financing.
But before any fledgling startup can become the next Facebook, Uber, Google, or Airbnb, it must comply with a wide, sometimes-dizzying array of data privacy laws.
Luckily, there are data privacy lawyers to help.
We spoke with D. Reed Freeman Jr., the cybersecurity and privacy practice co-chair at the Washington, D.C.-based law firm Wilmer Cutler Pickering Hale and Dorr, about what a hypothetical, data-collecting startup would need to become compliant with current US data privacy laws. What does its roadmap look like?
Our hypothetical startup—let’s call it Spuri.us—is based in San Francisco and focused entirely on a US market. The company developed an app that collects users’ data to improve the app’s performance and, potentially, deliver targeted ads in the future.
This is not an exhaustive list of every data privacy law that a company must consider for data privacy compliance in the US. Instead, it is a snapshot, providing information and answers to potentially some of the most common questions today.
Spuri.us’ online privacy policy
To kick off data privacy compliance on the right foot, Freeman said the startup needs to write and post a clear and truthful privacy policy online, as defined in the 2004 California Online Privacy Protection Act.
The law requires businesses and commercial website operators that collect personally identifiable information to post a clear, easily-accessible privacy policy online. These privacy policies must detail the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process—if any—for a user to review and request changes to their collected information.
Privacy policies must also include information about how a company responds to “Do Not Track” requests, which are web browser settings meant to prevent a user from being tracked online. The efficacy of these settings is debated, and Apple recently decommissioned the feature in its Safari browser.
Freeman said companies don’t need to worry about honoring “Do Not Track” requests as much as they should worry about complying with the law.
“It’s okay to say ‘We don’t,’” Freeman said, “but you have to say something.”
The law covers more than what to say in a privacy policy. It also covers how prominently a company must display it. According to the law, privacy policies must be “conspicuously posted” on a website.
More than 10 years ago, Google tried to test that interpretation and later backed down. Following a 2007 New York Times report that revealed that the company’s privacy policy was at least two clicks away from the home page, multiple privacy rights organizations sent a letter to then-CEO Eric Schmidt, urging the company to more proactively comply.
“Google’s reluctance to post a link to its privacy policy on its homepage is alarming,” the letter said, which was signed by the American Civil Liberties Union, Center for Digital Democracy, and Electronic Frontier Foundation. “We urge you to comply with the California Online Privacy Protection Act and the widespread practice for commercial web sites as soon as possible.”
The letter worked. Today, users can click the “Privacy” link on the search giant’s home page.
What About COPPA and HIPAA?
Spuri.us, like any nimble Silicon Valley startup, is ready to pivot. At one point in its growth, it considered becoming a health tracking and fitness app, meaning it would collect users’ heart rates, sleep regimens, water intake, exercise routines, and even their GPS location for selected jogging and cycling routes. Spuri.us also once considered pivoting into mobile gaming, developing an app that isn’t made for children, but could still be downloaded onto children’s devices and played by kids.
Spuri.us’ founder is familiar with at least two federal data privacy laws—the Health Insurance Portability and Accountability Act (HIPAA), which regulates medical information, and the Children’s Online Privacy Protection Act (COPPA), which regulates information belonging to children.
Spuri.us’ founder wants to know: If her company starts collecting health-related information, will it need to comply with HIPAA?
Not so, Freeman said.
“HIPAA, the way it’s laid out, doesn’t cover all medical information,” Freeman said. “That is a common misunderstanding.”
Instead, Freeman said, HIPAA only applies to three types of businesses: health care providers (like doctors, clinics, dentists, and pharmacies), health plans (like health insurance companies and HMOs), and health care clearinghouses (like billing services that process nonstandard health care information).
Without fitting any of those descriptions, Spuri.us doesn’t have to worry about HIPAA compliance.
As for complying with COPPA, Freeman called the law “complicated” and “very hard to comply with.” Attached to a massive omnibus bill at the close of the 1998 legislative session, COPPA is a law that “nobody knew was there until it passed,” Freeman said.
That said, COPPA’s scope is easy to understand.
“Some things are simple,” Freeman said. “You are regulated by Congress and obliged to comply with its byzantine requirements if your website is either directed to children under the age of 13, or you have actual knowledge that you’re collecting information from children under the age of 13.”
That raises the question: What is a website directed to children? According to Freeman, the Federal Trade Commission created a rule that helps answer that question.
“Things like animations on the site, language that looks like it’s geared towards children, a variety of factors that are intuitive are taken into account,” Freeman said.
Other factors include a website’s subject matter, its music, the age of its models, the display of “child-oriented activities,” and the presence of any child celebrities.
Because Spuri.us is not making a child-targeted app, and it does not knowingly collect information from children under the age of 13, it does not have to comply with COPPA.
A quick note on GDPR
No concern about data privacy compliance is complete without bringing up the European Union’s General Data Protection Regulation (GDPR). Passed in 2016 and having taken effect last year, GDPR regulates how companies collect, store, use, and share EU citizens’ personal information online. On the day GDPR took effect, countless Americans received email after email about updated privacy policies, often from companies that were founded in the United States.
Spuri.us’ founder is worried. She might have EU users but she isn’t certain. Do those users force her to become GDPR compliant?
“That’s a common misperception,” Freeman said. He said one section of GDPR explains this topic, which he called “extraterritorial application.” Or, to put it a little more clearly, Freeman said: “If you’re a US company, when does GDPR reach out and grab you?”
GDPR affects companies around the world depending on three factors. First, whether the company is established within the EU, either through employees, offices, or equipment. Second, whether the company directly markets or communicates to EU residents. Third, whether the company monitors the behavior of EU residents.
“Number three is what trips people up,” Freeman said. He said that US websites and apps—including those operated by companies without a physical EU presence—must still comply with GDPR if they specifically track users’ behavior that takes place in the EU.
“If you have an analytics service or network, or pixels on your website, or you drop cookies on EU residents’ machines that tracks their behavior,” that could all count as monitoring the behavior of EU residents, Freeman said.
Because those services are rather common, Freeman said many companies have already found a solution. Rather than dismantling an entire analytics operation, companies can instead capture the IP addresses of users visiting their websites. The companies then perform a reverse geolocation lookup. If the companies find any IP addresses associated with an EU location, they screen out the users behind those addresses to prevent online tracking.
Asked whether this setup has been proven to protect against GDPR regulators, Freeman instead said that these steps showcase an understanding and a concern for the law. That concern, he said, should hold up against scrutiny.
“If you’re a startup and an EU regulator initiates an investigation, and you show you’ve done everything you can to avoid tracking—that you get it, you know the law—my hope would be that most reasonable regulators would not take a Draconian action against you,” Freeman said. “You’ve done the best you can to avoid the thing that is regulated, which is the track.”
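As an added illustration (not the article's code, nor anything from the law firm), here is a Python sketch of the screening Freeman describes: a reverse geolocation lookup on the client's IP address decides whether analytics tags, pixels and tracking cookies are served at all. The EU address blocks and the page-template helper are constructed for the example; a real deployment would query a maintained geolocation database, and the screen is only as accurate as that database. It also covers the cases the paragraph leaves open: unparseable or non-public addresses, whose location is unknown, are treated as potentially EU and not tracked (fail closed).

```python
import ipaddress

# Constructed toy geolocation table for this example. A real deployment would
# query a maintained geolocation database, looked up before any tracking code is served.
EU_BLOCKS = [ipaddress.ip_network(c) for c in (
    "203.0.113.0/24",   # TEST-NET-3, treated as "in the EU" here for illustration
    "2001:db8:ee::/48", # documentation prefix, treated as "in the EU" for illustration
)]

# Addresses that carry no usable location: RFC 1918 private, loopback, IPv6 ULA.
UNLOCATABLE = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "::1/128", "fc00::/7",
)]

def normalise(remote_addr):
    """Parse the peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so IPv4 table entries still apply. Returns None if unparseable."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except (ValueError, AttributeError):
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip

def tracking_decision(remote_addr):
    """Return (allowed, reason): may analytics tags, pixels and tracking cookies
    be served to this client? Fails closed: if the address cannot be located,
    it is treated as potentially EU and no tracking is served."""
    ip = normalise(remote_addr)
    if ip is None:
        return False, "unparseable address"
    if ip.is_unspecified or any(ip in net for net in UNLOCATABLE):
        return False, "non-public address, location unknown"
    if any(ip in net for net in EU_BLOCKS):
        return False, "EU address"
    return True, "non-EU address"

def analytics_tag(remote_addr):
    """Constructed template helper: emit the analytics <script> only when allowed."""
    allowed, reason = tracking_decision(remote_addr)
    if allowed:
        return '<script src="/analytics.js"></script>'
    return f"<!-- tracking disabled: {reason} -->"

if __name__ == "__main__":
    for addr in ("203.0.113.7", "::ffff:203.0.113.7", "2001:db8:ee::1",
                 "198.51.100.9", "10.0.0.4", "not-an-ip"):
        print(f"{addr:22} {tracking_decision(addr)}")
```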
A data breach law for every state
Spuri.us has a clearly-posted privacy policy. It knows about HIPAA and COPPA and it has a plan for GDPR. Everything is going well…until it isn’t.
Spuri.us suffers a data breach.
Depending on which data was taken from Spuri.us and whom it referred to, the startup will need to comply with the many requirements laid out in California’s data breach notification law. There are rules on when the law is triggered, what counts as a breach, who to notify, and what to tell them.
The law protects Californians’ “personal information,” which it defines as a combination of information. For instance, a first and last name plus a Social Security number count as personal information. So do a first initial and last name plus a driver’s license number, or a first and last name plus any past medical insurance claims, or medical diagnoses. A Californian’s username and associated password also qualify as “personal information,” according to the law.
The law also defines a breach as any “unauthorized acquisition” of personal information data. So, a rogue threat actor accessing a database? Not a breach. That same threat actor downloading the information from the database? Breach.
In California, once a company discovers a data breach, it next has to notify the affected individuals. These notifications must include details on which type of personal information was taken, a description of the breach, contact information for the company, and, if the company was actually the source of the breach, an offer for free identity theft prevention services for at least one year.
The law is particularly strict on these notifications to customers and individuals impacted. There are rules on font size and requirements for which subheadings to include in every notice: “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “More Information.”
After Spuri.us sends out its bevy of notices, it could still have a lot more to do.
As of April 2018, every single US state has its own data breach notification law. These laws, which can sometimes overlap, still include important differences, Freeman said.
“Some states require you to notify affected consumers. Some require you to notify the state’s Attorney General,” Freeman said. “Some require you to notify credit bureaus.”
For example, Florida’s law requires that, if more than 1,000 residents are affected, the company must notify all nationwide consumer reporting agencies. Utah’s law, on the other hand, only requires notifications if, after an investigation, the company finds that identity theft or fraud occurred, or likely occurred. And Iowa has one of the few state laws that protects both electronic and paper records.
Of all the data compliance headaches, this one might be the most time-consuming for Spuri.us.
In the meantime, Freeman said, taking a proactive approach—like posting the accurate and truthful privacy policy and being upfront and honest with users about business practices—will put the startup at a clear advantage.
“If they start out knowing those things on the privacy side and just in the USA,” Freeman said, “that’s a great start that puts them ahead of a lot of other startups.”
Stay tuned for our second blog in the series, which will cover the current fight for comprehensive data privacy legislation in the United States.