For nearly two months, Malwarebytes Labs led readers on a journey through data privacy laws around the world, exploring the nuances between “personal information” and “personal data,” as well as between data breach notification laws in Florida, Utah, California, and Iowa.
We explored the risks of jumping into the global data privacy game, comparing the European Union’s laws with the laws in China, South Korea, and Japan. And we also examined current legislative proposals in the United States to better protect Americans’ data.
But all that information was delivered across five separate blogs of more than 10,000 collective words. Look, we get it—it’s a lot to read through. So, we’re offering some help.
Before fully closing out our data privacy and cybersecurity law series, we are providing the top six takeaways for corporate data privacy compliance. From emerging startups to burgeoning enterprises, these rules should help businesses not just with legal liability, but also to better understand—and gain—user trust.
Here we go.
1. Write and post a privacy policy
In 2004, California changed the online privacy landscape for companies everywhere. The Golden State—which would soon become a pioneer in data privacy and online privacy law—passed the California Online Privacy Protection Act.
The law is simple. Any company, organization, or entity that runs a website which also collects the personally identifiable information of California residents must also post a privacy policy on their site.
The privacy policy must explain the types of information collected from users, the types of information that may be shared with third parties, the effective date of the privacy policy, and the process—if any—for a user to review and request changes to their collected information.
Because the law applies to any website that collects Californians’ information, it applies far beyond the state’s geographic borders. This isn’t just for California-based companies like Apple, Google, Twitter, and LinkedIn. It’s also for Washington-based Microsoft, New York-based Verizon, and Texas-based Dell.
Also, the law requires that every privacy policy be easy to find. Even Big Tech doesn’t challenge this requirement: In 2007, after reporting by the New York Times, Google decided to more prominently display its privacy policy on its website.
2. Do not lie in your privacy policy
This should be obvious, but in case it is not: Do not lie to your users about what you do with their data. You can collect their data, store their data, share their data, even sell their data, so long as you tell them the truth.
Any company that lies about its data protection practices could be hit with a lawsuit from a state Attorney General or, pending some legal hoops to jump through, an individual user. That’s because, in the US, data protection rights can still be asserted under an area of the law that prohibits “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising.
Lee Tien, senior staff attorney at Electronic Frontier Foundation, explained this area of consumer privacy law.
“Most of consumer privacy that’s not already controlled by a statute lives in this space of ‘Oh, you made a promise about privacy, and then you broke it,’” Tien said. “Maybe you said you don’t share information, or you said that when you store information at rest, you store it in air-gapped computers, using encryption. If you say something like that, but it’s not true, you can get into trouble.”
These lawsuits have been successfully filed against companies before. Last year, Uber agreed to pay $148 million to settle a lawsuit alleging the company’s misconduct when covering up a 2016 data breach. The lawsuit was brought by every single state Attorney General in the United States, plus the Attorney General for Washington, DC.
3. If you want to expand beyond the US market, consult a data privacy lawyer first
Data privacy and cybersecurity laws abroad are not like the laws in the US.
For example, the European Union recently bestowed upon its citizens the new rights to access, control, transport, and delete information that companies collect on them. China’s cybersecurity law grants its government the right to inspect and even copy the source code of incoming software products. South Korea’s cybersecurity laws include fierce penalties and even possible jail time. Singapore, often viewed as a friendly country for US expansion, has its own cybersecurity law that protects “essential” services, a definition that does not exist here in the US.
Expanding into a new country is, most of all, a question of risk: Can you afford—quite literally—the cost of compliance?
4. Personal information is not the same as personal data
The terms “personal information,” “personal data,” and “personally identifiable information” get thrown around a lot, sometimes even interchangeably, but these terms have specific legal definitions that do not carry over so easily from one to another. The definitions for the terms do vary, however, depending on which law in which state or country you consult.
The important thing to remember is that these terms describe types of information that companies are legally required to protect. Protecting one law’s definition of “personal information” is not the same as protecting another law’s definition of “personal data,” and mixing the two up could lead to compliance mishaps.
The best advice is to, once again, consult a data privacy lawyer. Getting lost in an array of country-specific, legal rabbit holes does not help anyone.
Michelle Donovan, intellectual property and cyber law partner at Duane Morris LLP put it clearly:
“What it comes down to, is, it doesn’t matter what the rules are in China if you’re not doing business in China. Companies need to figure out what jurisdictions apply, what information are they collecting, where do their data subjects reside, and based on that, figure out what law applies.”
5. Get ready for comprehensive data privacy legislation in the US
In the past year, at least four US Senators have proposed comprehensive, federal data privacy legislation. Each bill seeks to improve Americans’ online privacy.
Sen. Ron Wyden’s bill, for example, proposes that dishonest tech executives face potential jail time. Sen. Amy Klobuchar’s bill, on the other hand, focuses on making corporate privacy policies clear and understandable. Sen. Marco Rubio’s bill would ask the country’s trade enforcement agency, the Federal Trade Commission (FCC), to propose its own rules on data privacy, which Congress would later vote on. And Sen. Brian Schatz’s bill would place a new “duty to care” requirement on companies handling user data.
None of the above-mentioned bills have received a vote in Congress, but this area could move fast, and many assume that data privacy will become a lynchpin issue in the 2020 presidential election.
6. Respect and protect your users’ data
Your users have few legal options in asserting their data privacy rights. Despite this, your company should take it upon itself to treat user privacy with respect.
You will not be alone in this proactive decision. Apple, Mozilla, Signal, WhatsApp, CREDO Mobile, ProtonMail, Helix DNA, and several other companies already understand that meaningful user privacy can serve as a competitive advantage.
As Malwarebytes Labs showed this year, people care immensely about online privacy. Listening to your users should not be a matter of legal compliance, but a matter of respect.
Join us next week for another set of data privacy takeaways, this time for consumers in the US.