US Privacy Act is enacted. This law focused on government databases and how the information in them was stored and shared.
HIPAA, a law designed to regulate the insurance industry, also creates two big sections focusing on the privacy and security of private health data.
GLBA targets financial institutions and lenders, enforcing the disclosure of how personal information is used and shared.
COPPA lays down strict limitations on how data of children under the age of 13 can be used.
Apple ITP strictly limits the use of 1st and 3rd party cookies through their Safari browser.
GDPR is enacted throughout the European Union, effectively changing data privacy laws around the world.
CCPA rolls out in California, putting the rights to consumer data back in their own hands.
Support for US Federal Version of GDPR rises; more states begin writing their own laws surrounding personal information.
NY SHIELD Act goes into effect.
NJ pushes privacy bill that would force companies to request permission to use personal data.
Death of 3rd Party Cookie. Google announces they will get rid of support for third party cookies on Chrome browsers within two years.
Data privacy is not a new topic, although it certainly has taken center stage in recent years. In fact, data privacy laws date back as early as the 1970s, before computers and the internet were commonplace.
Government Databases Under Scrutiny
In 1974, the US Privacy Act was passed in response to concerns about how the use of government databases might impact the privacy rights of private citizens. Computerized databases were widely used by the government and other large entities before computers with their own internal databases were developed. Public Law 93-579 required government agencies to disclose any records that were being maintained on an individual upon request. The law also required such agencies to use “fair information practices” when gathering and handling personal data. The Privacy Act also zeroed in on how an individual’s information could be transferred to or shared with other agencies by implementing certain restrictions. Finally, the act opened the door for individuals to sue the government if it was proven that the law’s provisions had been violated.
Health Information Security Regulations
The next big shift in data privacy came in 1996, with the Health Insurance Portability and Accountability Act, more commonly known as HIPAA. Most everyone is familiar with HIPAA, because it seems every time you visit a doctor’s office, you are required to fill out a new form. A large part of HIPAA legislation was actually designed to regulate the health insurance industry. However, the law also included important sections related to the privacy and security of individuals. The Security Rule and Privacy Rule sections of HIPAA outline regulations pertaining to data protection and data confidentiality.
The Security Rule regulates safeguards that must be in place to ensure appropriate protection of electronic protected health information. Essentially, these are online medical records. The law sets a baseline requirement for how confidential patient information must be kept safe and secure no matter what technology upgrades health institutions might undertake in order to improve efficiency in service.
The Privacy Rule delves deeper into the security and access of patient medical records. The Rule aims to protect the privacy of personal health information. It sets limits and conditions on how the information can be used and on any disclosures that may be made without patient authorization. The Privacy Rule also gives patients rights over their own personal health information, which includes the right to examine and obtain a copy of their health records, or request corrections to those records.
Financial Institutions Need To Disclose And Secure Data
On the heels of regulations to protect health information came more regulations designed to protect financial information. In 1999, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, went into effect. This law requires financial institutions or companies that offer consumer financial products or services to detail how they share client information, as well as how they safeguard sensitive data. This includes businesses that sell or consult on financial loans, financial or investment advice, or insurance services.
For example, auto dealerships that are extending loans or leasing vehicles must inform customers how they are using any financial information that they collect from them, including who that information will be shared with and how they will keep any sensitive information safe. The same rules would apply to mortgage lenders, banks, brokers and more.
Data Privacy For Children
When the internet began to rise in popularity, it was clear that guidelines and restrictions would be needed to protect information related to children. In 2000, the Children’s Online Privacy Protection Act (COPPA) was enacted to protect the personal data of minors under the age of 13. The COPPA rule is enforced by the Federal Trade Commission.
The COPPA rule applies to owners and operators of websites, or those that offer online services. Businesses or organizations that fall into these categories must take steps to protect the information of children and must have certain information listed within their privacy policies regarding the collection of this type of data. Parents of children under the age of 13 are required to give consent before certain types of information can be collected.
In July of 2013, the FTC updated the COPPA Rule to take into account new changes in technology. Violations of these regulations can result in law enforcement actions and civil penalties. The FTC has made it clear that they are serious about compliance in these matters.
Apple Leads In Protecting Personal Data With ITP
It seems that Apple has always remained on the cutting edge when it comes to technology, and the way the company views privacy in relation to technology is no exception. Apple first launched Intelligent Tracking Protection (ITP) in 2017. At the time, ITP was a feature added to Apple’s Safari browser that was designed to limit the ability of companies to monitor people’s browsing behavior when they visited the websites of other companies.
In 2019, Apple announced ITP 2.1, which would create even more challenges for advertisers, publishers, and tech vendors. ITP 2.1 would take consumer privacy a step further by purging most first-party cookies on Safari browsers after seven days and blocking all third-party cookies by default. This move made it next to impossible for businesses to perform device fingerprinting and long-tail measurement on consumers.
While Apple is known for its stance on consumer privacy, it was not the only one to begin taking such measures. Another very popular browser, Firefox, also made the move to block third-party cookie tracking by default.
GDPR Zeros In On Enforcing Data Protection
It’s plain to see that as technology has advanced over the past fifty years, so have privacy and security measures. Then along came big search engines like Google and the onset of the social media phenomenon, which forever changed not only the way that people communicate, but also the way that businesses and marketers were using online data. It became clear that even tougher security and privacy measures would need to be put in place in order to protect the integrity of online data.
In 2018, the European Union made big waves when it enacted its General Data Protection Regulation (GDPR). The primary objective of GDPR was to give citizens back control of their personal data and create a simplified approach to regulating businesses in the online space.
Those in the EU responsible for hammering out the details of GDPR spent three years in negotiations, and the regulation took effect in May of 2018. The 28 member states of the EU were responsible for creating their own state legislation in order to meet compliance. The EU began enforcing GDPR policies in 2019.
GDPR essentially gives consumers control over their data instead of the corporations that have historically held all the power. Despite the regulations being set by the EU, it is not only companies operating in the EU that can be held responsible for violating the terms of the agreement. The rules pertain to any website or online business that is interacting with personal data of EU citizens. That could be virtually anyone. Big US-based companies like Google and Facebook have received fines up to $5 billion for not being in compliance with GDPR.
US Begins To Follow Suit With New Data Privacy Laws
It was not long after GDPR came about that states throughout the US began to take their own measures to protect the online data of their citizens. California was the first state to take such measures. In 2018, California enacted the California Consumer Privacy Act (CCPA).
The CCPA gives consumers more rights relating to their data, including the right to access it, delete it, and know how their personal information is collected and shared by businesses. In fact, under the CCPA, consumers have the right to demand to see any of the information a company has saved on them, as well as any third parties that company has shared the data with. Consumers also have the right to sue companies if the privacy guidelines are violated, even if there is no security breach.
Similar to the way that GDPR protects EU residents no matter where the business is based, the CCPA protects California residents even from companies that are not based in California or do not have a physical presence there. The companies don’t even have to be based in the United States.
Other States Release Their Own Privacy Regulations
There has been a substantial call for attention to new data privacy regulations at a federal level. Having a federal law in place could streamline the way data privacy is approached in the US. However, for now other states are following California’s lead in creating their own state-level regulations for data protection.
In 2019, New York State passed the SHIELD Act, which will go into effect on March 21, 2020. New Jersey lawmakers also pushed their own privacy bill that will force companies to get permission from consumers before they collect or sell their personal data.
The Death Of The Third Party Cookie
Early in 2020, Google announced that it would be phasing out the third-party cookie on its Chrome browser, and it became clear that this would be a big year for data privacy. As we already know, Safari and Firefox have already phased out the use of third-party cookies on their browsers, but with changes on the horizon for Chrome, marketers and tech companies alike are scrambling to figure out what to do as further restrictions are put into place.
Google’s post notes that the company plans to roll out changes over a two-year timespan so that it can work with marketers and publishers as a community to figure out better solutions. Google wants to rise to meet the demands of its consumers for more data privacy protection, without disrupting the online ecosystem.
According to Digiday, this type of rollout will likely be better received by advertisers in the online community. However, there is no doubt that the landscape is changing. It is quickly becoming more obvious that consumers, advertisers and browsers alike are all going to have to be part of the solution.
What’s Next For Data Privacy?
We live in an online world and privacy concerns are a big issue. While so much has happened with consumer data protection over the past fifty years, it is clear that we are only scratching the surface on what must still be done.
Security measures need to go beyond protecting things like social security numbers and credit card numbers from identity theft. This is not just about cybersecurity. Consumers want more control over how their data is being used in general.
In regard to eliminating third-party cookies, Google referenced the “ecosystem” multiple times throughout the post. This seems like the ideal word for the direction in which data security and information privacy are headed.
There needs to be a multi-directional conversation when it comes to privacy issues. The conversation cannot simply be between advertisers, tech, and the browsers, search engines and social media platforms; consumers want to have a say too.
In general, it seems that there is still plenty of room for the advertising space to play in the online world. For the most part, it also seems fair to say that consumers want the advertisers to be there. This is a world of convenience, a world where people want to find quick answers or have products delivered with same-day service. Consumers are using the web to find good information and spend money in a digital marketplace. Ultimately, it comes down to data practices. Consumers want to know how their data is being used. Advertisers can use this changing landscape as an opportunity to start a better dialog with their consumers on how they can best deliver opportunity for goods and services to them in a way that they would like to receive it.