At the end of October, Google announced a change to its privacy and data policies permitting minors to have more control over their online images. This update follows a concerted policy shift Google began in August to protect minors online and supplements Google’s pre-existing content removal policies.
In recent years, data privacy laws have been enacted more regularly to encourage, or require, similar policy shifts. The European Union’s Global Data Privacy Regulation (GDPR), which went into effect in 2018, is probably the best-known data privacy regulation. The GDPR’s enactment immediately forced data-collecting companies to change their data policies and pressured other governments to adopt similar legislation. Despite this pressure, Google’s new policy illustrates that US data privacy regulation still runs primarily through private, as opposed to public, actors.
Smartphone notifications and cookies requesting to “track” app or browsing behavior across apps and websites are part of today’s internet experience. That tracking compiles data about an individual, which can range from personal details like an address, birth date or phone number, to information about what websites they visit, website visit duration, online shopping history or search history on search engines and video streaming sites. Data collectors—the website, service or app—can then use that information to create profiles about their users. In many cases, those services will sell or transfer customer data to third-party advertisers. Those third parties, in turn, market goods or services based on that customer data.
Broadly, data privacy laws grant rights to private citizens to prevent third parties from using data in these ways. As detailed below, these laws vary widely between jurisdictions.
The GDPR took effect in the European Union in 2018 to overhaul data collection practices for citizens of the EU and has largely set the standard for modern data privacy laws. It created eight new rights, placed a number of restrictions on entities that process data and created security and accountability standards for data processors. These rights, restrictions and standards are summarized in relevant part below and can be found in greater detail on the GDPR’s website.
The eight rights created by the GDPR include: (i) the right to be informed; (ii) the right of access; (iii) the right to rectification; (iv) the right to erasure; (v) the right to restrict processing; (vi) the right to data portability; (vii) the right to object; (viii) rights in relation to automated decision making and profiling.
Perhaps the most important of these rights is the right to erasure under Article 17, commonly known as the “right to be forgotten.” This right permits an EU citizen to request that a data processor delete the data on that person if the collector’s use expands beyond the bounds of the initial purpose for its collection, the citizen revokes consent or the data is unlawfully processed.
Article 6 of the law restricts data processors in their ability to process data unless they have a lawful basis for doing so. The law identifies six lawful bases: (i) consent of the data subject; (ii) the data processing being necessary to enter a contract (for instance, any agreement requiring a background check); (iii) the processing being necessary to comply with a legal obligation; (iv) the processing being necessary to protect the vital interests of the data subject or another person; (v) the processing being necessary to carry out the public interest; and (vi) when the processor has a legitimate interest to process the data.
Several principles of the law’s Article 5 regulate the processing of a person’s data. For example, processors must keep the data they hold on people accurate, they must only store as much data as is necessary for their stated collection purpose(s) and they must only process the data for those specified purposes. Data processors are also charged with setting up internal procedures that demonstrate and monitor their data processing practices and, additionally, must implement data security measures to protect against breaches.
These new rights and restrictions came with substantial enforcement mechanisms. Companies can be fined between 2%-4% of their global revenue for a GDPR violation, including the failure to keep proper records or report a data breach to the supervising authority and customers. The first, and still perhaps the most notable, fine levied against a data processor to date was Google’s €50 million fine in 2019 for transparency and consent violations. Amazon was also fined a startling €746 million in 2021 for consent violations relating to its user cookie practices.
In contrast to the GDPR, the US regulates specific types of information, rather than broadly protecting data rights. The Health Insurance Portability and Accountability Act (HIPAA), for example, protects patient medical information from unauthorized disclosure by insurance providers. Similarly, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their data-sharing practices to consumers with respect to consumer-financial products. The US also regulates the data of children under 12 and data collected by the government, and holds apps and websites to the terms of their privacy policies. In comparison to the GDPR’s rights, these frameworks provide a subject-matter-specific patchwork of data protection.
In lieu of a federal law, some state governments are passing their own data privacy laws. The first and likely most publicized has been California’s Consumer Privacy Act (CCPA), which went into effect in 2020. The CCPA shares similarities with the GDPR, including similar rights of access, rights to correct data and rights to delete data held by companies. The CCPA also requires companies to inform customers of their data sales practices, of which customers can opt out. The GDPR, in contrast, requires that companies proactively solicit citizens to “opt-in” to the company’s data usage. The scopes of the CCPA and GDPR also differ; the CCPA only applies to California citizens and businesses above a certain size that trade in their customers’ data, whereas the GDPR applies to every data processor in the EU and those that process the data of EU citizens, wherever in the world they are.
At the time of this writing, only Virginia and Colorado have enacted comparable data privacy regulations. Legislators in New York, Massachusetts and Pennsylvania are considering meaningful data privacy legislation, but these remain proposals until enacted into law.
The impact of these laws on US-based companies has been notable, even if they do not apply uniformly across the country. Microsoft announced shortly after the CCPA passed that it would extend the CCPA’s data rights to all US citizens and enacted a similar policy after the passage of the GDPR. Many other companies are anticipating further data privacy laws by proactively becoming fully GDPR or CCPA compliant or beginning the process by adopting data security policies that are more privacy-friendly.
Google is not the only service that offers these data or content takedown controls. Facebook, for example, has an extensive list of Community Standards and reviews reported material that violates these Community Standards for removal, in addition to honoring legally-backed removal or deletion requests.
The extent to which US-based users can protect their data comes down to the policies of the website, service or app in question. Google’s removal policy is one prominent example of the private sector control of data privacy. Until more states (or the federal government) pass data privacy laws, US citizens will continue to look to private entities for their data security options.
The GDPR, CCPA and more recently proposed legislation have made it clear that data privacy is becoming more, not less, prevalent. Businesses are accordingly taking notice and in many cases are proactively updating their privacy policies and terms and conditions. They are also upgrading their data collection, transparency and accountability practices in advance of legal requirements. Data privacy practices across the US are advancing as a result, but are doing so on a halting and less predictable basis.
People looking to access, amend or delete their data should keep an eye on the changing privacy policies and terms of service of the apps or services they use to stay up to date on their options. Those in California, Colorado and Virginia should familiarize themselves with their respective laws; others should keep an eye out for new legislation passed by their state.
Businesses should make themselves aware of those new laws as well and would be wise to anticipate forthcoming data privacy laws. Data collection might seem like a relatively small issue for many businesses, but failure to adopt timely and compliant policies and practices could subject those businesses to substantial fines and onerous lawsuits in the near future.
Whether you would like your data monitored or deleted, or whether your business needs a compliant policy update, an experienced attorney can help you evaluate your position and minimize potential liability.