Privacy Policies in the Digital World

Depending on where you work or do business, there could be many privacy laws that you should be aware of. This article discusses important privacy laws in the United States, and the European Union's General Data Protection Regulation (GDPR). Note the different aspects that the US Privacy Act of 1974, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Children’s Online Privacy Act (COPPA) of 2000, the California Consumer Privacy Act (CCPA), and the GDPR protect. How would you compare the GDPR to the CCPA?

3. Privacy Policies

The United States has little to no federal privacy policy protecting consumer data. The amount of data that consumers disclose to various websites and applications is staggering, and there is very little regulation in the United States surrounding the collection, security, use, and storage of consumer information. Compared to other countries, the United States currently has no framework of federal privacy laws. The European Union has released the General Data Protection Regulation (GDPR), which clearly outlines the protection of consumer data and its processing. Canada has enacted a Privacy Act which states the purpose of the act and the policies that are required for data collection, retention, and disposal. Additionally, the Canadian Privacy Act outlines any possible exemptions from the policy and how users are allowed to access their data. Countries such as Russia, Singapore, the United Kingdom, and the Philippines have also created privacy policies to effectively govern and protect consumer information. The United States is slowly following behind. Below we will explore some of the current privacy policies enforced in the U.S. and globally.


US Privacy Act (1974)

The US Privacy Act of 1974 gave US citizens the right to access any data held by a government agency, the right to copy that data, the right to correct errors in that data, and the ability to restrict access to data on a need-to-know basis. The regulations of the US Privacy Act include:

  • Right of US citizens to access any data held by government agencies
  • Right of US citizens to hold a copy of the same data
  • Agencies should follow data minimization principles during the data collection process
  • Access to data is restricted on a need-to-know basis
  • Sharing information with other federal and non-federal agencies is restricted and only allowed under certain conditions


HIPAA - Health Insurance Portability and Accountability Act (1996)

It was passed by Congress in 1996.

HIPAA is responsible for the following:

  • It provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  • It reduces fraud and abuse in the health care sector
  • It mandates standards for information on electronic billing and other health-care processes
  • It requires the protection and confidential handling of protected health information

The HIPAA Privacy regulations require all parties in the health care sector (including providers and organizations), as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. PHI may take paper, oral, or electronic form. Additionally, HIPAA limits the use and sharing of health information to the minimum extent necessary to conduct business.

HIPAA and the US Privacy Act of 1974 only define policies regarding consumer health data and government data, leaving most other forms of consumer data to be governed by policies defined by industries and/or corporations. Some states have taken it upon themselves to create legislation that changes what data people have access to and control over, and almost all states have a breach notification policy that informs you when your data has been breached; such notification, however, is not preventive in the way many of the proposed federal bills would be.


COPPA - Children’s Online Privacy Act (2000)

COPPA is responsible for regulating personal information collected from minors. It was initially established to prohibit online companies from requesting PII from children under 12 years old unless verifiable parental consent has been obtained. Later updates to the regulations expanded the scope of the law and broadened the types of PII it covers (screen names, email addresses, photographs, and audio files are included).

COPPA additionally protects the privacy of children by allowing access only to companies that are capable of ensuring confidentiality and security.


CCPA - California Consumer Privacy Act

California is in the process of passing the California Consumer Privacy Act (CCPA). The CCPA outlines that eligible California residents will have the right to:

  • Know what personal information (PI) is being collected about them
  • Access their PI twice in a 12-month period
  • Receive a copy of their PI being collected
  • Know if their PI is being sold or disclosed, and to whom
  • Request their PI to be deleted
  • Receive an equal level of service when exercising their rights

The rights to know, delete, access, be made aware of any portability, and opt out are necessary in order to ensure that consumers have visibility into their data. Having federal or state-wide privacy policies standardizes the proper methods and practices associated with data collection.

California passed the California Consumer Privacy Act (CCPA) unanimously; it went into effect at the beginning of 2020 and will begin to be enforced in July. This is groundbreaking legislation that gives the power back to the people. Since it is only a state-level act, it has no direct effect on the other 49 states, but it could set a precedent. It would also be a huge step forward because California is home to most technology companies. This act requires companies to disclose what information they are collecting, why they are collecting it, and who is using the data. It also gives the customer the right to have any unwanted data deleted or to have the companies not share the data that has been collected. This follows California’s amended constitution, which states that privacy is an "inalienable" right of the people (Chau, 2018). This legislation applies to any company that operates within the state and "either makes at least $25 million in annual revenue, gathers data on more than 50,000 users, or makes more than half its money off of user data" (Edelman, 2020). This would affect many large companies, including Facebook, Google, and Amazon. When someone with an IP address based in California accesses a website, they will get a banner on the screen saying "Do Not Sell My Personal Information". This will stop websites from serving targeted ads because no cookies will be sold to third parties.

If companies do not comply with the CCPA, users will be able to sue. The attorney general’s office will have the responsibility of bringing other companies that have violated the law to court. It has already said that it will not be bringing cases to court purely on the basis of available resources.


GDPR - General Data Protection Regulation

The General Data Protection Regulation is a privacy policy established in the European Union. It describes the law on data protection and privacy in the European Union. It also addresses the transfer of personal data outside the European Union. As the General Data Protection Regulation (GDPR) applies to consumers outside the European Union, it is something that countries around the world have slowly begun to adopt. The data protection principles outlined within the GDPR are:

  • Data fairness and lawfulness
  • Data purpose limitations
  • Data minimization
  • Data accuracy
  • Data storage limits
  • Data integrity and confidentiality
  • Data protection being the core foundational process

The GDPR extends the rights of consumers in the European Union, including access, consent, portability, restriction, and erasure of PI data. EU consumers under the GDPR have the right to discover how their PI is being used and for what purpose. However, this does not apply only to industries and/or corporations within the EU. For example, if an individual accesses a US website or platform from within the EU, that US website or platform will have to comply with the GDPR. For this reason, many countries are slowly moving towards adopting their own privacy policies similar to the GDPR.