Published on May 21, 2020 by the FairShake Team
But many people are surprisingly unaware of how privacy policies affect how their personal data can be gathered and used. And we’re all guilty of clicking “Accept” without actually reading the policy. Who can blame us? Those policies are long, complex, and present on every app and website we use, which means dozens if not hundreds of policies to read through. Who has time for that? And even if you do have the time, these policies are often impossible to understand, even for people with legal knowledge.
Here’s what we mean: The New York Times read and analyzed over 150 privacy policies for major websites. At the end of its analysis, it called them “an incomprehensible disaster.” And The Atlantic tried to analyze the policies from just the top 50 websites in the U.S. and found that reading them all would mean taking in 145,641 words — about the length of The Grapes of Wrath. It’s no wonder so few people actually read privacy policies, even though they absolutely should.
Understanding the laws around privacy policies can be tough — the internet is global, and privacy is regulated by a varying patchwork of laws from different countries, or even different states. In the U.S., the patchwork of laws that exists doesn’t give you a lot of protection, so it’s on you to read and understand all those different privacy policies — and all the jargon and legalese that comes with them. What’s the average consumer to do?
There’s also information that’s commonly tracked by cookies when people use the internet. This might include:
Keep in mind, though, that’s not an exhaustive list. Those are just some common pieces of personal information that are collected by certain sites, often without their users’ knowledge.
Various international laws require sites to clearly state their privacy policies where users can find and read them, but the U.S. has no such law (in fact, only 16 states even require government agencies to establish online privacy policies and procedures). Luckily for U.S. residents, many American websites follow more comprehensive laws from the EU and other parts of the world, and do display their privacy policies online.
To start to understand how to protect yourself online, it helps to know what laws exist to protect your privacy in the U.S. Unfortunately, it’s a patchwork of laws, none of which are comprehensive.
Compared to other industrialized parts of the world, the U.S. is lacking in privacy protection. In America, there’s no central, sweeping federal law, like the EU’s General Data Protection Regulation. But there are still American laws that protect your privacy and data, both at the federal and state levels.
When it comes to federal privacy laws in the U.S., they tend to be more specific than broad. That means there are a few important federal laws that handle certain aspects of privacy, but there are still pretty big holes left in federal privacy protection.
Here’s what federal privacy laws do cover.
In the mid-1970s, the most cutting-edge technology of the time was computer databases. People, including lawmakers, were rightly concerned about the information kept in databases, and how the government could potentially misuse the personal information it was storing.
So Congress passed what was, at the time, an innovative and landmark privacy protection law: the U.S. Privacy Act of 1974. It established rights for U.S. citizens and placed a number of restrictions on how personal data held by federal government agencies could be handled. Some important, key points of this legislation were:
HIPAA is another well-known, landmark piece of legislation that the U.S. passed in 1996. It regulates much of how the health insurance industry operates, but the two pieces that have the most impact on your privacy are the Security Rule and the Privacy Rule.
Buried in the Gramm-Leach-Bliley Act (GLBA), which covers many aspects of banking and financial law, is an important piece of privacy regulation. Basically, the GLBA outlines how banks and financial institutions can collect and share personal information about their customers. The Act defines “nonpublic personal information” as “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.”
The problem with the GLBA, though, is that it doesn’t put a lot of restrictions on how banks can share private financial information with “affiliated” companies — consumers aren’t given any legal privacy controls over how their information is shared between different organizations in their bank’s “corporate family,” for example.
In 2000, Congress passed one of the most modern privacy laws the U.S. had ever seen, made just for the internet age. Unfortunately, it only covers children under 13 years old. COPPA prohibits companies from collecting data from children who are 12 and under, unless there’s verifiable parental consent for doing so.
You might have noticed that COPPA is the only one of these federal laws that specifically regulates online data-sharing — and it doesn’t even apply to adults.
The unfortunate truth is that, in the U.S., technology is far, far ahead of the law. The internet is treated like a deregulated territory, and for the most part, companies are on their own to write whatever they want into their privacy policies. Unless they exist in one of the industries that’s federally regulated, they can be as careful with your privacy as they want to be — or not.
Some states are starting to make up for the lack of federal privacy laws that apply to online activity, writing and passing their own regulations. California has definitely taken the lead on this, but some other states are starting to follow. The National Conference of State Legislatures has a good roundup on internet privacy laws that currently exist on the state level, but as you can see below, the protections they offer are truly a patchwork and not at all comprehensive:
The unfortunate short answer is that it’s not easy to protect yourself online where gaps in regulation leave your personal information in the hands of whoever is running the app or website that collects it.
The best thing consumers can do is learn how to understand individual privacy policies, and how to look for red flags that might indicate their data isn’t safe with a site or app.
It can also be helpful to lean on existing tools, like Terms of Service; Didn’t Read, which gives privacy policies a rating based on how much protection and choice they offer users. Of course, no tool is perfect, and your best bet at protecting yourself is to read privacy policies yourself, rather than relying on someone else’s analysis.
Because of the lack of laws that directly apply to online privacy in the U.S., it can be difficult to know how to seek recourse if a site or app doesn’t handle your data properly.
For that, you have even less recourse. But one possible avenue for consumers is arbitration, which can help resolve disputes between businesses and their customers, but is too often overlooked.