Make large companies pay for consumer data breaches by knowing how to file a legal claim.
We’ve all seen the headlines.
It seems like almost daily a major business makes the news for a data breach. In case after case, we learn that big companies have failed to protect customers’ private and sensitive information.
In our digital age, businesses have the technological ability to collect tons of data about us, their customers — everything from our personal information like age and address, to our banking information like credit and debit card numbers, to more sensitive data like our browsing and purchasing habits. Internet users reasonably expect that this data will be kept safe and secure, but we all know from reading the news that that’s not always how it works out.
So what can you do to protect your data privacy?
As a consumer, the onus is largely on you to understand your consumer data rights and what you can do if they are infringed. And this guide can help!
Read on to learn about what data privacy is, why it’s important, the laws that are in place to protect you, how companies are using (and abusing) your private data, and what you can do to protect yourself in the digital world as data becomes more and more important — both to businesses and to you.
Data privacy is the concept of maintaining control over, and limiting access to, any of your personal information in digital form. This impacts how data should be handled, stored, and protected, with consideration to how important or sensitive it is.
Think of it this way: When you introduce yourself to a total stranger, you probably don’t mind telling them your name. But on that first meeting, you typically don’t tell them your age and street address. You definitely don’t introduce yourself with a name tag showing your social security number. And you’re sure as heck not letting them make a copy of your credit card.
But in the digital age, you routinely transmit that information to companies via the internet. That means you’re putting a lot of trust in those companies to keep all that potentially sensitive data safe, secure, and private.
In practical terms, modern data privacy encompasses these things:
How businesses collect and store data
When and how data is shared with third parties
Legislation that dictates data privacy standards, like GDPR, HIPAA, GLBA, or CCPA.
Data privacy rules and regulations generally apply to what’s called critical personal information, which is generally considered to include two different types of data:
Personally Identifiable Information: Anything that can be used to identify you, including your name, address, social security number, banking information, etc.
Personal Health Information: Anything related to your health and medical history, including hospital or doctor’s records.
For consumers, data privacy is important for two main reasons.
First, people have a right to privacy. They have a right to the reasonable expectation that they can control who has access to certain data about them, and what that data can be used for. People should be able to control how personal data about them is collected, stored, and used. They should be able to give consent about how and what data is collected, stored, and used. Data privacy regulations protect those rights.
Second, and on a more practical level, data privacy is intertwined with data security, which is all the practices companies can use to protect data from being compromised by hackers, identity thieves, and other malicious parties. Data privacy regulations exist to try to create a standard of safety to protect consumers from things like identity theft, which can happen if their private data isn’t handled correctly by a business.
There are a number of laws, on various levels, that relate to data privacy. Different laws cover different types of data and different situations in which that data might be collected or shared.
As with many consumer protection topics, state data privacy laws are a little bit of a patchwork in the U.S. — what applies in one state won’t necessarily apply in another, and state laws are being changed, updated, and enacted all the time.
In the absence of a comprehensive data protection law at the federal level, though, some states are passing their own legislation to help keep consumers safe. Here are the state laws that are setting the example for other states (or the federal government) to follow.
In addition to California and Nevada, a number of states have considered data privacy bills in recent legislative sessions. Both Washington State and New York introduced sweeping bills that would have provided residents of those states with protections on a similar level to California and Nevada (or even stricter protections, in the case of the New York bill). But in both states, the proposed legislation failed to pass this time.
Still, the fact that states are introducing such sweeping data protection laws indicates that in the future, data protection legislation is only likely to become more robust on both state and federal levels.
We’re entering the age of the data economy, which means businesses have more and more advanced technology all the time that allows them to collect customer data. Considering how much time we spend on computers, tablets, and smartphones; how wearable tech and the internet of things have become commonplace in our homes and offices; and how many of our daily activities, from shopping to catching up with friends and family, take place online; we’re handing over potentially sensitive data to a plethora of companies basically around the clock.
These are just some of the ways businesses collect data every time you interact with them (and sometimes while you’re not actively interacting with them at all):
Those terms and conditions you agree to without reading every time you sign up for a new service or download a new app? They likely include something about allowing that service or app to collect data, and you just consented.
Most businesses nowadays equip their websites with cookies and web beacons, which allow them to track your online behavior as you visit their sites — and before you get there, and after you leave. Cookies show businesses where you’ve been on their sites, what you’ve looked at, and where you went after you clicked away from their site. That’s why you so often get ads for items you’ve looked at already.
Services like Google AdWords, Google Display Network, and Facebook Pixel let businesses use this cookie information to create those targeted ads based on users’ browsing histories, putting ads in front of them for products they’re more likely to buy, since they’ve already checked them out before.
Every time you buy something from a company, put something in your cart and then remove it, interact with a service department, or otherwise engage with a company online, they’re likely saving data about you and all those interactions. This data is often analyzed with customer sentiment tools to personalize your experience when you return to a business you’ve engaged with before.
Social media is an easy way for companies to collect personal data. Not only is everything you post publicly online accessible for any person or company, but when you sign into apps or services with your social media profiles (think apps like Uber and Seamless that allow you to create a profile by signing in with your Facebook or Google accounts), you generally give those companies permission to harvest certain information from your profile.
Platforms like Facebook and Google have gotten better in recent years about revealing which of your data a new app is asking for access to, and letting you make a decision of whether to grant permission to it.
According to WIRED, more than 40 percent of all emails sent worldwide are tracked. That means businesses know not only whether you’re opening their emails, but where you’re opening them and on what devices.
Since data is worth so much to businesses, there are companies that exist solely to collect and compile data about consumers, which they then sell to other companies. They link together all the small puzzle pieces of personal information you’ve left all over the internet, which sometimes allows them to create extremely detailed personal profiles that they can sell to companies for a healthy profit.
The short answer? Data can help companies make more money. There are a lot of ways it can do this.
Companies can use data about customer behavior, as well as data mined from reviews and feedback, to adapt to changes in the market in an attempt to better meet their customers’ expectations and needs. They can use data to make changes to everyone’s experience, but also to create more personalized experiences for individual users.
For instance, if you and your best friend sit down side by side and open Amazon, you’ll probably see an entirely different set of items on the first page, based on your browsing and purchase history. Companies hope that this kind of experience will turn one-time shoppers into loyal, repeat customers, which means more sales and revenue for the company.
We touched on targeted advertising above. That’s just one way that data can help companies more effectively market their goods and services. In fact, data-based advertising is common just about everywhere you go online — Google results, your Facebook feed, YouTube ads, and more. Companies are using data to predict shopping and buying behavior, and using that to target the people who are most likely to want, need, and buy their products with their online advertising.
And then there’s the fact that any time a company is collecting data on its customers, it could be sitting on a potential goldmine. Data brokers are always interested in purchasing customer data, which means selling it is a potential new stream of revenue for many companies.
While most of us understand that we should be concerned on some level about how much personal data companies collect, many people don’t know exactly why this is something they should be concerned about. Sure, it can lead to some creepy and annoying experiences, like ads for a product you looked at once that now follow you around the web.
But the bigger risk comes from a privacy perspective. Companies are going to look out for their own best interests first, even at the expense of their customers. While the majority of companies aren’t actively trying to do anything nefarious with your personally identifying information, if they have it, that means it can fall into the wrong hands. The consequences of the wrong person getting a hold of your data can be life-altering.
There’s no such thing as perfect security. Even companies with multiple layers of physical and digital security measures are likely to experience a data breach at some point. We’re not just talking about small companies — even the biggest companies in the world, that you use every day and trust to keep your data safe, are subject to serious breaches. For many companies, security experts say it’s not a matter of if, but when.
And that’s assuming that companies are actually trying to protect your data. They aren’t always.
There are a number of common ways companies violate their customers’ and users’ privacy regularly. These are just some of those ways, and some of the major companies that have faced penalties for violating consumers’ privacy.
According to the Fair Credit Reporting Act, companies need to have a valid reason to access your credit report, and they need your written permission before they do it. Stanford University was sued in a class action for violating this by pulling credit reports on job applicants without their consent.
This one has made a lot of headlines lately. Facebook was at the center of the Cambridge Analytica data mining scandal, when the company failed to stop data aggregation or notify users that their personal data was being mined. And Google has been recently sued for allegedly collecting and storing users’ location data, even if they turn off “Location History” in their accounts.
Under the Gramm-Leach-Bliley Act (GLBA), all financial companies are required to tell their customers what information they collect, how they use it, and how they protect it. But the FTC filed a lawsuit against the popular peer-to-peer payment app Venmo for not providing users with a privacy notice and not having good data protection safeguards in place until 2015.
If you ever see more than five digits of your card number or expiration date printed anywhere, there’s a good chance the company that printed it violated the Fair and Accurate Credit Transactions Act. Major national chains like Six Flags and The Cheesecake Factory have been sued for printing too much credit card information on receipts.
Most consumers know that when they dispose of paper records that contain personal information, they should shred them first. You would think companies would do the same, but that’s not always the case. Cox Communications was recently sued over disposing of customer records without removing or shredding sensitive information first.
The Children’s Online Privacy Protection Act requires that companies receive parental permission before they track minors’ online activity. But a recent lawsuit alleges that 42 different Disney apps violated that law.
While the U.S. doesn’t have the most stringent data protection laws in the world, courts are already setting precedents that say companies have a responsibility to take basic measures to keep their customers’ sensitive data safe.
Anthem, the largest health insurance company in the U.S., agreed to pay $115 million to customers in a settlement after hackers stole sensitive personal data for 79 million people. The data that was compromised was not related to healthcare, the company said, but it still agreed to the settlement to pay for years of credit monitoring for those who were affected.
As you can see from all these cases, it really is up to consumers to do what they can to protect their own data, since we can’t always count on companies to do it for us. Read on for some of the best data protection practices you should be using.
We live in a digital world where it’s impossible not to share any data with any business. So how can you make sure your data stays safe? Try these practices.
Don’t give out any personal information (or enter it into a website) unless you know for sure the site is legit. Never enter personal information into sites you reach by clicking a link in an email — instead, go to the company’s site independently in your web browser so you know you’re not falling victim to a phishing scam.
Use encryption software when you send information over the internet. When entering information into a website, look for a lock icon in the address bar — this means the information will be encrypted on its way to the site.
Use strong passwords that are at least 12 characters, and a mix of upper and lower case letters, numbers, and special symbols.
Don’t overshare on social media.
Don’t enter your social security number online anywhere you don’t have to. Before giving your social to a business, ask why they need it, how they’ll use it, how they’ll protect it, and what happens if you refuse to give it to them.
Install anti-virus software, anti-spyware software, and a firewall.
Don’t send personal information on public WiFi networks.
Don’t save your passwords on your computer for any sites that store personal information, like online banking accounts, shopping accounts, or social media.
Be aware of the contents of privacy policies and terms and conditions. Yes, they’re long and complicated. This site can help.
Wipe electronic devices of all stored information before you dispose of them or otherwise get rid of them.
Keep personal records, including health records, financial documents, social security cards, and more in a safe place, ideally a fire-proof lock box that only you can access.
When you leave home, only take ID, credit and debit cards, and any other personally identifying information that you absolutely need. Leave everything else locked up at home.
Before sharing personal information with any business (including doctor’s offices, schools, and banks), ask why they need it, what they’ll use it for, how they’ll keep it safe, and whether there are any consequences if you opt not to share it.
When disposing of expired cards or any documents that include personal information, shred them first.
Destroy labels on prescription bottles before you throw them away.
Get the mail from your mailbox as quickly as possible. Take sensitive outgoing mail to a post office box instead of leaving it in your home mailbox.
Don’t have new checks mailed to your home unless you have a locked mailbox.
The future of consumer data is that we’ll likely hand over more and more of it as more aspects of our lives become digitized. However, with legislation being considered in many places around the world to better protect customers, the onus is shifting more to businesses to do more to keep their customers and users safe.
In the meantime, knowing your rights and responsibilities and learning good habits to protect yourself and your private data is the best thing you can do.