What are some of the laws regarding internet and data security?
What is internet law?
Internet law – sometimes called cyberlaw – refers to the legal principles and regulations that govern the internet's use. Internet laws are not always clear and straightforward because:
- The internet is relatively new and continues to evolve, which means legal frameworks can struggle to keep up.
- Internet laws often incorporate and apply principles from different legal fields – such as privacy laws or contract laws – which pre-date the internet and can be open to interpretation.
- There is no single law regulating online privacy. Instead, a patchwork quilt of federal and state laws apply. In addition, different jurisdictions around the world may have different interpretations of how to apply internet privacy laws.
The European Union has an overarching data privacy law known as GDPR – the General Data Protection Regulation. By contrast, the US does not have a central federal-level internet privacy law. Instead, there are several vertically-focused federal privacy laws and several consumer-oriented privacy laws amongst the different states. This overview looks at some of the critical internet security laws you should know about.
US Privacy Act of 1974
Although it pre-dates the internet, the Privacy Act of 1974 is arguably the foundation of many laws covering data and internet privacy in the US. The Act was passed in recognition of the amount of personal data held in computer databases by US government agencies. The Act covered:
- The right of US citizens to access data held by government agencies and a right to a copy of that data.
- The right of citizens to correct any information errors.
- The need for agencies to collect only the minimum information relevant and necessary to accomplish its purposes.
- Restricting access to data on a ‘need to know’ basis.
- Restricting information sharing between federal (and non-federal) agencies – i.e., only allowed under certain conditions.
However, the invention of the internet changed the definition of privacy and made it necessary to enact new data security laws concerning electronic communications.
Federal Trade Commission Act
The Federal Trade Commission Act of 1914 established the US Federal Trade Commission and was designed to outlaw unfair methods of competition and unfair acts or practices that affect commerce.
Today, while the FTC does not explicitly regulate what information should be included in website privacy policies, it uses its authority to issue regulations, enforce privacy laws, and protect consumers. For example, the FTC might act against organizations that:
- Make inaccurate privacy and security statements to consumers and in privacy policies.
- Don’t implement and maintain reasonable data security measures.
- Don’t follow the self-regulatory principles that may apply to the organization's industry.
The FTC plays a role in internet regulation, not least because it examines misleading representations made by leading tech and social media companies about the privacy of the consumer data they collect. For example, previously, the FTC has investigated complaints against Facebook for its use of customer data.
Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act of 1998 – also known as COPPA – is a US federal law. Its goal is to place parents in control of what information is collected from their young children online. COPPA applies to operators of commercial websites and online services (including mobile apps and Internet of Things devices) directed to children under 13, which collect personal information from children.
Some of COPPA’s key requirements include:
- Websites, apps, and online tools aimed at children below 13 must provide notice and obtain parental consent before collecting information from kids.
- They must keep any information they obtain from children safe and secure.
While the law originated in the early days of the internet, it has become especially relevant in an era of social media and programmatic ads. A key question with COPPA is the extent to which a site is ‘directed’ at children under 13. In the US, the Federal Trade Commission assesses sites based on various criteria, including:
- Subject matter
- Use of animated characters
- Use of child-oriented activities or incentives
- Age of models
- Presence of child celebrities or celebrities who appeal to children
- Advertising on the site aimed at children
Some websites or services screen their users by age, so they don't have to comply with COPPA regulations. For example, many social networks, whose business model is based on collecting and monetizing user data set 13 as a minimum age for registered users.
Another question raised by COPPA is what constitutes ‘collecting personal information’. Collecting names, addresses, and photographs falls into this category. But less obvious are behavioral ads – that is, ads that track user behavior across websites and apps – which also constitute collecting personal information under COPPA. Even if a third-party provider serves those behavioral ads, the website owner is responsible for them if they appear on a website that targets children. Given that behavioral ads form such a large part of the internet’s ecosystem, this has significant implications for websites aimed at children.
California Consumer Privacy Act
The California Consumer Privacy Act or CCPA was signed into law in 2018. Its goal was to address consumer privacy for Californian residents by extending consumer privacy protections to the internet. CCPA is considered the most comprehensive internet-focused data privacy legislation in the US, with no equivalent at the federal level.
Like the EU's GDPR, it gives consumers the right to access their data, along with the right to delete and opt out of data processing at any time. However, CCPA differs from GDPR in that GDPR grants consumers a right to correct or rectify incorrect personal data, whereas CCPA doesn't. GDPR also requires explicit consent at the point when consumers hand over their data. By contrast, CCPA only specifies that a privacy note is available on websites informing consumers that they have a right to opt-out of certain data collection. Other features of CCPA include:
- Consumers have the right to access their data through a data subject access request.
- Businesses can't sell consumers' personal information without providing a web notice and giving them an opportunity to opt-out.
- Consumers have a limited right of action to sue if they are the victim of a data breach.
- The State Attorney General has a more general ability to sue companies on behalf of residents.
CCPA has a broad definition of personal information: ‘information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household’. This is similar to GDPR’s expansive view of personal data.
General Data Protection Regulation
The EU’s General Data Protection Regulation – GDPR – came into effect in 2018. It is a legal framework that sets guidelines for collecting and processing personal information from individuals who live in the European Union. GDPR applies regardless of where websites are based, which means that it should be adhered to by all sites which attract European visitors. GDPR is considered one of the most stringent data security laws in the world.
GDPR specifies that website users must be notified about the data a site is collecting, and users should expressly give their consent for that data collection. This is why many websites have pop-ups asking users to consent to cookies – that is, small files that hold personal information such as site settings and preferences – being collected.
Key features of GDPR include:
- Consumers are entitled to know how their data is collected and used.
- Consumers can ask websites what information has been collected about them (without paying a fee).
- If there are mistakes in consumers’ data, they can request they are corrected.
- Consumers can request their data be deleted from records.
- Consumers have the right to refuse data processing – for example, for marketing purposes.
- Sites must notify users if their data has been compromised or breached.
The European Commission explains GDPR in detail on its official website. There have been some eye-catching penalties awarded to big companies for GDPR breaches – including Google being given a $57 million fine because important information was hidden when users set up new Android phones, meaning users didn’t know what data collection policies they were agreeing to, and British Airways being fined $28 million when 500,000 customer booking records were stolen in an attack.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 – HIPAA – is a US federal law focused on health insurance regulation, including data privacy and security sections. It prevents health care providers, businesses, and the people working with them from disclosing consumers’ health information without their permission.
When people talk about HIPAA, they typically refer to the Privacy Rule provision established in 2003. This rule was partly introduced because the US Congress recognized that the internet made health privacy breaches more likely to occur. HIPAA’s Privacy Rule gives consumers the right to control their health information disclosures, so they can tell their health care provider what to share.
However, HIPAA only protects health care information held by specific kinds of health care providers. For example, health care data on your fitness tracker is not usually covered by HIPAA. Genetic data you enter on websites like Ancestry.com is also not covered by HIPAA. Other laws or agreements like the privacy disclosures required on many apps may protect that information, but HIPAA does not.
The Gramm-Leach-Bliley Act (GLBA) – also known as the Financial Services Modernization Act of 1999 – is a banking and financial law that contains data privacy and security elements. Its protection of personal information builds upon previous consumer financial data laws such as the Fair Credit Reporting Act (FCRA).
Essentially, GLBA protects non-public personal information, which is defined as any ‘information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available.’ The reference to ‘publicly available’ means property records or certain mortgage information that may be in the public domain.
The GLBA Safeguards Rule requires data collectors to protect personal information and create appropriately sized data security systems. In other words, large national banks need more sophisticated safeguards than, for example, a neighborhood credit union.
The rule requires businesses to test regularly. Moreover, they must implement security measures in their day-to-day operations, such as running employee background checks and establishing breach action plans in case of attack.
The GLBA makes pretexting illegal. Pretexting refers to someone gaining improper access to non-public information. The term is often associated with social engineering hacks – for example, when someone passes themselves off as a manager or law enforcement agent to obtain information. Phishing scams, which sometimes involve setting up fake websites that deceive people into divulging private information, are another example of pretexting. The GLBA requires financial institutions to establish measures that prevent pretexting as part of their security plans.
Internet privacy laws: Conclusion
Different jurisdictions around the world have their own internet privacy and data security laws. For example, Brazil has the Lei Geral de Proteção de Dados (LGPD) while Canada has the Consumer Privacy Protection Act (CPPA), both of which are broadly similar in scope to the EU’s GDPR or California’s CCPA.
In the US, there is no one comprehensive federal law that governs data privacy. Internet regulation is a complex patchwork of sector-specific and medium-specific laws, including laws and regulations that address telecommunications, health information, credit information, financial institutions, and marketing.
One of the best ways to protect your online privacy and data security is using a comprehensive antivirus solution. A product like Kaspersky Total Security blocks common and complex threats like viruses, malware, ransomware, spy apps, and the latest hacker activities.