Updated: Jul 24, 2020
Through our Lunch and Learn Professional Development Series, Good Counsel Services brings in experts, professionals, and innovators from diverse fields and backgrounds to present to and be of resource for our community of social entrepreneurs and emerging non-profit organizations. Our most recent guest speaker was Rachel Glasser, attorney and Global Chief Privacy Officer at Wunderman Thompson, a full-service advertising agency that in addition to creating ads and content, provides consulting services, data and analytics, data licensing, etc., where she ensures that companies use consumer data in a way that complies with the law and in a way that aligns with consumer expectations.
Data and personal information - information that identifies us as well as indirectly identifies us based on our behavior, such as a cookie from a web browser - are collected about us everywhere: from when we visit the doctor’s office, our internet or mobile phone activity, to when we make a purchase in a retail store. In contrast to the United States, the European Union (EU) and the European Economic Area (EEA) consider personal information a “human right” where people have a right to privacy from government intrusion as well as private companies, according to Glasser. Therefore, how safe is our personal information in the United States and what do private companies use our personal data for? Glasser warns us about the perils of data collection and advises us on how to protect ourselves.
Most of the personal information collected about a person is generally benign (or so we think). However, a greater number of people have become aware of the harms of data tracking and are now growing increasingly wary about the information that is collected about us. In 2016, the General Data Protection Regulation (GDPR) came into force in the EU and EEA, which is “said to be the most sweeping change in privacy and data protection...that the world has...ever seen,” according to Glasser. Among many provisions, the GDPR changed the definition of personal information to include cookies and other identifiers that may not necessarily be your name, but linkages to your name or other personal information, and created a whole new set of obligations for businesses that collect personal information. Entities that fail to comply will be subject to severe penalties.
Any personal data that is processed in the EU and EEA as well as business conducted with members of companies based in the EU and EEA (even if you process the data elsewhere) makes you subject to the GDPR. Here is some more detailed information on the GDPR. Brazil, too, has a law - the General Data Protection Law (LGPD) - about data privacy set to take effect in mid-2021. (The International Association of Privacy Professionals, IAPP, has some information and an analysis of it here.) In addition, Canada has the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been most recently revised in 2019, and has a Privacy Commissioner, who is a Parliamentary Agent who is in charge of the protection and promotion of privacy rights in the country.
Following the implementation of the GDPR, numerous data scandals such as with Cambridge Analytica and Facebook, and other incidents, Americans have come to realize the need to regulate data and personal information within the country. Rightfully so, especially in the United States, which has less restrictive privacy laws than in the EU and the EEA. Glasser says that the United States “[does not] really have...an omnibus privacy rule” that strictly applies to commercial practices or private businesses. Glasser also notes that, “Unless you are in a specific sector of the law, like children or health care, there is no consumer law that protects consumer data or…[our] personal information.”
In 2018, the California Consumer Privacy Act (CCPA) came into effect, which provides for: “The right [for an individual] to know about the personal information a business collects about them and how it is used and shared; The right to delete personal information collected from them (with some exceptions); The right to opt-out of the sale of their personal information; and The right to non-discrimination for exercising their CCPA rights,” according to State of California Department of Justice’s Website. The State of California Department of Justice also states that “Businesses are required to give consumers certain notices explaining their privacy practices.”
We must remember that the CCPA is a California state law, although many businesses are applying it as a nationwide standard, and there is likely to be a greater number of state laws that follow suit. Despite the fact that there are severe penalties for violating it, these fines are marginal for large corporations; not all businesses follow the law, especially the ones that think they can get away with it and where the hefty fines hardly scathe them.The greater consequence for companies is the erosion of consumer trust. Glasser states: Businesses “need to think about things beyond breaking the law,” but also think about whether their personal data collection activity “would be detrimental to [their] brand reputation.” Businesses “are going to have a much harder problem rebuilding [their] reputation” after people learn about a company’s use of personal information, according to Glasser.
Will people continue to use certain websites or give out certain information if they know how their personal information is being used? As we now know, our personal information is not safe. We are being tracked everywhere, both on and off-line. Unless you live completely off-the-grid, you can’t avoid it.
Remember: It’s your information. You don’t have to give it out if you don’t want to. “You can at least put some controls in place” as to what information you share, "but once it’s out there, it’s out there."
Rachel Glasser’s Advice and Tips for Users:
• Read Privacy Policies. Before you register on a website, understand how it is going to use your data. Look for categories about: What information is it going to collect about you and what will it do with that information? Who will they share it with?
• See How You Can Opt Out. Companies supposed to allow people to, but not all of them do nor do they make it easy for you to.
• Know What You’re Getting Back for Giving Up. “If you’re not satisfied with that, then don’t give [your information] up. Otherwise, you can’t just fight the power.”
• Ask Retail Stores Why They Want Your Information in the First Place. You aren’t required to give your phone number or e-mail address after every purchase.
• With Regard to Social Media…Facebook, Instagram, Snapchat, Gmail, and TikTok are some of the least secure.
More Resources on Information on Data Handling/Privacy:
• Read media posts in the industry you’re in/interested in.
• Talk to people in your field.