In July 2018, California became the first state to enact a digital privacy law that provides protections for consumers to control how their information is collected and used by companies. While some businesses may see the regulation as too restrictive, supporters say it is necessary to protect customers in the digital world.
We’ve been using the internet for decades, but the concept of privacy still lacks a modern application to the online world. Digital privacy, therefore, remains a legal frontier.
Though the internet and social media have been used by the public for decades, the concept of privacy still lacks a modern application to the online world. Digital privacy, therefore, is still very much a legal frontier.
“The exposure helps people understand what social media companies are doing with their information,” Hoffmeister said.
And yet, there is so much left for consumers to learn about the capability of companies to breach their privacy.
What Is Privacy?
Historically, courts have looked to the Fourth Amendment to the Constitution for privacy protections and have interpreted its meaning in many ways:
Freedom from government surveillance
Privacy in one’s home
Freedom of thought
Control over personal information
Protection from embarrassment
The right to be left alone
American courts rely on legal precedents when applying the law to new cases, and some legal experts have argued that the law provides little precedent for a quickly evolving digital world. Hoffmeister believes otherwise.
“You don’t want the law to be too cutting edge, but you don’t want the law to be too far behind,” he said. “Antiquated rules aren’t capturing what we have going on.”
Attorney Mark A. Smith, who specializes in invasion of privacy, said the line between public and private spaces is becoming increasingly blurred.
“We expect that when we post pictures or about activities we did that day, it’s only for our friends and family to see, but that’s not really true,” Smith said.
That’s because companies can collect and use data if they have users’ consent. People consent to sharing their data when they post on a social media platform by agreeing to a website’s “Terms and Conditions” or enabling third parties to track browser activity.
Hoffmeister and Smith agree that posting on a private profile counts as consent.
“When you share anything on social media, you lose your constitutional right to a reasonable expectation of privacy,” Hoffmeister said. “You might set your Facebook page to private, with the hope of controlling who can see your information, but the gray area comes when applying for a job,” because employers can make some hiring choices based on a person’s digital footprint.
Hoffmeister said a reasonable expectation includes sending private messages to one other person, though that privacy is not absolute.
Smith called the law “very unsettled.”
“You’re applying for a privilege to work at a particular place, and they have to do their due diligence — are you consenting to that by applying?” he said. “It’s a very subjective set of circumstances that have to be dealt with on a case-by-case basis. It’s the quintessential gray area.”
In general, people enjoy a reasonable expectation of privacy in their home or private spaces. But just because a person is accessing the internet in the privacy of their home doesn’t mean they still have the same protections.
However, the Civil Rights Act of 1964 prevents employers from discriminating based on race, religion, gender or nationality. More recent federal statutes prohibit discrimination based on age, disability, genetic information, sexual orientation and other personal information.
In addition to employees, Hoffmeister said specific groups may be monitored for potentially offensive or criminal activity. Students, employees or people who have been convicted of a crime may be surveilled by social media monitoring companies or law enforcement officials. Though Americans may be bothered by the idea of surveillance, Hoffmeister pointed out that — according to the Fourth Amendment — it’s not an invasion of privacy.
“Law enforcement has always done undercover work,” he said. “Now that criminals are going online, so law enforcement is going online too.”
However, internet users often overlook privacy policies or use web browsers without making themselves fully informed about where their information is being stored and shared.
“Information is the new oil,” Hoffmeister said. “But people don’t realize just how much their information is worth to companies.”
Because of its international implications, the GDPR applies to any entity that collects and retains personal data from anyone in the EU, even if that company operates in the United States. For that reason, many American companies have implemented the regulations, including for their American consumers.
Further protection is offered for sensitive personal data:
Racial or ethnic origin
Religious or philosophical beliefs
Trade union membership
Under the GDPR, companies can collect personal and sensitive data, but disclosure is required for a company to collect, store and use any personal data from any user. There is no equivalent U.S. federal law.
Four Ways to Take Charge of Your Digital Privacy
“Consumers should take it upon themselves to manage their privacy. Don’t wait for a law to be passed.”
— Professor Thaddeus Hoffmeister, faculty member at University of Dayton’s School of Law
Hoffmeister recommended that people who share personal information on digital platforms take the time to understand where their information is going and who will ultimately have ownership of it.
Know what to look for in the Terms and Conditions.
Though it’s tempting to scroll through and click “accept,” consumers should look for answers to these key components about their personal information:
Ownership: Who owns your information and content? How can it be used? Is there an opportunity to opt out?
Erasure: Do you have the right to delete your information? How long is your information stored on the website?
Collection: What information is being collected and stored about you?
Access: How can you see the information being collected on your behalf?
Disclosure: Is personal information shared with third parties? For what purposes?
Clear out cookies and fully close a browser after every session.
Cookies are used to track browser data while users are on a particular site. After leaving a site, cookies enable a third party to follow a user’s behavior and create opportunities for companies to display ads for a previously viewed site. Most cookies are disabled after a user completely closes a browser — meaning they have quit the app or exited out of the session — but can be more effectively disabled manually.
Understand why that information is being collected
See who has access to the collected information
Tell companies to delete their information
Prohibit companies from selling or sharing their data
Receive the same quality of service as other consumers if they opt out of data collection
Potentially sue a company if data privacy is breached
More heavily protect personal information about children under the age of 16
“If California passes a privacy law, that only applies to their residents,” Hoffmeister said. “But if 1 in 9 Americans is from California, then Facebook has to take their laws into account. Right now, California is leading the way, and their laws will eventually become the default.”
Government interest in the digital space isn’t going away, so what does that mean for digital companies in the next decade?
“Big platforms will survive, but up-and-coming platforms will be challenged by regulations,” Hoffmeister said.
If increased regulations persist, new social media platforms may struggle to find footing in a regulated environment, while seasoned companies such as Facebook can adapt to new privacy requirements like the GDPR without losing a substantial amount of revenue.
“They can band together if they decide they want change,” Hoffmeister said. “It will be very hard to go up against deep pockets, but it’s ultimately a positive outcome of the hearings from this summer.”