How Much Privacy Do You Have Online?

In July 2018, California became the first state to enact a digital privacy law that provides protections for consumers to control how their information is collected and used by companies. While some businesses may see the regulation as too restrictive, supporters say it is necessary to protect customers in the digital world.

We’ve been using the internet for decades, but the concept of privacy still lacks a modern application to the online world. Digital privacy, therefore, remains a legal frontier.

Though the internet and social media have been used by the public for decades, the concept of privacy still lacks a modern application to the online world. Digital privacy, therefore, is still very much a legal frontier.

Thaddeus Hoffmeister, professor at the University of Dayton’s School of Law, said the hearings with Facebook and Cambridge Analytica in the summer of 2018 sparked a much-needed public discourse about the scope of digital privacy and power.

“The exposure helps people understand what social media companies are doing with their information,” Hoffmeister said.

And yet, there is so much left for consumers to learn about the capability of companies to breach their privacy.

What Is Privacy?

Historically, courts have looked to the Fourth Amendment to the Constitution for privacy protections and have interpreted its meaning in many ways:

  • Freedom from government surveillance
  • Privacy in one’s home
  • Freedom of thought
  • Control over personal information
  • Protection from embarrassment
  • The right to be left alone 

American courts rely on legal precedents when applying the law to new cases, and some legal experts have argued that the law provides little precedent for a quickly evolving digital world. Hoffmeister believes otherwise.

“You don’t want the law to be too cutting edge, but you don’t want the law to be too far behind,” he said. “Antiquated rules aren’t capturing what we have going on.”

Attorney Mark A. Smith, who specializes in invasion of privacy, said the line between public and private spaces is becoming increasingly blurred.

“We expect that when we post pictures or about activities we did that day, it’s only for our friends and family to see, but that’s not really true,” Smith said.

Many state and federal laws protect specific classes of online data: health information, financial transactions, and personal information about children younger than 13. But otherwise, a person’s online accounts — including social media, browsing history and personal data — can be mined by advertisers.

That’s because companies can collect and use data if they have users’ consent. People consent to sharing their data when they post on a social media platform by agreeing to a website’s “Terms and Conditions” or enabling third parties to track browser activity.

Hoffmeister and Smith agree that posting on a private profile counts as consent.

“When you share anything on social media, you lose your constitutional right to a reasonable expectation of privacy,” Hoffmeister said. “You might set your Facebook page to private, with the hope of controlling who can see your information, but the gray area comes when applying for a job,” because employers can make some hiring choices based on a person’s digital footprint.

Hoffmeister said a reasonable expectation includes sending private messages to one other person, though that privacy is not absolute.

Smith called the law “very unsettled.”

“You’re applying for a privilege to work at a particular place, and they have to do their due diligence — are you consenting to that by applying?” he said. “It’s a very subjective set of circumstances that have to be dealt with on a case-by-case basis. It’s the quintessential gray area.”

In general, people enjoy a reasonable expectation of privacy in their home or private spaces. But just because a person is accessing the internet in the privacy of their home doesn’t mean they still have the same protections.

However, the Civil Rights Act of 1964 prevents employers from discriminating based on race, religion, gender or nationality. More recent federal statutes prohibit discrimination based on age, disability, genetic information, sexual orientation and other personal information.

In addition to employees, Hoffmeister said specific groups may be monitored for potentially offensive or criminal activity. Students, employees or people who have been convicted of a crime may be surveilled by social media monitoring companies or law enforcement officials. Though Americans may be bothered by the idea of surveillance, Hoffmeister pointed out that — according to the Fourth Amendment — it’s not an invasion of privacy.

“Law enforcement has always done undercover work,” he said. “Now that criminals are going online, so law enforcement is going online too.” 

However, internet users often overlook privacy policies or use web browsers without making themselves fully informed about where their information is being stored and shared.

“Information is the new oil,” Hoffmeister said. “But people don’t realize just how much their information is worth to companies.”

What Is Personal Information?

In May 2018, the European Union began enforcing the General Data Protection Regulation (GDPR), which standardizes information collection and strengthens rights for internet users.

Because of its international implications, the GDPR applies to any entity that collects and retains personal data from anyone in the EU, even if that company operates in the United States. For that reason, many American companies have implemented the regulations, including for their American consumers.

The GDPR defines personal data as “any information [relating] to an identified or identifiable natural person.”

  • Name
  • Address
  • Date of birth
  • Credit card numbers
  • Government ID
  • Email address
  • Account numbers
  • Location data
  • Pseudonymous data

Further protection is offered for sensitive personal data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Health information
  • Genetic data
  • Biometric data

Under the GDPR, companies can collect personal and sensitive data, but disclosure is required for a company to collect, store and use any personal data from any user. There is no equivalent U.S. federal law.

Four Ways to Take Charge of Your Digital Privacy

“Consumers should take it upon themselves to manage their privacy. Don’t wait for a law to be passed.”

— Professor Thaddeus Hoffmeister, faculty member at University of Dayton’s School of Law

Hoffmeister recommended that people who share personal information on digital platforms take the time to understand where their information is going and who will ultimately have ownership of it.

Know what to look for in the Terms and Conditions.

Though it’s tempting to scroll through and click “accept,” consumers should look for answers to these key components about their personal information:

Ownership: Who owns your information and content? How can it be used? Is there an opportunity to opt out?

Erasure: Do you have the right to delete your information? How long is your information stored on the website?

Collection: What information is being collected and stored about you?

Access: How can you see the information being collected on your behalf?

Disclosure: Is personal information shared with third parties? For what purposes?

Tip: If a privacy policy is unclear or concerning, look for contact information to reach the company’s privacy officer or customer support. 

Clear out cookies and fully close a browser after every session.

Cookies are used to track browser data while users are on a particular site. After leaving a site, cookies enable a third party to follow a user’s behavior and create opportunities for companies to display ads for a previously viewed site. Most cookies are disabled after a user completely closes a browser — meaning they have quit the app or exited out of the session — but can be more effectively disabled manually.

Tip: Visit Google’s support page to learn how to disable cookies on your personal device. 

Take advantage of customizable settings.

When purchasing or updating devices and platforms, consumers should take an inventory of any settings changes.

Tip: Instructions for adjusting privacy settings may be explained on a support page for a given platform, including FacebookInstagramGoogle Chrome and Windows 10.

Use digital tools to better understand consumer rights.

The Federal Trade Commission offers guidance on managing consumers’ online privacy and protecting children on the web. Residents of U.S. territories and all 50 states can learn more about the state laws that dictate online privacy by searching for each state’s consumer protection office.

Tip: The Usable Privacy Policy Project has a search tool where users can explore annotated versions of privacy policies for contextual information about how a site is managing their personal data.

The Future of Privacy Regulations

There is no general federal digital privacy law; everything that exists now has been enacted at the state level, or only protects specific information at the federal level.

States that take a proactive approach to digital privacy legislation may shape future regulations at the federal level, pushing legal trends toward increased protections for consumers.

The most recent state law was enacted in California. According to a report in The New York Times, the California Consumer Privacy Act of 2018 will be implemented in 2020 and gives consumers the right to the following:

Know what information is being collected

Understand why that information is being collected

See who has access to the collected information

Tell companies to delete their information

Prohibit companies from selling or sharing their data

Receive the same quality of service as other consumers if they opt out of data collection

Potentially sue a company if data privacy is breached

More heavily protect personal information about children under the age of 16

“If California passes a privacy law, that only applies to their residents,” Hoffmeister said. “But if 1 in 9 Americans is from California, then Facebook has to take their laws into account. Right now, California is leading the way, and their laws will eventually become the default.”

Government interest in the digital space isn’t going away, so what does that mean for digital companies in the next decade?

“Big platforms will survive, but up-and-coming platforms will be challenged by regulations,” Hoffmeister said.

If increased regulations persist, new social media platforms may struggle to find footing in a regulated environment, while seasoned companies such as Facebook can adapt to new privacy requirements like the GDPR without losing a substantial amount of revenue.

With so much media coverage of the GDPR and congressional hearings about Facebook and Cambridge Analytica’s data collection, increased exposure may lead to increased legal literacy and help Americans be more proactive about seeking legal protections online.

“They can band together if they decide they want change,” Hoffmeister said. “It will be very hard to go up against deep pockets, but it’s ultimately a positive outcome of the hearings from this summer.”

Citation for this content: University of Dayton’s online J.D. degree.