Demystifying the Language of Privacy by Tim Sleath
Data privacy has always been a hot topic, but with new laws coming next year, the landscape as we know it today is going to change. There are two things that will affect pretty much everyone next year.
First, the General Data Protection Regulation, five years in the making, comes into effect in May, 2018. This has widespread changes to the language of consent, a requirement for dedicated “data protection officers” in companies, and definitions of personal data.
Second, a recently-leaked draft regulation would tighten the e-privacy (aka “cookies”) directive that came into force in 2011. This new regulation is expected to become law alongside and in support of the GDPR.
What’s more, these E.U. regulations have a global effect and intersect with some existing US laws in a confusing way, but which can be unravelled one step at a time.
Global businesses must explain via their privacy notice how they obtain, use and store their users’/customers’ data. But how to do so when the laws are in flux and changing the terminology that must be used? The first step is to understand the different definitions in play.
As it stands today, with regard to personal information, there are two types of data: (1) data that clearly pertains to and can be readily used to identify an individual; (2) data that can’t identify an individual.
The former type is called personal data in the E.U., and Personally Identifiable Information (PII) in the U.S. The latter type may be referred to as impersonal, non-personal or anonymous data. The law is also quite simple. In the E.U., if you’re using anonymous data, no rules apply to USE of that data — you can do what you want. (There may be some rules on storing information on a user’s device, but that’s another story.) However, if you’re using personal data, the laws are pretty clear.
In the U.S., there aren’t any specific laws on PII use (unless you’re operating in healthcare or finance), so advertising or media entities can legally do what THEY like, provided it doesn’t fall foul of the FTC Act. That act is about trade practices, not personal data, but is often invoked due to “unfair” (a company is doing something unreasonable, which causes harm to the consumer) or “deceptive” (a company is saying they do one thing, but, in fact, doing another) business practices. I have deliberately omitted the laws on children and students — we’ll come back to that shortly.
The E.U. also has a subset of personal data called “special categories”; the U.S. has “sensitive PII” for things like medical history, political and sexual bias. Both the E.U. and the U.S. require consent to use such data.
Let’s look at examples of what falls into which buckets. Personal data includes phone number, credit card number, name, email address, physical address. Note: while most people might expect “sensitive PII” to cover credit card number, rather than political affiliation, that’s not the case.
Non-personal data includes cookie id, device id, user agent. These aren’t personal data — yet.
Interestingly, the IP address is a slightly grey area. If you’re an ISP, an IP address is personal, otherwise it’s not. (In Germany, however, the IP address is always considered personal, regardless of the entity using it.)
The confusion starts with the imminent E.U. General Data Protection Regulation (GDPR), which will go into effect in May, 2018. However, GDPR will have a global impact. Why? Let’s say a Dutch consumer raises a case with their Data Protection Authority (DPA) that their data protection rights have been infringed by a U.S. company. The DPA, and ultimately European Court of Justice, will be able to bring legal action.
The GDPR changes the the boundaries that we’re used to, so that everything about or related to a person becomes personal data. This sounds fair, but it means that IP address, user agent and the like become personal data. This is important because personal data requires some kind of permission to be used.
Under E.U. rules, “permission” means either the user has given their consent, or there is some other legitimate interest that covers the usage. What constitutes “legitimate interest” is something of a grey area.
A real curveball comes from another U.S. law called Children’s Online Privacy Protection Rule, or COPPA. Within its wording, COPPA includes reference to the fact that for young people, cookie IDs are PII. What this means is that the same information changes its classification, depending on whether the user is aged 13 or younger. (Of course, from a cookie id, IP address or user agent, it’s not clear if the user is 8 or 80, which makes COPPA problematic in operation.)
So the question becomes: How do we work under these new conditions? We know things will change in the E.U. in 18 months, that “personal data” will cover more than it covers now and that PII only applies to children in the U.S.
The time to start preparing for these changes is now. If your firm works with online data but doesn’t have someone thinking about information regulation, you should find someone. (The GDPR mandates data protection officers for companies that use online user data as a fundamental part of their business, so you’ll probably need one in 2018 anyway.) As for the privacy notice — that’s easy, as long as you can be honest about what data you actually collect, rather than just classing it as non-personal or anonymous data. Because pretty soon, that distinction simply won’t exist.