What is your privacy worth? How much would you charge to sell or lease your personal information? For how long would you allow your information to be used? How would you ensure that your information is used only for the purposes described to you when you sold it?
These questions seem implausible, since very few informed people would knowingly or willingly sell their personal information to total strangers. But personal information is exchanged with total strangers every day, every hour, every minute. Facebook, LinkedIn, Twitter and scores of other social media sites ask for, and receive, personal information on every user. And with geo-tagging becoming a common user feature, your online identity becomes easier to track and your online behavior easier to predict.
While many web sites often use your personal information for purposes other than those originally disclosed in the terms of service, legal protections have historically been inconsistent and vary from nation to nation, and even state to state in the U.S.
This reality appears to be changing.
The European Union released additional guidance in December 2015 that seeks to strengthen citizens’ rights over how their personal information is used. The General Data Protection Regulation enables additional controls for citizens to access and manage the disposition of personal information disclosed online. One of the most important provisions is the “right to be forgotten.” When a covered user no longer wants personal information to be used or retained, service providers must offer methods for confirmed deletion. Another important provision is the right to know when personal information for covered users is compromised. New rules provide guidance on the severity of compromises and simplify the notification process, which should (theoretically) reduce bureaucratic compliance burdens and costs to businesses.
But the most important aspect of the regulation, in my opinion, is that these provisions apply to all businesses that offer services in the EU. Under the principle often referred to as “European rules on European soil,” organizations based outside the EU must offer the same protections to EU citizens, regardless of where those organizations are based. As these rules expand, non-EU organizations and companies will be subject to these provisions.
What about the U.S.? Don’t we have similar protections?
The simple answer is, no. The U.S. does not have any single or comprehensive federal legislation regulating the collection and use of personal information, even with the explosion of breaches in recent years. Forty-seven states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands and Guam have enacted legislation requiring notification to individuals of compromises to personal information. These laws, while certainly a decent start, only require notification after a breach has been identified and reported. Thirty-one states and Puerto Rico have enacted legislation that requires certain entities to dispose of personal information. But these laws are inconsistent and difficult to enforce. Some apply only to paper records, others only to employers, and still others only to financial services institutions, healthcare organizations and businesses, or tax preparation services. This patchwork of federal and state laws leads to gaps, overlaps and contradictions, and gives malicious actors many vulnerable targets.
In 2014 and 2015 in the U.S. alone, more than 212 million citizens were affected by breaches that compromised individual identities by releasing names, social security numbers, birth dates, street addresses, credit card numbers, and even employment information. And with more devices becoming Internet-aware, these numbers will continue to climb.
What can I do to protect my online identity and privacy?
With few comprehensive and consistent legal protections, you have to protect yourself when browsing Internet sites and services.
- First, check the privacy settings on all browsers and applications, whether on your workstations or mobile devices. Default settings typically enable the sharing of personal information, so it’s up to you to change them.
- While you’re inspecting the privacy settings, check your location services. Geo-tagging exposes your physical movements and locations visited, and can be used to predict travel and even spending habits.
- Review the cookie settings on all of your browsers. Some browsers allow third-party cookies, again by default, so check your browser cookie stores and enable the “Do Not Track” feature, if available.
- Obscure your online identity. Not only should you use distinct passwords on different sites and change your passwords regularly, you should also use different identities when online. Using different user names, email addresses and devices increases the difficulty of tracking your online activities.
- Finally, and most obviously, use caution when sharing your personal information online. Provide only information that is pertinent to specific online transactions. Avoid providing critical personal information, such as social security numbers and bank account numbers, unless you clearly understand the terms under which this information may be used. If you no longer subscribe to a service, delete your associated accounts and ask for confirmation that your account and all associated information are in fact deleted. Some services offer this confirmation, while others may require a call to customer service.
Sharing personal information is often described as a convenience. In many cases, sharing certain information with reputable services saves time and even money. But always remember: Convenience enabled by technology brings with it many risks. Understand and manage the risks to minimize your online exposure.