China recently joined the European Union and Brazil in passing a personal data protection law. Scheduled to go into effect on 1 November 2021, the Personal Information Protection Law (PIPL) will require app designers to allow users to decide whether and how their data will be used, and will require that consent be obtained from individuals to use their data. Foreign companies doing business with China will also be subject to these requirements.
Similarly, Europe’s General Data Protection Regulation (GDPR) dictates how governments must protect their citizens’ privacy and hands greater control of personal data over to individuals. This includes requiring companies to get permission from customers to share their data and giving users the right to obtain, delete, and control the use of their personal data. In the United States, there is currently no federal law regulating data privacy. While a patchwork of state laws governs data privacy in the U.S., including the California Consumer Privacy Act (CCPA), these laws do not offer comprehensive data protection.
What Should Data Privacy Laws Include?
While data privacy laws can vary, they tend to come with similar requirements. According to a recent report from Thorin Klosowski, the editor of privacy and security topics at Wirecutter, a product review website owned by The New York Times Company, data privacy laws should include four basic protections:
- Data gathering and sharing privileges: Data privacy laws should give users a fundamental right to see the data that has been collected, to request the data be deleted, to easily transfer data between services, and to instruct companies not to sell or share their data with third parties. “To get an idea of how this kind of regulation works in practice, we looked at what it’s like to request information in California under the CCPA,” writes Klosowski, “which tends to require that you click through at least one form on every single website you interact with (and for some third parties you may not even know exist).”
- Opt-in consent: Users should have a right to opt in to having their data sold to third parties. “You shouldn’t have to spend hours opting out of the collection of your private data through every service you use,” he writes.
- Minimization of user data: Data privacy laws should limit the amount of data companies can collect. Organizations should only be allowed to collect the data they need to provide users with a service.
- Nondiscrimination and no data-use discrimination: Data privacy laws should prevent companies from discriminating against or punishing users who exercise their rights. “For example, the company can’t charge someone more for protecting their privacy, and the company can’t offer discounts to customers in return for their giving up more data,” Klosowski writes. “This regulation should also include clarification about civil-rights protections, such as preventing advertisers from discriminating against certain characteristics.”
As data privacy laws take effect across the globe, organizations need to prepare for them. While data laws are still evolving, organizations can stay ahead of them by ensuring they are in compliance with these basic requirements.
Data Privacy Engineering
In addition to protecting your own network, your organization needs to ensure that the products and systems it develops take data privacy into account. This means limiting the data they collect, determining how your organization retains and uses that data, and ensuring you are applying all relevant regulations — which can all help build consumer trust.
IEEE has partnered with the International Association of Privacy Professionals (IAPP) to provide the IEEE | IAPP Data Privacy Engineering Collection to organizations. This unique training is designed to further educate your technical professionals tasked with developing products so they understand, maintain, and protect data privacy throughout the R&D process. The program provides access to tools that allow your technical workforce to implement policies and processes for designing products that take ethical personal data use into consideration right from the start. Learners will understand how to:
- recognize the benefits and challenges of emerging technologies and how to use them while respecting customer privacy
- establish organizational privacy practices for data security and control
- gain practical knowledge and insights to address corporate privacy challenges
- leverage the knowledge gained to develop products that take data privacy into account
Contact an IEEE Account Specialist today to learn more.
Klosowski, Thorin. (6 September 2021). The State of Consumer Data Privacy Laws in the US (And Why It Matters). Wirecutter/New York Times.
Lomas, Natasha. (20 August 2021). China Passes Data Privacy Protection. TechCrunch.