We’re reaching out to let you know about upcoming changes to
the Online Privacy Policy. These changes will make it easier to understand how
we collect and use data to create great online experiences for you.
Our new, updated Online Privacy Policy, effective June 30,
2018, includes:
• More details about the information we collect from you,
how we collect the information, how we make use of the information, and how we
may share the information.
• A link to the new Privacy Notice for EU Residents,
which governs the handling of information about EU residents under the new
European Union General Data Protection Regulation (GDPR) (effective May 25,
2018).
• Our new Statement Regarding Cookies and Other Tracking
Technologies providing more details about the cookie and tracking
technologies we use and how they work (effective May 25, 2018).
Thank you for being part of our Internet community.
Sincerely,
Your friends
First of all, I must tell all
you subscribers, regular readers and fans that I’ve already sold all your
personal information so if you ever wonder why you are getting ads for
outrageous deals on impossible items of immense worth, that was me.
Secondly, Happy GDPR Day!
I, for one, am so glad that all
my privacy is protected now.
The European Union has a new law
on the books for protecting data privacy. It’s the General Data Protection Regulation, more commonly called the GDPR.
This Friday, it goes into effect in the EU’s 28 member states.
It’s not just the household
names of the Internet like Facebook that will have to comply. Health care
providers, insurers, banks and any other company dealing in sensitive personal
data will also be on the hook.
The regulation expands the scope
of what companies must consider personal data, and it requires them to closely
track the data they’ve stored on EU residents. If someone in the EU wants a
company to delete his or her data, send copies of the data, or correct an error
in the data, companies have to comply.
The law goes even further than
that. EU residents can now object to specific ways companies are using their
data, saying that they don’t mind if a company keeps the data as long as it
stops using the info for a particular purpose.
What’s more, the law requires
companies to notify users within 72 hours of a data breach -- something very
few companies currently do.
Information privacy, or data
privacy (or data protection), is the relationship between the collection and
dissemination of data, technology, the public expectation of privacy, and the legal
and political issues surrounding them.
Privacy concerns exist wherever
personally identifiable information or other sensitive information is
collected, stored, used, and finally destroyed or deleted – in digital form or
otherwise.
Improper or non-existent
disclosure control can be the root cause for privacy issues.
Data privacy issues may arise in
response to information from a wide range of sources, such as:
• Healthcare records
• Criminal justice investigations and proceedings
• Financial institutions and transactions
• Biological traits, such as genetic material
• Residence and geographic records
• Privacy breach
• Location-based service and geolocation
• Web surfing behavior or user preferences using persistent cookies
• Academic research
The challenge of data privacy is
to utilize data while protecting an individual’s privacy preferences and their
personally identifiable information. The fields of computer security, data
security, and information security design and utilize software, hardware, and
human resources to address this issue. Since the laws and regulations related
to privacy and data protection are constantly changing, it is important to keep
abreast of any changes in the law and to continually reassess compliance with
data privacy and security regulations. Within academia, Institutional Review
Boards function to assure that adequate measures are taken to ensure both the
privacy and confidentiality of human subjects in research.
How will the EU enforce the GDPR?
Each member state of the EU will
have its own enforcement mechanism, with one GDPR supervisor per country.
Residents can make complaints to
the governing body in their respective country. Companies found in violation of
the law will face fines that could be very steep. The maximum fine for a GDPR
violation is 20 million Euros or 4 percent of a company’s annual global revenue
from the year before, whichever is higher.
When does the GDPR take effect?
Friday. The regulation was
ratified in 2016 and organizations were given a two-year “implementation period”
to prepare. This grace period ends on May 25, 2018, when enforcement begins in
earnest.
Does this law apply only to companies based
in the European Union?
No -- and this is why it’s major
international news. The GDPR applies to any organization that collects,
processes, manages or stores the data of European citizens. This includes most
major online services and businesses that collect, process, manage or store
data. Because of this, the GDPR essentially sets a new global standard for data
protection.
What kind of data does the GDPR protect?
The regulation applies to a
broad array of personal data, including a person’s name and government ID
numbers. It also protects information that can show a person’s activity both
online and in the real world. That includes location information, as well as IP
addresses, cookies and other data that lets companies track users as they
browse the Internet.
How will this affect Facebook and other
social-media companies?
Many large online services and
social-media companies are updating their privacy policies and terms of service
to prepare for the new legislation. Facebook’s response is sure to be closely
scrutinized by European regulators, given the Cambridge Analytica scandal as
well as past concerns about the company's data collection.
These include the kerfuffle in
2007 over the company’s controversial Beacon advertising program that broadcast
user activity on partner sites. And don’t forget user uproar when Facebook and
its subsidiary Instagram claimed to own user profile data and photos. The GDPR
makes it much clearer that these kinds of activities aren't OK.
How will this affect me, a non-EU resident?
Facebook, Microsoft, Twitter,
Apple and others have all offered users beyond the European Union some
additional rights over their data.
But those rights don't have the
force of law behind them, which means you can’t file a complaint against
Microsoft for violating the GDPR if you aren’t an EU resident. While you enjoy
these rights only as long as a company says you do, it does show that the
European regulations are reshaping the way major companies approach user data.
The other way this affects you
is with the barrage of privacy policy updates you’ve likely received over the
past few months. Many companies crafted new privacy policies in advance of the
GDPR going into effect, and then they told you about it all at the same
time.
How does the regulation affect hacks and
breaches?
The GDPR requires companies that
have lost control over customer data, or that have been hacked, to notify users
within 72 hours. That’s one of the rules that carries the maximum penalty. For
instance, if Facebook were found to have failed to comply, it could be liable
for a $1.6 billion penalty (based on its 2016 annual revenue of $40 billion).
Are there special protections for minors?
The GDPR requires businesses and
organizations to obtain parental consent
to process the personal data of children under the age of 16.
Does the US have any legal equivalent to
the GDPR?
No. Most states have their own laws
governing data breaches and notification requirements, and most apply only to a
limited set of data types: Social Security numbers and health or financial
information.
The SEC recently issued guidance
on how public companies should disclose breaches and risks.
Californians could be voting on
a data privacy law this year, the California Consumer Personal Information
Disclosure and Sale Initiative. That would let residents request copies
of their data from companies, find out which third parties companies have sold
their data to, and ask companies not to sell or share their personal data.
Data Privacy Day began in the United States and Canada in January
2008 as an extension of the Data Protection Day celebration in Europe.
Data Protection Day commemorates the Jan. 28, 1981, signing of
Convention 108, the first legally binding international treaty dealing
with privacy and data protection. Data Privacy Day is observed annually on Jan.
28.
The National Cyber Security Alliance (NCSA) officially leads the Data
Privacy Day campaign and is advised by a distinguished advisory
committee of privacy professionals to help the campaign align with the
most current privacy issues in a “thoughtful and meaningful way”.
Data Privacy Day is the
signature event in a greater privacy awareness and education effort.
Year-round, NCSA educates consumers on how they can own their online presence
and shows organizations how privacy is good for business. NCSA’s privacy
awareness campaign is an integral component of STOP. THINK. CONNECT. ™ - the
global online safety, security and privacy campaign.
The Data Protection Directive (officially Directive 95/46/EC on the
protection of individuals with regard to the processing of personal data, the
US term being PII, and on the free movement of such data) was a European Union
directive adopted in 1995 which regulates the processing of personal data
within the European Union. It is an important component of EU privacy and
human rights law.
The General Data Protection Regulation, adopted in April 2016, has
superseded the Data Protection Directive and became enforceable starting on 25
May 2018.
Now don’t you feel better
knowing all that? Sure we had a bunch of fun posting all this stuff about
ourselves and our kids and where we lived and what we ate and who were our
friends and what our political and religious feelings were, so hey, no take
backs. And though that photo of you might have been 20 years ago and you might
have fudged a bit on your weight, it doesn’t matter. The bad guys will hack
into your computer and you will fall for their ‘too good to be true’ deals.
On a similar front, yesterday I
walked to the mailbox and retrieved my usual array of ‘Burger coupons’ and ‘Pizza
delivery specials’ and ‘we have a pair of illegal aliens who will come to your
house and clean out your nasty toilet while casing the place’ when I see this
envelope from Wells Fargo. You know, that bank with the western stagecoach (very American)
and horses (like Budweiser) and special accounts you never ordered? Since I
don’t have a Wells Fargo account, I figured it was just one of those ‘how would you like to
change your bank’ deals. After throwing away all the other junk mail, I opened
the nondescript envelope with the Wells Fargo logo in the upper left corner. I noticed that my name was not on
the address, so I figured it was a scam... And I was right. It seems, according
to the letter, that almost $10k was deposited in ‘my account’ but not enough
cash was included, so the bank had to cover $900 to balance the deposit. Wow!
These guys are swell. An 800 number was printed to call for more information.
Okey Dokey. Think about this.
Some magnanimous person(s) put $9+ grand in my invisible account with a bank
I don’t use, and all I have to do is call this number to find out how I can
withdraw it and have a big party. There was no signature of a bank official and
no address or usual corporate stuff at the bottom of the page. There was no
reference to an account number. The page looked like it could have been printed
on an ink jet printer but properly folded.
Beware Boys & Girls!