This is not the first incident where privacy has become a huge concern. At Ehline Law Firm, we strive to provide law firms with relevant resources, from legal to best ethical practices. In this article, we will look at Jake’s Law: the balance of safety and privacy case, as well as privacy advocates’ reactions to the reversal of the pro-privacy decision, tracking the vaccinated, remote learning, and the Federal Aviation Administration’s desire to implement a single drone policy.
The Unfortunate Death of Jake Owen: An Accident That Changed the Law in Maryland
In 2011, a Baltimore family of four cruised down the Baltimore Beltway in their family car when suddenly a distracted driver rear-ended them at 62 mph. Owen’s family was in the lane leading to Interstate 695 at 3 PM on a Wednesday when a sport utility vehicle crashed into the rear of the sedan. This caused a chain reaction that led to a four-car collision involving two other vehicles.
The accident’s impact was so severe that five-year-old Jake Owen lost his life in the back of the car. His nine-year-old sister, Alexandra, suffered from a broken leg, while Jake’s father had a broken shoulder requiring surgery. Fortunately, Jake’s mom was safe and had no apparent injuries.
The negligent driver, Devin Xavier McKeiver, was a 23-year-old resident of West Baltimore. He also suffered minor injuries from the accident and received treatment at a nearby hospital. McKeiver was then released from the hospital the same night.
Upon investigation, law enforcement authorities found McKeiver had no criminal driving records. However, preliminary tests indicate that the driver was speeding and distracted by his cell phone before the collision.
Although quick justice saw McKeiver receive a fine of $1,000, the family members and others in the state started wondering whether it was true justice served. The surviving family members argued that a $1,000 fine for killing their child and injuring two family members in an accident due to negligence was not enough.
Enactment of Jake’s Law
Jake Owen’s father was a restaurant consultant who assisted in the takeover of Baltimore Brewing Company, while his wife, Susan, worked in corporate communications. Not only that, but Jake’s parents were part of a closely-knit community that promoted and focused on raising kids safely in an urban setting.
The family was part of a group of two dozen families working to raise their kids together. Jake’s friend’s family members included influential people, such as the chief Baltimore mayoral spokesman at the time and the City Councilman. None of them was pleased with the mere $1,000 fine that McKeiver had to pay for negligent manslaughter.
Jake’s parents soon set out to create a non-profit change organization to bring changes to the existing legal system. They wanted to protect the community from any accidents in the future. The organization’s first initiative was introducing Jake’s Law, a set of punishments for distracted drivers, discouraging them from overspeeding and using their cellphones while behind the wheel.
Finally, in April 2014, the state decided to pass Jake’s Law to close the loophole in the pre-existing law where drivers would escape with just a small fine even after injuring and killing others. Jake’s law would see offenders in jail for up to one year and fined $5,000 to discourage distracted driving. The law would also deduct 12 points from a distracted driver’s driving license for serious accidents.
The Dangers of Distracted Driving
According to the CDC, nine people die daily due to distracted drivers. More than 424,000 people suffer from injuries in accidents as a result of distracted driving. Studies find that drivers aged between 15 and 20 years are more likely to face distractions than drivers 21 years and older.
Visual, manual, and cognitive are the three main types of distraction while on the road and behind the wheel. Some distractions can include texting while driving, talking on the phone, listening to music, taking your eyes off the road, talking with the passengers in the car, and using the GPS navigation system.
Although widespread knowledge of the risks of distracted driving is widespread, accidents are steadily increasing yearly.
Distracted Driving Accidents and Jake’s Law
The main objective of Jake’s Law is to establish a deterrent effect. The law follows the theory of implementing stricter consequences to reduce unfavorable activities. For example, people will most likely not talk on their phones if they know there are severe fines or jail time for such an act.
Jake’s law supports the victims in punishing distracted drivers. It also increases the victims’ chances of success in court. Injured parties in Maryland can file negligent claims for a distracted driving accident against the negligent driver.
To successfully bring a negligent case against a distracted driver, the plaintiff must prove that the driver violated the law, the violation caused injuries to the plaintiff, and the injuries sustained are the ones the law was trying to prevent in the first place. Jake’s law satisfies the last condition as the law purely exists to prevent injuries from distracted driving, and victims can use Jake’s Law to bring a negligence claim against the distracted driver.
In Maryland, talking on the phone while driving was already illegal. However, with the enactment of Jake’s Law, victims can benefit as the seriousness of this law could bring the jury to have little to no sympathy for the distracted driver.
Some say this is a step in the right direction. Others believe that there is a need for even stricter consequences. They argue that lawmakers should take the law even further by requiring negligent drivers to provide their mobile phone data to help law enforcement determine what was happening a few seconds before the accident.
Privacy advocates refuse to support pushing for laws that may compromise an individual’s privacy. They argue that providing mobile phone data to law enforcement breaches the fourth amendment rights, protecting U.S. citizens from unreasonable searches or seizures.
However, an exciting turn occurred when a U.S. court changed its verdict on a privacy case. Let’s check out the details.
Privacy Court Case: Reversal of Pro-Privacy Decision
In May 2015, a U.S. court surprised everyone after reversing their previous pro-privacy decision in U.S. vs. Davis. This case challenged the use of location data obtained without search warrants.
Quartavious Davis had gone on a three-month robbery spree without getting caught. However, with the help of obtaining his cell phone location, law enforcement authorities could get a hold of Davis. The convict appealed to the court of appeals, where the court ruled in favor of the defendant, Quartavious Davis, as the data collection without any warrant violated the defendant’s fourth amendment rights.
However, in 2015, circuit judges overturned the previous ruling. They stated that the defendant’s phone location data was the property of the phone carrier rather than Davis’s property. The decision vacated by the court was a huge setback for many legal professionals, including law school professors.
In 2012, U.S. vs. Jones was a case where the judges ruled that the police had no right to attach a tracking device under the defendant’s car without a warrant. The privacy community eagerly awaited a similar ruling to apply to cellphone data searches. However, the overturned verdict in the U.S. vs. Davis was detrimental to private protection for more mobile devices.
The new ruling insists that Davis had no ownership of third-party business records and that his network provider was creating, storing, and maintaining records, which meant that the network provider had total control of that data.
However, many legal experts suggest that the court’s ruling in Davis’s case should not be understood as justifying cellphone tracking location. The court was careful in making its decision based on several arguments. The judges stated that Davis was using an older cell phone. This meant he was not tracked in real-time, as the cellphone would connect to one signal tower at a time, only registering that location. The tracking lacked the GPS precision available in the newer versions of mobile phones.
That said, there is a probability that lower courts misinterpret this ruling. It could leave smartphone users vulnerable. Legal experts believe that the ruling applied to technology five years ago. The government could exploit this ruling to its advantage. The ruling still does not address the legality of warrantless phone tracking. Several state courts have said that it is unconstitutional, while some courts are willing to allow warrantless phone tracking.
Covid-19 and Rights of Citizens: Tracking the Vaccinated
The federal government’s swift action to collect citizens’ data from stemming the deadly pandemic has now raised privacy concerns among residents. Public health experts suggest the need for tracking vaccinations across the country. There is also a need to identify weak spots in the community where it lacks vaccinations for its citizens. However, the backlash came when the government announced sharing private data that included an individual’s name, address, race, and other personal information.
Healthcare advocacy organizations such as the American Medical Association urged medical providers to increase their efforts in collecting complete personal information. The first data on vaccinated residents sent to the CDC (Centers for Disease Control and Prevention) lacked race and ethnicity.
The association argued that the race and ethnicity information would allow the public health department to target specific communities. It would help allocate resources accordingly to ensure the swift delivery of healthcare services. However, there are concerns among immigration advocacy groups that argue that the data could be used for deportation purposes.
Public Health vs. Privacy
The CDC states that it requires identifiable data to monitor the vaccination progress in the country. This allows the health department to administer proper doses. Health departments from many states have already populated the database with copious amounts of information. However, most of the data does not contain personally identifiable data.
The Health Insurance Portability and Accountability Act (HIPAA) protects residents by ensuring personal information remains confidential. Unfortunately, this act, including state medical laws, has loopholes that allow public health entities to obtain data without the need for patient permission.
Some states allow their residents to opt-out of data sharing and restrict access to their personal data by a third party. These states have contracts with the CDC to ensure their residents’ privacy and still provide the relevant information to help combat the spread of COVID-19.
The medical providers hand over patient information to the CDC’s Covid-19 Data Clearinghouse, where the system shields the personally identifiable data before sending the remaining information to other databases. The data remains on an Oracle cloud server, with authorized users having access to the data.
Many believe that the system offers complete privacy, but privacy advocates argue that there is a risk of breach.
Data Clearinghouse Breach Risk
Privacy attorneys believe that the system put in place is a great initiative that keeps citizens’ privacy intact, but there is still a risk of a data breach. They argue that even the most secure systems in the United States have gone through security breaches in the past. Cyber attacks are becoming common in the country and are putting residents and their personal information at risk.
However, sharing healthcare data without personally identifiable information after receiving a COVID-19 vaccine and sending it to the national database will not increase the risk of identity theft. This is because there are many other sources, such as an employer’s system, where an individual’s data with personally identifiable information is available.
Citizens Fearing Privacy Breach
Immigrant advocates are the ones that are particularly afraid of unrestricted data sharing among agencies. This fear could dent the federal government’s objective to help curb the spread of COVID-19. Residential addresses and other bio-related information can help Immigration and Customs Enforcement track down immigrants, arrest them, and deport them back to their country.
The United States Department of Health and Human Services often shares personal data with the immigration department, increasing the risk of deportation for immigrants and thus raising fear of getting vaccinated.
There Is No Single Framework
Although the federal government requires personal information alongside vaccination details of the individual, some state governments are not providing complete details to the federal government.
States have their own databases with dashboards that simply display the number of doses administered throughout the state and the number of doses shipped to them. Some states go further with providing data by collecting information such as doses of each vaccine and the number of doses administered according to age and sex.
Most state laws prohibit healthcare providers from disclosing personal data without the individual’s prior consent. However, some states have exceptions to this law, such as sharing information for public health purposes. Several states provide redacted data to ensure their residents’ privacy and help the federal government achieve its goal of preventing the spread of COVID-19.
California was able to renegotiate the information-sharing agreement and limit the data sharing to information that would an individual’s identity an individual. New York also negotiated similar terms with the CDC where they would not share any data that the government could use to document citizenship.
Health attorneys understand the need for data sharing to combat the next pandemic effectively. Many believe that there are ways to share important information without risking an individual’s privacy.
Remote Learning and Privacy Concerns
As COVID-19 started spreading violently across the country, many institutions, workplaces, and even schools went on full lockdown indefinitely. To cater to children’s educational needs, teachers and schools embarked upon the challenge of implementing remote learning solutions such as Zoom for conferencing and Babel or Brainpop for learning platforms.
However, with the remote learning solutions in place, many are starting to wonder about introducing new privacy questions. More than one state governor expedited the implementation of remote learning tools. They waived the privacy provisions in the contracts between educational institutions and technological companies.
The need for continuing education with the least disruption has led to the speedy implementation of remote learning tools without privacy considerations. Even tech companies have temporarily made privacy concerns acute by offering their premium products for free.
Many teachers are bypassing vetting procedures for such products by introducing them on platforms for teachers and students quickly. They are not considering that these tech companies are offering premium products for free for a short period. Eventually, schools and students must pay for them, especially when they provide their credit card information during signup. There are privacy concerns, too, for programs that aren’t vetted.
Although the use of technology feels unprecedented, and teachers and school administrators are quickly implementing them to minimize disruptions, educational institutions must inform parents and their children about how the tech companies might use the data. Educational leaders must refer to the guidelines mentioned in the Children’s Online Privacy Protection Act before deciding on and implementing new technology.
Privacy experts are seriously concerned about school leaders’ frenetic approach to adopting new technologies. They suggest that educational institutions must be fully aware of and evaluate these technologies first. They must understand the privacy implications and then consider their implementation while guarding students’ privacy at the same time.
In 2020, the co-chair of the Parent Coalition for Data Privacy, Cheri Kiesecker, spoke out about how schools and parents should work together to reduce the amount of data collected and distributed by large tech companies.
This wasn’t the first time Kiesecker spoke against tech companies collecting data. In 2018, before the pandemic, Kiesecker showed concern about data collection by tech companies. She said it could potentially result in bullying, identity theft, and other ways of targeting students. Kiesecker’s organization surveyed in 2019 about student privacy protection, and the majority of the schools on the survey received a “C” grade or lower, suggesting a poor rating.
Data is an individual’s identity, and it is also a form of social currency. The school’s speed of implementing technological products to continue education remotely is concerning, as student privacy could get worse and have long-term consequences.
Challenges in Balancing Speed and Privacy
There is a real challenge whereby schools are hurrying to implement new technological solutions to help students catch up without prioritizing their privacy. Those schools that were slow to implement remote learning tools are now on that bandwagon, and the concerns are that they will end up using an app that may not be safe somewhere along the line.
Some schools are trying to find a balance between speed and privacy. They are signing up for new products while at the same time negotiating a contract to help save time. These flexible approaches are what is essentially required. But at the same time, there is a need for legal experts to guide such approaches.
Some states, including California and Connecticut, have clearinghouses that critically examine remote learning tools before schools can implement them. While states like New York are stringent in vetting technological products by letting each district vet a new product individually before allowing schools to implement them.
In 2016, the enactment of the student privacy law meant that companies entering into a partnership with schools were not allowed to use the data beyond the company’s stated function.
However, in March 2020, in Connecticut, the governor waived the law temporarily to ensure quick and quality remote educational opportunities during the pandemic. Some advocates of the 2016 privacy law understand the need to waive the law to ensure the continuity of quality education, but schools must notify parents, and transparency is equally important.
The director of education policy, Sara Kloek, stated that companies that have already been offering remote educational tools for several years are working to comply with privacy requirements. What’s concerning is the introduction of newer companies and those companies that aren’t even designed for education.
The decision to shut down educational institutions came without any notice and was certainly implemented immediately. Schools did not have the time to plan and consider privacy concerns when introducing remote learning tools. This lack of pre-planning and immediate implementation could point to possible mistakes made by the schools.
Concerns Over Camera Control
During the pandemic, Zoom became the leading conference call and meeting application. Zoom also stormed educational institutions with its free subscription for all K-12 schools. It quickly became a resource for educators in enhancing the quality of the “outside classroom environment.” The educational product by Zoom, explicitly made for schools, is in line with the privacy guidelines of the Family Educational Rights and Privacy Act (FERPA), which is not available in its other product lines.
There is a serious concern over using other educational applications by the Parent Coalition for Data Privacy that does not follow the FERPA guidelines. They suggest that parents should cover up their children’s webcams. This concern arose when in 2019, there was a complaint filed against a company that would allegedly activate the webcam whenever they wanted.
Some educators are not sure about the protocols for using remote learning tools. For example, teachers do not know whether they need parents’ permission to invite children below 13 to join Facebook Live sessions for educational purposes. Some schools want to implement rules for teachers and students to follow while on camera to reduce inappropriate behavior and ensure a conducive learning environment.
Lack of Awareness of Student Data Privacy
One of the most concerning facts about student data privacy is the lack of awareness among parents about the laws that protect children from predatory activity or the different forms of digital marketing.
When asked about FERPA and other privacy laws, parents did not know their existence. Although parents play a huge role in protecting their children from any threat to their privacy data, teachers are also key figures in protecting student data privacy.
Districts are educating teachers on following the best practices for student data privacy protection. However, the progress remains slow.
The Chief Technology Officer for the California Elementary School District, Antonio Romayor, explains how the lack of awareness of the complexities of student data privacy can lead to serious issues for educational institutions. For example, a school employee that uses their personal laptop on a public network while accessing the district’s data could lead to a data breach due to an unsuspecting virus or malware. Another example could be the risk of stolen data when parents or students share their log-in information with identifiable data via a text message.
Romayor is actively creating resources to ensure those district employees are aware of the privacy policies and practices. He also ensures that families know federal and state laws on student data privacy by sending letters to them in multiple languages.
Andrea Bennett, the executive director responsible for I.T. in education in California, is also in favor of sending parents as much information as possible via post. This is because some parents who do not have active internet connections or do not check the school websites or social media platforms to keep updated might be in the shadows of privacy concerns.
In Maryland, parents have already been protesting against the school system for the past few years as they want the schools to shed some light on the contract they signed with Google, especially about student data.
The distribution of Chromebooks in schools for years is becoming a concern for parents as they slowly realize the data privacy implications. More schools are now issuing the devices to students who have not yet received them, and parents want to know whether Google is deleting students’ data per the district’s policy.
Concerned parents in Maryland banded together and wrote a letter to the district stating that the lockdown in the state is now converting droplets of information into virtual firehouses as more students spend time in front of their screens at home without teacher oversight.
There is still a long way to go to eliminate these logistical and technological issues associated with technological implementation in K-12 education during the pandemic. Educational institutions might feel speedy implementation of remote learning tools can minimize educational disruptions caused by the lockdown. However, privacy experts suggest taking time to understand the best approach to using technology while protecting student data privacy.
Linnette Attai, a recognized expert and the founder of PlayWell, LLC, a global privacy compliance consulting firm, suggests the need to pay closer attention and avoid rushing technology implementation. If schools can cope without technology in certain aspects, they should consider changing traditional teaching methods rather than forcefully implementing new technologies.
FAA’s Desire to Introduce a Single Drone Policy
Unmanned aerial systems, robotics, and autonomous technology are rising, and the industry is set to grow by $63.6 billion in 2025. Unfortunately, state and local laws conflict with the Federal Aviation Administration (FAA) narrative that the organization is in charge of the national airspace. This has also led to serious challenges after the FAA’s desire to introduce a single drone policy.
In 2012, Congress passed a law that required the FAA to incorporate drones into the national airspace. The idea was that drones have military applications that the U.S. military can take advantage of. However, the public’s concern about the exponential increase in the domestic usage of drones is forcing states to introduce laws targeting drone operations.
Several states prohibit the use of drones for flight, weaponry purposes, and surveillance through the introduction of laws. In 2015, a total of 168 bills affecting drone use were considered, and 20 states enacted 26 of those bills. The problem here is that several laws are conflicting with federal laws, creating an emerging issue of whether federal government law preempts state and local laws.
The United States Constitution is pretty clear about the preemption of state laws in article VI, clause 2. It states that if a court finds that federal law preempts state law, then that state law is immediately considered void. There are two types of preemption; these are express and implied preemption.
Express preemption is when Congress states explicitly that federal legislation invalidates state and local laws. Currently, two preemptions exist, including the exclusive sovereignty and regulation of the United States airspace to the FAA and that states cannot dictate pricing, routes, and airline services to air carriers.
Implied preemption is when there is an intent to preempt state law, which is usually determined on a case-by-case basis. The laws in the aviation field are complex, and there may be some preemptions. However, the United States Supreme Court maintains that states cannot enact laws within this field. The FAA also considers drone restrictions on flight altitude, path, and navigable airspace an invasion of its authority.
Federal Laws Preempting State and Local Laws
To prevent any confusion among the federal, state, and local governments’ responsibilities, the FAA Reauthorization Act of 2016 or the FRA highlights all the federal preemptions about the use of drones in U.S. airspace.
- Section 2142(a) of the FRA establishes the preemption of state and local laws pertaining to the design, development, and manufacturing of a drone. It includes training, airpath, operations, airspace, and more.
- The FRA section 2142(b) clarifies the situation where preemption of state law is impossible. This includes the illegal acts resulting from the use of drones, such as harassment, wrongful death, injuries, and more.
The FRA is Congress’s bold attempt to create a single national drone policy by giving superiority and control to the FAA over all other laws (state and local government laws) about drone operations.
With so much power handed over to the FAA, several criticisms are making the rounds. For one, section 2142 (a) stops the local governments from introducing laws or rules that ban private property trespassing. There is also a concern over whether a single federal law would cater to state and local government needs.
The FAA also believes that state and local government attempts to regulate and control aircraft flights create significant air safety concerns. If there are many bodies involved in introducing laws regulating drone operations, there is a serious risk of having divided control over navigable airspace.
The FAA argues that considering local laws and their restrictions into the single airspace framework could put a dent in the FAA’s ability to control airspace and create challenges in delivering smooth traffic control. This affects the FAA’s flexibility to ensure safety in the United States airspace. The navigable airspace must remain free of any state and local law interference.
The CEO of the Association for Unmanned Vehicle Systems International, Brian Wynne, believes that the state and local laws pertaining to the regulation of drone operations will clash with federal jurisdiction, leading to a complex patchwork of laws. It will not only result in confusion regarding where commercial drone operators could fly but also put a serious dent in safety.
Another major concern regarding federal, state, and local governments giving their input and regulating drone operations is the fact that it would create challenges for the drone industry, negatively affecting its growth. Many also argue that there is no need for state and local governments to introduce drone-related laws as there are already existing laws at such a level that they cover the points mentioned in section 2142(b) of the FRA.
However, there are arguments by FAA opponents that the patchwork of laws may not be as bad as they are trying to convey. A senior political analyst, Jay Stanley, talks about drone operations and compares them with quality of life issues such as noise, safety, and privacy and suggests that local governments can easily deal with these issues by introducing local legislation. Many legal experts believe that there are a few property-rights grabs that Congress has introduced, and the FRA is one of the bigger ones.
There are certain laws that states enact which are susceptible to preemption. However, states can challenge and litigate in court. Until the matter reaches court, there will always be a legal ambiguity on preemptions of state laws. Although the FRA attempts to resolve the inadequate regulatory guidelines at the federal level, states are also considering how they can navigate this confusing regulatory environment.
For example, Arizona Senate Bill 1449 aims to strike the perfect balance between safety and privacy concerns and the commercial usage of drones. The Arizona legislature preempts local governments from regulating drone operations but allows the recreational and commercial use of drones, subject to FAA regulations.
States with a favorable regulatory environment will boost the drone industry and become a suitable environment for the industry to thrive. However, state governments and legislators are responsible for avoiding introducing laws that can restrict drone operations as it can cause the drone industry to plummet and slow down economic progress.
There is a need for state legislators to find that sweet spot between the privacy and safety concerns of the citizens and commercial and recreational drone use. State legislators must approach this concern cautiously before enacting laws.
Consumer Data Privacy and Security Act of 2020: Top 10 Highlights
Senator Jerry Moran introduced the Consumer Data Privacy and Security Act of 2020, or the CDPSA, in March 2020. The act takes important points from different federal legislation to create a single federal data-privacy framework that would address the shortfalls in the current data-privacy framework.
Unlike the California Consumer Privacy Act (CCPA), the CDPSA is much more suitable for smaller and medium-sized businesses due to the favorable threshold. It also implements similar rights to the CCPA but exempts “small businesses” from compliance obligations.
In many ways, the CDPSA covers the shortfalls of the CCPA and improves the legislation about data privacy.
Let’s go over the top 10 highlights of the CDPSA.
- Favorable definition of “small business”: Prior to CDPSA, the definition of “small business” included businesses with a turnover of less than $25 million with no annual requirements. The CDPSA definition of “small business” introduces higher qualification thresholds that require more than 500 employees or gross receipts of more than $50 million for the past three years. However, it does require covered entities to conduct due diligence on service providers, which is a resource-intensive endeavor.
- Civil enforcement action: State Attorneys General have the authority to bring action against those enjoying violative practices and enforce strict adherence to the CDPSA. It also has the right to impose a civil penalty, and several factors help determine these penalties.
- Preventing state laws: Because many state laws are impeding the effective implementation of new technological products, the CDPSA prohibits state privacy laws. However, the CDPSA does not preempt state laws pertaining to the privacy of student groups as mentioned in FERPA, general standards of public safety, laws discouraging discrimination, criminal procedure, and notification laws.
- Preventing federal laws: Just like how the CDPSA prevents state laws pertaining to the privacy and security of personal data, it also does the same for federal laws. That said, there are certain laws that the CDPSA exempts, such as FERPA, HIPAA, COPPA, GLBA, HITECH, and more.
- Federal trade commission: The federal trade commission is responsible for providing resources for the effective administering of the CDPSA.
- Small business exemptions: Under the CDPSA, small businesses are exempt from the right to access and also the right to accuracy. There is also an exception for service providers that qualify as “small businesses.”
- Consent: The CDPSA recognizes two types of consent; these are implicit consent and express affirmative consent. An example of implicit consent is one where it is simply assumed that the person has given their consent to collect and process personal information when they received a notice to provide consent at a reasonable time, but they failed to decline the request. Express affirmative consent is when data collected or processed or distributed to third parties is not for a person’s permissible purpose. This type of consent is only valid when it is clearly stated, responds to prior notice, and cannot arise from inaction.
- Privacy policies and notices: Under the CDPSA, all the covered entities must make sure that their privacy policies are transparent by making them available to the public. These policies must also be in clear and easy-to-understand language. The covered entity is under the obligation to share previous versions of privacy policies with the public and also provide any notices for changes in the policy. However, there is no specific deadline or the number of versions mentioned under the CDPSA.
- Personal information processing: There are guidelines under the CDPSA that mention how a covered entity must gather and process data. The two ways include the individual providing their consent and that carrying out data collection or its processing is for a permissible purpose. There are ways a third party can also gather and process personal data without directly taking a person’s consent. Third parties can collect and process an individual’s personal information if the covered entity sends a notice to the individual, the individual agrees to the collection and processing of data, and these activities are carried out for a limited permissible purpose.
- Permissible purpose: Under the CDSPA, covered entities and service providers have the right to personal data without the concerned person’s consent as long as it is reasonably necessary and limited to a permissible purpose. Permissible purposes include the provision of service in a signed contract, within legal bounds; prevention of fraud; protecting the covered parties, including the individuals’ rights; carrying out research; and for the operational purposes of the covered entities.
The ones that drafted the CDPSA are clearly up to date on the important trends arising in the privacy industry. The legislation not only provides robust privacy rights to individuals but also holds entities accountable for violation of these rights by imposing strict penalties. It even improves upon the current privacy framework by understanding its shortfalls and introducing relevant clauses to address them. It strikes the perfect balance between SMEs’ compliance cost and the privacy protection provided to individuals.
We’ve gone over several privacy concerns in regard to drones, remote learning, tracking the vaccinated, and mobile phone tracking. Let’s quickly view some privacy policy samples to see what a privacy policy looks like.
Privacy Policy Samples
In this section, we will go over two different privacy policies to understand what a privacy policy covers and the differences between the two.
LaTurner Privacy Policy
Serving as a U.S. representative, Jacob Andrew Joseph LaTurner is an American politician and a member of the Republican Party. Here is an example of LaTurner’s website and its privacy policy that outlines how the website collects data and discloses the information for advertisement purposes. It contains nine sections: an introduction, collecting information, cookies and other technologies, information use and sharing, third-party features, email signups, security, your California privacy rights, and children.
Let’s summarize the gist of these sections to see what a politician’s website privacy policy contains.
Introduction
This section introduces the aim of the privacy policy and the user’s agreement to the policy by visiting the website.
Collecting Information
There are two ways the website collects information, and they are:
- Voluntary information: This is personal information that users provide, and it may include names, addresses, geographic locations, and other relevant data. Users voluntarily provide this data when seeking further information about the LaTurner campaign or the website, during registration, or when making a purchase. It may also collect payment information to complete the requested service when conducting transactions over the website. Suppose the visitor requests information straight to their mobile. In that case, the team may collect data related to the visitor’s mobile, such as cell number, location, carrier’s name, and message content, among other details.
- Automatically generated information: The website collects non-identifiable information when a visitor visits it, including I.P. address, domain types, webpages the visitor viewed, and more. This information is usually collected through cookies and pixels. LaTurner’s team uses non-identifiable information to enhance their website’s user experience, and users have control over whether they want to share this information with the website.
Cookies and Other Technologies
The website does not use its own cookies and does not run its own advertisements. It has other companies providing cookies and placing advertisements to ensure the collection of non-identifiable information for LaTurner’s team for analysis. The team also uses another company to help process payments and transactions over the website.
- Google Analytics: Cookies help collect information, while the website has Google Analytics to help analyze the collected information. It evaluates how the visitors use the website and compiles a statistical report to let the team know how long a person spent on their website, whether they clicked on other pages for further details, and so on. Google Analytics studies website trends without collecting any identifiable information that would reveal the visitor’s identity.
- Disabling cookies: Users can click on the “help” toolbar on the website to accept or disable cookies, but it is important to note that visitors disabling cookies may not experience the full functionality of the website.
Information Use and Sharing
This section contains three parts, and they are as follows:
- Use of personal information: Here, the privacy policy explains how it is going to use the personal information provided by the visitor. The website may forward the information to a third-party company to successfully provide the product and information the visitor requires. The website also uses personal information to help respond to visitors’ inquiries or requests for information. The website may also provide information to law enforcement and attorneys when required.
- Use of non-identifiable information: Third-party companies use non-identifiable information to provide a better website experience and tailor advertisements accordingly. The website uses different web technologies that may require storing non-identifiable information.
- Third-party use of cookies: The website uses cookies to gather site-related trends and information to help improve the user experience and provide tools in the future.
Third-Party Features
This section deals with third-party experiences through third-party links and social media platforms.
- Third-party links: The website may have links to third-party websites to provide promotional offers to its visitors. The website is not responsible for any privacy practices of these third-party websites as they are not under LaTurner’s control.
- Social media platforms: Any information shared via email or social media platforms is at the risk of the visitor, and the website is not responsible for how social media platforms use this information as it is not under LaTurner’s control.
Email Signups
The website will forward your email and personal information to the relevant department to better assist you with your inquiries or requests for information. The information may also go into the archive for a period of time, and the LaTurner team can only use the information in accordance with the privacy policy.
Security
The website employs several security measures to help protect the visitor’s personal information, but the website is not responsible for the security of an individual’s information in case of any breach.
Your California Privacy Rights
In this section, the website mentions the California law for the rights of residents in that state. Californian citizens can request the details of information forwarded to third parties, and they can even request the name and address of third-party companies if they desire. The LaTurner team is responsible for responding to requests for information from Californian residents within 30 days of receiving the email.
Children
The website advises parents to monitor their children’s online activities as the LaTurner website does not knowingly collect information from children below the age of 13.
Jake n Jones Privacy Policy
Here is another example of a privacy policy, but it differs from the LaTurner privacy policy since Jake n Jones is a sports grille. The policy goes over how the eatery treats the personal information it collects from its customers who are using the Jake n Jones website.
Information Collected
Jake n Jones collects information from three channels, and these include:
- Visitors who purchase on the websites, use the online reservation system, or enter into the loyalty program provide their personal information.
- When a visitor enters any of the promotions offered on the website.
- When visitors fill up the contact form on the website to reach out to customer service for additional information or any other help about the products or services.
There are two versions of the website: one for desktop and the other one for mobile users. The mobile version of the website uses a visitor’s geographic location to show visitors a nearby Jack n Jones store.
Cookies and Information Collected
The website uses cookies to collect a user’s non-identifiable information for security, analytics, and operations purposes. This information includes your I.P. address, referring URLs, location, user browser preferences, and more.
Use and Disclosure of Information
The website receives, collects, and stores non-identifiable information using cookies on the company’s server logs. This information is then used for customizing content according to the visitor’s preferences, research purposes, improving services, administering rewards, and fulfilling the user’s request for services.
The company may disclose personal information if the user provides permission. It may also let third-party companies who provide Jack n Jones services access information to fulfill their service obligation. However, they are under the obligation to not disclose a user’s personal information beyond providing services.
Jack n Jones may also provide your information to law enforcement authorities and attorneys when required to. The company may also use the provided information for data analytics.
Your Information
Here, the company mentions the users’ rights. The visitors can contact the support team at Jack n Jones to delete their account, review or edit their data, or even opt out of marketing emails if they wish.
Confidentiality and Security
The website has reasonable security measures to prevent data misuse, theft, and alteration. In the event of a security breach, the company will fulfill all legal obligations by disclosing information about the breach. Although the company ensures a safe and secure website, the user understands that no method of transmission over the internet guarantees 100% security.
Children’s Privacy
The website does not knowingly collect information from children under the age of 13. If the company realizes that they have unknowingly collected information about a child, the company will delete it immediately.
The website provides an email address to report any incidence of a child visiting the website and provides information to help the company delete the data.
Sale of Company-Bankruptcy
This section is a bit different than what we saw on LaTurner’s website.
In the event of a sale or transfer of assets, the company will also hand over user data to the new owner of the company. In the event of bankruptcy, the company does not have control over the treatment of personal information thereafter.
Retention of Your Information
For the purpose of processing, the company retains information for as long as required. The company may retain transaction details until the claim period expires.
United States
The company maintains all information within the United States, and if you’re interacting on the website from outside the United States, you’re governed by the U.S. and this privacy policy. Visiting the website from abroad is consent for the transfer of your personal data to the U.S.
Policy Updates
Jack n Jones has the right to update the privacy policy, and the company will share the update on its website. The consumer must check the website periodically to stay aware of the updated privacy policy. The company will treat the continuous use of the website as the individual’s consent to the latest privacy policy.
Both websites have similar and different sections on privacy protection, but both contents is primarily different. The way LaTurner collects information is different than the three sources of information collection for Jack n Jones. Another stark difference is how Jack n Jones mentions privacy concerns after the sale of the company or during bankruptcy since it is an eatery business.
If you are looking to become a contributor or associate at Ehline law firm to help draft a privacy policy for your business, or are a victim of a personal injury accident and looking to find a trusted attorney for legal representation, contact us at + (213) 596-9642 or send us an email at info@ehlinelaw.com.
Citations: