Hi dear reader, if you are a fan of paid surveys online, I’m sure you sometimes wonder if your privacy or personal data is safe.
Also, we give you solutions to keep your privacy safe when answering paid surveys online.
Let’s get started
Cookies are essential to the modern Internet.
As a necessary part of web browsing, HTTP cookies help web developers give you more personal, convenient website visits.
Cookies let websites remember you, your website logins, shopping carts, and more.
Cookies are text files with some pieces of data — like a username and password —to identify your computer as you use a computer network, and improve your web browsing experience.
Data stored in a cookie comes with a unique ID to you and your computer.
When the cookie goes between your computer and the network server, the server reads the ID and knows what information to specifically serve to you.
A cookie cannot contain any virus or produce any damage to your device.
Some cookies are strictly necessary for an optimum operation of a website.
Others have different functionalities like favoring the navigation between sites, allowing a site to remember your preferences, or detecting if you have visited the site previously.
By its origin, cookies can be:
First-party cookies: It is the visited site the one setting them.
Third-party cookies: Cookies set by a server from another domain, although always with the authorization of the visited site.
All internet users can freely choose if they authorize a site to drop ‘cookies’ on their device or not. One way to do this is through the settings of the web browser, the user can delete all the already dropped cookies and choose if he accepts them or not.
Source Kaspersky (What are Cookies?)
Also, We use both session cookies and persistent cookies.
In the USA we do not have a central federal level privacy law, like the EU’s GDPR.
There are instead several vertically-focused federal privacy laws, as well as a new generation of consumer-oriented privacy laws coming from the states.
Back in the last century when databases were the height of computer technology, Congress and others were (rightly) concerned about the potential misuse of personal data held by the government. Congress passed the landmark US Privacy Act of 1974, which contained important rights and restrictions on data held by US government agencies, and should look very familiar to data pros in the year 2019. I’ll list them here because they’re the first references that I know of to everything that followed:
Extra points if you noticed the Privacy by Design principles embedded in this innovative 70’s era of privacy law!
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was landmark legislation to regulate health insurance. It is a very complex law with lots of moving parts but included both data privacy and security sections. The data protection part of HIPAA is found in The Security Rule. HIPAA also laid down data confidentiality requirements that can be found in, wait for it, The Privacy Rule.
If you’ve ever filled in a form at your doctor’s office allowing spouses and other family members to review or see your health information — what HIPAA refers to as protected health information (PHI) — you’ve been seeing the Privacy Rule in action.
The Privacy Rule contains a convoluted list of rules on who gets to see PHI. But in short, a healthcare provider or “covered entity” more or less has permission to use patient data if it’s related to “treatment, payment, and health care operations.” However, using the data for marketing purposes or selling the PHI requires explicit authorization.
HIPAA’s minimum requirement is a good example of PbD principles applied to sharing of PHI. It says that covered entities that share data for marketing purposes other than the ones mentioned above should limit who gets to see it. Health organizations are supposed to evaluate their data and practices, and put in place safeguards to limit “unnecessary or inappropriate” access to PHI. In effect, role-based access for PHI.
Back in the early days of the early Internet, circa 2000, the Children’s Online Privacy Protection Act (COPPA) took a first step at regulating personal information collected from minors. The law specifically prohibits online companies from asking for PII from children 12-and-under unless there’s verifiable parental consent.
Updates to COPPA’s regulatory rules a few years ago effectively expanded the reach of the law and broadened the type of personal information to be protected, including screen names, email addresses, video chat names, as well as photographs, audio files, and street-level geo coordinates.
These updates also extend privacy and security coverage to third parties that use the children’s data. The originating website operator must take “reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.”
Another late 90s legislation, Gramm-Leach-Bliley Act (GLBA) is an enormous slab of banking and financial law that has buried in it important data privacy and security requirements. Its protections of personal information are a major improvement over previous consumer financial data laws — see the Fair Credit Reporting Act (FCRA).
Overall, Gramm- Leach-Bliley Act protects nonpublic personal information (NPI), which is defined as any “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available” — essentially PII with an exception for any widely available financial information — for example, property records or certain mortgage information.
You may have noticed that banks periodically mail out data privacy notifications, explaining the categories of NPI that are being collected and shared along with special opt-out instructions. That’s due to GLBA’s somewhat limited privacy protections. Consumers can opt-out if they don’t wish that information to be sent to a “non-affiliated” third party.
However, for third-party companies affiliated with the bank or insurance company — part of the, cough, “corporate family” — consumers have no legal privacy controls under GLBA to restrict the sharing of the NPI. That’s quite a large loophole, and GLBA is by no means a model for Internet-era privacy law.
In the USA we got several federal privacy laws and consumer-oriented privacy laws coming from the states.
In 2018, the California Consumer Privacy Act (CCPA) was signed into law. Its goal is to extend consumer privacy protections to the internet. It’s not an exaggeration to say the CCPA is the most comprehensive internet-focused data privacy legislation in the US, and with no equivalent at the federal level.
Under the CCPA, consumers have a right to access through a data subject access request (DSAR) the categories and specific pieces of personal information held by covered businesses. Businesses can’t sell consumers’ personal information without providing a web notice (“a clean and conspicuous link”) and allowing them to opt-out.
Like the GDPR, there is also a “right to delete” — with some exemptions — consumer personal information on request. The CCPA also gives consumers a limited right of action to sue if they’re the victim of a data breach. There’s a more general ability for the state Attorney General to sue on behalf of residents. Legislation is in the works to broaden consumers’ private right of action to sue on other grounds.
Another striking innovation within the CCPA is its very broad definition of personal information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That covers a lot of ground and is similar to the GDPR’s expansive view of personal data.
To bring it back to “black letter law”, the CCPA also contains a long list of identifiers it considers personal information, including biometric, geolocation, email, browsing history, employee data, and more.
The CCPA also introduces “probabilistic identifiers”. Attorneys will be debating what this means, but it appears that data that give a greater than 50% chance of identifying someone will be treated the same as a deterministic identifier. Perhaps a combination of, say, Netflix viewing history and geolocation data may be enough to tip the scales. By the way, other states have picked up the probabilistic term in their laws (below).
California goes “meta” with its probabilistic identifiers.
While the focus — and rightly so —has been on extensive new privacy rights for consumers, there’s also a data security component to the CCPA. The law calls for companies to “implement and maintain reasonable security procedures”. What does that mean? No one’s sure, though there are strong hints that the California government is looking to the Center of Internet Security’s top 20 controls and the NIST Critical Infrastructure Security (CIS) Framework as baselines.
With no federal answer to GDPR on the horizon, several other states are taking a page from California’s book by drafting their regulations to give citizens increased control over their data. While most of these bills use CCPA as a framework, there are differences. We’ve even put together a cheat sheet at the end to compare the different proposed state laws. Let’s first look at two tough privacy proposals coming out of New York and Massachusetts
The proposed Data Privacy Law (S-120) shares a lot of the CCPA language. Consumer access to personal information? Check. Right to Delete? Check. Explicit notification of privacy rights, and a chance to opt-out of third-party sales of data? Check. A broad definition of personal information including probabilistic identifiers? Check.
There are a few important divergences from the CCPA, which include the right for consumers to sue for any violation of the proposed Massachusetts law. Consumers “need not suffer a loss of money or property as a result of the violation” to bring an action.
Attorneys point out that there’s an enormous potential exposure of Massachusetts companies to class-action lawsuits: plaintiffs can recover up to $750 per consumer. For example, in 2017, almost 400,000 Mass. residents were affected by data breaches, leading to possible exposure, if the law had been in effect, of almost $300 million for that year.
New York’s proposed S5642 (currently on hold) contains some of the hallmarks of CCPA. There’s a right to delete and request personal information. The definition of personal information — “any information related to an identified or identifiable person” — includes a very extensive list of identifiers: biometric, email addresses, network information, and more.
Unlike California and similar to Massachusetts, New York’s act has a private right of action for any violation of the law! And the law applies to all businesses without any revenue threshold, which differs from California and other states. This makes the proposed NY law quite strict.
The NY bill, though, only requires businesses to disclose to consumers the broad categories of information shared with third parties. Under some circumstances, consumers would have the right to request copies of specific information shared.
Another key difference is the proposed NY law imposes the role of data fiduciary”, forcing all NYS businesses to be legally responsible for the consumer data they hold. The NY act takes a very expansive view: “exercise the duty of care, loyalty and confidentiality expected of a fiduciary concerning securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker”. In short: consumers own the data.
The NY act also gives consumers the ability to correct inaccurate information, making it closer in spirit to the EU GPDR. None of the other clones, including California, go that far!
Hawaii’s SB 418 is similar to the CCPA, offering all of the same major rights and protections (potentially more, based on the current wording of the bill). While CCPA explicitly applies to websites that conduct business in the state of California, Hawaii’s SB 418 bill has no similar clause. In theory, websites based anywhere in the world could violate the law if they don’t offer adequate protection as outlined in the bill. However, the bill is likely to be amended in a later draft to focus solely on Hawaiian-based websites.
Maryland’s SB 613 is another bill with the potential to expand on the scope of CCPA in some areas. Businesses will have similar obligations to disclose information usage, though, to a lesser degree than under CCPA. And like California and Massachusetts, there’s also the use of a “probabilistic identifier” to refer to a certain type of personal information. Go, Maryland!
However, this bill goes beyond the scope of CCPA when it comes to disclosing third-party involvement. Under CCPA, companies only have to disclose if consumer information is being sold to a third party, but per Maryland’s SB 613, companies would have to disclose any information that is passed on to third parties, even if that data is transferred for free. This bill also prohibits websites from knowingly disclosing any personal information collected about children.
North Dakota’s HB 1485, which is currently in the state’s House of Representatives, is the most lightweight bill on this list. The only significant clause of HB 1485 would completely restrict websites from passing on any information to third parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.
The best way to protect your privacy is to avoid surveys scams
You need to recognize: if there is something too good to be true then it probably isn’t
In any legitimate survey panel, there is nothing to be afraid of, your privacy is safe and secure.
The key to keeping your privacy safe is to recognize and avoid fake surveys panels and offers.
There are federal and state laws that protect your privacy in the USA.
Never give your key personal data like credit cards number or social security numbers to any surveys panel even if it’s a reliable one.
Minnesota Attorney General: Avoid Survey Scams