The Internet and Data Privacy What Is Collected, How To Opt-Out of Cookies and Disable Data Collection Covering Social Media Platforms, Web Browsers, Operating Systems, Smartphone Apps and More

Facebook

In 2019, Facebook had 2.37 billion active monthly users with a revenue of over $60 billion³, making it one of the most popular and profitable social media platforms of all time. However, the company has faced legal ramifications regarding its data collection policies, most notably the Cambridge Analytica scandal of 2018. So, what sort of data does the company collect on over 72% of North Americans?

• Information They Collect: Since Facebook is a purely social app, they know a ton about their users personally, from the people they interact with to the groups they’re in, and even their “private” messages. Facebook knows exactly when users log on, for how long they’re logged in, and what comments, shares, and transactions they’ve made in that time.
  • Unique identifiers: The only unique identifiers that Facebook keeps are users' IP addresses, easy to cover up with a VPN.
  • Personal Information: Facebook is a wealth of personal information, most of which users enter themselves. The company keeps users’ names, phone numbers, payment information, email addresses, contact information from devices, as well as their stored videos and photos. Plus, they’ll keep the metadata of users’ photos and files.
  • Activity Data: In terms of activity, Facebook keeps track of connections and networks, messages, content, and videos watched, along with how users interact with different content and advertisements. They know exactly when people use their site and for how long.
  • Location Information: To figure out users’ location, Facebook uses sensor data from their devices.
  • Publicly accessible sources: Facebook doesn’t find data about users through publicly accessible sources, as they have all the data they need entered by users themselves.
• Why They Say They Collect Your Data: What does Facebook do with the data of billions of people? Well, the company claims they use it to personalize and improve their own products, like suggesting groups users might be interested in, showing users businesses nearby their current locations, or presenting them with, you guessed it, highly-targeted ads. Ever wondered why that concert you just looked up shows up everywhere you look on Facebook? That’s why. We do have to give the company some credit, though, as they do sometimes use their data for good, like to learn about migration patterns during crises to help relief efforts, for example.
• Third Party Sharing Policies: Facebook makes the majority of its money through its advertisers, so of course, they provide third parties with a ton of user data, aggregated so businesses can easily see the demographics of their customers and would-be customers. So while they can’t see a list of exactly who clicked on their ad, they can see that a woman aged 24 who lives in California interacted with it, for example. Facebook also provides data to researchers and academics, as well as law enforcement agencies, if requested⁴.

Amazon

The biggest e-commerce web site in the country and one of the largest businesses in the world, to say Amazon has disrupted retail would be like saying that the Model T disrupted the horse and buggy. And Amazon isn’t just selling us products and services; they’re also collecting our data, selling it to their third-party marketplace sellers like Starbucks, OfficeMax, Verizon and Eddie Bauer. Let’s take a closer look.

• Information They Collect: Aside from obvious data like the products we search for and order, the videos we’ve watched, our wish lists, product reviews, phone numbers, addresses, and more, Amazon also keeps track of our IP addresses, browser types, and other automatic information. If we’re on mobile, they’ll see exactly where we’re located as well as collecting the data from our mobile carrier, third parties, and credit history gleaned from the three major credit bureaus, Experian, TransUnion and Equifax. But just how does Amazon customize our product search results or determine pricing based on who is doing the search? For this purpose, Amazon uses the following data⁶:
  • Unique identifiers: Amazon logs a user’s IP address, browser type and operating system, which is pretty minimal compared to the other companies in this article.
  • Personal Information: They also know a user’s name, if they give it to them, their username, password, phone number, payment information, shipping address and email. These are all pretty standard and necessary for Amazon’s services, but we were surprised to find that they also have your Social Security Number and driver’s license number, as well.
  • Activity Data: Amazon logs our search terms, the videos we’ve watched on Prime, our purchase activity, any reviews we’ve written and our browsing history. Since Amazon is an e-commerce site and not a search engine or social media platform, they don’t need to log as much of your activity data, as the website isn’t as dependent on advertisement revenue as Google.
  • Location Information: That being said, they are aware of a user’s location via GPS and sensor data from their device.
  • Publicly accessible sources: To fill in the blanks, Amazon sources data from third party marketing partners, advertisers, and even credit history from credit bureaus.
• Why They Say They Collect This Data: Amazon makes its money pretty differently from social media companies like Facebook and Twitter, or even search engines like Google. The reason why Amazon is so profitable is because the actual purchase occurs on their platform, providing the majority of their revenue as opposed to money from advertisers. So as far as why they say they collect user data, it’s pretty simple— to improve their services and to prevent fraud. Amazon’s privacy policy is by far the shortest of any of the biggest tech companies, but with devices that are literally listening to your every move like the Echo Show smart display or the Echo Flex smart speaker, this seems a bit over-simplified.
• Third Party Sharing Policies: Since Amazon works with millions of Marketplace sellers, user information is shared with many third parties, from service providers like delivery men and marketing assistants to companies they co-brand products with like AT&T, Sprint and Northern Tool + Equipment. And while Amazon might send users promotional offers on behalf of other businesses, they don’t give them their names and addresses, and users can opt-out if they would like to. Basically, if it involves information going to third parties, Amazon lets users opt out.

Firefox

Mozilla Firefox is another popular browser available for on Windows, MacOS and Linux devices.

• Information They Collect: Firefox collects information such as:
  • Technical data: This includes OS, available memory, crashes and errors, outcome of automated processes like updates, safebrowsing, activation, version numbers, and more.
  • Interaction data: Firefox keeps everything from how many tabs the user uses plus their add-ons, or windows open; uses of specific Firefox features; session length, scrolls and clicks to the the status of discrete user preferences.
  • Web activity  and highly sensitive data: Firefox collects users’ specific web browsing history; general information about their web browsing history (such as categories of web pages visited over time), and potentially certain types of interaction data about specific web pages visited⁹.
• Why They Say They Collect Your Data: Firefox says they need this data to improve their service’s performance and stability, to suggest relevant content, to improve security, to create crash resorts, to measure and support marketing and more¹⁰.
• Third Party Sharing Policies: Firefox only shares user data with permission when processing or providing products or services to the user. They will share the data when it’s required by law, to prevent harm¹¹, or to support their “mission of being open”¹².

Opera

Opera is a lesser-known browser originally released in 1995. Today, it’s available in 42 languages on Windows, iOS, MacOS, Android and Linux operating systems.

• Information They Collect: Opera collects users’ usernames, emails, and social media accounts if they used them to sign in. They also collect browser data including bookmarks and speed dial entries. If the user participates in a promotional campaign, Opera will log their name, age, physical address and phone number. Finally, the company keeps anonymous usage statistics like device IDs, hardware specifications, O.S, environment configuration, feature usage data, info about the articles the user reads, general location, crash reports, cookies and the like.
• Why They Say They Collect Your Data: Opera uses this data to uphold users’ accounts, improve their services, provide relevant news, personal ads and more.
• Third Party Sharing Policies: Opera is one of the few companies to list all the third parties they share user information with, which includes Facebook SDK, Google AdMob and the DU Ad Platform¹⁵.

Windows

Windows is Microsoft’s operating system and includes desktop computers and mobile devices. While it originally dominated the market with over 90% of the market share, it’s still the most popular operating system for PCs, although the company has lost most of the market share to Android.

• Information They Collect: Windows operating systems collect data like content of messages, phone number of contacts, payment info, name, security code, family settings, current location, diagnostic data, support communications, personalized dictionaries, any files the user saves in OneDrive, reports related to malware, device, drivers, and software installed.
• Why They Say They Collect Your Data: Microsoft saves this data to help users communicate with people, buy items, keep kids safe, fix problems, help customers, show users stuff they might like, personalize ads and make systems safer¹⁸.
• Third Party Sharing Policies: Microsoft only shares this data to affiliates that they control as well as subsidiaries and vendors. They also comply with legal requests and will share information to protect customers’ lives¹⁹.  
• If you’re using MacOS or iOS, scroll up to read about Apple’s privacy policy. The same goes for Android devices; that falls under Google, which we covered above.

Apps

That accounts for the majority of major tech companies, browsers and operating systems, but there are also a few common apps that we took a look at, as well.

Kik

Kik is a messaging app that’s available for free on iOS and Android devices. It’s popular because it lets users register without requiring a phone number, instead relying on the person’s data plan or Wi-Fi to send messages, photos and more. But what data do they collect?

• Information They Collect: Kik keeps the information that the user gives them, which may or may not include their name, email address, phone number, birthday, and password hash. They also keep:
  • Profile information: Basically, this section is as detailed as the user wants it to be; if they fill it out, Kik would save their profile pictures, interests, emoji status, and more information.
  • Message content: The big draw of Kik is that they don’t save messages after they’ve been delivered; rather, all delivered messages including their attachments will be lost from the app.  
  • Conversation attributes: This includes group names, profile pictures, themes, administrators, and membership limitations.
  • Membership information: Kik notes whenever a user joins or leaves a public group.
  • Kik communications: This covers any communication between the user and the company, such as polls, surveys, and emails sent back and forth.
  • Kik wallet information: For users that use Kik wallet, the company will save the transaction value, recipient, and public wallet address.
  • Log and data usage information: While Kik deletes the content of messages after they’ve been delivered, they do keep the times and dates the messages were sent, who the user chatted with, their IP address, as well as how they use third-party websites or services through the apps, which could include everything from gifs to emojis.
  • Device information: The company will also log the user’s hardware model, O.S version, unique drive identifiers, and mobile network information.
  • Location information: Kik doesn’t log the user's precise location through GPS; rather, they can get the user's city and state from their IP address.
  • Device contacts and address book: Kik will only save this information with the user’s permission.
  • Bot chats: Kik will log the date, time, frequency of contents of users’ conversations with bots.
  • Kik code: Kik codes, scannable codes that allow users to connect with each other, are saved when the user uses them.
  • Kik transaction information: If the user performs transactions through Kik, the company will save the date and time of the transaction, account information, the account the user is transacting with, the public wallet address, balance and more.
  • Cookie information: Kik keeps track of web activity as well as browser and device information.
  • Local storage information: This could include a user’s photos and videos.
• Why They Say They Collect Your Data: Kik says that they collect this data to uphold their app and services, give users account notices, update the app, store user preferences, and speed up searches. They also use this data for billing, collection and advertising purposes.
• Third Party Sharing Policies: Kik shares this information to services used in their app, from analytics companies to GIF providers and bots. They also use tracking technology that could be associated with a user’s personal information or online activities²⁰.

Skype

Skype is a video messaging service that Microsoft also owns, so its privacy policies are the exact same as Outlook’s (scroll up to see it in detail).

Spotify

Last but not least, Spotify is a popular music and podcast streaming service available on desktop as well as mobile devices. For free, users can listen to their gigantic music library with ads, while the Premium service takes away the ads. Still, no matter which subscription you’re under, here’s what Spotify logs:

• Information They Collect: Spotify collects the following information:
  • User data: This includes the user’s username, email, phone number, birthday, gender, address, and country. Also, if they logged in through a third party like Facebook, LinkedIn will log their data as well.
  • Usage data: This covers type of plan, search queries including the date and time of any requests, streaming history, playlists, library content, browsing history, and the user’s interactions with the Spotify Service content and other users. Spotify uses this information to make inferences about the user’s interests and preferences. They also log information like photos, playlist titles, interactions with customer service, as well as technical data like URL information, cookie data, the user’s IP address, device type, browser type, non-precise location from their IP address, and more.
  • Plan verification data: If the user has a Premium Family or Premium Duo plan, Spotify may use a third party map app like Google Maps to verify their subscription address. However, this address won’t be used for advertising or any other purpose.
  • Voice data: This is only collected if the user uses voice control
  • Payment and purchase data
  • Contest, survey and sweepstakes data
• Why They Say They Collect Your Data: Spotify says that they collect this data to provide and personalize their service, detect fraud and fix issues. They also use this data for marketing, promotions and advertising, legal obligations and law enforcement requests, contractual obligations from third parties, etc.
• Third Party Sharing Policies: Spotify shares publicly available information with third parties, like the user’s name and username, profile picture, who they follow and are followed by, their recently played artists and their public playlists. They share this data with everyone from service providers and payment processors to advertising partners, Spotify partners, academic researchers, other Spotify group companies, law enforcement and data protection authorities, and purchases of other businesses²⁷.

How To Avoid and Reduce Data Collection

If we’ve proven anything so far, it’s that companies you use online log a lot of our data. Is browsing online privately truly possible? Well, not 100%, but there are a number of things you can do to reduce the amount of data about you online, both in the future and from the past.

Prevent Data Collection Moving Forward

While you can’t get rid of all data collection, there are actions you can take to lessen it, starting with your browser itself.

By Browser

Naturally, browsers log the majority of your web traffic and search queries, but most of them allow you to delete the data and cookies as soon as you close the browser, or at the end of the day for Safari. Cookies, by the way, are bits of information that websites send to your computer, stored in the web browser, that keeps track of all web activity²⁸ from site to site.

• Chrome: Go into “settings”, “content settings”, “cookies and other site data” then check off “block all cookies”. Also, turn the toggle on “clear cookies and site data when you quit Chrome”.
• Firefox: Click on “menu”, “preferences” then “cookies and site data”. Check off “delete cookies and site data when Firefox is closed”.
• Microsoft Edge: Click on “settings”, “privacy and services”, then “clear browsing data on close”. Then, check off everything that you want to be deleted when you close your browser.
• Opera: Hit “settings”, “privacy and security”, and then “cookies and site data”. Turn the toggle on next to “clear cookies and site data when you quit Opera”.
• Safari: Click “Safari”, “preferences”, “general”, then “remove history items after” and choose one day. Next, go to “privacy” and check off “block all cookies”.

Social Media

There’s no way to use social media without the companies logging a ton of your information, so the only way to prevent this data collection is simply to not use social media; see below where we give you instructions on how to deactivate your accounts.

General Tips For Digital Privacy

Okay, now that you’ve got yourself as private as possible via your browsers and social media networks, here are a few general tips to stay private online.

• Use a VPN: If you’re on a public network, you’re much more susceptible to being hacked, which is why we recommend using a VPN, or Virtual Private Network, before connecting to the Internet. VPNs will completely encrypt your web traffic and even replace your IP address, making you essentially invisible online.
• Avoid phishing scams: Phishing is one of the most common ways that hackers can access accounts. Typically, hackers send emails to people with fake links to log on to accounts, from which they take their usernames and passwords. Make sure the URL you are clicking on is legitimate (google.com vs. go0gle.com, for example), and as a general rule, don’t click on any unfamiliar links or emails.
• Use a password manager: Since we all have so many different accounts, people tend to use the exact same password or a variation on multiple accounts. The problem? If a hacker accesses one account, it’s easy for them to access others using the same information. To keep track of all your usernames and passwords without repeating, we recommend employing a password manager, which will store everything in an encrypted vault and perform a password audit. After picking out which passwords are old, weak or repeated, the manager will generate a long, unique and complicated password for each account. For more security, add two or multi-factor authentication to prevent unauthorized access.
• Read companies’ privacy policies: We know, we know; reading privacy policies (or any legal jargon, for that matter), can be a long and unforgiving process, but it’s your best bet to keep track of how your information is stored, sold and shared with third parties.
• Only give companies data when absolutely necessary: Sometimes, companies let you opt out of cookies; we often don’t realize this is an option. Try to only allow cookies when it’s absolutely necessary!
• Avoid store loyalty cards: Store loyalty cards are certainly a nice way to save some money, but they’re also a nice way for companies to track your information. The privacy-minded should avoid store-loyalty cards completely.
• Use cash rather than cards: Cards in general are trackable in a way that old-fashioned dollar bills simply aren’t.
• Use fake information on forms: Now, we don’t recommend using fake information on important forms, like government or medical forms. However, for signing up for something as inconsequential as a newsletter from a fast fashion website, there’s nothing wrong with using a fake email, name or phone number.
• Use browser extensions to block trackers: There are a number of browser extensions that prevent or reduce online tracking, like Privacy Badger²⁹, HTTPS Everywhere³⁰ and uBlock Origin³¹. There’s another extension that also blocks ads called Ghostery³².
• Opt out of data sharing: While there’s no magical button you can press to completely opt out of your data being shared with large companies, Simple Opt Out is a website with instructions to opt out of data-sharing from over 50 large companies, from Twitter to Mastercard to Amazon³³.
• Limit use of identifiers for ad targeting on mobile devices: On iOS devices, go into “settings”, then “privacy” and “advertising” and turn on “limit ad tracking”. On Android devices, go into “Google settings” then “ads” and toggle on “opt of our Internet-based ads”.
• Turn location off on mobile devices: There’s no reason for your device to constantly know your location. On an iOS device, go into “settings”, “privacy” and then “location services”, and toggle on “don’t allow”³⁴. For Android-users, click “settings” then “location” and turn off “use location”³⁵.
• Limit app permissions: In general, apps will try to gain as much information about you as possible; make sure to go into your settings and limit this information to what is strictly necessary to run their service.

Delete Past Collected Data

We cleared our data from the major browsers as well as social media networks, and here’s how we did it.

By Browser

• Chrome: Click “Chrome” then “more” and “more tools”, then choose the time range of “all time”. Check off the information you want deleted and click “clear data”³⁶.
• Firefox: Click on “Firefox” then “library”, “history”, “clear recent history”. Choose your time range and what information you want deleted, then click “clear now”³⁷.
• Microsoft Edge: Hit “Edge”, “settings and more”, “settings,”“privacy and services” then “clear browsing data”. Choose what you want to clear, the types of data and the time range, and hit “clear now”³⁸.
• Opera: Choose “Opera” then hit Ctrl + H. Click “clear browsing data” and select what you want to delete and the time range, and then hit “clear data”³⁹.
• Safari: Hit “Safari” then “history” and “clear history”⁴⁰.

By Social Media Network

Social media accounts, by their very nature, contain a ton of our personal information, so in order to get your data deleted, you’ll need to completely deactivate your accounts. Here’s how!

• Facebook: Click the down arrow at the top right corner, then click “settings”, “your Facebook information”, “deactivation and deletion”, “delete account”, “continue to account deletion”, “enter password”, “continue”, and finally “delete account”⁴¹.
• Twitter: Hit “Twitter”, “settings and privacy”, “account”, “deactivate account”, “ deactivate @username” and enter your password. Then, click “deactivate account”⁴².
• Instagram: Go to the “delete your accounts” page⁴³ and select an option to answer why you are deleting your account. Next, re-enter your password and click “permanently delete my account”⁴⁴.
• LinkedIn: Click “LinkedIn”, “me”, “settings and privacy”, “account”, “account management”, “change”, “closing your LinkedIn account” and choose a reason why. Then, hit “next”, enter your password and click “close account”⁴⁵.

Data Privacy Statistics

Given that 90% of all adults in the United States used the Internet as of 2019⁴⁶, data breaches are something that could affect nearly all of us at some point in our lives. Even more so, out of the adult Internet users in the U.S, 28% say that they are online “almost constantly,” while 45% say they’re online several times a day⁴⁷, which makes for literally millions of opportunities for sensitive information to be revealed to someone it shouldn’t. On top of that:

• 81% of people think they have little to no control over how companies collect data
• 79% of people are very concerned about how companies use their data
• 59% say that they have little to no understanding of data use⁴⁸.

Hopefully, our data privacy guide can help people understand exactly how companies use their data and how to take back control. While using the Internet necessitates relinquishing some data, we can definitely decrease the amount significantly.

Data Collection Laws

Security.org’s Chief Editor Gabe Turner isn’t just a security expert; he’s also a lawyer with a strong grip on the laws surrounding data collection, including international, federal, and state legislation. Here’s what’s legal and what’s not when it comes to data privacy.

International

Even if you’re based in the United States like us, any business that has customers in the European Union must adhere to what’s called the General Data Protection Regulation⁴⁹ (GDPR). The GDPR refers to “personal data”, which they define as “any information relating to an identified or identifiable natural person”⁵⁰. Some examples of personal data include:

• Location data
• Names
• Identification numbers
• Gender
• Age
• Job
• Employer
• Address
• Phone number
• Email address

Now that we know what “personal data”, the GDPR protects, here’s a summary of their requirements for companies online⁵¹:

• Transparency and communication: Companies have to explain clearly exactly how they process user data and how people can request to have their data removed or altered. They’re also required to respond to these requests quickly and adequately.
• Right of access: People have the right to know about the source of their personal data, the purpose of why the company has processed it, the length of time the data will be held, and more. People can also access their personal data.
• Accuracy: If information is inaccurate or incomplete, people have the right to correct that information.
• Right to object: People can object to companies processing their data unless they have a legitimate reason to, like a legal obligation.
• Right to be forgotten: Otherwise known as the right to erasure, the right to be forgotten means that people can request to have data deleted at any time. However, there are exceptions, like if this request prohibits the company’s right to freedom of expression.
• Data portability: The company must store the data in a way that’s easily shareable and easily understood. In addition, if the user requests the data must be sent to a third party the company must comply, even if it’s a competitor.
• Right to restrict processing: Finally, users can change the way that the company processes their data, be it removing it from their site if it’s inaccurate or no longer needed.

Even though large tech companies like Google and Amazon are based in the United States, because they have customers in the E.U, the GDPR applies.

State

This is America, which means that every state has their own rules and regulations for their residents, and data privacy is no exception. Note, this isn’t a complete list of every state’s data privacy laws, but a general overview. Find out where your state lies when it comes to protecting your online privacy.

• Alabama: According to the Alabama Data Breach Notification Act of 2018, certain entities have to tell people when there's been a data breach involving their sensitive personally identifying information or PII⁵⁵.
• Alaska: Passed in 2009, the Alaska Personal Information Protection Act says that users need to be alerted when breaches involving their PII have occurred. This act also puts restrictions on the use of personal and credit information and requirements for proper disposal of records containing PII, among other things⁵⁶.
• Arizona: Arizona’s Data-Breach Notification Law requires companies to let their users know if there has been a data breach involving their PII⁵⁷.
• Arkansas: Under the Arkansas Personal Information Protection Act, entities that collect PII must use “reasonable security procedures” to protect this information. However, they only have to alert users of data breaches if they’ve affected over 1,000 people and have a “reasonable likelihood of harm”⁵⁸.
• California: California is by far the most advanced state when it comes to protecting their residents’ digital privacy under acts such as:
  • Digital Privacy Rights for Minors: Websites can’t market products or services to minors if the minors aren’t allowed to buy them yet, like alcohol.
  • Online Privacy Protection Act of 2003: Any business that collects PII through a website must have a conspicuous privacy policy that it adheres to, identifying the PII they collect and the third parties they share it with.
  • Confidentiality of Medical Information Act: Individuals can maintain their own medical information on medical apps⁵⁹.
  • Data Security Breach Reporting: Any business or agency that releases unencrypted PII of more than 500 Californians must let them know⁶⁰.
• Colorado: Colorado has laws regarding the proper disposal of PII, and laws requiring “reasonable security measures” to protect it. Like most states, Colorado requires that companies notify people when their PII was compromised⁶¹.
• Connecticut: Connecticut’s General Statutes says that certain types of businesses must display privacy policies explaining how they will protect customer PII and share it with third parties⁶². In addition, companies must disclose to residents when their PII has been compromised as well as notify the Office of the Attorney General⁶³.
• Delaware: The Delaware Online Privacy and Protection Act states that businesses must notify people of a security breach of their PII within 60 days⁶⁴.
• Florida: In Florida, businesses need to alert people of security breaches if they’ve affected at least 500 people within 30 days⁶⁵.
• Georgia: The Law of Georgia on Data Protection provides guidelines for data processing. Data should be kept for the shortest amount of time possible and then should be deleted, destroyed, locked or stored anonymously⁶⁶. Businesses also must notify people of security breaches as soon as possible⁶⁷.
• Hawaii: Hawaii’s Health Care Privacy Harmonization Act says that identifying health information should be protected and anonymized⁶⁸. Also, businesses and government agencies need to alert consumers if their PII has been compromised⁶⁹.
• Idaho: Companies need to tell people if their PII has been exposed within 24 hours of the breach⁷⁰.
• Illinois: People must be notified of a security breach as quickly as possible, and businesses need to take “reasonable security measures” to protect their data⁷¹.
• Indiana: Indiana’s Security Breach Notification Statute says that residents have the right to know when their PII has been breached⁷².
• Iowa: In Iowa, businesses must alert people of PII security breaches that affect over 500 residents; the government allows five days between the breach and the customer notification⁷³.
• Kansas: In Kansas, businesses must tell people of security breaches as soon as possible if they affect over 1,000 consumers. In addition, they must also alert national reporting agencies⁷⁴.
• Kentucky: If there’s a security breach of PII, businesses must notify people as quickly as possible⁷⁵.
• Louisiana: If businesses don’t tell Louisiana residents of a breach, they could face a violation fee of up to $5,000⁷⁶.
• Maine: An Act to Protect the Privacy of Online Customer Information says that to sell or access PII, providers need affirmative consent from customers, which they can revoke at any time. However, there are exceptions to this rule, like a lawful court order. Businesses also must take reasonable measures to protect the PII⁷⁷. In addition, providers must alert customers of security breaches if they affect over 1,000 people at a time “without reasonable delay”⁷⁸.
• Maryland: The Personal Information Protection Act says that consumer data should be reasonably protected, and consumers should be notified of a breach within 45 days⁷⁹.
• Massachusetts: Businesses must report security breaches or unauthorized usage of PII within 10 business days⁸⁰. Massachusetts also requires that businesses have an information security program to protect consumer data, which lays out specific requirements regarding passwords, encryption and more⁸¹.
• Michigan: If a security breach of unencrypted information can cause substantial losses or injuries, businesses must alert consumers within three business days⁸².
• Minnesota: Minnesota is one of the few states where only government data breaches need to be reported, not breaches from privately-owned businesses⁸³.
• Mississippi: Businesses must notify consumers of a security breach of PII “without reasonable delay”⁸⁴.
• Missouri: Businesses must tell people of breaches that expose PII⁸⁵.
• Montana: Businesses must tell Montana residents if their PII has been compromised “without reasonable delay”⁸⁶.
• Nebraska: Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 says that businesses must alert customers of security breaches of PII as soon as possible⁸⁷.
• Nevada: Once they know they no longer need it, businesses must destroy customers’ PII. Beforehand, they must protect the PII using “reasonable security measures”, and if they use a payment card, they must adhere to the Payment Card Industry Data Security Standard. Finally, businesses must alert people of security breaches as soon as possible⁸⁸.
• New Hampshire: Businesses must notify people of a PII breach as quickly as possible⁸⁹.
• New Jersey: New Jersey businesses also have to let consumers know if their PII was breached as soon as possible⁹⁰.
• New Mexico: New Mexico’s Data Breach Notification Act requires businesses to tell people if their PII has been exposed in a security breach. It also sets requirements for the secure storage and disposal of PII⁹¹. In addition, the Consumer Information Privacy Act says that consumers can request their PII and get it deleted if they request. At anytime, consumers can also opt-out of the sale of their PII; to sell their information with a third party, businesses need the explicit consent of consumers, after they tell them exactly what is collected, how it will be used and sold, and more information⁹².
• New York: The Empire State’s Information Security Breach and Notification Act says that customers have the right to know as quickly as possible when their PII has been exposed in a security breach⁹³.
• North Carolina: North Carolina’s Identity Theft Protection act says that people must be notified of PII breaches “without reasonable delay”⁹⁴.
• North Dakota: In North Dakota, businesses must notify consumers over PII breaches when 250 or more are affected as soon as possible⁹⁵.
• Ohio: The Ohio Protect Act is a program that incentivizes businesses to strengthen their cyber security, preventing breaches in the first place⁹⁶, while the Security Breach Notification Act says that they must alert consumers if their PII has been breached within 45 days⁹⁷.
• Oklahoma: Oklahoma’s Security Breach Notification Act says that people should be alerted of security breaches as soon as possible⁹⁸.
• Oregon: Businesses need to tell consumers of security breaches only if they affect more than 250 Oregon residents⁹⁹.
• Pennsylvania: The Keystone state’s Breach of Personal Information Notification Act requires that businesses tell customers of PII breaches “without unreasonable delay”¹⁰⁰.
• Rhode Island: The Rhode Island Identity Theft Protection Act says that businesses must provide “reasonable security” for PII and must notify customers of breaches that will increase their risk of identity theft “without unreasonable delay”¹⁰¹.
• South Carolina: South Carolina businesses must notify consumers of security breaches with PII within 60 days¹⁰².
• South Dakota: Businesses must tell people of security breaches involving their PII within 60 days¹⁰³.
• Tennessee: The Tennessee Identity Theft Deterrence Act says that businesses must notify residents of breaches of unencrypted data within 45 days¹⁰⁴.
• Texas: The Texas Identity Theft Enforcement and Protection Act says that if there’s a security breach involving 250 people or more, they must be notified within 60 days. In addition, businesses need to get consumers’ consent when obtaining or transferring personal information. The PII must then be protected with “reasonable procedures” and must be destroyed after the business is done using it¹⁰⁵.
• Utah: Utah’s Protection of Personal Information Act says that businesses must implement reasonable procedures to protect PII and destroy it when done. Security breaches must be disclosed to consumers within 20 days¹⁰⁶. In addition, the Electronic Information of Data Privacy Act says that law enforcement agencies must obtain a search warrant to access location information, stored or transmitted information from an electronic device. They also must obtain a warrant before getting any information about the device’s owner from their computing service provider. Even if they get the warrant, the agency must destroy this information as soon as they’re done with it¹⁰⁷.
• Vermont: Under the Security Breach Notice Act, businesses must alert Vermont consumers of a data breach within 45 days¹⁰⁸.
• Virginia: Virginia’s Personal Information Privacy Acts ensures that businesses can only sell customer data to third parties with their consent¹⁰⁹. It’s also required that businesses notify customers when their unencrypted information is compromised as soon as they can¹¹⁰.
• Washington: If a breach affects over 500 Washington residents, businesses must let them know within 30 days¹¹¹.
• West Virginia: In West Virginia, the Consumer Credit and Protection Act says that businesses must notify people of a security breach as soon as possible¹¹².
• Wisconsin: In Wisconsin, businesses only have to destroy customer PII if it’s related to health conditions, financial accounts or tax returns. They also have to notify people if there is a security breach of PII¹¹³.
• Wyoming: Finally, Wyoming requires businesses to notify customers of security breaches involving PII as soon as possible¹¹⁴.

As you can see, most of the states only have security breach notification laws, which require them to tell their customers if there was a breach of their PII, or personally identifiable information. However, two states, California and Maine, took things to a new level with some recently passed bills, which we’ve spotlighted:

• California Consumer Privacy Act: Similar to the GDPR, this act ensures that Californians know how their personal information is being collected, sold, and shared. If they want, they can prevent the sale of personal information, access it online, or delete it completely¹¹⁵.
• Maine’s Act To Protect the Privacy of Online Consumer Information: Companies can’t use, sell or share customer information unless they’ve consented to it, it’s essential to provide their service, to comply with the law, and a few other exceptions. They also must take “reasonable measures” to protect this information¹¹⁶.

Is Private Browsing Really Private?

We’ve all heard of private browsing before, but is it really private? Well, the short answer is no; during private browsing sections, cookies can still be shared with third parties who can track our web activity as we bounce from site to site. However, for someone sharing a device with another person, private browsing will work, as the browser itself won’t retain cookies, files downloaded, browsing history or search records. Keep in mind that different browsers have different privacy modes, so be sure to check your browser settings before using it to surf the web¹¹⁷.

How To Browse Privately by Browser

Want to turn on a private browsing section? Here’s how, on the most popular browsers available:

• Chrome: Press “more” then “new incognito tab/ window”¹¹⁸.
• Firefox: On Android¹¹⁹ or desktop¹²⁰, press “menu” then “new private tab/ window”. On iPhones¹²¹, tap the tab icon at the bottom of the screen then click on the purple mask button. From there, tap on the plus tab to open a private tab.
• Microsoft Edge: Click “settings and more” then “new Inprivate window”¹²².
• Opera: On a mobile device, click the three dots in the upper right hand corner¹²³. On a desktop computer, click “file” then “new private window”¹²⁴.
• Safari: Strangely, there’s no private mode for Safari on Androids, but on iPhones and other iOS devices, click “new page button” then “private” then “done”¹²⁵. On desktops, hit “file” then “new private window”¹²⁶.

Recap

Compared to Europe, the United States has a long way to go when it comes to protecting consumer’s online privacy, however, with a few simple steps, you can greatly reduce the amount of data that companies have on you. Hopefully in the near future, the United States can adapt a federal law similar to the GDPR to ensure that customers are more in control of their data.

Sources

1. https://www.emarketer.com/content/us-time-spent-with-media-2020
2. https://policies.google.com/privacy?hl=en-US
3. https://www.socialmediatoday.com/news/facebook-reaches-238-billion-users-beats-revenue-estimates-in-latest-upda/553403/
4. https://www.facebook.com/full_data_use_policy
5. https://twitter.com/en/privacy
6. https://www.amazon.com/gp/help/customer/display.html?nodeId=201909010
7. https://www.apple.com/legal/privacy/en-ww/
8. https://www.google.com/chrome/privacy/
9. https://wiki.mozilla.org/Firefox/Data_Collection
10. https://www.mozilla.org/en-US/privacy/firefox/
11. https://www.mozilla.org/en-US/privacy/
12. https://www.mozilla.org/en-US/about/manifesto/
13. https://support.microsoft.com/en-us/help/4468242/microsoft-edge-browsing-data-and-privacy
14. https://privacy.microsoft.com/en-us/privacystatement
15. https://www.opera.com/privacy
16. https://www.apple.com/legal/privacy/en-ww/
17. https://www.linuxfoundation.org/privacy/
18. https://privacy.microsoft.com/en-US/windows10privacy
19. https://privacy.microsoft.com/en-us/privacystatement
20. https://www.kik.com/privacy-policy/
21. https://privacy.microsoft.com/en-us/privacystatement
22. https://www.microsoft.com/en-us/trust-center/privacy
23. https://drive.google.com/file/d/1kbKRzabSzzHzPNh6D9KXISGqBVVWccYQ/view?usp=sharing
24. https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report
25. https://www.newyorker.com/magazine/2015/10/12/the-network-man
26. https://www.linkedin.com/legal/privacy-policy#collect
27. https://www.spotify.com/legal/privacy-policy/
28. https://us.norton.com/internetsecurity-privacy-what-are-cookies.html
29. https://privacybadger.org/
30. https://www.eff.org/https-everywhere
31. https://github.com/gorhill/uBlock#ublock-origin
32. https://www.ghostery.com/
33. https://simpleoptout.com/
34. https://support.apple.com/en-us/HT207092
35. https://support.google.com/accounts/answer/3467281?hl=en
36. https://support.google.com/chrome/answer/2392709?co=GENIE.Platform%3DDesktop&hl=en
37. https://support.mozilla.org/en-US/kb/delete-browsing-search-download-history-firefox
38. https://support.microsoft.com/en-us/help/10607/microsoft-edge-view-delete-browser-history#:~:text=Here's%20how%20to%20clear%20your,select%20Choose%20what%20to%20clear
39. https://www.opera.com/case-studies/clean-browser-and-remove-trackers
40. https://support.apple.com/guide/safari/clear-your-browsing-history-sfri47acf5d6/mac
41. https://www.facebook.com/help/224562897555674?helpref=search&sr=2&query=delete%20data&search_session_id=971a965d87ac7b7e512284e9bede41b2
42. https://help.twitter.com/en/managing-your-account/how-to-deactivate-twitter-account
43. https://www.instagram.com/accounts/remove/request/permanent/
44. https://help.instagram.com/370452623149242
45. https://www.linkedin.com/help/linkedin/answer/63/closing-your-linkedin-account?lang=en
46. https://www.pewresearch.org/internet/fact-sheet/internet-broadband/
47. https://www.pewresearch.org/fact-tank/2019/07/25/americans-going-online-almost-constantly/
48. https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/
49. https://ec.europa.eu/info/law/law-topic/data-protection/eu-data-protection-rules_en
50. https://gdpr.eu/eu-gdpr-personal-data/
51. https://gdpr.eu/data-privacy/
52. https://www.cfr.org/report/reforming-us-approach-data-protection
53. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
54. https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/financial-privacy
55. https://oit.alabama.gov/621-breach-notification/#:~:text=The%20Alabama%20Data%20Breach%20Notification,personally%20identifying%20information%20(PII)
56. http://law.alaska.gov/department/civil/consumer/4548.html
57. https://www.azag.gov/consumer/data-breach/faq
58. https://arkansasag.gov/consumer-protection/identity/column-one/security-or-data-breach/#:~:text=The%20Arkansas%20Personal%20Information%20Protection%20Act%20was%20recently%20amended%20to,likelihood%20of%20harm%20to%20consumers
59. https://oag.ca.gov/privacy/privacy-laws
60. https://oag.ca.gov/privacy/databreach/reporting#:~:text=California%20law%20requires%20a%20business,)%20%5Bagency%5D%20and%20California%20Civ
61. https://coag.gov/resources/data-protection-laws/
62. https://www.cga.ct.gov/current/pub/chap_743dd.htm
63. https://cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b
64. https://delcode.delaware.gov/title6/c012c/index.shtml
65. http://www.leg.state.fl.us/Statutes/index.cfm?App_mode=Display_Statute&URL=0500-0599/0501/Sections/0501.171.html
66. https://matsne.gov.ge/en/document/download/1561437/5/en/pdf
67. https://eits.uga.edu/access_and_security/infosec/pols_regs/docs/0506regsession_sb230.pdf
68. https://portal.ehawaii.gov/government/hawaii-legislature/hawaii-revised-statutes/
69. https://cca.hawaii.gov/id-theft-information-business-briefing/
70. https://legislature.idaho.gov/statutesrules/idstat/title28/t28ch51/sect28-51-105/
71. http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67#:~:text=(a)%20A%20data%20collector%20that,%2C%20acquisition%2C%20destruction%2C%20use%2C
72. https://www.in.gov/attorneygeneral/3037.htm
73. https://www.iowaattorneygeneral.gov/for-consumers/security-breach-notifications
74. https://ag.ks.gov/in-your-corner-kansas/your-identity/how-can-i-guard-against-a-data-breach#:~:text=Kansas%20law%20requires%20any%20person,the%20security%20of%20the%20system
75. https://apps.legislature.ky.gov/LAW/STATUTES/STATUTE.ASPX?ID=43326
76. https://www.ag.state.la.us/Page/DataBreach
77. https://www.mainelegislature.org/legis/bills/bills_129th/billtexts/SP027501.asp
78. https://legislature.maine.gov/statutes/10/title10sec1348.html#:~:text=If%20a%20person%20discovers%20a,defined%20in%2015%20United%20States
79. https://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx
80. https://www.mass.gov/info-details/massachusetts-law-about-privacy
81. https://www.mass.gov/doc/201-cmr-17-standards-for-the-protection-of-personal-information-of-residents-of-the/download
82. http://www.legislature.mi.gov/(S(wsp40etjcg3tp4340xahqykk))/mileg.aspx?page=GetObject&objectname=mcl-445-72
83. https://www.revisor.mn.gov/statutes/cite/13.055
84. http://billstatus.ls.state.ms.us/documents/2010/pdf/HB/0500-0599/HB0583SG.pdf
85. https://ago.mo.gov/civil-division/consumer/identity-theft-data-security/data-breaches
86. https://dojmt.gov/consumer/data-breaches-businesses/
87. https://ndbf.nebraska.gov/sites/ndbf.nebraska.gov/files/legal/87-801%20to%2087-808%20Financial%20Data%20Protection.pdf
88. https://www.leg.state.nv.us/NRS/NRS-603A.html#:~:text=A%202017%2C%204079
89. http://www.gencourt.state.nh.us/rsa/html/xxxi/359-c/359-c-20.htm
90. https://www.njconsumeraffairs.gov/Statutes/Identity-Theft-Prevention-Act.pdf
91. https://www.nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf
92. https://www.nmlegis.gov/Sessions/19%20Regular/bills/senate/SB0176.pdf
93. https://ag.ny.gov/internet/data-breach
94. https://www.ncleg.net/EnactedLegislation/Statutes/HTML/ByArticle/Chapter_75/Article_2A.html
95. https://www.legis.nd.gov/cencode/t51c30.html
96. https://www.ohiobar.org/member-tools-benefits/practice-resources/practice-library-search/practice-library/2019-ohio-lawyer/ohios-data-protection-act/
97. http://codes.ohio.gov/orc/1349.19
98. https://www.ok.gov/OREC/documents/Security%20Breach%20Notification%20Act.pdf
99. https://www.doj.state.or.us/consumer-protection/id-theft-data-breaches/data-breaches/
100. https://www.legis.state.pa.us/cfdocs/legis/Li/uconsCheck.cfm?txtType=HTM&yr=2005&sessInd=0&act=0094
101. http://www.dlt.ri.gov/pdf/IdentityTheftRules41006.pdf
102. https://www.tba.org/index.cfm?pg=LawBlog&blAction=showEntry&blogEntry=29280
103. https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm
104. https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf
105. https://le.utah.gov/~2019/bills/hbillenr/HB0057.pdf
106. https://legislature.vermont.gov/statutes/section/09/062/02435
107. https://law.lis.virginia.gov/vacodepopularnames/personal-information-privacy-act/
108. https://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/
109. https://www.atg.wa.gov/data-breach-notifications
110. https://www.wvlegislature.gov/WVCODE/code.cfm?chap=46A&art=2A
111. https://datcp.wi.gov/Pages/Programs_Services/WIPrivacyLawsGeneral.aspx
112. https://wyoleg.gov/NXT/gateway.dll?f=templates&fn=default.htm
113. https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
114. https://www.mainelegislature.org/legis/bills/bills_129th/billtexts/SP027501.asp
115. https://www.consumer.ftc.gov/articles/0042-online-tracking#Controlling_Online_Tracking
116. https://support.google.com/chrome/answer/95464?co=GENIE.Platform%3DiOS&hl=en&oco=1
117. https://support.mozilla.org/en-US/kb/private-browsing-firefox-android
118. https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history
119. https://support.mozilla.org/en-US/kb/private-browsing-firefox-ios
120. https://support.microsoft.com/en-us/help/4026200/microsoft-edge-browse-inprivate
121. https://blogs.opera.com/mobile/2019/01/opera-touch-private-mode-ipad/
122. https://blogs.opera.com/news/2014/10/how-to-open-private-window-opera-for-computers/
123. https://support.apple.com/en-us/HT203036
124. https://support.apple.com/guide/safari/browse-privately-ibrw1069/mac