How Much Control Do You Actually Have Over Your Private Data?

“Privacy” is the buzz of our era, but… what even is privacy? Different consumers, businesses, and regulators each have their own definitions and perspectives on the issue, while the law, too, is always evolving.

For the most part, in the U.S., the baseline rules are that you can do basically anything you want with data so long as you disclose your intentions to customers first, and as long as you don’t exceed the parameters of what you said you were going to do. (We’ll come back to disclosures in a bit.)

However, there are several detailed categories of specific information that are strictly protected by statute. At least, sometimes. The same piece of information about you isn’t always subject to the same rules. How “private” a piece of private data is depends not just on what it is, but on who’s collecting it, how, and why.

The privacy-related regulations and statutes put restrictions in place on those narrow data types, and specific entities that handle them, limiting sharing, selling, and use of that information — and carry enforcement mechanisms for when those limits are broken. Let’s break it down:

Health and Healthcare Data

The Health Insurance Portability and Accountability Act of 1996 or, much more commonly, HIPAA

What info is covered: The data covered includes individually identifiable health information, which includes basically everything in your medical records. It also includes billing information about your visits (because that includes procedure and treatment data), information in your insurer’s systems, conversations about your care that your medical professionals have with each other, and so on.

Covered entities can use your data to provide you with services and for a few other purposes, but for the most part cannot share your individually identifiable data without your consent.

A Privacy Policy Is Just A Promise

Privacy policies don’t guarantee you privacy. They can say almost anything, except for in some particular industries we’ve noted here, and most of us will never read the details. Mostly, they’re just statements about what a business does or doesn’t plan to do with your data. We’ve tackled some common myths about privacy policies before, but in short:

No federal law requires all online businesses to post a privacy policy, though some in certain industries (like banking) are required to do so

Privacy policies do not guarantee that your data will be kept private, but instead outline the circumstances in which it may be shared

Privacy policies do not have to be written incomprehensibly, but often are because that’s what happens when you cover your bases with legal language

A business does have to adhere to the terms of whatever their posted privacy policy is, if they have one.

HIPAA also gives you the right to access your own medical records and health information, the right to find out who else your records have been shared with, and the right to limit sharing, among other things.

For example, you can ask not to have your insurer notified about treatment you receive, if you’re paying for it out-of-pocket in full. Or you can ask to have corrections made to your records, to opt out of your data being used for the limited marketing purposes permitted by HIPAA, or to get a report on when and why your health information was shared, if it was.

Who has to play nice: HIPAA is very explicit about which entities are covered. Health care providers — your doctors, nurses, dentists, and so on — are, as are the hospitals and clinics where they work. Health plans, including private insurers as well as government programs like Medicare and Medicaid, are also covered. Some, but not all, third-party businesses that work with medical records are also covered. There are online guides for consumers and practitioners both, designed to help you determine if someone getting information is covered or not.

Notably, the makers of many healthcare apps, personal devices, and tracking sites do not have to abide by HIPAA regulations — meaning a lot of data is out there already, leaky as heck and unregulated.

Who you complain to: The Department of Health and Human Services handles HIPAA complaints.

Banking, Credit, and Financial Services Data

The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA).

What info is covered: The important part of the GLBA (it’s a pretty big and sprawling law) for our purposes has to do with non-public personal information, or NPI.

The GLBA doesn’t say that you absolutely cannot disclose any NPI ever (though some categories, like account numbers, are heavily limited); it says that you must provide customers a notice saying which NPI you collect, how you use it, and who you share it with. And if you want to disclose it to third parties that aren’t part of the transaction (and where disclosure isn’t legally required), you have to provide an opt-out mechanism.

The privacy notice must be “clear and conspicuous,” and has to be made visible and readable both online and on paper.

FCRA, meanwhile, is also huge and sprawling but applies to basically anyone that touches credit reports — so not just the agencies that generate them, but employers, landlords, lenders, and other entities that may ask for them.

You have the rights to know what information is in your credit file, to know what has been used against you in an adverse decision, and to dispute any errors. Agencies that compile your reports also have to obey certain guidelines about inaccurate, incomplete, unverifiable, or outdated information, and can only provide your file to someone with a “valid need.” Sharing your “consumer report” data outside of that valid need is a big no-no.

Who has to play nice: Financial institutions and credit reporting ones — but those categories may be broader than you think.

The GLBA limits what non-public personal information financial institutions may disclose to third parties. The category of “financial institution” is broader than just banks and credit unions, and covers anyone that’s “significantly engaged” in a long list of financial activities. So a business that brokers or services loans or collects debts — like a car dealership — may be covered, as may businesses that provide “advisory services,” wire transfers, or a bunch of other activities.

Meanwhile, the FTC has separate guidance on FCRA for employers, landlords, insurers, furnishers (the agencies that compile reports), people who maintain or destroy credit report records, and more.

Who you complain to: The Federal Trade Commission, or potentially your state attorney general.

Phone Use Data

The Communications Act and the Telephone Records and Privacy Protection Act of 2006

What info is covered: Your phone company — landline, wireless, or IP-based — collects customer proprietary network information (CPNI) when you make calls. That data includes what number you call, what number you receive a call from, how long a call lasts, where you called from (if using a cellular network), and also data about services you use — including 411, voicemail, or anything else you can see on your phone bill.

There are three circumstances in which your phone company can use, share, or allow access: when required by law (as when the cops subpoena records or the NSA collects them), with your approval, or to provide the service you’re paying for to you.

Additionally, since Jan. 2007, it has been a federal criminal violation to fraudulently obtain phone records. Get caught doing it and you’re subject to fines, jail time, or both.

Who has to play nice: Phone companies — all of them, no matter what tech they’re using (wireless, VoIP, or copper-wire).

Who you complain to: The Federal Communications Commission.

Cable TV Data

The Communications Act — specifically, the Cable Communications Policy Act of 1984, although some other sections of the much-amended and much-updated Communications Act apply as well.

What info is covered: There are two categories of data at play. One is personally identifiable information (PII) cable companies gather, like your Social Security number. That needs to stay private, but isn’t unique to your cable company. The other category is data that is unique to your cable company: CPNI, customer proprietary network information.

Cable operators can collect both PII and CPNI from you in order to provide you with, and bill you for, the services you subscribe to. They may also use that data in order to detect if you’re pirating cable or in some other way gaining “unauthorized reception” of services, and they can aggregate your contact info into subscriber lists unless you tell them not to.

Among the CPNI that your modern cable company can collect from you is a whole big pile of data about your viewership habits, along with all your standard billing and account info. However, the law bars them from using that data in an individualized, identifiable way. Instead, “activity data” — when you watch cable, what you buy from on-demand, how long you stay with a channel, if you’re using the remote control or a phone to control it, and so on — is used in a “de-identified” way with your name and address stripped.

The most informative document for learning what your cable operator collects and how they use it is actually going to be that specific company’s customer privacy notice, not the law; the Cable Act requires those notices to be pretty detailed, so your operator will have one for you to Google.

Who has to play nice: Cable companies that provide you TV through coaxial or fiber optic cable.

Satellite TV companies are not covered under the same FCC regulations as cable companies. However, the privacy policies for both DirecTV (PDF) and Dish Network (PDF) are clear about what other limitations of the Communications Act apply to what they can do with PII and CPNI they collect from you.

Streaming app versions of your cable company’s service are not yet held to the same privacy standard, but may be very soon, if the FCC votes to adopt its current set-top box proposal on Sept. 29.

Who you complain to: The Federal Communications Commission

Internet Use Data

What law(s) cover this info: None

What info is covered: If you’re over 13, none of it… yet.

The FCC is currently considering a proposal that would subject internet service providers (the Comcasts, Charters, and Verizons of the world) to restrictions similar to those under which cable TV operators and phone companies must operate.

The proposed regulation would not limit what content providers, app makers, or affiliated services like advertising trackers, could do with your browsing data. It would, however, limit what your ISP could do with its access to your internet use data.

The proposal is meeting with strong pushback from the broadband and wireless industries, which want to be able to run and explore pay-for-privacy schemes that require consumers to opt-in and pay a fee to keep certain information unsold.

Who has to play nice: Nobody

Who you complain to: Nobody’s really the right place for those complaints right now, but if the proposal passes and survives legal challenges, it may eventually be the FCC.

Children’s Internet Use Data

The Children’s Online Privacy Protection Rule, better known as COPPA

What info is covered: Personal information, collected online, pertaining to children under age 13. “Personal information” includes anything that can be a unique identifier: social security number, home address, phone number, screen name, geolocation information, a photo, or anything else that could tie an account to a single, particular child.

Entities covered by the rule must:

Post privacy policies

Provide notice to, and obtain consent from, parents about privacy practices

Give parents the option of letting kids’ data be used internally but not shared with third parties

Permit parents access to review their kids’ data or have it deleted

Keep kids’ data confidential and secure

Limit the retention of kids’ data after it is no longer needed and take “reasonable measures” to protect it from unauthorized access or use

Who has to play nice: Commercial websites and online services, including mobile apps, that collect, use, or disclose personal information from children under age 13. That means services explicitly directed to children, as well as sites that have “actual knowledge” that they may be collecting data from children under age 13.

(This is why you often see an age gate at site or app registration asking you to confirm that you are 13 or over. You confirming that lets the site off the hook from having any actual knowledge that it has served — or shared data from — any user covered by the law.)

Who you complain to: The Federal Trade Commission.

Everything Else

There are huge swaths of unregulated data collection and data use out there. It seems like basically every week we find some new story about driving data or computer parts becoming yet another data point in the arsenal of facts marketers can assemble against us. And as we collectively transition more and more into the “internet of things” era, pervasive data collection is not going to stop or slow down.

For the most part, the agency tasked with figuring out whether those data uses are harmful, misleading, or proper is the FTC.

In general, the FTC is your first go-to for consumer privacy issues. The commission is also busily investigating the implications of the big data world: although there are very few new regulations about the massive sea of connected data in which we all swim, the FTC is working hard to try to enforce the old regulations in the new world. If the collection or use of big data is discriminatory or misleading, the FTC may be able to act.

The FTC is also starting to investigate whether all those notifications to consumers actually work. Study after study has shown that the vast majority of consumers do not read the terms of service for sites they use, and the ones that exist are so long and complicated that most of us literally cannot take the time to parse them all.