What does Privacy Edge actually look for?

Privacy Edge focuses on analyzing page activity that could signal a privacy risk. We report on the activity of 3rd parties on your site’s pages in terms of 5 data points:

  1. Fingerprinting activity,
  2. Form data flow from your site to other domains,
  3. “Young domains” that are less than 365 days old,
  4. Requests that have SSL or certificate issues, and finally
  5. Countries where 3rd party domains are located.

We show your privacy risks in relation to your previous inspections and we provide a comparison of what we see across all sites we’ve inspected. Your privacy risks will vary across inspections and pages. You will want to ensure that the third parties you are doing business with are operating within your privacy expectations.
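As an added illustration (this is not Lokker's code and does not describe how Privacy Edge is implemented), the sketch below checks a captured set of page requests for three of the five data points above: form data reaching other domains, young domains, and TLS issues. The request records, domain names, registration dates and the `audit` helper are all constructed for the example.

```python
import hashlib
from datetime import date
from urllib.parse import urlsplit, unquote_plus

# Constructed sample capture: simplified request records from one page visit.
EMAIL = "ana@mail.example"
REQUESTS = [
    {"url": "https://www.shop.example/checkout", "body": "email=ana%40mail.example"},
    {"url": "https://px.tracker-one.example/c?em=ana%40mail.example"},
    {"url": "https://cdn.newads.example/p",
     "body": "h=" + hashlib.sha256(EMAIL.encode()).hexdigest()},
    {"url": "https://static.oldcdn.example/lib.js", "tls_error": "CERT_EXPIRED"},
]
# Constructed registration dates; in practice these come from WHOIS/RDAP lookups.
REGISTERED = {"tracker-one.example": date(2015, 3, 1),
              "newads.example": date(2024, 1, 10),
              "oldcdn.example": date(2010, 6, 5)}

def site_of(url):
    """Last two host labels (assumption; real code needs a public-suffix list)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def encodings(value):
    """Ways a field value may leave the page: as typed, or as a SHA-256 hex digest."""
    v = value.strip().lower()
    return {v, hashlib.sha256(v.encode()).hexdigest()}

def audit(first_party, form_values, requests, registered, today):
    """Map each third-party domain to the set of risk flags seen for it."""
    needles = {n: f for f, val in form_values.items() for n in encodings(val)}
    findings = {}
    for r in requests:
        dom = site_of(r["url"])
        if dom == first_party:
            continue  # only third parties are reported
        flags = findings.setdefault(dom, set())
        sent = unquote_plus(urlsplit(r["url"]).query + "&" + r.get("body", "")).lower()
        flags.update("form-data:" + f for n, f in needles.items() if n in sent)
        if r.get("tls_error"):
            flags.add("tls:" + r["tls_error"])
        reg = registered.get(dom)
        if reg and (today - reg).days < 365:
            flags.add("young-domain")
    return findings

if __name__ == "__main__":
    for dom, flags in audit("shop.example", {"email": EMAIL}, REQUESTS,
                            REGISTERED, date(2024, 6, 1)).items():
        print(dom, sorted(flags))
```

Matching the hashed form of a field as well as the raw value matters because a hashed email address is still a stable identifier for the person who typed it.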

How often is my site inspected?

Lokker will work with you to develop the appropriate cadence for inspections. We will likely start with daily inspections for the first week and then taper off inspections to once a week.

What if I have more than one site?

We can inspect as many sites as you’d like to monitor and provide simple controls to select which site report you would like to review in your Lokker dashboard.

What is required for Privacy Edge implementation on my site?

Privacy Edge requires nothing to be installed on your site for inspections to run. We visit your pages in an automated manner and inspect both the behavior of scripts operating client side along with a detailed analysis of the network traffic. Your site does need to be public-facing for Privacy Edge to operate.

Why is consumer privacy important to protect?

Consumer privacy is important to protect primarily because your customers expect you to deal openly and fairly with them, so it’s the right thing to do, ethically speaking. If you are a company, you probably also have a legal responsibility to protect certain customer information, though the specifics vary depending on what jurisdiction you are in and what kind of personal data you are handling. In some cases, the only regulations you have to worry about are ones that require you to notify affected individuals if you have a data breach. In other cases, your responsibility to protect customer information begins even before you collect the data. If a company has an incident such as a data breach that discloses customer information, or if your customers discover that you haven’t been protecting their data, it can expose your business to lawsuits and fines and can cause serious damage to your brand. If you are knowingly or unknowingly leaking customer information to your competitors (which is possible in the case of some third-party web apps), you are effectively handing your customers over to your competitors, which is generally considered to be a poor business practice.

What is personally identifiable information (PII)?

Personally identifiable information (PII) is information that, either by itself or in combination with other information, can be linked to a specific individual. PII is a broad category, encompassing many data elements.

What are the challenges in managing PII?

The main challenges in managing PII are:

  1. Knowing what PII you are collecting, where it is, and what you are doing with it.
  2. Understanding and complying with any laws, regulations, and industry standards that apply to the PII you have or plan to collect.
  3. Communicating clearly and accurately to individuals about which of their PII you have and what you are doing with it.
  4. Where required or appropriate, obtaining consent from individuals to collect their PII.
  5. Ensuring, where relevant, that you do only what you are allowed to do with their PII based on applicable laws and regulations and what they have consented to.

What is GDPR and why is it important?

The GDPR (General Data Protection Regulation) is the law governing the handling of personal data about individuals within the European Union (EU) and the European Economic Area (EEA). It took effect in 2018 and applies not only within the EEA but also to organizations outside the EEA that offer goods and services to individuals within the EEA or monitor these individuals’ behavior.

The GDPR is important because it has specific requirements you must follow in order to collect personal data, including specific notice language you must post and in some cases, opt-in consents you must obtain before you collect the personal data.

The GDPR restricts what you can do with the data once you have collected it. It requires you to satisfy certain conditions in order to transfer personal data to countries outside the EEA, which can complicate things for multi-national organizations.

The GDPR applies to almost all organizations within the EEA, with few exclusions. It even applies to organizations outside the EEA, if they are offering goods or services to people within the EEA or monitoring these individuals’ behavior.

The GDPR is also important because it is being used as a model for privacy laws in other nations and jurisdictions, such as the recently passed California Privacy Rights Act (CPRA).

What federal laws protect consumer privacy in the US?

So far, there is no federal law in the US that protects consumer privacy across the board, though the topic has been discussed for decades. Instead, we have:

  1. The Federal Trade Commission, which has the ability to enforce promises made by companies about the privacy and security of their customers’/website users’ data.
  2. Specific protection around the collection of personal data of children under 13 (the Children’s Online Privacy Protection Act (COPPA)).
  3. Healthcare sector regulations, including:
    • The HIPAA Privacy and Security Rules, as modified by the HITECH Act (provides a baseline for the privacy and security of health data);
    • GINA (the Genetic Information Nondiscrimination Act);
    • The Confidentiality of Substance Use Disorder Patient Records Rule (42 CFR Part 2); and
    • FDA regulations protecting data collected in clinical trials and adverse reports
  4. Financial sector regulations, including:
    • The Gramm-Leach-Bliley Act;
    • FCRA (The Fair Credit Reporting Act); and
    • The FTC Red Flags Rule
  5. Educational regulation (the Family Educational Rights and Privacy Act (FERPA))
  6. Regulations relating to government and law enforcement access to personal data, though these tend to be more focused on ensuring access than restricting it:
    • The Electronic Communications Privacy Act (ECPA);
    • The Communications Assistance to Law Enforcement Act (CALEA);
    • The Foreign Intelligence Surveillance Act (FISA); and
    • The USA Patriot Act

If you are operating in the United States, it is critical to work with your legal counsel to determine which regulations apply to your business and how you are classified under those regulations as your responsibilities may vary depending on your classification.

What does the US Privacy Act require?

The Privacy Act of 1974 regulates federal agencies that maintain record systems containing information about individuals. It requires such agencies to follow a code of fair information practices and provide notice to the public about the systems of records they maintain. It also prohibits disclosure of information about an individual contained in those records without the consent of the individual unless the disclosure falls under an exemption within the Privacy Act. The Privacy Act regulates federal agencies, not private organizations unless they are using or maintaining such a system on behalf of a federal agency.

Which US states have consumer privacy laws?

The state data privacy landscape in the US is dynamic. Most states have some sort of privacy law that applies when a data breach occurs, but momentum is building for more comprehensive privacy laws, and the situation will continue to evolve rapidly unless and until federal-level regulations are put in place. The International Association of Privacy Professionals (IAPP) maintains this resource about comprehensive state privacy laws: https://iapp.org/resources/article/state-comparison-table/

What is the California Consumer Privacy Act (CCPA)?

The CCPA gives California residents the right to control how businesses collect their personal information and what they do with it.

These rights include:

  1. The right to know what information a business is collecting about them, and how the business is using and sharing it;
  2. The right to delete, which requires a business to remove personal information collected about them;
  3. The right to opt-out of the sale of their personal information by the business that collected it; and
  4. The right to non-discrimination, meaning that a business is not allowed to deny services or charge higher prices because an individual has exercised any of these rights.

If you are a business, the CCPA may require you to make changes to your websites, as well as have processes in place for handling consumer requests. For more information, visit the State of California’s official CCPA page: https://oag.ca.gov/privacy/ccpa

Who enforces the CCPA?

The California Attorney General enforces the CCPA and can act with or without having received consumer complaints. Private individuals can also sue businesses under the CCPA for data breaches in certain circumstances.

What is the California Privacy Rights Act (CPRA)?

The CPRA, which was enacted in November 2020 and will take effect on January 1, 2023, expands on existing California privacy laws (such as the CCPA) to set a new baseline for protection of personal information of California residents. It adds more protection for “sensitive” categories of data (which include not only identifiers such as Social Security Numbers, credit card numbers, and precise geolocation but also personal characteristics such as race/ethnicity, religious beliefs, sexual orientation, and health information). In many ways, the CPRA brings California’s privacy legal framework closer to the GDPR; it adds more rights with respect to an individual’s data, requires businesses to be more cautious in their use of it, and creates an independent enforcement authority (the California Privacy Protection Agency) with investigative, rulemaking, and enforcement powers. It’s worth noting that the passage of the CPRA also extended the CCPA exemption for business-to-business information, and employee information, to the effective date of the CPRA, January 1, 2023.

How does the CPRA differ from the CCPA?

The CPRA gives individuals in California more rights with respect to their personal information than the CCPA does, bringing California’s privacy law much closer to the European model laid out in the GDPR.

Specifically, it does the following:

  1. Establishes an independent agency, the California Privacy Protection Agency (CPPA), with investigative, rulemaking, and enforcement powers to oversee privacy protection (under CCPA, this all came under the California Attorney General’s office).
  2. Changes which businesses are regulated: a business now needs to handle information of 100,000 or more consumers or households rather than 50,000 or more under the CCPA, but the use no longer has to be “commercial”; deriving 50% or more of a business’s revenue from “sharing” consumer PI will also bring a business under it even if it is not a sale.
  3. Defines a subset of consumer personal information called “sensitive” personal information, which includes (unless it’s already publicly available):
    • Social Security, Drivers’ License, State ID Card, or Passport number.
    • Financial account login and access credentials.
    • Precise geolocation information.
    • Racial or ethnic origin, religious or philosophical beliefs, or union membership.
    • Contents of mail, email, and text messages unless the business was the intended recipient.
    • Genetic data.
    • The processing of biometric data to uniquely identify a consumer.
    • Information about a consumer’s health.
    • Information about a consumer’s sex life or sexual orientation.
  4. Gives consumers rights to limit the use and disclosure of their sensitive personal information to certain specified purposes, including the purposes for which it was disclosed, and requires businesses to give notice of how it is going to be used so consumers can limit it.
  5. Expands data breach liability to situations where an email address, in combination with a password or security question answer which would permit access to the account, is exposed.
  6. Instructs the California Attorney General (and then the new CPPA) to issue regulations requiring regular audits and risk assessments for businesses conducting activities that present a significant risk to privacy or security and submit them to the CPPA.
  7. Defines “profiling” and creates opt-out rights with respect to it, as well as the right to receive meaningful information about the profiling process and its likely effect on the individual.
  8. Adds a right to correct inaccurate personal information.
  9. Clarifies that “sharing” personal information is treated the same way as selling it.
  10. Clarifies the rules around children’s data, increases fines for handling it in violation of the regulations, and calls for regulations to create specifications for an opt-out signal that allows children or their parents to specify that a consumer is under 13 or between 13 and 16 years old.
  11. Requires businesses to inform consumers of how long they plan to retain each type of personal information and prohibits retaining it longer than necessary for the purpose for which it was collected.
  12. Extends the exemption covering employee and business-to-business data until January 1, 2023.
  13. Adds new contractual and direct obligations on service providers, defines “contractors” and requires specific contract language, and adds a category of “third parties”.

About Lokker

Privacy isn’t just a legal problem, it’s a technological one that is built into modern cloud infrastructure. Point-in-time scans and consent management platforms aren’t nearly enough to address today’s privacy issues.

With Lokker, you can see and control all browser transactions, including third parties interfacing directly with your web users’ browsers. These transactions are usually invisible to you. Lokker replaces this layer without perceptibly affecting the website. It provides 24/7 inline detection and prevention of third-party access to your users so you can choose to block, allow, or anonymize your users’ outbound information in real-time, again without affecting the functionality.