Taking a Proactive Approach to Consumer Data Privacy

Given the current pandemic circumstances, nearly everyone in the world is using the internet in some capacity. However, online privacy concerns may not be at the forefront of everyone’s minds. Many states and countries have implemented privacy regulations to help protect consumer’s information, but there must also be a proactive data privacy approach from the individual consumer.

Most websites you will visit track your online activity, and the technologies they have implemented can follow you from one site to another and compile this information into a database. When you visit different websites, the site may save information about your visit, called "cookies". These cookies may include information such as login or registration identification, user preferences, online shopping cart contents, etc. Your browser saves the information and sends it back to the web server whenever the browser returns to the website. Legitimate websites use “first-party cookies” to make special offers to returning users and to track the results of their advertising. However, there are some cookies, called “third-party cookies”, which send data about you to an advertising agency, who then shares your data with other online marketers. These third-party cookies include "tracking cookies" which use your online history to deliver other ads. This is the reason that when you search for a certain product on one website, you start seeing ads and similar items on other sites that you visit.

To minimize your exposure to these cookies, you can enable a do not track (DNT) setting within your browser. DNT helps keep your online activity from being followed across multiple sites by advertisers. However, there are no regulations in place that require individual websites to respect this request and no consequences are in place for those that do ignore your preference.

This is where regulations such as the General Data Protection Regulation (GDPR) within the European Union and the California Consumer Privacy Act (CCPA) come into play to help protect individuals’ information. The primary goal of both GDPR and CCPA is to give control to individuals over their personal data. Some of the rights that these regulations cover are:

• The right to know what information is being collected about you and how it is used
• The right to delete the personal data that was collected (with some exceptions)
• The right to opt-out of your personal data being sold to third parties

Knowing what information is being collected and how it is used should be important to individuals. However, most people (myself included) sometimes just click the “I accept” button without fully understanding what they are agreeing to. This was the issue with the Chinese TikTok and the Russian FaceApp applications in recent years. These apps collected data on users just like other popular apps do, but were accused of going too far.

Cybersecurity experts had found that some information that was being collected by TikTok was not necessary for the app to function. Furthermore, the app was accessing iPhone user’s clipboards every few seconds, even if the app was only running in the background. The app’s developers have since removed this issue, but concerns remained due to the fact that the app’s developer ByteDance is headquartered in China, a leading US cyber adversary that often utilizes laws to allow for government inspectors to access the data held by private organizations within China.

Back in 2019, privacy concerns arose surrounding FaceApp, a mobile phone application that allows users to upload photos and watch themselves age instantaneously. As the app rapidly gained popularity, cybersecurity experts warned that FaceApp’s terms of service agreement showed the company holds “perpetual, irrevocable” rights over its users’ app-generated selfies. Additionally, FaceApp creates these age-advancing photos by sending your selfie to cloud servers for modification, rather than having the modification take place on your device. Because FaceApp’s developers are headquartered in Russia, another top US cyber adversary, similar concerns immediately arose about how these selfies were being used and the privacy implications for individuals using the app. FaceApp’s privacy policy has been recently updated to reflect more stringent privacy controls.

With cyberattacks becoming a more frequent occurrence, individuals must take action to better protect themselves and their information. This can be accomplished using a multi-faceted approach. First, you should know and understand what information you are giving to others before granting consent. Second, limit your online footprint through the use of a Virtual Private Network (VPN), and adjust settings within applications when possible to restrict the types of information that is collected. Third, ensure that you follow the best practices when creating and updating your passwords for various accounts. A strong password should be unique and not recycled between accounts and websites, contain a mixture of upper case, lower case, numbers, and special characters, not use personal information, and should be relatively long. Passwords become harder to crack with each character that is added, so longer passwords are harder to crack than shorter passwords. An additional level of security should be enabled, when possible, with multi-factor authentication (MFA). The easiest way to implement MFA is through your phone, where a special code will be sent once your username and password are entered. This added level of security ensures that the person who created the account and added the MFA token (phone) is the actual user. However, this can be compromised if someone does not have a PIN required to unlock their phone. Lastly, review and update settings periodically on websites that you have granted permission to share your data with. Privacy controls may have been updated since the last time you looked, and you might now have the ability to lock down your data further. Companies often update terms, conditions, and privacy policies. When these changes occur, you should review them to make sure that any changes they have made are consistent with what you would like to be shared. Our team of cybersecurity experts are on standby, ready to assist with any further data privacy questions you may have!