The California Privacy Rights Act (CPRA) is a data privacy law that was passed in California in November 2020 as an extension and expansion of the California Consumer Privacy Act (CCPA).
The CPRA introduces new privacy rights for consumers and additional obligations for businesses. The law is expected to go into effect on January 1, 2023.
Why Do We Need CPRA?
The CPRA came about to address some of the shortcomings of the CCPA and to provide Californians with more control over their personal data.
It aims to bring California’s data protection regulations more in line with the EU’s General Data Protection Regulation (GDPR).
CPRA strengthens the rights of consumers and introduces stricter obligations for businesses in handling personal data, thereby improving overall data protection.
How Does CPRA Affect Me?
If you’re a California resident, the CPRA offers you extended data protection rights. These include the right to correct inaccurate personal data, the right to opt out of automated decision-making technology in certain cases, and stronger protections for sensitive personal information.
If you’re a business that collects, processes, or sells the personal data of California residents and meets certain thresholds, you need to comply with the CPRA. It’s important to note that these obligations apply regardless of where your business is located, so long as you handle the data of California residents.
How Can I Stay Safe and Compliant?
If you’re a California resident, you should familiarize yourself with the new rights introduced by the CPRA. Ensure you exercise your data protection rights and be careful when providing personal data online.
If you’re a business, here are the steps you need to take to comply with the CPRA:
Understand the scope of the CPRA: The CPRA introduces several new rights and obligations, so it’s important to familiarize yourself with them.
Review and update your privacy policy: Make sure your privacy policy is up-to-date and clearly explains how you collect, use, and share personal data.
Implement secure data practices: The CPRA requires businesses to implement reasonable security procedures and practices to protect personal data.
Develop a process to respond to consumer rights requests: The CPRA strengthens consumer rights, including the right to access, delete, and correct their data. Businesses must be able to efficiently and effectively respond to these requests.
Stay updated: The CPRA also establishes a new enforcement agency, the California Privacy Protection Agency (CPPA). Businesses should monitor updates from the CPPA for any changes to the regulations.
In Conclusion
The CPRA represents a significant step forward in the protection of consumer data rights in the United States. Whether you’re a consumer seeking to protect your personal data or a business needing to comply with these new regulations, understanding the CPRA and its implications is crucial.
CPRA FAQs for Beginners
Q: Who does CPRA apply to?
A: The CPRA applies to for-profit businesses that collect and process personal data of California residents and meet certain thresholds. This includes businesses with gross revenues over $25 million, those that buy, sell or share the personal information of 100,000 or more California residents or households, and those that derive 50% or more of their annual revenue from selling or sharing consumers’ personal information.
Q: What types of personal data does CPRA protect?
A: The CPRA protects personal information, which is defined as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Q: What are the penalties for non-compliance with CPRA?
A: Under the CPRA, fines for violations involving minors under the age of 16 are tripled. For other violations, the California Attorney General can impose penalties up to $7,500 per violation.
Q: What’s new in CPRA compared to CCPA?
A: The CPRA introduces several new provisions, such as the creation of a dedicated enforcement agency (the CPPA), rights to correction, stronger rights to opt out of targeted advertising, and stricter consent requirements for sensitive personal information.
Q: When does CPRA go into effect?
A: The CPRA is expected to go into effect on January 1, 2023.
In a world where social media platforms are constantly vying for user attention, Meta has made a bold move by launching Threads, a direct competitor to Twitter.
The app has made a splash, amassing millions of users within the first 12 hours of its release in the UK and US.
However, the European Union (EU) has put a pin in Meta’s plans for a pan-European launch due to concerns about compliance with the upcoming Digital Markets Act.
Threads, the new kid on the social media block, was officially introduced to the public on Apple and Google’s app stores at 11pm UK time on Wednesday, July 5th.
Interestingly, there’s no desktop version available yet. Meta’s founder, Mark Zuckerberg, expressed his vision for Threads as a “public conversations app with one billion-plus people on it,” a feat he believes Twitter has yet to achieve.
Threads is seen by many as Zuckerberg’s latest move in his ongoing rivalry with Twitter’s owner, Elon Musk, the billionaire behind PayPal and Tesla. This rivalry heated up recently when Twitter introduced a new rate-limiting policy for users who refuse to pay a monthly charge for verified status, a move that seemed to inadvertently trigger a self-inflicted distributed denial-of-service (DDoS) attack on Twitter’s own systems.
Threads aims to capitalize on Instagram’s massive user base for rapid growth. The strategy is simple: make it easy for Instagram users, especially high-profile celebrities and influencers, to sign up using their existing Instagram credentials. This allows them to “reserve” their accounts and protect their identities. Big names like celebrity chef Gordon Ramsay, reality TV star Kim Kardashian, and Formula 1 driver Lando Norris have already jumped on board.
When users sign up for Threads, they share a wealth of information from their Instagram profiles, including login information, account ID, name, username, profile information, followers, accounts they follow, age, and any violations of intellectual property or community guidelines. Like other Meta products, Threads also collects a wide range of personal data, from health and fitness information to financial data, contacts, content, browsing history, usage data, diagnostics, purchasing history, location, search history, identifiers, and sensitive information.
However, this cross-platform functionality is what has put the brakes on Threads’ European launch. The EU’s Digital Markets Act, set to be fully implemented in 2024, strictly prohibits sharing user data across different platforms. Violations could result in fines of up to 10% of annual global revenues for tech giants.
A representative from Meta confirmed that due to “upcoming regulatory uncertainty,” Threads will not be launched in the European Economic Area (EEA), which includes the 27 EU Member States, Iceland, Liechtenstein, and Norway.
The Irish Data Protection Commission, acting as the lead regulator for Meta in the EU, clarified that it has not blocked the EU launch but has been in dialogue with Meta about Threads’ use of data. They stated that Meta had not yet prepared Threads for an EU launch.
This development comes in the wake of a recent ruling by the Court of Justice of the European Union (CJEU) that has significantly impacted Meta’s legal basis for data processing to serve targeted ads to EU users. In May 2023, the Irish DPC also halted Meta from transferring Facebook user data from the EU to the US, imposing a fine of €1.2bn.
Angel Maldonado, CEO and founder of Empathy.co, a privacy-driven search platform, commented on the situation, stating that tech giants like Meta are operating under a misconception about data ownership. He argued that simply clicking a checkbox does not mean that consumers’ data belongs to these companies. He called out these business models as “abusive, obscene and wrong.”
Maldonado further emphasized that the CJEU’s decision serves as a warning to Big Tech companies about the risks of personalized advertising business models and treating consumer data as a commodity. He said, “This ruling shows the tables are turning in favor of privacy. Common sense always prevails, and with regulatory bodies circling Meta, they’ll soon have to start playing within the bounds of fair play. Consumers must have the ability to hold, protect and control their own data before it gets processed for any other means.”
As the social media landscape continues to evolve, it’s clear that privacy concerns are becoming increasingly important. While Threads has made a strong debut in the UK and US, its future in the EU remains uncertain. As we wait to see how this story unfolds, it’s a good time to reflect on the data we share on social media and how it’s used.
In the meantime, if you’re looking for Twitter alternatives, there are several options available. Mastodon, for example, is a decentralized social network where users can create their own servers or join others. Gab is another alternative that emphasizes free speech and user privacy. Then there’s Hive Social, a recently established social media network that temporarily closed its servers to address deep structural privacy issues identified by ethical hackers.
Interesting Stats
Twitter Monthly Active Users: As of the first quarter of 2021, Twitter had 330 million monthly active users worldwide.
Instagram Monthly Active Users: As of June 2021, Instagram had reached a whopping 1 billion monthly active users.
Facebook (Meta) Monthly Active Users: As of the second quarter of 2021, Facebook had over 2.8 billion monthly active users.
Mastodon Users: As of 2021, Mastodon, a Twitter alternative, had over 4.4 million users.
Gab Users: Gab, another Twitter alternative, had over 4 million users as of 2021.
EU Digital Markets Act Fines: The upcoming EU Digital Markets Act could impose fines of up to 10% of a tech giant’s annual global revenues for violations.
Fine Imposed on Meta by Irish DPC: In May 2023, Meta was fined €1.2 billion by the Irish Data Protection Commission for transferring Facebook user data from the EU to the US.
Fun fact: Did you know that as of 2021, Twitter had over 330 million monthly active users? With Threads aiming to create a “public conversations app with one billion-plus people on it,” it’s clear that Meta is setting its sights high. Only time will tell if Threads can truly rival Twitter’s popularity and influence.
The General Data Protection Regulation, or GDPR, is a law that originated in the European Union (EU) and took effect on May 25, 2018.
It was designed to harmonize data privacy laws across all EU member states and to reshape how organizations worldwide approach data privacy.
The GDPR replaced the previous EU Data Protection Directive of 1995.
The key element of the GDPR is that it is built around the principle of privacy by default and by design. It requires organizations to handle personal data responsibly and transparently, providing individuals with significant control over their own information.
The GDPR applies to any business or organization worldwide that processes the personal data of EU residents.
Why Do We Need GDPR?
Before the GDPR, there was a patchwork of data protection laws across the EU, each with its own interpretations and implementations. These discrepancies made it difficult for companies to comply and for citizens to understand their rights.
The GDPR sought to provide a uniform set of rules to simplify the regulatory environment and bolster data protection.
With the advent of technology and the internet, our lives have increasingly moved online. This digital shift has allowed organizations to gather vast amounts of data about us. Such data, when mishandled or misused, can lead to significant privacy breaches.
The GDPR aims to protect against such threats by empowering individuals to control how their personal data is used.
How Does GDPR Affect Me?
If you’re an individual residing in the EU, the GDPR provides you with several rights:
Right to be Informed: Organizations must tell you what data is being collected, how it’s being used, how long it will be kept, and whether it will be shared with any third parties.
Right to Access: You have the right to request access to the data collected from you.
Right to Rectification: You can request to have inaccurate data amended.
Right to Erasure (or ‘Right to be Forgotten’): In certain circumstances, you can request for your data to be deleted.
Right to Restrict Processing: You can ask to restrict the processing of your data.
Right to Data Portability: You can ask for your data to be transferred to another organization or to you directly.
Right to Object: You can object to the processing of your data for certain purposes, such as direct marketing.
Rights Related to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling.
If you’re a business, especially one operating within the EU or dealing with the personal data of EU citizens, you need to comply with these regulations or risk severe penalties. Businesses need to ensure they have adequate data handling and data protection measures in place.
Table: GDPR Fines by Year (up to 2021)
Year  | Number of Fines | Total Value of Fines (€)
2018  | 12              | 460,000
2019  | 190             | 417,000,000
2020  | 331             | 171,320,000
2021* | 265             | 273,830,000
*Data for 2021 is up to September.
Top 5 Countries by GDPR Fines (up to 2021)
Country | Number of Fines | Total Value of Fines (€)
Italy   | 68              | 69,328,716
Germany | 61              | 69,080,000
France  | 23              | 54,431,300
Spain   | 172             | 29,521,400
UK      | 23              | 44,221,000
Top 5 Violations Resulting in Fines (up to 2021)
Violation Type                                                              | Number of Fines
Non-compliance with data subject rights                                     | 281
Insufficient legal basis for data processing                                | 215
Insufficient technical and organizational measures to ensure data security  | 145
Non-compliance with general data processing principles                      | 105
Data breach notification obligations                                        | 94
Please note that the numbers and fines are indicative and vary greatly by case. Also, the categories of violation types may differ slightly among sources.
How Can I Stay Safe and Compliant?
If you’re an individual, the key to staying safe is understanding your rights under GDPR and being proactive. Carefully read privacy policies and terms of service before sharing your personal data. Use the rights granted to you by the GDPR, such as the right to access, rectify, or erase your data.
If you’re a business, here are some steps you can take to comply with GDPR:
Understand the Law: This might seem obvious, but understanding the nuances of the GDPR is crucial. Not all businesses are affected equally.
Hire a Data Protection Officer (DPO): If you’re a public authority, or if your core activities require large-scale monitoring or processing of sensitive data, GDPR mandates the appointment of a DPO.
Implement Data Protection by Design and Default: Incorporate data protection measures from the start of any system design, not as an addition.
Conduct Data Protection Impact Assessments: If your business is involved in high-risk processing, you’re required to conduct a Data Protection Impact Assessment (DPIA).
Maintain Documentation: Record your processing activities and maintain a clear policy on data retention periods.
Be Prepared for Data Breaches: You must notify the appropriate supervisory authority of a data breach within 72 hours of becoming aware of it.
Respect User Rights: Make sure systems are in place to respect the new user rights under GDPR, including the right to be forgotten and the right to data portability.
In Conclusion
The GDPR is not just another regulation. It represents a shift in how we view and handle data privacy.
By understanding the principles behind it and your rights and responsibilities under it, you can make the most of this law, whether you’re an individual wanting to protect your personal information or a business seeking to respect and protect your customers’ data.
Q: What types of personal data does the GDPR protect?
A: The GDPR protects any information that can be used to directly or indirectly identify a person. This can range from names and email addresses to more complex data like IP addresses, genetic data, or even mental, economic, cultural, or social identity information.
Q: Who does GDPR apply to?
A: The GDPR applies to all EU-based organizations, whether commercial business, charity, or public authority, that collect, store, or process the data of EU residents. It also applies to non-EU organizations that offer goods or services to, or monitor the behavior of, EU residents.
Q: What is ‘processing’ in the context of GDPR?
A: ‘Processing’ refers to any operation performed on personal data. It includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
Q: What is the role of a Data Protection Officer (DPO)?
A: A DPO ensures that an organization processes the personal data of its staff, customers, providers, or any other individuals (also referred to as data subjects) in compliance with the GDPR. Their tasks include informing and advising the organization and its employees about their obligations, monitoring compliance, providing advice regarding data protection impact assessments, and cooperating with supervisory authorities.
Q: What happens if a company doesn’t comply with the GDPR?
A: Organizations can face hefty fines for GDPR non-compliance. These fines can be up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever is higher.
Q: How does the ‘Right to be Forgotten’ work?
A: The ‘Right to be Forgotten’ or the ‘Right to Erasure’ means that the data subject can request the deletion of their personal data from an organization’s records. The organization must comply unless there’s a legitimate reason for retaining the data, such as for compliance with a legal obligation or for reasons of public interest.
Q: What is a Data Processing Agreement (DPA)?
A: A DPA is a legally binding contract that states the rights and obligations of the data controller (the entity determining the purposes and means of processing data) and the data processor (the entity processing data on behalf of the controller) in terms of data processing. The GDPR requires a DPA whenever a data controller outsources data processing to an external data processor.
Q: How does GDPR affect businesses outside of the EU?
A: GDPR has a global reach. It applies to any organization, regardless of its location, that processes the personal data of EU residents. This means businesses outside the EU must also comply with GDPR if they offer goods or services to, or monitor the behavior of, EU residents.
I hope this deep-dive Q&A helps further your understanding of the GDPR.
As one of the most popular video-sharing platforms globally, YouTube has managed to amass an incredible user base.
With over 2 billion logged-in monthly users, it comes as no surprise that the platform has also gathered an immense amount of personal data. But what kind of information does YouTube collect, and how is it used?
In this friendly-toned deep dive, we’ll explore the various types of data YouTube collects from its users and shed light on some examples.
Here’s a table that categorizes the data YouTube collects from its users and the level of sensitivity associated with each category:
Data Category                   | Examples                                                                                                                                        | Level of Sensitivity
User-Provided Information       | Name, email address, phone number, date of birth                                                                                                | High
Device Information              | Hardware model, operating system, unique device identifiers, mobile network information                                                        | Medium
Usage Information               | Videos watched, search queries, video interactions (likes, dislikes, comments, shares, subscriptions), duration and frequency of visits, interaction with ads | Medium
Location Information            | IP address, GPS data, device sensor data                                                                                                        | Medium
Cookies and Similar Technologies | Language preferences, saved settings, browsing history                                                                                         | Low
Please note that the level of sensitivity is subjective and may vary depending on individual perceptions and the context in which the data is used.
1.1 User-Provided Information
When you create a YouTube account or use any Google services, you’ll typically provide some personal information such as your name, email address, phone number, and date of birth. This information allows YouTube to create and maintain your account, as well as provide you with a personalized experience.
1.2 Device Information
YouTube collects data about the devices you use to access the platform, including hardware model, operating system, unique device identifiers, and mobile network information. This information helps YouTube optimize the user experience for different devices and provide relevant content based on your device’s capabilities.
1.3 Usage Information
As you interact with YouTube, the platform collects information about your activity, such as:
Videos you watch
Your search queries
Your video interactions (likes, dislikes, comments, shares, and subscriptions)
The duration and frequency of your visits
Your interaction with ads
This data enables YouTube to analyze trends, improve its services, and offer personalized content and recommendations.
1.4 Location Information
YouTube may also gather information about your geographical location through various means, such as IP addresses, GPS, or other sensors in your device. This information is used to provide location-based services, such as localized content and targeted advertisements.
1.5 Cookies and Similar Technologies
Like most websites, YouTube uses cookies and similar technologies to collect and store information about your preferences and interests. This allows the platform to remember your settings, such as language preferences, and provide a more seamless experience.
2: Examples of Personal Data Collected by YouTube
Here are some examples of the personal data YouTube may collect from its users:
Data Category                    | Examples
User-Provided Information        | Name, email address, phone number, date of birth
Device Information               | Hardware model, operating system, unique device identifiers, mobile network information
Usage Information                | Videos watched, search queries, video interactions (likes, dislikes, comments, shares, subscriptions), duration and frequency of visits, interaction with ads
Location Information             | IP address, GPS data, device sensor data
Cookies and Similar Technologies | Language preferences, saved settings, browsing history
3: How YouTube Uses Personal Data
3.1 Personalization and Recommendations
YouTube uses the personal data it collects to provide you with a more personalized experience. This includes tailoring video recommendations based on your watch history, search queries, and video interactions. It also helps YouTube suggest relevant channels for you to subscribe to, ensuring you get content that matches your interests.
3.2 Targeted Advertising
YouTube’s parent company, Google, generates a significant portion of its revenue from advertising. By collecting personal data, YouTube can provide targeted ads to its users based on their interests, location, and demographics. This approach makes the ads more relevant and useful, which benefits both users and advertisers.
3.3 Security and Fraud Prevention
The personal data collected by YouTube also plays a crucial role in maintaining the platform’s security. By analyzing user activity and patterns, YouTube can identify and prevent potential security threats, such as hacking attempts or fraudulent activities.
3.4 Improving Services
YouTube continually works on improving its platform and services. To do this effectively, it relies on the data collected from its users. By understanding user behavior, preferences, and trends, YouTube can make informed decisions on new features and optimizations.
3.5 Legal Compliance
In some cases, YouTube may use personal data to comply with legal obligations, such as responding to lawful requests for information from law enforcement agencies or regulatory bodies.
Conclusion
YouTube’s vast user base and extensive data collection practices may seem overwhelming. However, understanding what personal data is collected and how it is used can help users make more informed decisions about their online privacy.
YouTube primarily collects data to enhance user experiences, provide targeted advertising, maintain security, improve its services, and comply with legal obligations.
As a user, it’s essential to be aware of the privacy settings available on YouTube and other online platforms.
You can manage your privacy settings and control the data you share by accessing your Google Account settings. Additionally, you can limit the information collected by using privacy-focused browsers, virtual private networks (VPNs), or even browsing YouTube in incognito mode.
In conclusion, while YouTube does collect a considerable amount of personal data, it’s crucial to understand that this data collection primarily aims to provide a better user experience.
By staying informed and making use of privacy tools, you can enjoy the benefits of YouTube while maintaining control over your personal information.
Q1: How can I manage the personal data collected by YouTube?
A1: You can manage your personal data by accessing your Google Account settings. From there, you can control the data you share, review your activity, and update your privacy settings.
Q2: What are the privacy settings available on YouTube, and how can I adjust them?
A2: You can adjust your privacy settings by visiting your Google Account settings. Some options include controlling your ad personalization, managing your YouTube history (watch and search), and choosing your data sharing preferences with Google.
Q3: Can I use YouTube without providing any personal information?
A3: Yes, you can use YouTube without signing in. However, you’ll have limited access to features, and your experience will not be personalized based on your interests.
Q4: How does YouTube handle the data of children or users under the age of 13?
A4: YouTube has a separate platform called YouTube Kids, designed for children. YouTube Kids has stricter data collection policies and complies with the Children’s Online Privacy Protection Act (COPPA). Content creators must designate whether their content is made for children, and data collection is limited for such content.
Q5: How long does YouTube retain my personal data?
A5: YouTube retains your personal data for varying durations depending on the type of data and its purpose. In general, YouTube retains your data for as long as your account is active, and for a reasonable period afterward to comply with legal obligations, enforce its terms of service, and resolve disputes. Some data, such as search history and watch history, can be deleted by the user at any time. If you choose to delete your account, YouTube will start the process of removing your data from its systems, but it may take some time to complete. Keep in mind that specific legal obligations might require YouTube to retain certain data for a longer period.
Q6: Can I request YouTube to delete my personal data?
A6: Yes, you can request the deletion of your personal data by visiting your Google Account settings. You can delete specific data or your entire account, which will remove your personal information from YouTube’s servers.
Q7: Are there any alternative video-sharing platforms with less data collection?
A7: There are several alternative video-sharing platforms with varying data collection policies. Some examples include Vimeo, Dailymotion, and PeerTube. However, it’s essential to review their privacy policies and data collection practices before using them.
Q8: How can I limit targeted advertising on YouTube?
A8: You can limit targeted advertising on YouTube by turning off ad personalization in your Google Account settings. This will prevent YouTube from using your personal data to show you personalized ads.
Q9: Does YouTube share my personal data with third parties, and if so, under what circumstances?
A9: YouTube may share your personal data with third parties in specific situations, such as with your consent, for external processing by trusted service providers, or for legal reasons (e.g., in response to a lawful request from a law enforcement agency).
Q10: What are some additional steps I can take to protect my privacy while using YouTube and other online platforms?
A10: You can use privacy-focused browsers (e.g., Brave or Firefox), enable browser extensions that block trackers and ads, use virtual private networks (VPNs) to mask your location and IP address, and browse YouTube in incognito mode to limit the collection of your personal data.
Q11: How can I access and download the personal data that YouTube has collected about me?
A11: You can access and download your personal data through Google’s “Takeout” service. Visit takeout.google.com, sign in to your Google Account, and select the data you wish to download. Once you’ve made your selection, click “Next” and choose a file type and delivery method to receive your data.
Q12: Can I opt out of certain types of data collection on YouTube?
A12: While you can’t opt out of all data collection on YouTube, you can manage your privacy settings and limit specific types of data collection, such as ad personalization and YouTube watch/search history. Visit your Google Account settings to control the data you share with YouTube and other Google services.
These questions and answers cover various aspects of YouTube’s personal data collection practices, privacy settings, data management, and alternative options for users who are concerned about their privacy.