North America’s Reckoning with Privacy Online Is Looming

Jenelle Fulton-Brown
5 min readJan 28, 2021


The ongoing pandemic keeping everyone at home on their computers has shed even more light on the online privacy dilemma that begs more regulation, rather than leaving things in the hands of technology giants and their own internal policies.

Many people argue that tech corporations are becoming the gate-keepers of the internet. Opting out from a user agreement that doesn’t respect your privacy is no longer an option to many people, as you’ll find yourself left out from many services that we’ve become more and more dependent on to connect with family and friends and get work done.

The Washington Senate Democratic Caucus has been hard at work on an updated version of the Washington Privacy Act (WaPA) that has failed to pass by the House of Representatives back in 2019. The new act follows in the footprints of the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulations (GDPR).

Let’s have a more in-depth look at some of the mandates that all such regulatory efforts have in common and see how these new measures can impact your online privacy.

Which Data Is Protected?

Though the wording might be different for which data is protected by those different regulations, they all share similar scopes.

For instance, the WaPA pledges to protect users’ personal data, which can be linked to an “identified or identifiable natural person,” while the CCPA uses the term “personal information” to refer to any information that can be either directly or indirectly linked to a consumer or a household.

Canada follows suit with its Consumer Privacy Protection Act (CPPA), which is set to be one of the most strict data regulatory efforts in North America. It focuses on the concept of data depersonalization with harsh penalties on non-abiding companies and institutions.

There are some points that need more clarification, though. When the collected data is stripped off its traceable identifiers, is it included under the privacy acts or not? There is no specific wording in the proposed bills, but as long as the data are permanently non-attributable to a person or a household, companies can get a pass.


The regulatory frameworks also go into more detail, defining a number of exclusions that put the users’ greater good first.

For example, healthcare records and related information already have their own regulations in place, like the Health Insurance Portability and Accountability Act or the HIPAA to ensure the patients’ confidentiality and privacy. That’s why the health care institutions were exempt from the online privacy frameworks.

Furthermore, data related to the creditworthiness and essential data for federal and local government operations are also some of the more understandable exceptions that the previous frameworks agree on.

Rights and Obligations

Your online data can go back and forth between different servers, and in order to make the regulation process more focused, the privacy frameworks define two involved parties; the consumer and the controller.

For instance, the WaPA does a great job in summarizing consumers’ rights into five key points, which are:

  1. Right to access their own data
  2. Right to correction of any misinformation that relates to them
  3. Right to delete all the customer’s personal data from the controller’s servers
  4. Right to data portability gives the consumer the ability to migrate their data from one controller to another in a seamless way
  5. Right to opt-out from certain data processing practices that feed into targeted advertising, curated social media feeds, and selling of personal information

Canada’s CPPA adds another right related to providing consumers with more transparency regarding any algorithms that make predictions based on the users’ online activity.

There is an argument to be made about how curated social media feeds are making us more divided, as the AI’s main goal is to keep you hooked. The US capitol insurrection has brought such an issue to public attention, and we expect data regulators to study different routes to handle personalized content in a better way.

Furthermore, de-identification is also a big part of the data regulation movement. Companies are required to implement drastic measures on the administrative and operational scales to de-identify personal information.

This way, you’re getting the service delivered through the least possible data collection, and even the data involved can’t be traced back to you. The current profiling model keeps tabs on all your online activities, even across different websites and services operated by other companies.

Cross-app tracking is actually a case of a dispute between Apple and Facebook, with Apple introducing new privacy measures in its latest version of iOS14 that gives the user the option to opt-out. Specifically, a new cards feature was integrated to the App Store that gives the user a greater indication of the amount (and levels) of data collected by any app before you consider downloading it.

Of course, Facebook isn’t thrilled about such changes and claims that small businesses will be hit hard by such decisions when more and more people opt-out, and ad targeting becomes less effective.

Right now, tech giants handle privacy according to their own policies; that’s why the feud between Apple and Facebook raises the question: why do we let companies decide for us on a case-by-case basis when we can push bills that guarantee our own rights and privacy?


Canada’s CPPA makes it clear that consent is the pillar for data handling. Companies can no longer get away with ambiguous terms and conditions that users can’t understand. Consents to collect or handle data should be obtained through simple, direct language.

However, when it comes to enforcement, different regulatory frameworks take different approaches. For instance, both the CPPA and CCPA offer legal rights to consumers whose data were compromised in data breaches.

The data controller is obliged to keep users’ data safe and not disclose any of it to third parties. If these terms aren’t met, consumers can practice their legal rights and see such incidents through in courts.

On the other hand, the WaPA doesn’t offer consumers any right to action. Still, any efforts towards reform are a step forward in our book, as at least we have a baseline now for how data should be handled. Even if it’s not perfect, we’re moving on the right track.



Jenelle Fulton-Brown

⬅️ 10+ years in systems architecture and cybersec ➡️ Now raise awareness, teach and write about data privacy & infosec