Data and Customer Rights

Learning Outcomes

  • Discuss customer rights regarding their personal data

As more mobile devices, social media, applications and ecommerce websites weave themselves ever tighter into customer’s lives, more information is collected, and personal information shared to improve the consumer experience. This deeper infiltration into people’s privacy and lives raises concerns about privacy and the potential for data leaks, unauthorized use of data and even malicious cyberattacks all which increase the likelihood of identity theft.

With the ever-increasing risks involved as the economy and world move forward with technology, we’ll ask three questions: What constitutes personal data when it comes to customers? What is the current state of customer rights with regards to personal data? What is being done to have more protection and customer rights in the future?

Personal Data

Personal data means any information that can identify an individual person or customer. Sometimes it is called personal information or personally identifiable information (PII). In the U.S. according to the National Institute of Standards and Technology, which is a part of the U.S. Department of Commerce, personal data has been defined as:

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.[1]

Additional specific examples of PII include:

  • Bank account numbers
  • Passport numbers
  • Credit Card numbers
  • Driver’s license number

This information also have the potential to be PPI because when combined they have the potential to disclose the identity of an individual.

  • Full Name
  • Home Address, City, State, Postcode, Country
  • Telephone/Mobile number
  • Age, birthdate, Gender or race
  • Web cookies (cookies record actions taken on individual computers and repot back to cookie website)

As you can see, much of this type of information about individuals is disclosed daily when searching, shopping and working online. So, what kind of protections and rights do customers have when it comes to their own data? First, we’ll look at the laws surrounding protection.

Practice Question

Consumer Data Privacy Legislation and Laws

As of the start of 2020, there are no overreaching data specific federal law enacted in the U.S., but in 2018, legislation was enacted in a few U.S. states (California & Vermont) to give new rights to customers about the collection of their personal information. Those law are as follows:[2]

  • California’s Consumer Privacy Act of 2018 went into effect Jan. 1, 2020 and has one of the most extensive online privacy laws in the U.S. which not only effects companies within the state’s borders, but also with any company doing business with CA residents. These consumer rights include the right to:
    • Know what personal information is being collected about them.
    • Know whether their personal information is sold or disclosed and to whom.
    • Say no to the sale of personal information.
    • Access their personal information.
    • Equal service and price, even if they exercise their privacy rights.
  • Vermont’s law which requires that data brokers disclose what data is being collected about individuals and allow them to opt out of data collection.

In 2019, some states introduced privacy and consumer data protection acts to the legislature and they are in various states of discussion. Those states included Maine, Nevada, Pennsylvania, Massachusetts, Hawaii, New York, and Maryland. It is important for a business to know the current laws surrounding consumer data protection as this is in constant flux and new laws may be passed in the future.

Learn More

To read a comprehensive list of each state’s legislation related to privacy and consumer data protection, follow this link to the National Conference of State Legislatures website.

European Union

Europe is taking the lead when it comes to consumer data privacy rights. In 2018, the E.U. enacted a more comprehensive consumer data privacy law called the General Data Protection Regulation (GDPR) law. The GDPR law clearly states how companies must protect personal data collected about E.U. citizens and extends its reach beyond the European boarders and encompasses any global business selling to or having EU customers. It also dictates the terms for violations of this law as fines that could cost 4 percent of a company’s global profits. A steep penality that has companies taking this law very seriously.  Watch this video to gain a more comprehensive understanding of GDPR.

You can also view a transcript for the video “What is GDPR?” here (opens in new window).

What rights is the GDPR enforcing for E.U. customers and consumers? It requires that:

  • Simple language be used to explain how collected data is going to be handled by a company.
  • Customers must give explicit consent to a company before it can do anything with the data.
  • Customers must be given the opportunity to request copies of data held by the company.
  • Customers must be given the opportunity to delete their company stored data entirely.
  • Companies must report data breaches to consumers within 72 hours.

This type of overarching data rights law is being considered around the world as to what does seem to work, and how can it be improved or modified to fit specific countries or states.

Future of Customer Data Rights

Could something like the GDPR work if enacted in the U.S.? Many would like to adopt these standards but there is a long road to travel to make this fit with the U.S. economy.

Learn More: Global GDPR

The US wants to copy Europe’s strict data privacy law—but only some of it. This video walks through exploring the possibility of having GDPR go global and some of the difficulties involved with doing so.

Practice Question

What is apparent for the future, is that customer data rights are an ever-evolving issue that will need to be updated and new laws considered as new technology emerges and the consumer landscape continues to evolve.

Learn More: Privacy vs. Monetization

Understand more how your personal data is being used by businesses and what the future may look like when it comes to your own data by watching this 17-minute TEDxBermuda talk given in 2015.

You can also view a transcript for the video “The Future of Your Personal Data” here (opens in new window).


  1. McCallister, Erika, Grance, Tim, Scarfone, Karen. Guide to Protecting the Confidentiality of Personal Identifiable Information (PII). Special Publication 800–122. Gaithersbueg, MD: U.S. Department of Commerce, 2010.
  2. Nicastro, Dom. “Examining Where 8 US States Stand on Consumer Data Privacy Laws.” CMSWire.com, August 30, 2019.