What is data privacy?

Data privacy generally means the ability of a person to determine for themselves when,
how, and to what extent personal information about them is shared with or
communicated to others. This personal information can be one's name, location, contact
information, or online or real-world behavior. Just as someone may wish to exclude
people from a private conversation, many online users want to control or prevent
certain types of personal data collection.

As Internet usage has increased over the years, so has the importance of data privacy.
Websites, applications, and social media platforms often need to collect and store
personal data about users in order to provide services. However, some applications and
platforms may exceed users' expectations for data collection and usage, leaving users
with less privacy than they realized. Other apps and platforms may not place adequate
safeguards around the data they collect, which can result in a data breach that
compromises user privacy.

Why is data privacy important?

In many jurisdictions, privacy is considered a fundamental human right, and data
protection laws exist to guard that right. Data privacy is also important because in order
for individuals to be willing to engage online, they have to trust that their personal data
will be handled with care. Organizations use data protection practices to demonstrate to
their customers and users that they can be trusted with their personal data.

Personal data can be misused in a number of ways if it is not kept private or if people
don’t have the ability to control how their information is used:

 Criminals can use personal data to defraud or harass users.

 Entities may sell personal data to advertisers or other outside parties without
user consent, which can result in users receiving unwanted marketing or
advertising.
  When a person's activities are tracked and monitored, this may restrict their
ability to express themselves freely, especially under repressive governments.

For individuals, any of these outcomes can be harmful. For a business, these outcomes
can irreparably harm their reputation, as well as resulting in fines, sanctions, and other
legal consequences.

In addition to the real-world implications of privacy infringements, many people and

countries hold that privacy has intrinsic value: that privacy is a human right fundamental
to a free society, like the right to free speech.

What are the laws that govern data

privacy?
As technological advances have improved data collection and surveillance capabilities,
governments around the world have started passing laws regulating what kind of data
can be collected about users, how that data can be used, and how data should be
stored and protected. Some of the most important regulatory privacy frameworks to
know include:

 General Data Protection Regulation (GDPR): Regulates how the personal data
of European Union (EU) data subjects, meaning individuals, can be collected,
stored, and processed, and gives data subjects rights to control their personal
data (including a right to be forgotten).

 National data protection laws: Many countries, such as Canada, Japan,

Australia, Singapore, and others, have comprehensive data protection laws in
some form. Some, like Brazil's General Law for the Protection of Personal Data
and the UK's Data Protection Act, are quite similar to the GDPR.

 California Consumer Privacy Act (CCPA): Requires that consumers be made

aware of what personal data is collected and gives consumers control over
 their personal data, including a right to tell organizations not to sell their
personal data.

There are also industry-specific privacy guidelines in some countries: for instance, in the
United States, the Health Insurance Portability and Accountability Act (HIPAA) governs
how personal healthcare data should be handled.

However, many privacy advocates argue that individuals still do not have sufficient
control over what happens to their personal data. Governments around the world may
pass additional data privacy laws in the future.

What are Fair Information Practices?

Many of the existing data protection laws are based on foundational privacy principles
and practices, such as those laid out in the Fair Information Practices. The Fair
Information Practices are a set of guidelines for data collection and usage. These
guidelines were first proposed by an advisory committee to the U.S. Department of
Health, Education, and Welfare in 1973. They were later adopted by the international
Organization for Economic Cooperation and Development (OECD) in its Guidelines on
the Protection of Privacy and Transborder Flows of Personal Data.

The Fair Information Practices are:

 Collection limitation: There should be limits to how much personal data can
be collected

 Data quality: Personal data, when collected, should be accurate and related to
the purpose it is being used for

 Purpose specification: The use for personal data should be specified

 Use limitation: Data should not be used for purposes other than what was
specified
  Security safeguards: Data should be kept secure

 Openness: Personal data collection and usage should not be kept secret from
individuals

 Individual participation: Individuals have a number of rights, including the

right to know who has their personal data, to have their data communicated
to them, to know why a request for their data is denied, and to have their
personal data corrected or erased

 Accountability: Anyone who collects data should be held accountable for

implementing these principles

What are some of the challenges users

face when protecting their online
privacy?
Online tracking: User behavior is regularly tracked online. Cookies often record a user's
activities, and while most countries require websites to alert users of cookie usage, users
may not be aware of to what degree cookies are recording their activities.

Losing control of data: With so many online services in common use, individuals may
not be aware of how their data is being shared beyond the websites with which they
interact online, and they may not have a say over what happens to their data.

Lack of transparency: To use web applications, users often have to provide personal
data like their name, email, phone number, or location; meanwhile, the privacy policies
associated with those applications may be dense and difficult to understand.

Social media: It is easier than ever to find someone online using social media platforms,
and social media posts may reveal more personal information than users realize. In
addition, social media platforms often collect more data than users are aware of.
Cyber crime: Many attackers try to steal user data in order to commit fraud,
compromise secure systems, or sell it on underground markets to parties who will use
the data for malicious purposes. Some attackers use phishing attacks to try to trick users
into revealing personal information; others attempt to compromise companies' internal
systems that contain personal data.

What are some of the challenges

businesses face when protecting user
privacy?
Communication: Organizations sometimes struggle to communicate clearly to their
users what personal data they are collecting and how they use it.

Cyber crime: Attackers target both individual users and organizations that collect and
store data about those users. In addition, as more aspects of a business become
Internet-connected, the attack surface increases.

Data breaches: A data breach can lead to a massive violation of user privacy if personal
details are leaked, and attackers continue to refine the techniques they use to cause
these breaches.

Insider threats: Internal employees or contractors might inappropriately access data if it

is not adequately protected.

What are some of the most important

technologies for data privacy?
  Encryption is a way to conceal information by scrambling it so that it appears
to be random data. Only parties with the encryption key can unscramble the
information.

 Access control ensures that only authorized parties access systems and data.
Access control can be combined with data loss prevention (DLP) to stop
sensitive data from leaving the network.

 Two-factor authentication is one of the most important technologies for

regular users, as it makes it far harder for attackers to gain unauthorized
access to personal accounts.

These are just some of the technologies available today that can protect user privacy
and keep data more secure. However, technology alone is not sufficient to protect data
privacy.

What steps does Cloudflare take to

protect privacy?
Cloudflare believes data privacy is core to the mission of helping build a better Internet.
Cloudflare products are built with privacy in mind, and Cloudflare has released a number
of services designed to protect online user privacy:

 1.1.1.1 is a free DNS resolver that does not track or store DNS queries (unlike
many other DNS resolvers, which may sell this information to advertisers)

 Cloudflare supports DNS over HTTPS, which completely encrypts DNS queries

 Cloudflare offers free SSL for any website that uses Cloudflare

 Project Galileo protects the privacy of important vulnerable organizations free

of charge
  Cloudflare Web Analytics enables businesses to analyze traffic to their
websites without compromising their users' privacy

Cloudflare also publishes a semi-annual transparency report on the requests we have

received to disclose information about our customers. The report includes a set
of warrant canaries. Additionally, the Cloudflare privacy policy can be reviewed here.

To learn more about Cloudflare's efforts to protect user privacy, see this blog post.