Over the past few years, we at Malwarebytes Labs have devoted thousands of words, dozens of blogs, and many podcast episodes to data privacy, which is why whenever Data Privacy Day rolls around each year, the biggest struggle we face is narrowing down all the information we want to share.

This Data Privacy Day—which we’re celebrating for the whole week—we’re going to streamline our advice to users. Data privacy itself, and the laws behind it, are cruelly complex, largely because every state in the US can take its own approach to data privacy, and because every country in the world does the same. Basic definitions for what type of data is protected do not often carry over from country to country or state to state, and it is only recently that faraway geographies started looking to one another for inspiration in passing data privacy laws at home.

Today, let’s remove the focus on the laws and the territories and the court cases and the differences between “personal information” and “personally identifiable information.”

Let’s instead look at what you, the user, should know most about data privacy and what you can do to protect yourself online.

1. You are not alone

In 2019, Malwarebytes surveyed nearly 4,000 individuals across 66 countries, asking them about their approaches to online privacy and cybersecurity. Do they care about online privacy? Do they do anything to protect their information online? Where do they admittedly fail?

The results were clear: Almost everyone, no matter their age or postal code, cares about online privacy.

A full 96 percent of respondents said they care about protecting their personal information, while 97 percent said they take steps in protecting their online data. Those steps include refraining from posting any sensitive personal data online, using cybersecurity software on their machines, running software updates regularly, and verifying the security of websites before making any purchases.

2. In the US, you have few legal options to assert your data privacy rights in court

Historically, the United States has approached data privacy legislation on a case-by-case basis, writing and passing laws that protect specific types of data collected by industry-specific companies.

There’s a law that protects health care data handled by health care providers (HIPAA). There’s a law protecting children’s data that applies to companies that knowingly market their products toward children (COPPA). There’s a law for video rental history, another for credit information, and another for banks, insurance companies, and certain financial institutions that collect personal information.

However, the sheer volume of these sector-specific data privacy laws has never coalesced into comprehensive, legal data protection for Americans. Instead, the laws interlink to form more of a net—holes included.

Now, individual states have tried to remedy this by passing their own, broader data privacy laws, but only California, Colorado, and Virginia have actually done so. It’s also important to remember that passage of these laws is not a clear success for people living in those states. Virginia’s state data privacy law, for instance, lacks the one pivotal right that privacy advocates have demanded for years—that if a company invades your data privacy rights, you can sue them over it.  

This idea, which is referred to as a “private right of action,” is entirely absent in America’s national concept of data privacy, which means that, even if you think a company has invaded your digital privacy, there’s little you can do about it.

As we wrote before:

“If a company gives intimate menstrual tracking info to Facebook? Tough luck. If a flashlight app gathers users’ phone contacts? Too bad. If a vast network of online advertising companies and data brokers build a corporate surveillance regime that profiles, monitors, and follows users across websites, devices, and apps, delivering ads that never disappear? Welcome to the real world.”

When a certain type of data isn’t regulated by a certain law, consumers are left with little legal recourse, said Lee Tien, senior staff attorney for Electronic Frontier Foundation.

“In general, unless there is specific, sectoral legislation, you don’t have much of a right to do anything with respect to [data privacy],” Tien said.

Ouch.

There is one caveat though…

3. Companies cannot legally lie about how they handle your data

In the US, companies are bound by laws that prohibit “unlawful, unfair, or fraudulent” business practices, along with “unfair, deceptive, untrue, or misleading” advertising. Those laws also cover data protection practices.

So, if a company says it will not sell your data, but it does, that company has broken the law, and it can be hit with a lawsuit. This same principle applies when a German automaker lies to the public about its “clean diesel” engines, or when the world’s largest social media company allegedly violates a privacy decree it made many years prior.

While these types of lawsuits can be filed by individuals, their success is limited. If, say, an individual wants to sue a company because of a data breach, that individual must first show that they personally suffered harm. Because of the myriad variables involved in any data breach—the actual criminals who stole the data, the direct relation from a data breach to potential economic injury—such harm is exceedingly difficult to prove.

In 2017, for instance, an Uber driver failed to meet just this requirement when he sued the company for a data breach that affected up to 50,000 drivers.

The judge at his hearing told him:

“It’s not there. It’s just not what you think it is…It really isn’t enough to allege a case.”

Fortunately, there is yet another caveat. State Attorneys General, county District Attorneys, and city attorneys can sue a company for its deceitful business practices without having to show personal harm. 

Those lawsuits have worked.

4. Your data privacy rights are largely determined by your home address

Several years ago, the outlook on national data privacy legislation in the United States seemed hopeful.

In 2018, after the Guardian revealed how a political consultancy harvested the Facebook profiles of millions of unwitting users in a covert operation to sway the 2016 US presidential election, Congress responded. They called in Facebook CEO Mark Zuckerberg to testify. They peppered him with questions. They told him to his face that they would regulate his lurching social media behemoth.

Shortly after, Congress also invited Google, Alphabet, Twitter, and Facebook executives to explain what their companies were doing to curb Russian disinformation campaigns, and they balked at Google’s self-branded “error” in failing to disclose the microphones installed in its Nest home security products.

They were angry, and in America, anger gets laws passed. But since then, they’ve largely lost interest.

The oxygen in Washington DC is now taken up by other matters, and the bevy of data privacy bills introduced both in the Senate and the House of Representatives have stalled, with no single bill leading the pack.

Users in America—and many across the world—must now leave their data privacy rights to a roll of the dice. Do they live in a state or country that simply wants to expand data privacy rights? Or do they live somewhere else? And even if their local representatives want to pass new data privacy rights, will those representatives pass a strong enough bill to substantially improve people’s experiences online?

But now is not the time for defeatism. If anything, it’s more important than ever to take your data privacy rights into your own hands.

5. Take data privacy into your own hands with online tech tools

Filing a successful lawsuit—or waiting around for a government attorney to file one for you—is not the only way to protect your online privacy. Today, there are multiple online privacy tools that protect users from invasive online tracking, helping to put a wall between users and persistent online ads.

Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse, said that users can protect their online activity by using a number of both privacy-focused web browsers and tracker-blocking browser extensions. Though Privacy Rights Clearinghouse does not endorse any products, Stephens mentioned the web browsers Brave and Firefox Focus—which both automatically block online tracking—and the browser extension Disconnect, which the New York Times once chose as its favored anti-tracking tool.  

6. Beware of “data leakage”

Stephens had more advice for users that want to protect their online information: Do not trust any app to leave your private data alone.

“We have this naïve conception that the information we’re giving an app, that what we’re doing with that app, is staying with that app,” Stephens said. “That’s really not true in most situations.”

Stephens pointed to several examples of mobile apps that have, for no discernible reason, vacuumed up user data, like the flashlight app that collected mobile contacts. To avoid this problem, Stephens suggested users navigate the Internet on their mobile devices with a privacy-focused browser and not through any company-developed app.

“Quite frankly,” Stephens said, “I would not trust any app to not leak my data.”