Explore the world of online data privacy with this rich timeline. Revisit pivotal moments in our shared online history and discover actions that you can take today to increase your online safety. See an interactive version of this timeline at MyDataMyChoice.me


The Dawn of Data Privacy


The US Government Collects Data on American Citizens

Following President Lyndon Johnson’s decision to create a centralized database with every citizen’s information, citizens rise up in frustration.

Congress holds numerous hearings that a computerized national data bank could mean endless snooping and infringe on citizens’ rights. The project isn’t realized, however the Fair Credit Reporting Act of 1970, and the Privacy Act in 1974 are created.


The Internet Goes Public

Previously a military project, the Internet is opened up to the public. Entrepreneurs start earning money online.  Users with dial-up connections access content they’ve never found in a library. Communication flourishes.


sting cd twitter post

A Sting CD is the First Thing Sold on the Internet

On August 12, 1994, the internet enables the first e-commerce purchase. A Philadelphia resident uses his credit card to order a Sting CD on what is one of the first e-commerce websites. The purchase is encrypted with a program called PGP (“Pretty Good Privacy”).


Netscape Uses the First Cookie and Creates SSL

Netscape creates the first browser cookie. In 1994, it fulfills the same purpose as it does today: allowing companies to recognize users, track their activity on the Internet, and build a customer profile. Originally, Netscape created the cookie to recognize users who have already visited certain websites. The cookies are accepted by default. Users aren’t even notified of their existence.

Netscape also develops SSL (Secure Sockets Layer) as a way of securing communications between clients and servers on the Internet.

ACTION: Find out whether your browser is  tracking you. Check with Panopticlick.


Amazon and eBay Launch Their Websites

In July 1995, Jeff Bezos launches Amazon as an online bookstore. In the autumn of 1995, Pierre Omidyar also launches eBay. The two events are widely considered to be the real start of the dot com bubble.

ACTION: Tired of impulse purchases. Delete Your Account.

ACTION: Stop the bidding madness.  Adjust Your eBay Account (or just ask a trusted friend to change your password!)

The European Data Protection Directive Is Adopted

Following privacy concerns regarding the websites that started collecting customer data in the period of the first tech bubble, the European Union passes a directive governing the processing of personal data on October 24, 1995.


A New Way to Reach Your Audience

With the Internet, marketers suddenly have a new way to communicate to their potential customers.

Hotmail develops a free email service that opens up email addresses to the public (not just something for students or businesses anymore). Marketers can now reach thousands of prospects online.

A tweet linking an opinion article: "The president of the Electronic Privacy Information Center says the United States has made some progress but needs to do more."

Surfers Beware: The Electronic Privacy Information Center Reviews 100 Most Popular Sites

In 1997, the Electronic Privacy Information Center reviews a hundred of the Internet’s most popular sites only to realize that only 17 of them have an explicitly stated privacy policy.

Out of the 100 websites they examine, 24 are found to use cookies, and none of them allow users to access their data.

The Center concludes that data privacy will be one of the biggest challenges for the Internet, and they recommend creating privacy policies, enabling users to view their data and use the website anonymously should they wish to do so. Their goal is to add more transparency to the way data is collected and processed.

ACTION: Tired of being tracked by your browser? Block Invisible Browser Trackers.


PayPal Launches

PayPal launches as an online payment system and a money transfer tool used by e-commerce websites to process payments. The company regularly faces problems with regulations and fraud. To use PayPal, e-commerce websites have to share data with PayPal, and PayPal encrypted this sensitive financial information. It’s very similar to how PayPal operates today.


The DoubleClick Merger Scandal

Advertising giant DoubleClick plans to merge with data brokerage company, Abacus Direct.

DoubleClick uses the Dynamic Advertising Reporting and Targeting (DART) system to allow advertisers to move their ads, track the number of clicks, and select which ads will be displayed to whom. The information they collect includes: Browser type, OS, ISP, bandwidth, date and time, and the IP address of visitors.

A privacy scandal erupts when DoubleClick announces they want to deanonymize ads data, infringing on the privacy rights of millions of consumers whose behavior had been tracked.


Google Ads tweet announcing a guide for using Google Analytics and Google Ads.

Online Credit Card Fraud

In early 2000’s, online credit card fraud increases due to insecure protocols used to transmit financial information over the web. According to CyberSource, online retailers lose $1.5 billion in online revenue due to credit card fraud by the year 2000.


Google Launches AdWords

Google AdWords (now known as Google Ads) is initially released on October 28, 2000. It uses cookie technology and keywords searched for by users to decide which ads will be displayed across their (then still budding) advertising affiliate network.

ACTION: Tired of telling Google what you do? Delete your Google account.


The Patriot Act, Total Information Awareness, and Surveillance Following 9/11

Following 9/11, the USA starts developing technology that will enable the government to gather, analyze and store local and international data locally. The Patriot Act, passed six weeks after 9/11, lawfully broadens the surveillance powers given to the National Security Agency.

According to the New York Times’ 2005 reports, this decision allows the NSA to monitor “the international telephone calls and international e-mail messages of hundreds, perhaps thousands, of people inside the United States.”

ACTION: Learn more about the Patriot Act and how it may impact you.


The Creation of Network Advertising Initiative

Following the DoubleClick scandal and other data privacy concerns, a group of industry experts form the Network Advertising Initiative (NAI) and publish a set of principles in coordination with the Federal Trade Commission.

In 2002, the NAI releases guidelines for the use of web beacons (behavior tracking code). The code that is used to track visiting and tracking patterns and install cookies is supposed to ask for consent when personally identifiable information is transferred to a third party.

The NAI also advocates for transparency and allowing website visitors to clearly see which information is being collected, and how it’s being processed. Additionally, NAI-compliant ad networks are to give consumers a choice to opt out of being tracked and targeted with ads.

ACTION: You can opt-out of interest based advertising with NAI members.


MySpace Launches

In 2003, Chris DeWolfe, Tom Anderson and Jon Hart establish MySpace — the first major social network.  It is the largest social networking site in the world from 2005-2008.

MySpace only uses website and affiliate advertising to generate revenue. User data is collected from their website and their affiliate network to select ads for each visitor through behavioral targeting.

The Can Spam Law

Inboxes grow crowded as digital marketers email customers and spam becomes a very real problem. The Can Spam Law and the Data Protection Act require all businesses to include an opt-out option in email communications. The law makes it mandatory for commercial email senders to provide opt-outs, state their physical address, and identify ads.


A tweet thread talking about how Facebook started as "Facemash", a "Hot-or-Not" ripoff

Rampant Web Attacks

2004 sees rampant hacker attacks. Web software vulnerabilities are hacked to intercept sensitive data. Some of the methods used are Trojans, keystroke loggers, and malware.

Facebook is Born

On February 4, 2004, Mark Zuckerberg, Eduardo Saverin, and others team up and create Facebook.

Originally, Zuckerberg creates Facebook’s beta version – Facemash – as a dating and meetup site for college students. Their profiles contain personal information and photos, and users get to decide who’s hot – and who’s not. This site attracts more than 450 visitors within the first four hours of launching.

Harvard administration charges Zuckerberg with breaching security, copyright violations, and privacy violations as he uploaded photos and information about Harvard students without their consent.

The Payment Card Industry Security Standards Council (PCI) is Formed

With the threat of cyber attacks and the rise of online shopping’s popularity, the PCI is formed to ensure that businesses comply with the security standards necessary for safe online shopping.

Online Data Privacy Gains Traction

Late 2004

PCI Releases the First Unified Security Standard

PCI releases the new unified security standard which is supported by five major credit card brands (including Visa and MasterCard). Other merchants and organizations have to comply with the new security standard as to prevent the breaches of early 2004. 

This is the first security standard that required all merchants and website owners who processed more than 20,000 card transactions annually to be compliant with the regulations if they wanted to process payments online.


Facebook Launches the First News Feed

Facebook launches the first News Feed. Facebook is accused of breaching user privacy. The news feed is modified to allow users to adjust some privacy settings.


Facebook Tries to Share Online Purchasing Behavior

Facebook pilots Beacon, a program that sends notifications to users’ friends when they make purchases online. This would allow Facebook to offer targeted ads. Users respond to Beacon by filing a class-action lawsuit and the project is scrapped. (This is not the end of targeted advertising with Facebook.

Google introduces Street View

Google cars start roaming streets worldwide, capturing images to show in maps. Users are concerned with the level of detail shown in the images — streets, people, and homes are shown.

It is later revealed that Google cars also collected information from public Wi-Fi networks in 30 countries. Google starts blurring individuals’ faces and car license plates in an effort to protect their privacy. Users are invited to flag photos that may infringe on privacy.


Google Acquires DoubleClick

Google moves into online display advertising, with the $3.1Billion purchase of DoubleClick, the largest online advertising company. This includes acquiring DoubleClick’s ad software, as well as relationships with web publishers and advertisers.


Facebook Launches Social Login

Facebook launches a social login service, Facebook Connect. Users can now log into a variety of sites using their Facebook profile. The “partnered” websites can access details about the users’ Facebook profile, including their full name, photos, wall posts and friend lists.

Twitter, LinkedIn and Google+ follow with their own social logins in 2009, 2010 and 2011, respectively.

Consumers begin to worry about online privacy. “Single Sign-On (SSO)” logins allow social networks to share user data with third parties — usually in the service of advertising. Companies can legally target users with advertisements based on their behavior across several “partnered” websites.

ACTION: Find out what Facebook knows about you and how to change that.

ACTION: Learn how to delete your Google account.

ACTION: Delete yourself on other social networking sites.

Facebook Copyright Qualms

Following public outrage, Facebook modifies their terms of use to offer more data rights to users. (Facebook previously reserved the right to use all the content uploaded to the site by users.)

Facebook allows users to make their photos and videos private, but the default setting is still “public.” Status updates also remain public.

ACTION: Find out what Facebook knows about you and how to change that.

Appreciation Engine Begins!

In 2009, The Appreciation Engine (AE) is founded by Jeff Mitchell and Annabel Youens with a singular purpose: Use data to create a two-way relationship between businesses and consumers.

Vocal about their support of data privacy, AE has been steadily working on creating better marketing solutions that focus on customer experience.


Permission-Based Email Marketing

By 2009, email marketers realize that many of their emails aren’t even reaching their prospects’ inboxes.

Marketers realize the main reason for email subscription opt-outs is lack of relevance. Permission-based email marketing shows up, requiring interested users to opt-in to email marketing. The results are higher open rates, more interested email recipients, and (perhaps) less spam.


Birth of Instagram

In October of 2010, Kevin Systrom and Mike Krieger launch Instagram – a photo-sharing social network.


Google Buzz Privacy Violation

Google settles Federal Trade Commission (FTC) charges of deceptive practices and consumer privacy violations related to their social network, Google Buzz.

The FTC complains Google is violating its own privacy policies by using Gmail data for its Buzz network without consent. Google ignored Gmail users’ rights to decline being included in Buzz, and uploaded Gmail user data to Buzz regardless of whether someone chose to join the social network or not.

The settlement bans Google from future privacy misrepresentations, requires the company to implement a comprehensive privacy program, and makes regular privacy audits mandatory until 2031.


Google Introduces the Omnichannel Experience

Google announces that it will consolidate user data across a variety of Google platforms to offer a better customer experience. The program is implemented using Google Accounts, as opposed to scattered Google services users previously had to use. Now users can access everything from a single panel.

Google also updates their privacy policy and makes the data privacy changes clear to all users.


Facebook Acquires Instagram

In April, Facebook acquires Instagram for $1 Billion. The change in Terms of Use means all users agree by default to businesses paying Instagram to display their usernames, likeness, photos (with metadata), and behavior as a form of advertising.

Instagram’s competitors respond by creating privacy-friendly services.


Email Audience Segmentation and Targeting

Infusionsoft, an email marketing company, raise more than $71 Million, including $54 Million from Goldman Sachs, to keep working on a way to target email subscribers more accurately. In the early days, Infusionsoft tags email subscribers based on the websites they visit and the actions they take on them.

The DMA (Data & Marketing Association) reports that over 85% of marketers are segmenting their email lists.

The New Era of Data Privacy: the Good and the Bad


iCloud Under Attack

Hackers released not-so clothed pictures of celebrities stolen from their Apple iCloud accounts. The leak causes a huge uproar and prompts a review of cloud computing services with a special emphasis on private and personal data.

ACTION: Safari sends data to Apple while Chrome sends info to Google. If you’re not cool with that, try Firefox.


Experian Hack

Experian, one of the world’s largest credit agency data brokers is hacked. This means 15 million people who applied for Experian credit checks have their personal information exposed including their names, addresses, social security, driver’s license and passport numbers.

ACTION: Sign up for notifications to find out if any of your personal information has appeared in a data breach.


Canada’s Anti-Spam Law (CASL)

The transition period for the implementation of practices outlined in Canada’s Anti-Spam Law (CASL) ends. The law requires everyone who sends email for commercial purposes to get explicit subscriber consent for receiving the emails in the first place.


Equifax Hack

Personal information stored by the US credit bureau is stolen through a security vulnerability. This affects 145.5 Million customers. The stolen data includes social security, drivers license, names, data of birth, and addresses.

ACTION: Check if your information was hacked.


A tweet linking an opinion article: "The president of the Electronic Privacy Information Center says the United States has made some progress but needs to do more."

General Data Protection Regulation (GDPR)

EU’s General Data Protection Regulation (GDPR) comes into force. This regulation outlines how consumer data can be collected, analyzed, transferred, and stored. Businesses who in any way came into contact with EU citizens’ data have to follow the practices outlined in the regulation or face severe penalties.

ACTION: Find out more about your rights under the GDPR

ACTION: Find out if your business is GDPR compliant.


California Consumer Privacy Act (CCPA)

California follows the EU’s lead in 2018 by creating the CCPA. Similarly to GDPR, the CCPA also outlines how businesses can collect, store and transfer consumer data from Californian residents.

ACTION: Find out more about your rights under the CCPA.

At Least 21 Facebook Privacy Scandals

More than 21 Facebook privacy scandals take place in 2018. The most public of these scandals reveals that Cambridge Analytica, a British political consulting firm collected data from millions of Facebook user profiles and used it for political advertising. Facebook has been facing severe backlash due to these scandals, with consumers calling for stricter regulations when it comes to online data privacy.

ACTION: Find out what Facebook knows about you and how to change that.


Safer Sites with the HTTPS Protocol

Google announces that not having a SSL certificate (HTTPS protocol) will now impact the ranking of websites. SSL certificates allow a more secure connection from web server to browser. By requiring sites to use a HTTPS protocol, Google contributes to a more secure Internet.


Zoom Flaw Gives Hackers Access to Webcam

In an attempt to create a frictionless experience for Mac users, a feature in the video conferencing app Zoom causes a vulnerability that allows an attacker to access a user’s webcam feed without them knowing.

ACTION: Update your Zoom Privacy Settings

ACTION: Safely remove Zoom from your computer


First Cases of COVID-19 Reported to the World Health Organization

Now known as COVID-19, a new strain of coronavirus previously not encountered in humans breaks out in Wuhan, China. The virus is reported to the World Health Organization (WHO) in December after causing numerous cases of pneumonia.

As the number of cases drastically rises, 50 million people in Wuhan and nearby cities are placed under quarantine measures by the Chinese government to control the spread of the virus.

2020 and the Future: Protecting Your Rights


California Consumer Privacy Act (CCPA) Goes into Effect

Originally passed by the California State Legislature on June 28, 2018, the California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020.The CCPA defines California residents’ personal data rights, allowing them access to their personal data and giving them agency over how that data is collected, sold, and disclosed.        


World Health Organization Officially Classifies COVID-19 as a Global Pandemic

The COVID-19 virus spreads beyond China’s borders, causing outbreaks in countries throughout the globe. The World Health Organization classifies COVID-19 as a global pandemic due to the level of spread and severity of the outbreaks.Countries all over the world begin enacting quarantine and lockdown measures to prevent the spread of COVID-19 as the number of cases skyrockets. These measures include shutting down all non-essential businesses and schools, as well as enacting social distancing measures to prevent contact between people.

Zoom Privacy Concerns Increase as Daily User Count Balloons to Over 200 Million

As more and more countries put into place social distancing measures, the daily user count on the video conferencing app Zoom soars from 10 million in December to 200 million in March. Instances of uninvited participants showing up in and derailing private Zoom conferences make headlines and Eric Yuan, Founder and CEO of Zoom, puts out a statement in response to privacy and safety concerns on the app.

ACTION: Update your Zoom Privacy Settings

ACTION: Safely remove Zoom from your computer. 

Privacy Concerns Around COVID-19 Contact Tracing

Using smartphones to trace close physical interactions between individuals is proposed by public health experts and others in order to help mitigate the spread of COVID-19. For many, the idea raises concerns over privacy, freedom and civil liberties.

Schrems II Court Decision Concerning Data Transfers

A landmark ruling by the European Court of Justice in the case of Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (known as the Schrems II case) found that the EU-US Privacy Shield did not provide adequate protections for transferring data between the US and Europe and therefore was invalid effective immediately. The validity of Standard Contractual Clauses (SCCs) was upheld, but data exporters must verify on a case-by-case basis whether the SCC provides adequate protection, under EU law, of the personal data being transferred. If not, data exporters must provide additional safeguards.

Action: If you want to know more about the Schrems II ruling, check out the frequently asked questions document from the European Data Protection Board. If you’re an EU citizen, you can learn about your rights here.


New Data Privacy Laws and Existing Legislation under Review 

Following in the footsteps of the GDPR, many countries began reviews of their existing data privacy legislation in 2020 and 2021.


In late 2020 and early 2021, the Canadian government held an online public consultation on Privacy Act modernization, from which Justice Canada produced a report of the key findings. Additionally, building on Canada’s Digital Charter, the Digital Charter Implementation Act was proposed in November of 2020, aiming to modernize the protection of personal information in the private sector. The process of updating Canada’s privacy laws is still on-going, though individual provinces such as Quebec and British Columbia are passing their own privacy legislation.


In October of 2021, the Australian government released a draft of the Privacy legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021, which includes strict privacy requirements and tougher penalties enforced by the Office of the Australian Information Commissioner. 

United States

Multiple states proposed legislation to protect consumer data privacy in 2021, with two states signing legislation into law. On March 2, Virginia passed the Virginia Consumer Data Protection Act (VCDPA), building on the frameworks used in California’s legislation and the GDPR and giving consumers the ability to access and control their personal data collected by private businesses. On July 7, similar legislation was signed into law in Colorado, giving consumers the right to access their information and not have their information sold. 

Also of note, the New York Privacy Act (NYPA) also passed out of committee in May of 2021. The bill is broader in scope than other privacy legislation in the US, including consumer rights similar to the GDPR such as the right to access, correct and delete personal information. The NYPA is still pending.

Action: To read more about the pending consumer privacy legislation in the US, check out this article.

European Commission Adopts Updated SCCs

On June 4, 2021 the European Commission adopted two new sets of Standard Contractual Clauses (SCCs) that align with GDPR requirements and the Schrems II ruling. One SCC is for use between controllers and processors, while the other is for the transfer of personal data to third countries. The new SCCs provide a template for businesses to use so that they meet data protection requirements.

Action: The SCC for controllers and processors can be found here. The SCC for international data transfers can be found here.

iOS14.5 and 15

On April 26, 2021, Apple released iOS14.5 which included a privacy update that shook the mobile games marketing world. iOS1.5 did away with default sharing of a user’s Identifier for Advertisers (IDFA), a device-level identifier that advertisers used to track individuals’ interactions with mobile advertising campaigns, without collecting personal and identifying information. The end of IDFA meant that mobile advertisers had to adjust their marketing strategies on iOS. The mobile marketing world is still adapting to the change.

In September of 2021, iOS15 was released along with new privacy features. The update debuted Mail Privacy Protection, a new feature that would allow users to opt in to mail privacy features including masking their IP and blocking third parties from tracking email opens. Another feature called Hide My Email (available to iCloud+ users) allows users to create a “fake” email address for signups. Emails still go to the user’s inbox, but companies are unable to see the user’s real email address without their permission.

Cookieless future but not yet — Google pushes end of third-party cookies to 2023

After announcing that they would follow in the steps of Firefox and Safari by phasing out third-party cookies in the Chrome browser in 2022, Google announced in June of 2021 that they would be pushing the phase-out to mid-2023.

The Future: Protecting Your Rights

The  Future: Protecting Your Rights

From the time the Internet was a baby, regulators have had a hard time catching up with everything it can do. Personal data has been collected, stored, shared and sold without many limitations — by everyone from advertisers to hackers.

Change is happening.

We’re looking forward to a future where data is better protected, kept safe, and used to create improved experiences for customers. As major internet players begin to roll out programs and tools that protect your first-party data we’re all on our way to a more beautiful, safe and collaborative Internet.

ACTION: 11 Secrets That Will Make You More Secure On The Internet – a brilliant and super actionable list by Eric Barker.