Dave Nelson wasn’t going to let his audience sit quietly.
Despite leading a session at the Iowa Technology Summit on Tuesday, Nelson, president and CEO at information security firm Pratum, opened dialogue with the First Amendment of the U.S. Constitution.
It was a short lesson on constitutional rights that would fit right in at the average journalism convention: the government guarantees protection of speech from the government, Nelson said. It does not guarantee protection of speech from consequences.
“That’s a fundamental misalignment that’s impacting technology, because now people are thinking they can use technology to do all these things, and they have some fundamental protection that they don’t,” Nelson said. “We think about [the workplace], sporting events, public hearings, social media – all these things where people are spewing whatever vile they want, or whatever opinion they want, or whatever position they want.”
“This applies to you, you have to be involved. None of you can sit there in your seat and be apathetic to these issues, and expect anything to get better,” Nelson told his audience.
Before opening the floor to session attendees, Nelson highlighted three key regulations businesses should be wary of when conducting digital business.
Electronic Communications Privacy Act (ECPA), 1986
ECPA covers written and wire communication, and was originally written to update the Federal Wiretap Act of 1968. ECPA, like other U.S. privacy laws, is too outdated to meaningfully offer guidance in the digital age, Nelson said.
Data stored in the cloud may legally be considered abandoned after it is more than 180 days old. Most cloud data contracts with users say the company will “do our best” to give users 24 hours’ notice before complying with law enforcement requests, Nelson said.
“That’s our long-term storage repository, that’s our backup disaster recovery,” Nelson noted. “All of that is, in the eyes of the federal government and the court system, fair game.”
Computer Fraud and Abuse Act (CFAA), 1984
This act was designed to apply only to a protected computer, Nelson said. A protected computer was defined as a machine involved in interstate commerce or financial transactions – of course, in 1984, users weren’t using cell phones to manage investment accounts, or purchasing internet-connected refrigerators.
“We can’t legislate, we can’t govern on the status quo in a changing environment like what we have,” Nelson said.
General Data Privacy Regulation (GDPR), 2018
The GDPR is the European Union’s broad regulation of private data, which includes protection for internet users’ names, photos, IP addresses, geolocation and ethnicity. Via treaty, the U.S. has agreed to prosecute U.S. companies who fail to abide by the E.U.
This applies broadly to U.S. companies, from those that serve clients based in the E.U. over the web to those that send employees abroad with computers and create documents or content in the E.U. Under the GDPR, users’ names, photos, IP addresses, ethnicity and geolocation data are all protected personal information.
“We have a very, very narrow view of privacy and information, and they have a very broad view,” Nelson said. “If you’re a company that has any of this type of data on an E.U. citizen, you have issues.”