In this article, we discuss the various federal and state data privacy laws in the United States. This will help you fully comprehend the provisions of those laws and prepare your business for compliance.
Technology Advisor | Cybersecurity Evangelist. Updated: October 19, 2022
In the digital age, data privacy protection and regulation have become more critical than ever.
It is now a matter of priority for most individuals, organizations, and governments across the globe. As a result, virtually every free country, including the United States, has introduced some form of data protection regulation to govern how personal information is collected, stored, and shared, and what control a data subject has over their personal information.
In the U.S., for example, there is no central, all-encompassing federal data privacy law like the EU GDPR. Instead, there are several vertically focused federal data privacy laws, each targeting one sector of the economy, as well as a new generation of consumer-oriented privacy laws coming from the states. The U.S. Federal Trade Commission (FTC) is the agency vested with the power to enforce those regulations at the federal level, while state attorneys general do the same at the state level.
This article will take a detailed look at the various federal and state data privacy laws in the United States. Hopefully, this will help you fully comprehend the provisions of those laws and prepare your business for compliance.
The Privacy Act is a United States federal law enacted on December 31, 1974, to govern the collection, use, and dissemination of personally identifiable information (PII) about individuals held by federal agencies.
It was created in response to concerns about how the creation and use of computerized databases might impact individuals’ privacy rights.
The Act only covers U.S. citizens and permanent residents. Thus, only a citizen or permanent resident can sue under the Privacy Act. In addition, the Act applies only to certain federal government agencies.
Privacy Act obligations: The Privacy Act protects citizens’ privacy through the following rules and rights in the handling of personal data:
However, there are specific exceptions to the Act that allow personal information to be disclosed under certain conditions. These exceptions mean that individual privacy is not as fully guaranteed as the Act’s drafters might have wished. Furthermore, the Privacy Act only applies to records held by an “agency.” Therefore, records maintained by courts, executive components, or non-agency government entities are not subject to the provisions of the Privacy Act, and the Act grants no right of access to those records.
Penalties for violating the Privacy Act: The Privacy Act provides civil and criminal penalties for violating the Act’s provisions. The following are some of the applicable penalties for non-compliance:
HIPAA is a federal statute that was signed into law on August 21, 1996. It was created primarily to modernize the flow of healthcare information and stipulate how the confidentiality and integrity of personally identifiable information (PII) held by healthcare providers should be protected.
HIPAA is crucial because it ensures healthcare providers and related organizations implement adequate safeguards to protect sensitive personal health information.
HIPAA obligations: Healthcare providers are obligated to put safeguards in place to protect the confidentiality, integrity, and availability of protected health information (PHI). The following rules define the structure of everything related to HIPAA compliance requirements:
Patient’s rights: Patients have several rights under the HIPAA privacy rule, including access to their health records and the right to request corrections.
The right of access provides individuals with a legal, enforceable right to access and receive copies, upon request, of the information in their health records held by their healthcare providers. A patient also has the right to amend PHI for as long as the PHI is in a designated record set.
Penalties for violating HIPAA: All healthcare-related entities that collect, store, or share patient health information are expected to be in complete compliance with HIPAA. Non-compliance with the provisions of the law attracts stiff penalties. The most common type of violation stems from non-compliance with the HIPAA privacy, security, or breach notification rules.
The penalties for non-compliance are based on the level of negligence. They can range from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail terms. Here is a list of notable HIPAA violations and fines from 2015-2021 and a list of those currently under investigation.
GLBA is a federal statute that was signed into law on November 12, 1999. The law requires financial institutions and other businesses that offer financial services and products to communicate to their customers how they protect and share their private information, and to inform customers of their right to opt out of any third-party data sharing.
GLBA compliance makes it mandatory for all financial institutions to have policies in place to protect the confidentiality and integrity of customers’ information from any foreseeable threats.
GLBA obligations: Financial services providers are obligated to put safeguards in place to protect the confidentiality, integrity, and availability of customers’ personal information by adhering to the following rules:
Penalties for violating GLBA: Failure to comply with GLBA attracts severe penalties for the financial institution and its employees.
COPPA is a United States federal law enacted on April 21, 2000, to regulate the online collection of personal information about children under 13 years of age.
The law protects children’s privacy by requiring parental consent before any personal information about a child is collected or used. It was created to increase parental involvement in children’s online activities, in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without parental notification.
The Act applies to commercial websites and online services (including mobile apps) that are directed at children, as well as foreign websites that are directed at U.S. children. It doesn’t apply to general-audience websites unless they have specific services that attract children to their site.
COPPA obligations: Websites or mobile apps directed to children are obligated to adhere to fair information practices in the collection and use of personal information. The National Law Review has a detailed breakdown of the steps you need to take to comply with COPPA obligations:
Penalties for violating COPPA: The FTC has the authority to enforce COPPA compliance. According to the FTC, courts may fine violators of COPPA up to $42,530 in civil penalties for each violation. The amount of civil penalties a court assesses depends on several factors, such as the severity of the offenses, any previous record of violations, the number of children involved, the amount and type of personal information collected and how it was used, and the size of the company.
The FTC has brought several actions against online services companies for failing to comply with COPPA requirements, including actions against Google, TikTok, Lisa Frank, American Pop Corn Company, and others. Google has in recent times shifted responsibility for COPPA compliance onto YouTube kids’ content creators. This means that videos targeted at kids under 13 years can no longer carry behaviorally targeted ads.
FACTA is a federal statute signed into law on December 4, 2003, as an amendment to the Fair Credit Reporting Act.
It was primarily designed to cut down on the number of identity theft incidents and to improve the secure disposal or destruction of consumer information. The law also allows consumers to request and obtain a free credit report once every 12 months from each of the three consumer credit reporting companies in the U.S.: Equifax, Experian, and TransUnion.
FACTA obligations: FACTA provides rules for financial service providers, lenders, credit reporting agencies, and all businesses with “covered accounts” to detect and protect consumers from fraud and identity theft. A “covered account” includes any account for which there is a foreseeable risk of identity theft.
One such rule is the Red Flags Rule, which requires companies to put in place identity theft policies and procedures that assess identity theft risk factors, to test and implement those policies so that identified risks are detected and addressed, and to train employees to ensure that those policies and procedures are correctly followed.
In addition to the Red Flags Rule, FACTA establishes rules concerning Fraud Alerts and Active Duty Alerts. Upon the request of a consumer who believes they are about to become a victim of fraud or identity theft, the law requires consumer reporting agencies to place a fraud alert on their file so that no new credit line is opened in their name without explicit confirmation from the consumer. An active duty alert requires the reporting agency to disclose the alert with any credit report issued within 12 months of the request.
Penalties for violating FACTA: Both federal and state penalties may apply to FACTA violations:
CCPA is a state statute for residents of the state of California in the United States that came into force on January 1, 2020.
The CCPA is designed to give Californians control over their data. It is regarded as the most comprehensive data privacy legislation in the U.S., similar to the EU GDPR. The law applies to businesses in California that collect consumers’ data and can be described in any or all of the following ways:
CCPA consumer rights: The CCPA regulation empowers users with new data rights. To comply with the regulation, your organization must enable users to exercise their CCPA rights. For example, if you are a resident of California, you now have the right to:
Penalties for violating CCPA: Companies have 30 days to comply with the law once regulators notify them of a violation. If they fail to resolve the issue within the given period, there’s a fine of up to $7,500 per record. Other applicable penalties include:
CDPA is a state statute for residents of the state of Virginia in the United States.
Like the California Consumer Privacy Act (CCPA), the CDPA is designed to give Virginia consumers more control over their data. This makes Virginia only the second state to enact comprehensive privacy legislation.
Although the law takes effect on January 1, 2023, businesses are expected to begin evaluating their obligations now to ensure they have sufficient time to comply. A company is subject to the CDPA if it either conducts business in Virginia or produces products or services targeted at Virginia residents, and meets one of the following requirements:
CDPA obligations: The CDPA places several obligations on businesses processing personal data. These obligations include:
Consumer Privacy Rights: The CDPA enumerates the following privacy rights for Virginia consumers:
Penalties for violating CDPA: Companies have 30 days to comply with the law once regulators notify them of a violation. If they fail to resolve the issue within the given period, there’s a fine of up to $7,500 per violation.
Many other upcoming state data privacy laws are currently undergoing legislative scrutiny and passage into law or awaiting executive sign-off. The table below summarizes the various upcoming and existing state data privacy laws.
State | Name | Businesses covered | Right to Delete? | Right to Access? | Right to Rectification? | Status |
---|---|---|---|---|---|---|
California | California Consumer Privacy Act | Revenues over $25 million | Yes | Yes | No | In effect since January 1, 2020 |
Virginia | Virginia Consumer Data Protection Act | All | Yes | Yes | Yes | Takes effect on January 1, 2023 |
New York | New York Privacy Act | All | Yes | Yes | Yes | Pending |
Massachusetts | Massachusetts Data Privacy Law | Over $10 million | Yes | Yes | No | Pending |
Maryland | Maryland Online Consumer Protection Act | Over $25 million | Yes | Yes | No | Pending |
Hawaii | Hawaii Consumer Privacy Protection Act | All | Yes | Yes | No | Pending |
Table 1.0 Comparison of current and upcoming state data protection laws
There are a number of federal laws that are concerned with the protection of privacy. The first of these is the Privacy Act, which covers the protection of personally identifiable information (PII) held by federal agencies. The Gramm-Leach-Bliley Act, better known as GLBA, deals with financial institutions and specifies that these organizations need to communicate to customers how their data is going to be held and used. GLBA also gives consumers the right to specify that their data should not be shared with third parties. COPPA, the Children’s Online Privacy Protection Act, specifies the protection of PII relating to children under the age of 13.
GDPR is concerned with the protection of personally identifiable information that pertains to citizens of EU member states. However, US businesses are not exempt from the requirements of this set of rules. If a company in the USA deals with customers in the EU, questions of where and how data is stored and how that data can be used arise, and these matters are governed by GDPR.
HIPAA is the Health Insurance Portability and Accountability Act, a federal law that was passed in 1996. The law specifies the obligations of businesses in the healthcare sector regarding how patient data is handled. This category of data is known as “protected health information,” or PHI. The law requires data holders to notify subjects if their data is disclosed. The law also gives data subjects the right to see and correct any information held about them. Although HIPAA only relates to data of US citizens who are involved with healthcare providers in the USA, data processing services outside of the USA would be liable under the law if they are contracted to hold or manage US healthcare patient data.