With the infusion of digital technologies in practically every aspect of modern society, data privacy is a rising concern. As consumer data gets passed between countless third parties, the risk of a data leak or breach increases exponentially. In 2021 alone, there were more than 817 major data breaches, impacting more than 53,000,000 Americans.
For attackers, personally identifiable information (PII) is the prime target. Those who successfully steal this private user data can sell it to other criminals, commit identity theft, launch phishing attacks, or perform account takeovers.
In response to this mounting threat, both the federal government and various states have implemented protective legislation. Below, we’ll primarily focus on US federal data privacy laws.
What Are the Data Privacy Laws in the US?
Although the American Data Privacy and Protection Act (ADPPA) is progressing through the legislative process, the US does not have a single, standardized data privacy law covering all forms of consumer data use. Instead, it has a mixture of laws covering distinct industries or data categories in specific circumstances. According to the New York Times:
“Historically, in the US, we have a bunch of disparate federal [and state] laws. These either look at specific types of data, like credit data or health information, or look at specific populations like children, and regulate within those realms.”
Depending on the industry you operate in, the types of consumer data you interact with, or the ways you use that data, your business may be subject to one or several of these individual data privacy laws.
But what are they? Let’s review the more essential federal data privacy and protection laws.
The Fair Credit Reporting Act
The Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., was established in 1970 to ensure that consumer reporting agencies practice accurate, fair, and private use of consumer information. Under this law, consumers have the right to:
- Be notified and be provided the contact information to the involved agency if the information in their credit or consumer reports has been used against them.
- Request and obtain all information within the files held by a consumer reporting agency.
- Request a free credit report disclosure once every 12 months.
- Ask for a credit score.
- Dispute incomplete or inaccurate information.
- Request the correction or erasure of inaccurate, incomplete, or unverifiable information.
The US Privacy Act of 1974
Although this privacy law was established decades before the advent of the internet, it laid the initial groundwork for future digital privacy laws both in the US and abroad.
Passed in 1974, this law was designed to improve individual privacy protections by establishing rules that dictate how government agencies may collect, maintain, use, and disseminate personal information held in federal agency systems of records. The subsections of 5 U.S.C. § 552a(e) require that the government:
- A – Maintain only relevant and necessary information
- B – Collect information directly from the individual
- C – Inform individuals when asking to collect information
- D – Publish a system of records notice
- E – Maintain accurate, relevant, timely, and complete records
- F – Review records prior to dissemination
HIPAA and HITECH
First established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was designed to establish security controls that protect healthcare consumers’ protected health information (PHI) from being disclosed without a patient’s consent or knowledge.
It also provided health insurance coverage for workers between jobs and ensured “electronic health data was appropriately secured, access to electronic health data controlled, and an auditable trail of PHI activity maintained.”
This law was later enhanced with the addition of the HIPAA Privacy and Security Rules and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. These addendums:
- Removed HIPAA loopholes
- Increased violation enforcement mechanisms
- Encouraged covered entities to transition to digital record-keeping
- Established notification rules in the event of a data breach
Gramm-Leach-Bliley Act (GLBA)
Enacted as law in 1999, the GLBA is a US data privacy law applicable to financial services companies that offer financial products or services. Under the GLBA, financial institutions—such as banks, savings and loans, credit unions, and insurance providers—are legally required to divulge their information-collecting and -sharing practices.
This act was designed to protect consumer financial data and determine how financial institutions could collect, store, maintain, use, and share financial records that contained sensitive data.
Fair and Accurate Credit Transactions Act of 2003
Sometimes referred to as the Red Flags Rule, FACTA was designed to establish requirements that specific firms must abide by, namely:
- Financial institutions that provide consumer transaction accounts
- Creditors that extend or renew credit
Firms subject to the rule must create a written identity theft prevention program (ITPP) and identify their covered accounts. According to FINRA, the program requires relevant firms to take the following actions:
- Identify relevant red flags for covered accounts
- Detect red flags
- Respond appropriately to detected red flags via prevention or mitigation techniques
- Update the ITPP and its red flags regularly to respond to changes in risk
General Data Protection Regulation (GDPR)
Although this is a European data privacy law, it still affects American organizations that sell products or services to Europeans.
The European Union’s General Data Protection Regulation (GDPR) repealed and replaced the older EU Data Protection Directive, and is considered a global benchmark for data privacy. Implemented in 2018, the GDPR was established in response to the rise of Big Tech and Big Data, and to offer European residents stronger, more unified protections across the European economic market. The pan-European regime sets comprehensive rules and conditions around the collection, use, and sharing of Europeans’ data. For example, according to Article 5(1)-(2), if you process such data, you are required to:
- Process data in a manner that is lawful, fair, and transparent
- Limit data collection to explicitly specified purposes
- Collect and process only as much data as is absolutely necessary
- Keep personal data accurate and up to date
- Only store data for as long as necessary
- Demonstrate compliance with GDPR
The GDPR also grants data subjects (i.e., individuals) the right to access and amend their covered data. Upon making a request, the data subject may ask the “data controller” (i.e., the organization or its representative that determines the purposes and means of processing) to take follow-up actions concerning their data, including:
- Deleting the data when it is no longer needed
- Correcting the data to ensure its accuracy and relevance
- Providing a copy of the data to individuals in a meaningful format
- Limiting data processing to lawful, fair and necessary purposes
- Transferring custody of the data to a different data controller
ADPPA—The New Data Privacy and Protection Law Proposed
A federal-level law stipulating data privacy and protections may soon be enacted. A bill proposing the American Data Privacy and Protection Act is currently under discussion by members of Congress, and it enjoys bipartisan support. Crucially, the ADPPA proposes a paradigm shift from existing data protection.
Instead of requiring consumers to explicitly consent to data collection and different uses, it adopts a “data minimization” strategy and proposes restricting these activities according to 17 acceptable purposes.
Notable differences between ADPPA and existing regulations include:
- The 17 explicitly allowed data collection and usage purposes (all others are automatically disallowed)
- Using data for targeted advertising is allowed but subject to restrictions, such as:
  - Organizations cannot target minors with any form of advertising
  - Sensitive data (e.g., health information, location, private messages) cannot be used for targeted advertising
  - Companies would be prohibited from tracking consumers across third-party sites to build profiles
- A universal opt-out process created by the FTC
While ADPPA has not yet passed, it represents the growing data privacy and protection movement within the US that companies must adjust their practices to contend with. Furthermore, individual states would still be able to enact legislation adding more restrictions.
Data Privacy Laws—States
Starting with California, a number of US states have enacted data privacy laws that give state residents comprehensive GDPR-style protections. Currently, the five US state privacy laws are:
- California Consumer Privacy Act and Privacy Rights Act (CCPA/CPRA)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut’s Personal Data Privacy and Online Monitoring Act (CTDPA)
- Utah Consumer Privacy Act (UCPA)
Companies that meet certain threshold requirements in those states and that collect, use, monetize, or share state residents’ personal information must comply with a range of transparency, choice, and accountability obligations. While the US state laws are not carbon copies of each other, and California’s is the most consumer-friendly, they all share a common set of themes, requirements, and motivations.
Essentially, covered businesses are required to:
- Inform consumers about their personal information practices
- Disclose whether they sell consumer data or use it to target individuals with personalized ads
- Offer data subjects the right to access, delete, correct, or port their data
- Provide the option for consumers to opt out of the sale of their data
- Implement commercially reasonable security and contractual measures
As the aforementioned New York Times article notes:
California offers residents a limited right to take a company to court over CCPA/CPRA violations. “The regulations include a limited ‘private right of action’—the ability to sue a company—against certain types of data breaches. California also requires a ‘global opt-out’ to remove oneself from data sharing by device or browser, instead of being forced to opt out on each site individually.”
And more states are following. While some are eyeing comprehensive reforms, others are looking to enhance pre-existing, narrower data privacy protections. These states are:
- New York
Who Enforces Privacy Protections in the US?
With no comprehensive federal data privacy law on the books, enforcement of the various consumer data privacy protections falls to a panoply of federal and state authorities. Typically, one of three parties will enforce data privacy rules:
#1 The FTC
According to the FTC:
“The agency uses law enforcement, policy initiatives, and consumer and business education to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits of the ever-changing marketplace.”
Section 5 of the Federal Trade Commission Act grants the FTC the authority to pursue privacy violations as unfair or deceptive acts or practices (UDAP) by businesses.
#2 The FCC
The Federal Communications Commission is responsible for enforcing the Communications Act. Its Enforcement Bureau handles investigations and enforcement actions involving FCC-regulated services that affect consumer protection and privacy.
#3 State Attorneys General
State attorneys general don’t typically enforce federal data security or privacy violations. However, if a state has enacted its own data protections, the burden of enforcement falls on the AG.
Note: The California Privacy Rights Act of 2020 created the first dedicated privacy regulator in the US, the California Privacy Protection Agency. This agency enforces the CCPA and the CPRA in California.
DataGrail—Your Guide to Data Protection Compliance
The movement to uphold consumer data privacy is swelling across the country. Although there may not be comprehensive federal laws yet, there are still dozens of industry-, activity-, or state-specific laws you may be expected to abide by.
How, then, can you ensure compliance?
DataGrail’s integrated data privacy solution can help with that. Our data privacy platform creates a centralized location from which you can manage your company’s entire privacy program. With DataGrail, you can automate privacy requests with Request Manager and gain visibility and control over your data with the Live Data Map.
If you’re concerned about upholding various data privacy laws, DataGrail is the solution you’ve been waiting for. Request a free demo today.
Consumer Financial Protection Bureau. A Summary of Your Rights Under the Fair Credit Reporting Act. https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf
Department of Justice. Overview of the Privacy Act Of 1974. https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition
FINRA. FTC FACT Act Red Flags Rule Template. https://www.finra.org/sites/default/files/Industry/p119095.pdf
FTC. Protecting Consumer Privacy and Security. https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security
GDPR. What Is GDPR, the EU’s New Data Protection Law? https://gdpr.eu/what-is-gdpr/
HIPAA Journal. Purpose of HIPAA. https://www.hipaajournal.com/purpose-of-hipaa/
New York Times. The State of Consumer Data Privacy Laws in the US (And Why It Matters). https://www.nytimes.com/wirecutter/blog/state-of-privacy-laws-in-us/
Statista. Annual number of data compromises and individuals impacted in the United States from 2005 to first half 2022. https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
Wired. Don’t Look Now, but Congress Might Pass an Actually Good Privacy Bill. https://www.wired.com/story/american-data-privacy-protection-act-adppa/