What to Know About US Federal Data Privacy Laws

With the infusion of digital technologies into practically every aspect of modern society, data privacy is a rising concern. As consumer data gets passed between countless third parties, the risk of a data leak or breach grows with every additional handler. In 2021 alone, there were more than 817 major data breaches, impacting more than 53,000,000 Americans.

For hackers, personally identifiable information (PII) is their prime target. Those that successfully plunder this private user data can then sell it to other criminals, perform identity theft, launch phishing attacks, or perform account takeovers.

In response to this mounting threat, both the federal government and various states have implemented protective legislation. Below, we’ll primarily focus on US federal data privacy laws.

What Are the Data Privacy Laws in the US?

Although the American Data Privacy Protection Act (ADPPA) is progressing through the legislative process, America doesn’t have a singular, standardized data privacy law covering all forms of consumer data uses. Instead, it has a mixture of laws covering distinct industries or data categories in specific circumstances. According to the New York Times:

“Historically, in the US, we have a bunch of disparate federal [and state] laws. These either look at specific types of data, like credit data or health information, or look at specific populations like children, and regulate within those realms.”

Depending on the industry you operate in, the types of consumer data you interact with, or the ways you use that data, your business may be subject to one or several of these individual data privacy laws.

But what are they? Let’s review the more essential federal data privacy and protection laws.

The Fair Credit Reporting Act

The Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., was established in 1970 to ensure that consumer reporting agencies practiced accurate, fair, and private usage of consumer information. Under this law, consumers have the right to:

The US Privacy Act of 1974

Although this privacy law was established decades before the advent of the internet, it laid the initial groundwork for future digital privacy laws both in the US and abroad.

Passed in 1974, this law was designed to improve individual privacy protections by establishing rules and regulations that dictated how government agencies could collect, maintain, use, and disseminate personal information held in federal agency record systems. The lettered subsections of 5 U.S.C. § 552a(e) required that the government:

HIPAA and HITECH

First established in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was designed to create security controls that protect healthcare consumers’ protected health information (PHI) from being disclosed without a patient’s consent or knowledge.

It also provided health insurance coverage for workers between jobs and ensured “electronic health data was appropriately secured, access to electronic health data controlled, and an auditable trail of PHI activity maintained.”

This law was later enhanced with the addition of the HIPAA Privacy and Security Rules and the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. These additions:

Gramm-Leach-Bliley Act (GLBA)

Enacted as law in 1999, the GLBA is a US data privacy law applicable to financial services companies that offer financial products or services. Under the GLBA, financial institutions—such as banks, savings and loans, credit unions, and insurance providers—are legally required to divulge their information-collecting and -sharing practices.

This act was designed to protect consumer financial data and determine how financial institutions could collect, store, maintain, use, and share financial records that contained sensitive data.

Fair and Accurate Credit Transaction Act of 2003

Sometimes referred to as the Red Flag Rules, FACTA was designed to establish requirements that specific firms must abide by, namely:

Firms subject to the rules must create a written identity theft prevention program (ITPP) and identify covered accounts. According to FINRA, the program requires relevant firms to take the following actions:

  1. Identify relevant red flags for covered accounts
  2. Detect red flags
  3. Respond appropriately to detected red flags via prevention or mitigation techniques
  4. Update the ITPP and red flags frequently to respond to changes in risk

GDPR

Although this is a European data privacy law, it still impacts American organizations that sell products or services to Europeans.

The European Union’s General Data Protection Regulation (GDPR) repealed and replaced the older EU Data Protection Directive and is considered a global benchmark for data privacy. Implemented in 2018, the GDPR was established to respond to the rise of Big Tech and Big Data, and to offer European residents stronger, more unified protections across the European economic market. The pan-European regime sets comprehensive rules and conditions around the collection, use and sharing of Europeans’ data. For example, according to Article 5(1)-(2), if you process such data, you’re required to:

The GDPR also grants data subjects (i.e., individuals) the right to access and amend their sensitive covered data. Upon making the request, the data subject may ask the “data controller” (i.e., the organization or its representative that determines the data’s purpose and processing means) to take follow-up actions concerning their data, including:


ADPPA—The New Data Privacy and Protection Law Proposed

A federal-level law stipulating data privacy and protections may soon be enacted. A bill proposing the American Data Privacy Protection Act is currently under discussion by members of Congress, and it enjoys bipartisan support. Crucially, ADPPA proposes a paradigm shift from existing data protection.

Instead of requiring consumers to explicitly consent to data collection and different uses, it adopts a “data minimization” strategy and proposes restricting these activities according to 17 acceptable purposes.

Notable differences between ADPPA and existing regulations include:

While ADPPA has not yet passed, it represents the growing data privacy and protection movement within the US, one that companies must adjust their practices to contend with. Furthermore, individual states would still be able to enact legislation adding more restrictions.

Data Privacy Laws—States

Starting with California, a number of US states have enacted data privacy laws to provide state residents with comprehensive GDPR-style protections. Currently, the five US state privacy laws are:

Companies that meet certain threshold requirements in those states and that collect, use, monetize or share state residents’ personal information must comply with a range of transparency, choice and accountability obligations. While the US state laws are not carbon copies of each other, and California’s is the most consumer-friendly, they all share a common set of themes, requirements and motivations.

Essentially, covered businesses are required to:

As the aforementioned New York Times article notes:

California offers residents a limited right to take a company to court over CCPA/CPRA violations. “The regulations include a limited ‘private right of action’—the ability to sue a company—against certain types of data breaches. California also requires a ‘global opt-out’ to remove oneself from data sharing by device or browser, instead of being forced to opt out on each site individually.”

And more states are following. While some are eyeing comprehensive reforms, others are looking to enhance pre-existing, narrower data privacy protections. These states are:

Who Enforces Privacy Protections in the US?

With no comprehensive federal data privacy law on the books, the enforcement of the various consumer data privacy protections falls to a panoply of federal and state authorities. Typically, one of three parties will enforce data privacy rules:

#1 The FTC

Since the 1970s, the Federal Trade Commission has been the foremost federal agency on privacy policy and enforcement.

According to the FTC:

“The agency uses law enforcement, policy initiatives, and consumer and business education to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits of the ever-changing marketplace.”

Section 5 of the Federal Trade Act grants the FTC the authority to pursue privacy violations by way of businesses’ unfair or deceptive acts or practices (UDAP).

#2 FCC

The Federal Communications Commission is responsible for enforcing the Federal Communications Act. Its Enforcement Bureau handles investigations and enforcement actions involving FCC-regulated services that impact consumer protection and privacy.

#3 State Attorneys General

State attorneys general don’t typically enforce federal data security or privacy violations. However, if a state has enacted its own data protections, the burden of enforcement falls on the state AG.

Note: The California Privacy Rights Act of 2020 created the first dedicated privacy regulator in the US, the California Privacy Protection Agency. This agency enforces the CCPA and the CPRA in California.

DataGrail—Your Guide to Data Protection Compliance

The movement to uphold consumer data privacy is swelling across the country. Although there may not be comprehensive federal laws yet, there are still dozens of industry-, activity-, or state-specific laws you may be expected to abide by.

How, then, can you ensure compliance?

DataGrail’s integrated data privacy solution can help with that. Our data privacy platform creates a centralized location from which you can manage your company’s entire privacy program. With DataGrail, you can automate privacy requests with Request Manager and gain visibility and control over your data with the Live Data Map.

If you’re concerned about upholding various data privacy laws, DataGrail is the solution you’ve been waiting for. Request a free demo today.