A Guide to Federal and State Privacy Regulations

Unlike the EU, the United States doesn’t have one overarching privacy law to protect citizens’ personal information from being misused or falling into the wrong hands.

Instead, there is a patchwork of federal and state laws governing the collection, disclosure and use of personal data. These privacy laws also provide the standards businesses and organizations must meet in handling sensitive information, as well as the rights the individual has to access, view and request the deletion of their data.

This complex legal framework can seem daunting to companies that want to ensure they are compliant with the relevant privacy laws. Failure to do so can result in serious fines for companies both big and small, as well as reputational damage.

With this in mind, our guide to US privacy laws will look in more detail at the differences between the US and EU approaches to data protection before considering the major federal and state privacy laws in force.

What are the differences between EU and US privacy laws?

The EU’s General Data Protection Regulation (GDPR) law came into effect in 2018 and applies to any organization that manages the data of an EU citizen, regardless of the entity’s location. As such, its reach is extremely broad.

The requirements it places on organizations and the potential fines that are levied are substantial as well. The GDPR ensures that service providers can only collect, store and use an individual’s data with their consent. It also requires organizations to inform the user what personal data is being collected and to make sure that this data is accessible to them and may be deleted on request, the so-called ‘right to be forgotten’. These rules are consistently enforced and do not necessarily need to be instigated through litigation filed by an EU citizen.

By contrast, US privacy laws tend to be more targeted and enforcement can be patchy since it is often up to the individual to initiate legal action. What’s more, many of the US privacy laws don’t apply to organizations below a certain revenue threshold, or if they only handle a limited amount of personal data.

However, many states are now taking the lead on enacting more comprehensive data protection legislation, while Congress is now considering a bill – the American Data and Privacy Protection Act (ADPPA) – that would mandate federal protection of personal data.

Federal data privacy laws

For now, though, US federal privacy laws cover specific kinds of data. Here are some of the most significant federal laws and regulations concerning data privacy.

Privacy Act of 1974

This law applies to federal departments and agencies, namely how they handle the data they hold on US citizens.

The Privacy Act allows citizens access to their federal government records and to request corrections if there are inaccuracies. The measure also prohibits federal entities from sharing an individual’s records without their consent, although there are some exceptions.

Federal Trade Commission Act (FTC Act)

The Federal Trade Commission’s primary role is to regulate the financial practices of businesses, but it also ensures they handle customer and client data appropriately.

In particular, Section 5 of the FTC Act, which created the Federal Trade Commission, prohibits companies from committing “unfair or deceptive acts or practices” against their customers. It is this section of the FTC Act that Facebook ran afoul of in 2012 when the social media giant was ordered to pay a $5 billion fine for misleading its users about its privacy settings and for sharing user data with third parties without their consent.

Health Insurance Portability and Accountability Act (HIPAA)

The HIPAA prevents medical institutions from sharing the information it holds on individuals without their consent, whether that be to an insurance provider or even a relative. The law also compels medical providers to inform all their patients if it suffers from a data breach.

Children’s Online Privacy Protection Act (COPPA)

COPPA aims to protect children under 13 from online threats. It mandates parental consent with regards to the handling of data, since young children are not old enough to provide consent, and it limits the marketing to which children are exposed, among other restrictions.

However, while COPPA is comprehensive and the requirements relatively strict, most tech companies get around the law by claiming they do not render their services to minors under 13 years of age, with many children lying about their age and creating accounts regardless. As such, the companies do not have to comply and the responsibility falls on the parents.

State data privacy laws

There are other federal privacy laws in force as well, such as the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), and the Gramm-Leach-Bliley Act (GLBA), but many states have now moved to have more comprehensive privacy laws in place that supersede federal law in many respects. Here are several that have enacted far-reaching data privacy laws.

California Consumer Privacy Act (CCPA)

Largely modeled after the GDPR, the CCPA is perhaps the most robust state privacy law.

It ensures Californians can access all the data a company holds on them, and to request that it be deleted.

Notably, like the GDPR, the CCPA takes a broad definition of ‘personal data’ to include any information that could be linked directly or indirectly to you. This prevents companies from collecting your ‘behavioral’ data and creating a profile of you which they can then sell.

However, unlike the GDPR, it only applies to California businesses with annual revenues above $25 million that handle the data of more than 50,000 individuals, or whose revenues are largely derived from selling user data.

Virginia Consumer Data Protection Act (CDPA)

Virginia’s CDPA is similar to California’s privacy law in terms of citizen access to data and the right to be forgotten. It also only applies to entities that meet certain revenue or data handling thresholds.

Where the CPDA differs from the CCPA is that it neither created a regulatory authority nor does it allow residents to take legal action for alleged violations, meaning its enforcement potential is weaker.

Colorado Privacy Act (ColoPA)

ColoPA contains, in essence, many of the same provisions found in CCPA and CDPA but it takes an even broader definition of ‘personal data’, understood as any information an organization has that in any way relates to them. It also requires the consent of the user to process data that would place them in a certain sensitive category, such as the individual’s race, gender or religion.

In the absence of a data privacy regulatory body, ColoPA is enforced by the state attorney general.

Which privacy laws apply to my organization?

This is just a selection of some of the state-level privacy laws in force across the US. The legislative environment concerning data protection is fast-moving with many states, such as New York and Massachusetts, in the process of enacting comprehensive privacy laws.

This may leave many organizations wondering which regulations apply to them, and how to anticipate future regulatory requirements.

The three factors companies need to consider to understand which privacy requirements apply to them are the following:

1. Location

In consultation with a compliance partner, determine which state and federal laws concern your company’s activities.

2. Industry

From healthcare to retail and finance, different sectors have different data compliance standards. Ensure you are aware of all that apply to your activities.

3. Size

Revenues and the volume of data you handle is important. Alongside a compliance partner, determine whether your organization is subject to privacy laws based on your revenues and how much personal data you manage.

Vertikal 6 IT security services

Vertikal 6 can not only advise on your organization’s IT compliance requirements, we can also address them and ensure the protection of all the user data you manage.

Get in touch with us for a free strategy session to discuss your requirements.