Global Data Privacy Guide |
|
USA, District of Columbia (Federal Law) |
|
(United States)
Firm
Steptoe LLP
Contributors Updated 01 Mar 2022 |
|
What is the key legislation? | Unlike many other countries, the United States does not have a single, overarching privacy law regulating the processing of personal information. Instead, there is an array of federal and state laws that regulate different aspects of privacy in the United States. Instead of a single, overarching privacy law regulating the processing of personal information, the United States has an array of federal and state laws that regulate different aspects of privacy in the United States. Federal Law For instance, the Gramm-Leach-Bliley Act ("GLBA") and regulations implementing it establish requirements for how financial institutions protect consumers’ personal information. Similarly, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") establishes privacy and data security requirements for entities in the health and medical sector. The Electronic Communications Privacy Act of 1986 ("ECPA")—composed of the Wiretap Act, the Stored Communications Act, and the Pen Register Act—establishes rules governing the privacy of electronic communications, including limits on disclosures by communications providers, prohibitions on access to communications content and non-content information, and restrictions on government access to stored communications and communications in transmission. Another key federal law is the Federal Trade Commission Act ("FTCA"), which prohibits “unfair” or “deceptive” acts or practices in commerce. The Federal Trade Commission ("FTC") has interpreted the “unfairness” prong of this Act as requiring companies to ensure reasonable security for the personal information of consumers. Other federal laws regulating privacy include (but are not limited to):
State Law All of the states and U.S. territories also have laws affecting privacy. All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have laws requiring businesses to notify affected individuals and (in some cases) regulators if they experience a breach of the security of personal information (with varying definitions of “personal information”). California was the first state to pass such a data breach reporting law. See California Database Security Breach Notification Act, S.B. 1386 (Cal. 2002), amending Cal. Civ. Code §§ 1798.29, 1798.82 & 1798.84. An increasing number of states also impose general requirements to implement reasonable security measures to protect personal information. See, e.g., Massachusetts Security Breach Notification Law, Mass. Gen. Laws ch. 93H, and Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq.; New York Stop Hacks and Improve Electronic Data Security Act, S.B. S5575B Many states also impose limits on the collection and processing of Social Security numbers. See, e.g., Virginia Personal Information Privacy Act, Va. Code Ann. § 59.1-443.2. States are also beginning to enact more overarching privacy laws affecting everything from the collection of personal information to the deletion of personal information and almost everything in between. The first such law was enacted by California as the California Consumer Privacy Act ("CCPA") which came into effect on January 1, 2020. The CCPA was recently amended by the California Privacy Rights Act ("CPRA"), which was enacted by voters via a ballot initiative. The CPRA will take effect on January 1, 2023, and will apply to data collected on or after January 1, 2022. Other states are expected to enact analogous legislation in 2021. In addition, Virginia and Colorado recently adopted similar laws. 
Virginia adopted the Virginia Consumer Data Privacy Act (“VCDPA”), which will become effective on January 1, 2023, and Colorado adopted the Colorado Privacy Act (“CPA”), which will become effective on July 1, 2023. Numerous other states are considering similar legislation. |
What data is protected? | Because the United States does not have a single, overarching privacy law, the definition of personal information depends on the applicable law or regulation. Similarly, there is no universal concept of “sensitive data” that may be subject to heightened protections. Because the United States does not have a single, overarching privacy law, the definition of personal information depends on the applicable law or regulation. In the state security breach notification law context, for example, the definition of personal information generally includes an individual’s name, Social Security number, driver’s license number, and financial account number. Notably, however, there is a trend toward broadening the definition of personal information in state breach notification laws to include health or medical information, online account information, and/or biometric information. In other contexts, such as FTC enforcement actions, the GLBA, HIPAA, or the CCPA the definition of personal information is broader. Certain laws apply only to electronic personal information, while others are more general. Similarly, there is no universal concept of “sensitive data” that may be subject to heightened protections, though certain types of information are generally protected more stringently, such as financial data in the security breach notification context, as well as background screening information, consumer report information, health information, children’s information, and Social Security numbers. This approach, however, may be starting to change, as the CPRA, VCDPA, and CPA will all provide heightened protection for “sensitive” categories of personal information or data. |
Who is subject to privacy obligations? | Generally, U.S. privacy laws apply to all processing of personal information by organizations subject to the jurisdiction of U.S. courts. Many U.S. privacy laws are limited to businesses in certain sectors (for example, the GLBA applying only to covered financial institutions, HIPAA applying to covered health care institutions and their business associates, etc.). There are also privacy laws that apply to the U.S. government. Unlike in some other jurisdictions, U.S. law does not formally distinguish between “controllers” and “processors” of personal information, though certain laws impose different obligations on companies based on whether they own the data or are considered to be service providers. Many U.S. privacy laws are limited to businesses in certain sectors. For example, the GLBA applies only to covered financial institutions. HIPAA applies to covered health care institutions and their business associates. There are also privacy laws, such as the Privacy Act of 1974 and the ECPA, that apply to the U.S. government. At the state level, laws such as the CCPA, the VCDPA, and the CPA, currently or will employ thresholds relating to an entity’s revenue and/or the number of residents whose personal information an entity collects and/or sells. |
What are the principles applicable to personal data processing? | Companies that own personal information may be required to notify individuals whose data they collect. There are also restrictions on the collection of certain data, such as state laws restricting the collection of Social Security numbers. Companies that own personal information may be required to notify individuals whose data they collect. Certain federal laws, such as the FCRA/FACTA, GLBA, HIPAA, and COPPA (including regulations implementing these laws), require organizations to provide privacy notices in certain circumstances. California’s Online Privacy Protection Act also requires organizations not otherwise subject to specific regulation to post conspicuous privacy policies if they collect personal information from individuals through a website or online service for commercial purposes. The CCPA requires covered entities to provide consumers with notice of the categories of personal information to be collected and the purposes of collection both in their privacy policies and at or before the point of collection. The VCDPA and CPA will have similar notice requirements. The CPRA will require covered entities also to include information about the sale and retention of personal information at the point of collection. There are also restrictions on the collection of certain data, such as state laws restricting the collection of Social Security numbers. |
How is the processing of personal data regulated? | U.S. privacy laws have not adopted the “finality principle” (i.e., that the use and disclosure of information be limited by the purpose for which it was originally collected); instead, companies usually describe their uses and disclosures of personal information collected from consumers in privacy notices. It is important to ensure that the uses of personal information, and the circumstances in which and entities to which it may be disclosed, are described accurately. A number of laws also restrict the disclosure of specific types of personal information. U.S. privacy laws have not adopted the principle that the use and disclosure of personal information are limited by the purposes for which it was originally collected (subject to various exceptions)—known in other jurisdictions as the “finality principle.” Instead, companies usually describe their uses and disclosures of personal information collected from consumers in privacy notices. If an organization would like to use previously collected personal information for a materially different purpose than those set forth in its privacy notice or to disclose it to entities or in circumstances different from what is stated in the privacy notice, the FTC and state attorneys general have said that the organization must first obtain consent to the new practice from the consumer. If an organization does not obtain such consent, then the new practice may be considered a deceptive trade practice under federal and state consumer protection laws. Where a privacy notice is required by law, an organization’s failure to abide by the requirements of the law could give rise to liability. A number of laws also restrict the disclosure of specific types of personal information. For example, the GLBA and HIPAA require an individual’s consent before making certain disclosures of personal information. 
At the state level, the CCPA permits consumers to restrict the sale of their personal information. The CPRA will also provide consumers with the ability to opt out of the sharing of their personal information with third parties for the purpose of “cross-context behavioral advertising.” The VCDPA and CPA provide consumers with similar rights. The CPRA, VCDPA, and the CPA will also limit the ability of covered entities to use personal data beyond purposes disclosed to residents. |
How are storage, security and retention of personal data regulated? | Though there is no comprehensive U.S. data security law, a variety of federal and state statutes and regulations impose obligations on businesses to provide security. In addition, U.S. privacy laws generally do not regulate the retention of personal information directly. However, the CCPA, allows California residents to request that businesses delete their personal information (subject to several important exceptions). The FTC has taken the view that not providing “reasonable” security for consumers’ personal information is an “unfair practice” under the FTCA, and has brought dozens of enforcement actions against companies on that basis. Companies must consult complaints and consent decrees from past cases to try to understand what constitutes reasonable or unreasonable security in the mind of the FTC. A variety of other federal statutes and regulations impose more specific security obligations on certain data owners and organizations that process personal information on their behalf. For example, the Safeguards Rule implemented pursuant to the GLBA requires financial institutions to “develop, implement, and maintain a comprehensive information security program” with “administrative, technical, and physical safeguards” to protect the security, confidentiality, and integrity of all nonpublic personal information. COPPA requires operators of commercial websites and online services to maintain the confidentiality, security, and integrity of “personal information” (as defined by the FTC’s implementing regulation) they collect from children. The Security Rule implemented pursuant to HIPAA prescribes detailed administrative, technical, and physical safeguards for covered entities and their service providers to protect the security, confidentiality, availability, and integrity of electronically protected health information. 
A number of state laws also impose general information security standards on companies that maintain personal information. California has enacted legislation requiring businesses to “implement and maintain reasonable security procedures and practices” to protect personal information about California residents from unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5(b). Massachusetts also requires businesses to develop and maintain a comprehensive written information security program, including specific elements. See Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq. Other states are also increasingly adopting specific data security requirements for personal information. In addition, U.S. privacy laws generally do not regulate the retention of personal information directly, though there are many records retention laws at the federal and state levels that require companies to retain records (including those that contain personal information) for a specified length of time or restrict the retention of records beyond a certain period. However, at the state level, the CPRA will place limits on a covered entity’s ability to retain personal information. In addition, the CCPA allows California residents to request that businesses delete their personal information (subject to several important exceptions) and the VCDPA and the CPA will afford consumers this right in 2023. |
What are the data subjects' rights? | There is no generally applicable law in the United States providing individuals the right to access or correct personal information about them held by a company, though there are specific laws that address access and correction rights, such as the Privacy Act of 1974, HIPAA, COPPA, and FCRA/FACTA. In addition, the CCPA provides residents with the right to ask businesses to access personal information as will the VCDPA and the CPA. The CPRA, the VCDPA, and the CPA will also provide consumers with the right to correct inaccurate personal information. There is no generally applicable law in the United States providing individuals the right to access or correct personal information about them held by a company, though there are specific laws that address access and correction rights. For example, the Privacy Act of 1974 requires federal agencies to provide individuals, upon request, with access to information about them, subject to certain exceptions, and allow individuals to request amendments to their records. The Privacy Rule enacted pursuant to HIPAA requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them, unless the covered entity has a valid reason to deny such access (e.g., where the PHI is subject to restricted access under other laws, or access to the PHI is reasonably likely to cause substantial harm to another person). A covered entity must either provide the requested access within thirty days of a request or explain its justification for denying access. The Privacy Rule also gives individuals the right to amend their PHI. COPPA allows parents or legal guardians to access their child’s personal information upon request, and revoke their consent and refuse the further use or collection of personal information from their child, or delete their child’s personal information. 
FCRA/FACTA requires Credit Reporting Agencies to provide individuals with information in their credit files upon request. Individuals may also dispute inaccurate information that appears in a credit report, and inaccurate or unverifiable information must be removed within thirty days of notice of the dispute. |
Are there restrictions on cross-border data transfers? | No, U.S. law does not restrict cross-border data transfers. |
Are there any notification requirements for data breaches? | There is no generally applicable federal breach notification law, but there are a number of targeted breach notification laws at both the federal and state levels, including: HIPAA and the HITECH Act The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the FTC apply to vendors of personal health records and third-party service providers pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act"). GLBA and Federal Interagency Guidance Several federal banking regulators—the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of Thrift Supervision—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice in 2005, interpreting the Safeguards Rule implemented pursuant to the GLBA to require financial institutions to develop and implement a response program designed to address incidents of unauthorized access to customer information processed in systems the institutions or their service providers use to access, collect, store, use, transmit, protect, or dispose of the information. The Guidance also contains breach notification requirements. State Breach Notification Laws All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have enacted breach notification laws requiring data owners to notify affected individuals and (in some cases) regulators in the event of unauthorized access to or acquisition of their personal information. 
Although some state breach laws require notification only if there is a reasonable likelihood that the breach will result in harm to affected individuals, other jurisdictions require notification of any incident that meets their definition of a breach. |
Who is the privacy regulator? | There is no single authority in the United States that regulates privacy law. At the federal level, the regulatory authority responsible for oversight varies based on the applicable law or regulation. The FTC is the primary federal privacy regulator and may bring privacy enforcement actions pursuant to section 5 of the FTCA to address a wide range of alleged violations by entities whose information practices have been deemed “deceptive” or “unfair.” These enforcement actions typically result in consent decrees that prohibit companies from future misconduct and often require biennial audits for up to twenty years. The FTC may also impose a fine on businesses that violate a consent decree. In the financial services context, various financial services and state insurance regulators have adopted standards pursuant to the GLBA regulating the collection, use, and disclosure of non-public personal information. In the healthcare context, the Department of Health and Human Services is responsible for the enforcement of HIPAA against covered entities. At the state level, attorneys general may bring enforcement actions for unfair or deceptive trade practices and enforce violations of specific state privacy laws. In California, in particular, the CPRA created a new privacy regulator called the California Privacy Protection Board to enforce the statute and the CCPA. The VCDPA will be exclusively enforced by the Virginia Attorney General while the CPA will be exclusively enforced by the Colorado Attorney General and Colorado district attorneys. Some state privacy laws also allow individuals to sue for damages when violations occur. |
What are the consequences of a privacy breach? | Violations of federal and state privacy laws generally can lead to injunctions and civil penalties, though several laws directed at surveillance activities and computer crimes also impose criminal sanctions. Violations of the ECPA or the Computer Fraud and Abuse Act ("CFAA") can lead to both civil liability and criminal sanctions. Many states have also enacted surveillance laws that provide for both civil liability and criminal sanctions in the case of a violation. Outside of the surveillance and computer crime context, the U.S. Department of Justice has the authority to criminally prosecute serious HIPAA violations. Privacy breaches have also led to civil lawsuits against breached companies by individuals or other entities affected by the breach, with varying degrees of success. The CCPA expressly provides California residents a private right of action for data breaches. |
How is electronic marketing regulated? | Several U.S. laws target electronic marketing, including commercial email, telemarketing, text message marketing, and fax marketing. Commercial email is regulated at the federal level by CAN-SPAM, which generally preempts state anti-spam laws. The TCPA and the Telemarketing and Consumer Fraud and Abuse Prevention Act, as well as regulations implemented by the FTC and the Federal Communications Commission ("FCC"), regulate telemarketing. There are also state laws regulating telemarketing activities. Text message marketing is regulated primarily by the TCPA and regulations implemented by the FCC, while fax marketing is regulated by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state laws. In 2021, the U.S. Supreme Court significantly narrowed the scope of a portion of the TCPA restricting the use of auto-dialer equipment to place calls and text messages. In the aftermath of the Supreme Court’s decision, Florida adopted a mini-TCPA law and other states are considering taking similar action. |
Are there any recent developments or expected reforms? | The California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020, establishes new rights on the part of California residents to control their personal information by requesting that companies disclose what personal information they collect, and for what purpose, and what types of entities they share the information with. The CCPA also gives California residents the right to request that companies delete their personal information (subject to important exceptions), and also that companies do not sell their personal information. Note: As noted above, the CCPA took effect on January 1, 2020. In addition to the rights described above, which are currently enforceable by the state attorney general, the CCPA also creates a private right of action that allows California residents to sue businesses, and obtain statutory damages, when a lack of adequate security leads to a breach of certain types of personal information. In November 2020, California voters passed the CPRA as part of a ballot initiative that amends the CCPA as described above. The substantive rights created by the CRPA will not become effective until January 1, 2023, and will only apply to information collected on or after January 1, 2022. In addition, as noted above, the CPRA creates a new California Privacy Protection Board which will be responsible for enforcing the CCPA and rulemaking. The CCPA and CPRA have led other states to adopt similar legislation. —As mentioned, Virginia recently adopted the VCDPA and Colorado recently adopted the CPA, which are substantively similar to the CCPA and CPRA. The VCDPA will come into effect on January 1, 2023, and the CPA will come into effect on July 1, 2023. Similar legislation is being considered in a number of additional states. |
Global Data Privacy Guide
USA, District of Columbia (Federal Law)
(United States) Firm Steptoe LLPContributors
Updated 01 Mar 2022Unlike many other countries, the United States does not have a single, overarching privacy law regulating the processing of personal information. Instead, there is an array of federal and state laws that regulate different aspects of privacy in the United States.
Instead of a single, overarching privacy law regulating the processing of personal information, the United States has an array of federal and state laws that regulate different aspects of privacy in the United States.
Federal Law
For instance, the Gramm-Leach-Bliley Act ("GLBA") and regulations implementing it establish requirements for how financial institutions protect consumers’ personal information. Similarly, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") establishes privacy and data security requirements for entities in the health and medical sector. The Electronic Communications Privacy Act of 1986 ("ECPA")—composed of the Wiretap Act, the Stored Communications Act, and the Pen Register Act—establishes rules governing the privacy of electronic communications, including limits on disclosures by communications providers, prohibitions on access to communications content and non-content information, and restrictions on government access to stored communications and communications in transmission.
Another key federal law is the Federal Trade Commission Act ("FTCA"), which prohibits “unfair” or “deceptive” acts or practices in commerce. The Federal Trade Commission ("FTC") has interpreted the “unfairness” prong of this Act as requiring companies to ensure reasonable security for the personal information of consumers.
Other federal laws regulating privacy include (but are not limited to):
- The Cable Communications Policy Act of 1984 ("Cable Act"), which amended the Communications Act of 1934, protects the personal information of customers of cable service providers;
- The Children’s Online Privacy Protection Act of 1998 ("COPPA"), which established rules for the collection, retention, and disclosure of personal information from children under 13 years of age online;
- The Communications Act of 1934, which requires telecommunications carriers to protect the confidentiality of proprietary information of, and relating to, other telecommunications carriers, equipment manufacturers, and customers;
- The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM"), which regulates unsolicited commercial email and generally preempts state anti-spam laws;
- The Drivers Privacy Protection Act of 1994 ("DPPA"), which protects the privacy of personal information contained in motor vehicle records;
- The Fair Credit Reporting Act ("FCRA"), which was amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA"), and limits the collection, use, maintenance, and dissemination of personal information assembled by Credit Reporting Agencies;
- The Family Education Rights and Privacy Act of 1974 ("FERPA"), which protects the privacy of student education records and applies to all schools that receive funds from the U.S. Department of Education;
- The Freedom of Information Act ("FOIA"), which provides for the disclosure of previously unreleased information and documents controlled by the federal government;
- The Privacy Act of 1974, which established rules for the collection, maintenance, use, and dissemination of information about individuals maintained in systems of records by federal agencies;
- The Telephone Consumer Protection Act of 1991 ("TCPA"), which amended the Communications Act of 1934 and bars most auto-dialed or prerecorded calls, texts, and faxes unless made with prior express consent; and
- The Video Privacy Protection Act of 1988 ("VPPA"), which generally prevents the disclosure of personally identifiable rental records of “prerecorded video cassette tapes or similar audiovisual material.”
State Law
All of the states and U.S. territories also have laws affecting privacy. All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have laws requiring businesses to notify affected individuals and (in some cases) regulators if they experience a breach of the security of personal information (with varying definitions of “personal information”). California was the first state to pass such a data breach reporting law. See California Database Security Breach Notification Act, S.B. 1386 (Cal. 2002), amending Cal. Civ. Code §§ 1798.29, 1798.82 & 1798.84.
An increasing number of states also impose general requirements to implement reasonable security measures to protect personal information. See, e.g., Massachusetts Security Breach Notification Law, Mass. Gen. Laws ch. 93H, and Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq.; New York Stop Hacks and Improve Electronic Data Security Act, S.B. S5575B
Many states also impose limits on the collection and processing of Social Security numbers. See, e.g., Virginia Personal Information Privacy Act, Va. Code Ann. § 59.1-443.2.
States are also beginning to enact more overarching privacy laws affecting everything from the collection of personal information to the deletion of personal information and almost everything in between. The first such law was enacted by California as the California Consumer Privacy Act ("CCPA") which came into effect on January 1, 2020. The CCPA was recently amended by the California Privacy Rights Act ("CPRA"), which was enacted by voters via a ballot initiative. The CPRA will take effect on January 1, 2023, and will apply to data collected on or after January 1, 2022. Other states are expected to enact analogous legislation in 2021. In addition, Virginia and Colorado recently adopted similar laws. Virginia adopted the Virginia Consumer Data Privacy Act (“VCDPA”), which will become effective on January 1, 2023, and Colorado adopted the Colorado Privacy Act (“CPA”), which will become effective on July 1, 2023. Numerous other states are considering similar legislation.
Because the United States does not have a single, overarching privacy law, the definition of personal information depends on the applicable law or regulation. Similarly, there is no universal concept of “sensitive data” that may be subject to heightened protections.
Because the United States does not have a single, overarching privacy law, the definition of personal information depends on the applicable law or regulation. In the state security breach notification law context, for example, the definition of personal information generally includes an individual’s name, Social Security number, driver’s license number, and financial account number. Notably, however, there is a trend toward broadening the definition of personal information in state breach notification laws to include health or medical information, online account information, and/or biometric information. In other contexts, such as FTC enforcement actions, the GLBA, HIPAA, or the CCPA the definition of personal information is broader. Certain laws apply only to electronic personal information, while others are more general.
Similarly, there is no universal concept of “sensitive data” that may be subject to heightened protections, though certain types of information are generally protected more stringently, such as financial data in the security breach notification context, as well as background screening information, consumer report information, health information, children’s information, and Social Security numbers. This approach, however, may be starting to change, as the CPRA, VCDPA, and CPA will all provide heightened protection for “sensitive” categories of personal information or data.
Generally, U.S. privacy laws apply to all processing of personal information by organizations subject to the jurisdiction of U.S. courts. Many U.S. privacy laws are limited to businesses in certain sectors (for example, the GLBA applying only to covered financial institutions, HIPAA applying to covered health care institutions and their business associates, etc.). There are also privacy laws that apply to the U.S. government.
Unlike in some other jurisdictions, U.S. law does not formally distinguish between “controllers” and “processors” of personal information, though certain laws impose different obligations on companies based on whether they own the data or are considered to be service providers.
Many U.S. privacy laws are limited to businesses in certain sectors. For example, the GLBA applies only to covered financial institutions. HIPAA applies to covered health care institutions and their business associates.
There are also privacy laws, such as the Privacy Act of 1974 and the ECPA, that apply to the U.S. government.
At the state level, laws such as the CCPA, the VCDPA, and the CPA employ (or, once in effect, will employ) applicability thresholds based on an entity’s revenue and/or the number of residents whose personal information the entity collects and/or sells.
Companies that own personal information may be required to notify individuals whose data they collect. There are also restrictions on the collection of certain data, such as state laws restricting the collection of Social Security numbers.
Companies that own personal information may be required to notify individuals whose data they collect. Certain federal laws, such as the FCRA/FACTA, GLBA, HIPAA, and COPPA (including regulations implementing these laws), require organizations to provide privacy notices in certain circumstances. California’s Online Privacy Protection Act also requires organizations not otherwise subject to specific regulation to post conspicuous privacy policies if they collect personal information from individuals through a website or online service for commercial purposes. The CCPA requires covered entities to provide consumers with notice of the categories of personal information to be collected and the purposes of collection both in their privacy policies and at or before the point of collection. The VCDPA and CPA will have similar notice requirements. The CPRA will require covered entities also to include information about the sale and retention of personal information at the point of collection.
There are also restrictions on the collection of certain data, such as state laws restricting the collection of Social Security numbers.
U.S. privacy laws have not adopted the “finality principle” (i.e., that the use and disclosure of information be limited by the purpose for which it was originally collected); instead, companies usually describe their uses and disclosures of personal information collected from consumers in privacy notices. It is important to ensure that the uses of personal information, and the circumstances in which and entities to which it may be disclosed, are described accurately.
A number of laws also restrict the disclosure of specific types of personal information.
U.S. privacy laws have not adopted the principle that the use and disclosure of personal information are limited by the purposes for which it was originally collected (subject to various exceptions)—known in other jurisdictions as the “finality principle.” Instead, companies usually describe their uses and disclosures of personal information collected from consumers in privacy notices.
If an organization would like to use previously collected personal information for a materially different purpose than those set forth in its privacy notice or to disclose it to entities or in circumstances different from what is stated in the privacy notice, the FTC and state attorneys general have said that the organization must first obtain consent to the new practice from the consumer. If an organization does not obtain such consent, then the new practice may be considered a deceptive trade practice under federal and state consumer protection laws. Where a privacy notice is required by law, an organization’s failure to abide by the requirements of the law could give rise to liability.
A number of laws also restrict the disclosure of specific types of personal information. For example, the GLBA and HIPAA require an individual’s consent before making certain disclosures of personal information.
At the state level, the CCPA permits consumers to restrict the sale of their personal information. The CPRA will also provide consumers with the ability to opt out of the sharing of their personal information with third parties for the purpose of “cross-context behavioral advertising.” The VCDPA and CPA provide consumers with similar rights. The CPRA, VCDPA, and the CPA will also limit the ability of covered entities to use personal data beyond purposes disclosed to residents.
Though there is no comprehensive U.S. data security law, a variety of federal and state statutes and regulations impose obligations on businesses to provide security.
In addition, U.S. privacy laws generally do not regulate the retention of personal information directly. However, the CCPA allows California residents to request that businesses delete their personal information (subject to several important exceptions).
The FTC has taken the view that not providing “reasonable” security for consumers’ personal information is an “unfair practice” under the FTCA, and has brought dozens of enforcement actions against companies on that basis. Companies must consult complaints and consent decrees from past cases to try to understand what constitutes reasonable or unreasonable security in the mind of the FTC.
A variety of other federal statutes and regulations impose more specific security obligations on certain data owners and on organizations that process personal information on their behalf. For example, the Safeguards Rule implemented pursuant to the GLBA requires financial institutions to “develop, implement, and maintain a comprehensive information security program” with “administrative, technical, and physical safeguards” to protect the security, confidentiality, and integrity of all nonpublic personal information. COPPA requires operators of commercial websites and online services to maintain the confidentiality, security, and integrity of “personal information” (as defined by the FTC’s implementing regulation) that they collect from children. The Security Rule implemented pursuant to HIPAA prescribes detailed administrative, technical, and physical safeguards for covered entities and their service providers to protect the security, confidentiality, availability, and integrity of electronic protected health information.
A number of state laws also impose general information security standards on companies that maintain personal information. California has enacted legislation requiring businesses to “implement and maintain reasonable security procedures and practices” to protect personal information about California residents from unauthorized access, destruction, use, modification, or disclosure. Cal. Civ. Code § 1798.81.5(b). Massachusetts also requires businesses to develop and maintain a comprehensive written information security program, including specific elements. See Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 Mass. Code Regs. 17.00 et seq. Other states are also increasingly adopting specific data security requirements for personal information.
In addition, U.S. privacy laws generally do not regulate the retention of personal information directly, though there are many records retention laws at the federal and state levels that require companies to retain records (including those that contain personal information) for a specified length of time or restrict the retention of records beyond a certain period. However, at the state level, the CPRA will place limits on a covered entity’s ability to retain personal information. In addition, the CCPA allows California residents to request that businesses delete their personal information (subject to several important exceptions) and the VCDPA and the CPA will afford consumers this right in 2023.
There is no generally applicable law in the United States providing individuals the right to access or correct personal information about them held by a company, though there are specific laws that address access and correction rights, such as the Privacy Act of 1974, HIPAA, COPPA, and FCRA/FACTA. In addition, the CCPA provides residents with the right to request access to the personal information that businesses hold about them, as will the VCDPA and the CPA. The CPRA, the VCDPA, and the CPA will also provide consumers with the right to correct inaccurate personal information.
There is no generally applicable law in the United States providing individuals the right to access or correct personal information about them held by a company, though there are specific laws that address access and correction rights. For example, the Privacy Act of 1974 requires federal agencies to provide individuals, upon request, with access to information about them, subject to certain exceptions, and allow individuals to request amendments to their records.
The Privacy Rule enacted pursuant to HIPAA requires covered entities to provide individuals, upon request, with access to the protected health information (PHI) about them, unless the covered entity has a valid reason to deny such access (e.g., where the PHI is subject to restricted access under other laws, or access to the PHI is reasonably likely to cause substantial harm to another person). A covered entity must either provide the requested access within thirty days of a request or explain its justification for denying access. The Privacy Rule also gives individuals the right to amend their PHI.
COPPA allows parents or legal guardians to access their child’s personal information upon request, and revoke their consent and refuse the further use or collection of personal information from their child, or delete their child’s personal information.
FCRA/FACTA requires credit reporting agencies to provide individuals with the information in their credit files upon request. Individuals may also dispute inaccurate information that appears in a credit report, and inaccurate or unverifiable information must be removed within thirty days of notice of the dispute.
No, U.S. law does not restrict cross-border data transfers.
There is no generally applicable federal breach notification law, but there are a number of targeted breach notification laws at both the federal and state levels, including:
HIPAA and the HITECH Act
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the FTC apply to vendors of personal health records and third-party service providers pursuant to the Health Information Technology for Economic and Clinical Health Act ("HITECH Act").
GLBA and Federal Interagency Guidance
Several federal banking regulators—the Office of the Comptroller of the Currency, Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of Thrift Supervision—issued Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice in 2005, interpreting the Safeguards Rule implemented pursuant to the GLBA to require financial institutions to develop and implement a response program designed to address incidents of unauthorized access to customer information processed in systems the institutions or their service providers use to access, collect, store, use, transmit, protect, or dispose of the information. The Guidance also contains breach notification requirements.
State Breach Notification Laws
All 50 states and four territories (Washington, D.C., Puerto Rico, U.S. Virgin Islands, and Guam) have enacted breach notification laws requiring data owners to notify affected individuals and (in some cases) regulators in the event of unauthorized access to or acquisition of their personal information. Although some state breach laws require notification only if there is a reasonable likelihood that the breach will result in harm to affected individuals, other jurisdictions require notification of any incident that meets their definition of a breach.
There is no single authority in the United States that regulates privacy law. At the federal level, the regulatory authority responsible for oversight varies based on the applicable law or regulation. The FTC is the primary federal privacy regulator and may bring privacy enforcement actions pursuant to section 5 of the FTCA to address a wide range of alleged violations by entities whose information practices have been deemed “deceptive” or “unfair.” These enforcement actions typically result in consent decrees that prohibit companies from future misconduct and often require biennial audits for up to twenty years. The FTC may also impose a fine on businesses that violate a consent decree.
In the financial services context, various financial services and state insurance regulators have adopted standards pursuant to the GLBA regulating the collection, use, and disclosure of non-public personal information. In the healthcare context, the Department of Health and Human Services is responsible for the enforcement of HIPAA against covered entities.
At the state level, attorneys general may bring enforcement actions for unfair or deceptive trade practices and enforce violations of specific state privacy laws. In California, in particular, the CPRA created a new privacy regulator called the California Privacy Protection Board to enforce the statute and the CCPA. The VCDPA will be exclusively enforced by the Virginia Attorney General while the CPA will be exclusively enforced by the Colorado Attorney General and Colorado district attorneys. Some state privacy laws also allow individuals to sue for damages when violations occur.
Violations of federal and state privacy laws generally can lead to injunctions and civil penalties, though several laws directed at surveillance activities and computer crimes also impose criminal sanctions. Violations of the ECPA or the Computer Fraud and Abuse Act ("CFAA") can lead to both civil liability and criminal sanctions. Many states have also enacted surveillance laws that provide for both civil liability and criminal sanctions in the case of a violation. Outside of the surveillance and computer crime context, the U.S. Department of Justice has the authority to criminally prosecute serious HIPAA violations.
Privacy breaches have also led to civil lawsuits against breached companies by individuals or other entities affected by the breach, with varying degrees of success. The CCPA expressly provides California residents a private right of action for data breaches.
Several U.S. laws target electronic marketing, including commercial email, telemarketing, text message marketing, and fax marketing.
Commercial email is regulated at the federal level by CAN-SPAM, which generally preempts state anti-spam laws.
The TCPA and the Telemarketing and Consumer Fraud and Abuse Prevention Act, as well as regulations implemented by the FTC and the Federal Communications Commission ("FCC"), regulate telemarketing. There are also state laws regulating telemarketing activities.
Text message marketing is regulated primarily by the TCPA and regulations implemented by the FCC, while fax marketing is regulated by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state laws.
In 2021, the U.S. Supreme Court significantly narrowed the scope of a portion of the TCPA restricting the use of auto-dialer equipment to place calls and text messages. In the aftermath of the Supreme Court’s decision, Florida adopted a mini-TCPA law and other states are considering taking similar action.
The California Consumer Privacy Act ("CCPA"), which took effect on January 1, 2020, establishes new rights on the part of California residents to control their personal information by requesting that companies disclose what personal information they collect, and for what purpose, and what types of entities they share the information with. The CCPA also gives California residents the right to request that companies delete their personal information (subject to important exceptions), and also that companies do not sell their personal information.
Note: The CCPA took effect on January 1, 2020. In addition to the rights described above, which are currently enforceable by the state attorney general, the CCPA also creates a private right of action that allows California residents to sue businesses, and obtain statutory damages, when a lack of adequate security leads to a breach of certain types of personal information. In November 2020, California voters passed the CPRA as part of a ballot initiative that amends the CCPA as described above. The substantive rights created by the CPRA will not become effective until January 1, 2023, and will only apply to information collected on or after January 1, 2022. In addition, as noted above, the CPRA creates a new California Privacy Protection Board which will be responsible for enforcing the CCPA and for rulemaking.
The CCPA and CPRA have led other states to adopt similar legislation. As mentioned, Virginia recently adopted the VCDPA and Colorado recently adopted the CPA, which are substantively similar to the CCPA and CPRA. The VCDPA will come into effect on January 1, 2023, and the CPA will come into effect on July 1, 2023. Similar legislation is being considered in a number of additional states.