Global Data Privacy Guide

USA, Wisconsin

(United States) Firm: Michael Best & Friedrich LLP. Updated 20 Jun 2022
What is the key legislation?

The United States has a sectoral approach to privacy protection. There is no overarching privacy law; rather, legislation has evolved around different economic sectors or areas of concern.

Medical Privacy
- Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations (the Privacy and Security Rules)
- Health Information Technology for Economic and Clinical Health Act ("HITECH")
- Food and Drug Administration ("FDA")
- Federal Policy for the Protection of Human Subjects (the Common Rule)

Financial Privacy
- Gramm-Leach-Bliley Act ("GLBA")
- Fair Credit Reporting Act ("FCRA"), amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") and the Red Flag Program Clarification Act of 2010
- Federal Trade Commission Red Flags Rule
- Dodd-Frank Wall Street Reform and Consumer Protection Act

Consumer Privacy
- Federal Trade Commission Act, Section 5
- Effective January 1, 2023: California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"), which amends and expands the CCPA; Virginia Consumer Data Protection Act ("VCDPA")
- Effective July 2023: the Colorado Privacy Act ("CPA") and the Connecticut Data Privacy Act ("CTDPA")
- Effective December 2023: the Utah Consumer Privacy Act ("UCPA")
- Controlling the Assault on Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM")
- Telephone Consumer Protection Act of 1991 ("TCPA")
- Junk Fax Prevention Act of 2005
- Telemarketing and Consumer Fraud and Abuse Prevention Act
- Fair Debt Collection Practices Act
- Do Not Call Implementation Act
- State Deceptive Trade Practices Acts

Education Privacy
- Family Educational Rights and Privacy Act ("FERPA")

Privacy in the Workplace
- National Labor Relations Act and other federal statutes as well as state laws

U.S. Government
- The Privacy Act of 1974
- Computer Matching and Privacy Protection Act of 1988
- E-Government Act of 2002

Children’s Privacy
- Children’s Online Privacy Protection Act of 1998 ("COPPA")

Online Privacy
- California’s Online Privacy Protection Act ("CalOPPA")

Biometric Privacy
- Illinois Biometric Information Privacy Act ("BIPA")
- Texas Business Code 503.001
- Washington 19.375 RCW

Other Privacy Acts
- Electronic Communications Privacy Act of 1986 ("ECPA")
- Stored Communications Act ("SCA")
- Foreign Intelligence Surveillance Act of 1978 ("FISA"), as amended
- California Shine the Light law
- NYDFS Cybersecurity Regulation
What data is protected?

The data protected depends on the legislation.

HIPAA protects protected health information ("PHI"). Protected health information is health information (other than employment records that are not maintained on behalf of a health plan) that identifies (or could be used to identify) the individual, is created, received, maintained, or transmitted by a health care provider, health plan, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Such information is so broadly defined that 18 types of identifying information must be removed before it is considered "de-identified" and, therefore, no longer protected health information under the HIPAA safe harbor de-identification standard. The HIPAA Privacy Rule also establishes conditions for the use or disclosure of PHI for research purposes and how individuals will be informed of such uses and disclosures. The Federal Policy for the Protection of Human Subjects, known as the "Common Rule", was published in 1991 and codified in separate regulations by federal departments and agencies. The FDA has human subject protection regulations that are separate from, but similar and (to the extent possible) compatible with, the Privacy Rule’s research provisions.

GLBA protects nonpublic personal information ("NPPI"), which is personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.

FCRA provides protections relating to consumer reports. A Consumer Report is a communication by a Consumer Reporting Agency pertaining to a consumer’s (1) creditworthiness, (2) credit standing, (3) credit capacity, (4) character, (5) general reputation, (6) personal characteristics, or (7) mode of living that is used or expected to be used, in whole or in part, as a factor in establishing the consumer’s eligibility for credit, insurance, employment, or any other permissible purpose under the FCRA. A Consumer Reporting Agency is any person or organization that assembles or evaluates information about consumers for the purpose of furnishing consumer reports to third parties for a fee.

FACTA amended the FCRA with provisions to improve the accuracy of credit-related records and gives consumers the right to one free credit report per year from the credit reporting agencies. It also created the Disposal Rule, which requires any individual or entity using a consumer report, or information derived from one, to dispose of that information in a way that prevents unauthorized access to and misuse of the data. The Red Flags Rule promulgated under FACTA addresses identity theft, allowing consumers to place fraud alerts in their credit files. Certain provisions relating to data security were amended by the Red Flag Program Clarification Act of 2010. FACTA also promulgated the Affiliate Marketing Rule.

Dodd-Frank created the Consumer Financial Protection Bureau ("CFPB") to oversee the relationship between consumers and financial product and service providers; among other things, it gives the CFPB authority to enforce against "abusive acts and practices" relating to consumer financial products or practices.

The FTC Act protects against unfair and deceptive practices in commerce (it does not apply to banks and other federally regulated financial institutions, common carriers, or the communications industry).

FERPA protects education records, which include all records that are directly related to the student and maintained by the school or on the school’s behalf.

COPPA protects the collection and use of children’s information by commercial website operators.

CalOPPA was the first state law to require website owners and operators that collect personally identifiable information from California residents to conspicuously post a privacy notice that identifies the categories of personally identifiable information collected and the third parties with whom that information is shared, describes the process by which consumers may review and request changes to their personally identifiable information (if such a process exists), and describes the process by which material changes to the privacy policy are made, along with the policy’s effective date. CalOPPA had national implications because of the borderless nature of the internet.

The ECPA protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. Title I of the ECPA, known as the "Wiretap Act", prohibits the intentional actual or attempted interception, use, disclosure, or procurement of any other person to intercept or endeavor to intercept any wire, oral, or electronic communication. The SCA, which is Title II of the ECPA, protects against unauthorized acquisition, alteration, or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided. FISA provides standards and procedures for the use of electronic surveillance to collect foreign intelligence within the United States.

The NYDFS Cybersecurity Regulation imposes cybersecurity rules on covered financial organizations to protect customer information and requires them, among other things, to conduct regular security risk assessments, maintain cybersecurity policies and procedures, and make annual certifications of compliance to the New York Department of Financial Services.
Who is subject to privacy obligations?

It depends on the legislation.

HIPAA applies to covered entities (defined as a health plan, a health care clearinghouse, and a health care provider who transmits health information in electronic form in connection with a standard transaction) and to business associates of covered entities. A business associate is a person (or entity) that creates, receives, maintains, or transmits protected health information for a function or activity of the covered entity, including the provision of legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services to or for such covered entity. A covered entity can be the business associate of another covered entity.

GLBA applies to Financial Institutions, which are entities that are "significantly engaged" in financial activities. Financial Institutions broadly include banks, credit unions, securities firms, insurance companies, check cashing services, credit counselors, and several other types of entities.

CCPA applies to any for-profit entity doing business in California that meets one of the following requirements:

FCRA applies to:

FACTA applies to financial institutions and creditors. FERPA applies to educational institutions that receive federal funding. COPPA applies to operators of commercial websites and online services directed to children under 13 years old, and to general audience websites and online services that know they are collecting personal information from children under 13 years old. FISA orders target parties for surveillance where foreign intelligence gathering is a significant purpose of the investigation and where there is probable cause that the party to be monitored is a foreign power or an agent of a foreign power; FISA also provides immunity to telephone companies. Other acts apply to those individuals, entities, or institutions collecting, having access to, storing, or disclosing the type of data or information governed by the relevant laws and regulations, or engaging in acts governed by them. The NYDFS Cybersecurity Regulation applies to any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, the Insurance Law, or the Financial Services Law.
What are the principles applicable to personal data processing?

The collection of data generally is not regulated. However, COPPA does regulate the collection of data belonging to children under 13 years of age. COPPA requires website operators and providers of online services directed at children under 13 years old to:
How is the processing of personal data regulated?

It depends on the legislation.

HIPAA prohibits the use or disclosure of protected health information without an individual’s authorization, except in limited circumstances. HIPAA permits disclosure without authorization where the use is for treatment, payment, and health care operations, and for various other public policy-related purposes.

All of the recently enacted, effective, and/or pending state consumer data privacy laws (including the CCPA/CPRA, the CPA, the CTDPA, the UCPA, and the VCDPA) generally require covered businesses to inform residents of their state about the categories of personal information collected and the business purposes for which their personal information is used. If a business sells and/or shares personal information with third parties, the consumer’s rights (e.g., to opt out of the sale) and the methods to exercise those rights must also be provided.

GLBA requires financial institutions to provide initial and annual privacy notices to their customers that describe their privacy practices, including the information they collect and with whom they share it. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt out" if they do not want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.

FCRA restricts the use of consumer reports to only the following Permissible Purposes:

If using a consumer report for employment purposes, an employer or potential employer must obtain the consumer’s prior written authorization and provide a clear and conspicuous written notification to the consumer before obtaining the report, in a document consisting solely of the disclosure that a consumer report may be obtained by the employer.

FACTA: The Affiliate Marketing Rule prohibits a person from using consumer "eligibility information" received from an affiliate for marketing purposes, unless:

COPPA requires that a privacy notice be available via links on the website home page and on any other page where personal information of children under 13 years old is collected. The privacy notice must disclose:

CalOPPA requires website owners and operators that collect personally identifiable information from California residents to conspicuously post a privacy notice that identifies the categories of personally identifiable information collected and the third parties with whom that information is shared, describes the process by which consumers may review and request changes to their personally identifiable information (if such a process exists), and describes the process by which material changes to the privacy policy are made, along with the policy’s effective date.
How are storage, security and retention of personal data regulated?

It depends on the legislation.

HIPAA requires covered entities and business associates to create and monitor administrative, physical, and technical safeguards for protected health information, to protect the security, confidentiality, and integrity of the information and to protect against threats to security or unauthorized uses or disclosures of the protected health information. Certain safeguards are mandatory, and failure to implement them is treated as a violation of HIPAA regardless of whether any information has actually been breached. Other safeguards must be appropriate to the size and complexity of the business and the nature and scope of its activities; however, documentation of the implementation (or of the decision not to implement) must be maintained. Similarly, records of the covered entity’s (and business associates’) protocols, policies, and disclosure, use, and breach of protected health information must be maintained for 6 years following implementation.

Unlike the new laws in Colorado, Virginia, Utah, and Connecticut, the CCPA establishes a private right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk. The new laws that will take effect in Colorado, Virginia, Utah, and Connecticut each require Controllers to "establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue".

GLBA: The Safeguards Rule requires financial institutions to maintain security controls to protect the confidentiality and integrity of nonpublic personal information. It requires the development and implementation of an information security program that contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of a financial institution’s customer information. Safeguards must be appropriate to the size and complexity of the business and the nature and scope of its activities.

COPPA requires website operators and providers of online services directed at children under 13 years old to:
What are the data subjects' rights?

It depends on the legislation.

HIPAA provides individuals a right to access their protected health information. Access includes the right to inspect or obtain a copy of the protected health information. Access must be provided no later than 30 days following the individual’s request (the government strongly encourages faster responses). Certain information can be excluded from the right of access, including psychotherapy notes and information compiled for use in a civil, criminal, or administrative action or proceeding. If an individual requests an electronic copy of protected health information that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested format so long as it is readily producible in that format. A reasonable, cost-based fee can be charged for copies; however, the fee that can be charged is restricted and may not include the cost of retrieving the protected health information. In addition, an individual can request an accounting of disclosures of his/her protected health information. Such an accounting must be provided within 60 days of receipt of the request. The first accounting in a 12-month period must be free; thereafter, a cost-based fee may be imposed. HIPAA also provides individuals the right to request an amendment to, or a restriction of, their protected health information. The covered entity must act on the request within 60 days of receipt (there is a limited right to extend this deadline). The covered entity must advise the individual of the approval or denial of the request. If an amendment request is denied, the individual has an opportunity to rebut the covered entity’s decision; a record of the denial and rebuttal must be appended to the protected health information in question, and all such information must be included in later disclosures of that protected health information. Civil money penalties may be imposed for denying patients access to medical records.

The CCPA/CPRA, the CPA, the CTDPA, the UCPA, and the VCDPA each provide consumers with a right to request disclosure of their personal information and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.

FCRA requires users of consumer reports to provide consumers with access to their consumer reports and an opportunity to dispute them or correct any errors. If a user takes any adverse action against a consumer based on a consumer report, the user must notify the consumer. Consumers are entitled to a free annual credit report from each of the three national consumer credit agencies.

COPPA requires website operators and providers of online services directed at children under 13 years old to:
Are there restrictions on cross-border data transfers?

No.
Are there any notification requirements for data breaches?

Yes. The specifics depend on the legislation.

HIPAA/HITECH requires affected individuals to be notified of a breach without unreasonable delay and no later than 60 calendar days following the date the breach is discovered. Discovery is nuanced: it means the date anyone in the organization discovered the issue, not the date it was reported to the privacy or security officer. Notice must also be provided to the Office of Civil Rights. The timing of that notice depends upon the number of individuals affected. If fewer than 500 individuals are affected, notice must be given within 60 calendar days of the end of the year in which the breach occurred. If 500 or more individuals are affected, the covered entity must provide notice without unreasonable delay and no later than 60 calendar days following discovery. Further, if 500 or more individuals are affected by the breach, the press must also be notified. Certain breach notification requirements are enforced by the FTC through the Health Breach Notification Rule, which applies to certain businesses not covered by HIPAA: a vendor of personal health records ("PHRs"), a PHR-related entity, or a third-party service provider for a vendor of PHRs or a PHR-related entity.

State Notification Laws: All states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws, which generally have provisions regarding who must comply (e.g., businesses, data/information brokers, government entities, etc.); definitions of "personal information" (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); exemptions (e.g., for encrypted information); and varying requirements to notify regulators.
Who is the privacy regulator?

It depends on the legislation.

HIPAA is generally regulated by the Office of Civil Rights, an agency under the U.S. Department of Health and Human Services. However, provisions of HIPAA also fall under the Internal Revenue Service and the Department of Labor, which have the ability to identify issues on an audit. Similarly, state attorneys general have the power to bring an action for a violation of HIPAA.

GLBA is regulated by the various prudential regulators for each financial institution: the Federal Deposit Insurance Corporation ("FDIC") for banks; the National Credit Union Administration ("NCUA") for credit unions; the Securities and Exchange Commission ("SEC") for securities firms and broker-dealers; and the CFPB for non-depository financial institutions and depository institutions with more than USD $10 billion in assets. The Federal Trade Commission ("FTC") also has certain enforcement authority.

FCRA: The CFPB has rulemaking authority for FCRA. FCRA is regulated by the various prudential regulators for each financial institution: the FDIC for banks; the NCUA for credit unions; the CFPB, which has enforcement authority over non-depository institutions and depository institutions with more than USD $10 billion in assets; the FTC and CFPB, which share enforcement authority over those entities that do not have a specific federal financial regulator; state attorneys general, which enforce FCRA for insurance companies along with the FTC; and the SEC, which enforces for securities firms and broker-dealers. The CFPB has rulemaking authority for FACTA, but the FTC retained responsibility after Dodd-Frank for the "red flag" and "disposal" data security rules and for rulemaking under FACTA relating to certain motor vehicle dealers.

The FTC Act is regulated and enforced by the FTC. COPPA is regulated by the FTC. CCPA, CalOPPA, and California Shine the Light are regulated by the California Attorney General. The state consumer data privacy laws in Colorado and Connecticut provide for the Attorney General to enforce their state laws and allow the company in question 60 days to cure an alleged violation. Virginia, Utah, and California allow only 30 days to cure an alleged violation. The State Data Breach Notification laws are regulated by each state’s respective attorney general.
What are the consequences of a privacy breach?

It depends on the legislation.

HIPAA: There are notice requirements, and, depending upon the level of culpability (ranging from "did not know" to willful neglect), penalties imposed by the government can currently range from USD $110 to in excess of USD $55,010 per violation (with a cap of USD $1,650,300 for all violations of an identical provision in a calendar year). In addition, the notice requirements described above under data breach notification apply. The state attorneys general also have the ability to pursue a HIPAA breach. There is no private right of action under HIPAA, but a breach may trigger rights under a state privacy law. HIPAA also provides for criminal penalties; the Department of Justice is responsible for criminal prosecutions. Certain breach notification requirements are enforced by the FTC through the Health Breach Notification Rule, applicable to certain businesses not covered by HIPAA.

California requires the provision of 1 year of free credit monitoring; some states provide penalties from USD $100-$500.000. CCPA provides a private right of action for California residents impacted by a data breach that resulted from a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. It provides for statutory damages of between USD $100-$750 or actual damages, whichever is greater.

In Connecticut, a violation of the CTDPA is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act. As such, entities may face civil penalties of up to $5,000 per willful violation. The penalties imposed under the CTDPA are roughly in line with the other states’ consumer data privacy laws. For example, California’s CPRA imposes a civil penalty of $2,500 for each violation or $7,500 for each intentional violation, while Utah’s UCPA provides for actual damages to the consumer and up to $7,500 per violation in civil penalties. Similarly, Virginia’s VCDPA imposes civil penalties of up to $7,500 for each violation. Colorado’s CPA does not specify penalty amounts, but civil penalties could be up to $20,000 for each violation, with a maximum penalty of $500,000 for any related series of violations.
How is electronic marketing regulated?

Marketing is regulated by various laws, generally based on the medium, e.g. email or telephone.

HIPAA: Without individual authorization, entities subject to HIPAA are prohibited from using protected health information to engage in marketing activities. For this purpose, "marketing" means making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. The HIPAA Privacy Rule carves out exceptions to the definition of marketing for communications (i) made to describe health-related products or services, or the payment for such products or services, provided by or included in a plan of benefits; (ii) made for the treatment of an individual; and (iii) made for case management and care coordination of an individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.

The Controlling the Assault on Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM") regulates anyone who advertises products or services by electronic mail directed to or originating from the United States, and provides a mechanism for sending such emails. CAN-SPAM, among other things:

The Telephone Consumer Protection Act of 1991 ("TCPA") regulates telemarketing and other types of messaging from businesses to consumers via telephone calls, facsimile, text, and otherwise, using an automatic telephone dialing system or an artificial or prerecorded voice. Also prohibited are such communications to emergency lines, hospitals, and other health care facilities, among other specified restrictions. Various types of consent, depending upon the circumstances, are required to exempt such communications from the scope of the TCPA. The FTC and the Federal Communications Commission ("FCC") have certain overlapping responsibilities with respect to the TCPA. In addition, the Junk Fax Prevention Act of 2005 regulates faxes; the Telemarketing and Consumer Fraud and Abuse Prevention Act and the Telemarketing Sales Rule, including the Do Not Call Registry promulgated thereunder, regulate telemarketing. California Shine the Light requires a business to disclose certain types of consumer information that it has shared with third parties for the direct marketing purposes of those third parties.
Are there any recent developments or expected reforms?

Privacy and data security laws are constantly evolving.

HIPAA: The Office of Civil Rights is currently engaged in "Phase II" to improve its auditing standards and to target the areas that should be a focus for the agency as it monitors HIPAA compliance among covered entities and business associates. Cybersecurity continues to be an area of focus, including the inherent tension between government access to information and privacy, and cybersecurity in the context of the Internet of Things ("IoT").

California Privacy Rights Act: The CPRA amends and expands the CCPA, is set to take effect on January 1, 2023, with an enforcement date of July 1, 2023, and will apply to businesses outside of California, including in Wisconsin. The CPRA applies to an entity that does business in California and meets one of the below thresholds:

CPRA introduces prohibitions and limitations on the "sharing" of personal information. "Sharing" is defined broadly to mean "sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged." CPRA also contains data minimization, purpose limitation, and storage limitation requirements. CPRA establishes a new regulatory authority, the California Privacy Protection Agency ("CPPA"), which has investigative, enforcement, and rulemaking powers.
Global Data Privacy Guide
The United States has a sectoral approach to privacy protection. There is no overarching privacy law, rather, legislation has evolved around different economic sectors or areas of concern.
Medical Privacy
- Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations (the Privacy and Security Rules)
- Health Information Technology for Economical and Clinical Health Act ("HITECH")
- Food and Drug Administration ("FDA")
Federal Policy for the Protection of Human Subjects (the Common Rule) Financial Privacy
- Gramm-Leach-Bliley Act ("GLBA")
- Fair Credit Reporting Act ("FCRA"), amended by the Fair and Accurate Credit Transactions Act of 2003 ("FACTA") and Red Flag Program Clarification Act of 2010
- Federal Trade Commission Red Flags Rule
- Dodd-Frank Wall Street Reform and Consumer Protection Act
Consumer Privacy
- Federal Trade Commission Act, Section 5
-
Effective Date January 1, 2023: California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") which amends and expands the CCPA; Virginia Consumer Data Protection Act ("CPDA")
-
Effective July 2023: the Colorado Privacy Act ("CPA") and the Connecticut Data Privacy Act ("CTDPA")
-
Effective December 2023: the Utah Consumer Privacy Act (“UCPA”)
- Controlling the Assault on Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM")
- Telephone Consumer Protection Act of 1991 ("TCPA")
- Junk Fax Prevention Act of 2005
- Telemarketing and Consumer Fraud and Abuse Prevention Act
- Fair Debt Collection Practices Act
- Do Not Call Implementation Act
- State Deceptive Trade Practices Acts Education Privacy
- Family Educational Rights and Privacy Act ("FERPA")
Privacy in the Workplace
- National Labor Relations Act and other federal statutes as well as state laws
U.S. Government
- The Privacy Act of 1974
- Computer Matching and Privacy Protection Act of 1988
- E-Government Act of 2002
Children’s Privacy
- Children’s Online Privacy Protection Act of 1998 ("COPPA")
Online Privacy
- California’s Online Privacy Protection Act ("CalOPPA")
Biometric Privacy
- Illinois Biometric Information Privacy Act ("BIPA")
- Texas Business Code 503.001
- Washington 19.375 RCW
Other Privacy Acts
- Electronic Communications Privacy Act of 1986
- Stored Communications Act ("SCA")
- Foreign Intelligence Surveillance Act of 1978 ("FISA"), as amended
- California Shine the Light law
- NYDFS Cybersecurity Regulation
The data protected depends on the legislation.
HIPAA protects protected health information ("PHI"). Protected health information is health information (other than employment records that are not maintained on behalf of a health plan) that identifies (or could be used to identify) the individual and is created, received, maintained, or transmitted by a health care provider, health plan, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual. Such information is so broadly defined that 18 types of identifying information must be removed before such information is considered “de-identified” and, therefore, no longer considered protected health information under the HIPAA safe harbor de-identification standard. The HIPAA Privacy Rule also establishes conditions for use or disclosure of PHI for research purposes and how individuals will be informed of such uses and disclosures. The Federal Policy for the Protection of Human Subjects, known as the “Common Rule” was published in 1991 and codified in separate regulations by federal departments and agencies. The FDA has human subject protection regulations that are separate from, but similar and compatible to the extent possible to, the Privacy Rule’s research provisions.
GLBA protects nonpublic personal information ("NPPI"), which is personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.
FCRA provides protections relating to consumer reports. Consumer Report is a communication by a Consumer Reporting Agency pertaining to a consumer’s: (1) creditworthiness; (2) credit standing; (3) credit capacity; (4) character; (5) general reputation; (6) personal characteristics; or (7) mode of living that is used or expected to be used in whole or in part for the purpose of serving as factors in establishing the consumer’s eligibility for credit or insurance, employment, or any other permissible purpose under the FCRA. Consumer Reporting Agency is any person or organization that assembles or evaluates information about consumers for the purpose of furnishing consumer reports to third parties for a fee.
FACTA amended the FCRA with provisions to improve the accuracy of credit-related records and provides consumers the right to one free credit report per year from the credit reporting agencies. It also created the Disposal Rule, which requires any individual or entity using a consumer report or information derived therefrom to dispose of that information in a way that prevents unauthorized access and misuse of that data. The Red Flags Rule promulgated under FACTA addressed identity theft, allowing consumers to place fraud alerts in their credit files. Certain provisions relating to data security were amended by the Red Flag Program Clarification Act of 2010. FACTA also promulgated the Affiliate Marketing Rule.
Dodd-Frank created the Consumer Financial Protection Bureau ("CFPB") to oversee the relationship between consumers and financial product and service providers; among other things, it provides the CFPB with authority to enforce against “abusive acts and practices” relating to consumer financial products or practices.
FTC Act protects against unfair and deceptive practices in commerce (does not apply to banks and other federally regulated financial institutions, common carriers, or communications industries).
FERPA protects education records, which includes all records that are directly related to the student and maintained by the school or on the school’s behalf.
COPPA protects the collection and use of children’s information by commercial website operators.
CalOppa was the first state law to require website owners and operators that collect personally identifiable information from California residents to conspicuously post a privacy notice that identifies categories of personally identifiable information collected and the third parties with whom that information is shared, describes the process by which consumers review and request changes to their personally identifiable information, if such a process exists, and the process by which material changes to the privacy policy are made along with the policy’s effective date; CalOppa had national implications because of the borderless nature of the internet.
The ECPA protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers. ECPA Title I, known as the "Wiretap Act", prohibits the intentional actual or attempted interception, use, disclosure, or procurement of any person to intercept or endeavor to intercept any wire, oral, or electronic communication.
SCA, which is Title II of the ECPA, protects against unauthorized acquisition, alteration, or blocking of electronic communications while in electronic storage in a facility through which an electronic communications service is provided.
FISA provides standards and procedures for use of electronic surveillance to collect foreign intelligence within the United States.
The NYDFS Cybersecurity Regulation imposes cybersecurity rules on covered financial organizations to protect customer information and requires them, among other things, to conduct regular security risk assessments, maintain policies and procedures for cybersecurity, and make annual certifications of compliance to the New York Department of Financial Services.
It depends on the legislation.
HIPAA applies to covered entities (defined as a health plan, a health care clearinghouse, and a health care provider who transmits health information in an electronic form in connection with a standard transaction) and to business associates of covered entities. A business associate is a person (or entity) that creates, receives, maintains or transmits protected health information for a function or activity of the covered entity, including the provision of legal, actuarial, accounting, consulting, data aggregation, management, administration, accreditation, or financial services to or for such covered entity. A covered entity can be the business associate of another covered entity.
GLBA applies to Financial Institutions which are entities that are “significantly engaged” in financial activities. Financial Institutions broadly include banks, credit unions, securities firms, insurance companies, check cashing services, credit counselors, and several other types of entities.
CCPA applies to any for-profit entity doing business in California that meets one of the following requirements:
- Has a gross revenue greater than USD $25 million;
- Annually buys, receives, sells, or shares the personal information of more than 50,000 consumers, households, or devices for commercial purposes (this will increase to 100,000 consumers, households under the CPRA); or
- Derives 50% or more of its annual revenues from selling consumers’ personal information (CPRA will add revenues from sharing personal information).
VCDPA applies to any for-profit entity operating in Virginia that meets the following requirements:
- Does business in Virginia OR produces products or services targeted to Virginia residents; and
- Meets either of the following:
  - Processes data of 100,000 or more consumers; OR
  - Processes data of 25,000 or more consumers and derives at least 50% of revenue from sale of data.
The CPA applies to a for-profit company that does business in Colorado that meets the following requirements:
- Produces or delivers commercial products OR services intentionally targeted to Colorado residents; and
- Meets either of the following:
  - Processes data of 100,000 or more consumers; OR
  - Processes data of 25,000 or more consumers and derives revenue or receives a discount from sale of data.
The UCPA applies to a company doing business in Utah that meets the following requirements:
- Produces or delivers commercial products OR services intentionally targeted to Colorado residents; and
- Meets either of the following:
  - Processes data of 100,000 or more consumers; OR
  - Processes data of 25,000 or more consumers and derives at least 50% of revenue or receives a discount from sale of data.
The CTDPA applies to a company doing business in Connecticut that meets the following requirements: conducts business in Connecticut OR produces products or services targeted to Connecticut residents and that, during the preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.
FCRA applies to:
- Consumer Reporting Agency: any person or organization that assembles or evaluates information about consumers for the purpose of furnishing consumer reports to third parties for a fee.
- Reseller: a Consumer Reporting Agency that assembles and merges information contained in the database of another consumer reporting agency or multiple consumer reporting agencies concerning any consumer for purposes of furnishing such information to any third party, and does not maintain a database of the assembled or merged information from which new consumer reports are produced.
- Furnisher: an entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report.
FACTA applies to financial institutions and creditors.
FERPA applies to educational institutions that receive federal funding.
COPPA applies to operators of commercial websites and online services directed to children under 13 years old and general audience websites and online services that know that they are collecting personal information from children under 13 years old.
FISA orders target parties for surveillance where foreign intelligence gathering is a significant purpose of the investigation and where there is probable cause that the party to be monitored is a foreign power or an agent of a foreign power; provides immunity to telephone companies.
Other acts apply to those individuals, entities or institutions collecting, with access to, storing or disclosing the type of data or information governed by the laws and regulations or engaging in acts governed by such laws and regulations.
The NYDFS Cybersecurity Regulation applies to any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, the Insurance Law or the Financial Services Law.
The collection of data generally is not regulated. However, COPPA does regulate the collection of data belonging to children under 13 years of age.
COPPA requires website operators and providers of online services directed at children under 13 years old to:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children; and
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents).
It depends on the legislation.
HIPAA prohibits the use or disclosure of protected health information without an individual’s authorization, except in limited circumstances. HIPAA permits disclosure without authorization where the use is for treatment, payment, and health care operations and for other various public policy-related purposes.
All of the recently enacted, effective and/or pending state consumer data privacy laws (including the CCPA/CPRA, the CPA, the CTDPA, the UCPA and the VCDPA) generally require covered businesses to inform residents of their state about the personal information categories collected and the business purposes for which their personal information is used. If a business sells and/or shares personal information to third parties, the rights of the consumer (e.g., to opt-out of the sale) and methods to exercise such rights must also be provided.
GLBA requires financial institutions to provide initial and annual privacy notices to their customers that describe their privacy practices, including the information they collect and with whom they share it. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to "opt-out" if they don't want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
FCRA restricts the use of consumer reports for only the following Permissible Purposes:
- As ordered by a court or federal grand jury subpoena
- As instructed by the consumer in writing (written consent)
- For extension of credit as a result of an application from a consumer or the review or collection of a consumer’s account
- For underwriting insurance as a result of an application from a consumer
- For employment purposes, including hiring and promotion decisions, where the consumer has given written permission
- Where there is a legitimate business need in connection with a business transaction initiated by the consumer
- To review a consumer’s account to determine whether the consumer continues to meet the terms of the account
- To determine a consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status
- For use by a potential investor or servicer, or current insurer, in a valuation or assessment of the credit or prepayment risks associated with an existing credit obligation
- For use by state and local officials in connection with the determination of child support payments, or modifications and enforcement thereof
- To make prescreened unsolicited firm offers of credit or insurance
If using a consumer report for employment purposes, an employer or potential employer must obtain prior written consumer authorization and make a clear and conspicuous written notification to the consumer before obtaining the report in a document consisting solely of the disclosure that a consumer report may be obtained by the employer.
FACTA: The Affiliate Marketing Rule prohibits a person from using consumer “eligibility information” received from an affiliate for marketing purposes, unless:
- the consumer is first given a clear, conspicuous, and concise written notice explaining that eligibility information about that consumer received from an affiliate may be used for marketing purposes;
- the consumer is first given a reasonable opportunity and a reasonable and simple method to “opt-out,” or prohibit the use of the eligibility information for marketing purposes; and
- the consumer has not opted out.
COPPA requires that a privacy notice must be available via links on the website home page and any other page where personal information of children under 13 years old is collected. The privacy notice must disclose:
- The name, address, telephone number, and email address of all operators collecting or maintaining personal information through the site or service (or, after listing all such operators, provide the contact information for one that will handle all inquiries from parents);
- A description of what information the operator collects from children, including whether the operator enables children to make their personal information publicly available, how the operator uses such information, and the operator’s disclosure practices for such information; and
- That the parent can review or have deleted the child’s personal information and refuse to permit its further collection or use, and state the procedures for doing so.
CalOppa requires website owners and operators that collect personally identifiable information from California residents to conspicuously post a privacy notice that identifies categories of personally identifiable information collected and the third parties with whom that information is shared, describes the process by which consumers review and request changes to their personally identifiable information, if such a process exists, and the process by which material changes to the privacy policy are made along with the policy’s effective date.
It depends on the legislation.
HIPAA requires covered entities and business associates to create and monitor administrative, physical and technical safeguards on protected health information to protect the security, confidentiality, and integrity of the information and to protect against threats to security or unauthorized uses or disclosures of the protected health information. Certain safeguards are mandatory, and failure to implement them is viewed as a violation of HIPAA (regardless of whether information has been breached). Other safeguards must be appropriate to the size and complexity of the business and the nature and scope of its activities; however, documentation of the implementation (or the decision not to implement) must be maintained. Similarly, records of the covered entity’s (and business associates’) protocols, policies, and disclosures, uses, and breaches of protected health information must be maintained for 6 years following implementation.
Unlike the new laws in Colorado, Virginia, Utah and Connecticut, the CCPA establishes a private right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk. The new laws that will take effect in the states of Colorado, Virginia, Utah and Connecticut each require Controllers to “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue”.
GLBA: Safeguards Rule requires financial institutions to maintain security controls to protect the confidentiality and integrity of nonpublic personal information. It requires the development and implementation of an information security program that contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of a financial institution’s customer information. Safeguards must be appropriate to the size and complexity of the business and the nature and scope of its activities.
COPPA requires website operators and providers of online services directed at children under 13 years old to:
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
It depends on the legislation.
HIPAA provides individuals a right to access their protected health information. Access includes the right to inspect or obtain a copy of the protected health information. Access must be provided no later than 30 days following the individual’s request (the government strongly encourages faster response). Certain information can be excluded from the right of access, including psychotherapy notes and information compiled for use in a civil, criminal, or administrative action or proceeding. If an individual requests an electronic copy of protected health information that the covered entity maintains electronically, the covered entity must provide the individual with access to the information in the requested format so long as it is readily producible in such format. A reasonable, cost-based fee can be charged for copies; however, the fee that can be charged is restricted and may not include the cost of retrieving the protected health information.
In addition, an individual can request an accounting of disclosures of his/her protected health information. Such accounting must be provided within 60 days of receipt of the request. The first accounting in a 12-month period must be free; thereafter, a cost-based fee may be imposed.
HIPAA provides individuals the right to request an amendment to or a restriction of their protected health information. The covered entity must act on the request within 60 days of receipt (there is a limited extension right on this deadline). The covered entity must advise the individual of the approval or denial of the request. If an amendment request is denied, the individual has an opportunity to rebut the covered entity’s decision, and a record of the denial and rebuttal must be appended to the protected health information in question and all such information must be included on later disclosures of such protected health information.
Civil money penalties may be imposed for denying patients access to medical records.
The CCPA/CPRA, the CPA, the CTDPA, the UCPA and the VCDPA each provide consumers with a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information.
FCRA requires users of consumer reports to provide consumers with access to their consumer reports and an opportunity to dispute them or correct any errors. If a user takes any adverse action against a consumer based on a consumer report, the user must notify the consumer. Consumers are entitled to a free annual credit report from each of the three national consumer credit agencies.
COPPA requires website operators and providers of online services directed at children under 13 years old to:
- Provide parents access to their child's personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child's personal information.
No.
Yes. It depends on the legislation.
HIPAA/HITECH requires an individual to be notified about the breach without unreasonable delay and no later than 60 calendar days following the date the breach is discovered. Discovery is nuanced because it means the date anyone in the organization has discovered the issue, not when it is reported to the privacy or security officer. Notice must also be provided to the Office of Civil Rights. The timing of such notice depends upon the number of individuals affected. If fewer than 500 individuals are affected, notice must be within 60 calendar days of the end of the year in which the breach occurred. If 500 or more individuals are affected, the covered entity must provide notice without unreasonable delay and no later than 60 calendar days following discovery. Further, if 500 or more individuals are affected by the breach, the press must also be notified of the breach.
Certain breach notification requirements are enforced by the FTC through the Health Breach Notification Rule, applicable to certain businesses not covered by HIPAA. The Health Breach Notification Rule is applicable to a vendor of personal health records ("PHRs"); a PHR-related entity; or a third-party service provider for a vendor of PHRs or PHR-related entity.
State Notification Laws: All states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws, which generally have provisions regarding who must comply (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver's license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); exemptions (e.g., for encrypted information); and varying requirements to notify regulators.
It depends on the legislation.
HIPAA is generally regulated by the Office of Civil Rights, an agency under the U.S. Department of Health and Human Services. However, provisions of HIPAA also fall under the Internal Revenue Service and the Department of Labor, who have the ability to identify issues on an audit. Similarly, state attorneys general have the power to bring an action for a violation of HIPAA.
GLBA is regulated by the various prudential regulators for each financial institution: FDIC for banks; National Credit Union Administration ("NCUA") for credit unions; Securities and Exchange Commission ("SEC") for securities firms and broker-dealers; CFPB for non-depository financial institutions and depository institutions with more than USD $10 Billion in assets. The Federal Trade Commission ("FTC") also has certain enforcement authority.
FCRA: CFPB has rulemaking authority for FCRA. FCRA is regulated by the various prudential regulators for each financial institution: Federal Deposit Insurance Corporation ("FDIC") for banks; NCUA for credit unions; CFPB has enforcement authority over non-depository institutions and depository institutions with more than USD $10 Billion in assets; FTC and CFPB share enforcement authority over those entities that do not have a specific federal financial regulator; State attorneys general enforce FCRA for insurance companies, along with FTC; SEC enforces for securities firms and broker-dealers. CFPB has rulemaking authority for FACTA, but FTC retained responsibility after Dodd-Frank for “red flag” and “disposal” data security rules and rulemaking under FACTA relating to certain motor vehicle dealers.
The FTC Act is regulated and enforced by the FTC.
COPPA is regulated by the FTC.
CCPA, CalOPPA, and California Shine the Light are regulated by the California Attorney General.
The state consumer data privacy laws in Colorado and Connecticut provide for the Attorney General to enforce their state laws and allow the company in question 60 days to cure an alleged violation. Virginia, Utah and California allow only 30 days to cure an alleged violation.
The State Data Breach Notification laws are regulated by each state's respective attorney general.
It depends on the legislation.
HIPAA: There are notice requirements and, depending upon the level of culpability (ranging from “did not know” to willful neglect), penalties imposed by the government can currently range from USD $110 to in excess of USD $55,010 per violation (with a cap of USD $1,650,300 for all violations of an identical provision in a calendar year). In addition, the notice requirements listed under #9 apply. The state attorneys general also have the ability to pursue a HIPAA breach. There is no private right of action under HIPAA, but a breach may trigger rights under a state privacy law. HIPAA also provides for criminal penalties. The Department of Justice is responsible for criminal prosecutions.
Certain breach notification requirements are enforced by the FTC through the Health Breach Notification Rule, applicable to certain businesses not covered by HIPAA.
California requires the provision of 1 year of free credit monitoring; some states provide penalties from USD $100-$500.000.
CCPA provides a private right of action for California residents impacted by a data breach that resulted from a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. It provides for statutory damages of between USD $100-$750 or actual damage, whichever is greater.
In Connecticut, a violation of the CTDPA is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act. As such, entities may face civil penalties up to $5,000 per willful violation. The penalties imposed under the CTDPA are roughly in line with the other states’ consumer data privacy laws. For example, California’s CPRA imposes a civil penalty of $2,500 for each violation or $7,500 for each intentional violation, while Utah’s UCPA enforces actual damages to the consumer and up to $7,500 per violation in civil penalties. Similarly, Virginia’s CDPA law imposes civil penalties of up to $7,500 for each violation. Colorado’s CPA does not specify the penalty amounts, but civil penalties could be up to $20,000 for each violation with a maximum penalty of $500,000 for any related series of violations.
Marketing is regulated by various laws generally based on the media, e.g. email or telephone.
HIPAA: Without individual authorization, entities subject to HIPAA are prohibited from utilizing protected health information to engage in marketing activities. For this purpose, “marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. The HIPAA Privacy Rule carves out exceptions to the definition of marketing for communications: (i) made to describe health-related products or services, or the payment for such products or services, provided by, or included in a plan of benefits; (ii) made for the treatment of an individual; and (iii) made for case management and care coordination of an individual, to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual.
Controlling the Assault on Non-Solicited Pornography and Marketing Act of 2003 ("CAN-SPAM") regulates anyone who advertises products or services by electronic mail directed to or originating from the United States; provides a mechanism to send emails. CAN-SPAM, among other things:
- Prohibits false or misleading headers and deceptive subject lines
- Requires commercial emails to contain functioning, clearly and conspicuously displayed return email address that can be used to contact the sender
- Requires commercial emails to include clear and conspicuous notice and opportunity to opt-out of marketing emails with a cost-free mechanism for opting out
- Prohibits sending of commercial email to a person who has asked not to receive future commercial email
- Requires all commercial emails to include (1) a clear identification that the message is commercial (unless the recipient has provided prior affirmative consent to receive the email) and (2) a valid physical postal address of the sender
- Requires commercial email containing sexually oriented material to include a warning label.
Telephone Consumer Protection Act of 1991 ("TCPA") regulates telemarketing and other types of messaging via telephone calls, facsimile, text and otherwise from businesses to consumers, using an automatic telephone dialing system or artificial or prerecorded voice. Also prohibited are such communications to emergency lines, hospitals and other health care facilities, and other specified restrictions. Various types of consent, depending upon the circumstances, are required to exempt such communications from the scope of the TCPA. The FTC and the Federal Communications Commission ("FCC") have certain overlapping responsibilities with respect to TCPA.
In addition, the Junk Fax Prevention Act of 2005 regulates faxes; the Telemarketing and Consumer Fraud and Abuse Prevention Act and the Telemarketing Sales Rule, including the Do Not Call Registry promulgated thereunder, regulate telemarketing.
California Shine the Light requires a business to disclose certain types of consumer information that they have shared with third parties for the direct marketing of that third-party.
Privacy and data security laws are constantly evolving.
HIPAA: The Office of Civil Rights is currently engaged in “Phase II” to improve its auditing standards and target what areas should be a focus for the agency as it monitors HIPAA compliance among covered entities and business associates. Cybersecurity continues to be an area of focus, including the inherent tension between government access to information and privacy and cybersecurity in the context of the Internet of Things ("IoT").
California Privacy Rights Act: The CPRA amends and expands the CCPA and is set to go into effect on January 1, 2023, with an enforcement date of July 1, 2023, and will apply to businesses outside of California, including Wisconsin. The CPRA applies to an entity that does business in California and meets one of the below thresholds:
- Has annual gross revenues in excess of 25 million dollars.
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 100,000 or more consumers or households.
- Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.
CPRA introduces prohibitions and limitations on the “sharing” of personal information. “Sharing” is defined broadly to mean “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
CPRA also contains data minimization, purpose limitation, and storage limitation requirements.
CPRA establishes a new regulatory authority, the California Privacy Protection Agency ("CPPA"), which has investigative, enforcement, and rulemaking powers.