The shaping of modern data privacy laws like GDPR and CCPA is attributed to the need for more robust governance of digital data across varied channels and scenarios. In the United States, there are hundreds of federal and state laws, including several proposed and enacted privacy bills, to protect individuals' data privacy. The US data protection laws, spanning the nation's 50 states and territories, govern the collection, storage, processing, and disposal of personally identifiable information (PII). They obligate organizations to comply with prevalent data privacy standards concerning the handling of personal information.
This article surveys the US data privacy legislative landscape, overviewing the major laws and regulations in different states to help businesses navigate the maze.
US Data Privacy Laws: An Overview
Notably, there is no single, predominant US federal privacy law to protect data privacy, but there are nearly 20 sector-specific laws that are focused on industries like finance, healthcare, telecom, etc. These sectoral laws, such as the US Privacy Act of 1974, HIPAA, COPPA (The Children's Online Privacy Protection Act ), GLBA, and SOX, etc., have specific provisions for handling different types of personal data. This data could include personal health information, credit report, children's information, etc. In addition, the country has over 100 "State-Level" data privacy laws, including 25 privacy-focused laws in California alone. Some of these prominent US data protection laws include California Consumer Privacy Act (CCPA), New York SHIELD Act, New York Privacy Act, Nevada Privacy Law, Maine Privacy Law, etc.
At the federal level, the US Federal Trade Commission (FTC) oversees the enforcement of these data protection laws, but there is no overarching federal law to ensure compliance with privacy regulations in US. Therefore, a majority of data privacy regulation in the US is based on state-level laws. Due to conflicting or incompatible provisions in these laws, businesses might find it challenging to understand their obligations clearly. For instance, data breach notification is a standard provision in the US data privacy laws, but the definition of personal data and data breach varies. Also, data destruction or deletion standards may vary, a majority of data privacy laws compel organizations to destroy personal data on request.
Data Privacy Regulations in the US:
The following are some of the prominent data privacy laws in the United States:
1. California Consumer Privacy Act (CCPA)
CCPA, enacted in 2020, regulates the collection of California residents' personal data by companies. The California state privacy law, officially called Assembly Bill No. 375, empowers consumers in the state to exercise more control over their data.
- Right to know: CCPA allows consumers to request companies for disclosure of their personal information collected, used, shared, or sold.
- Right to delete: The law allows consumers to seek deletion of their personal information with a maximum notification time of 45 days.
- Right to opt-out: The consumers can request companies to stop selling their personal information, i.e., opt-out of sales and marketing campaigns.
- Right to non-discrimination: No company can discriminate against a consumer because they exercised their rights as per CCPA.
CCPA applies to all for-profit companies that conduct business in California and meet any of the following conditions:
- Gross annual revenue > $25 million.
- Generate 50% or more of their annual revenue by selling consumer's data.
- Purchase, collect or sell the data of more than 50,000 households, devices, or consumers.
Penalty Imposed By CCPA
CCPA imposes a penalty of $7,500 per episode of intentional violation and $2,500 per inadvertent violation. So if 1000 Californians, complain of violation, then the organization might be looking at a total penalty of USD $7.5 million.
You may like to read our article on Deciphered - The Basics of CCPA.
2. New York Privacy Act (NYPA)
The New York Privacy Act is among the latest data privacy laws in the US, which will guarantee every New York resident the right to access, control, and erase their personal data collected from them. The NY State Senate Bill S5642 obligates companies that collect information of New York residents to disclose their methods of de-identifying personal data.
- Section 1102 of the New York Privacy Act mandates companies to acquire consumers' expressed and documented consent before sharing or selling their personal data.
- Section 1103 obligates companies to notify the consumers of their rights as per the law. It also obligates them to allow customers the right to opt-in or opt-out.
- Section 1106 mandates that companies must maintain the required oversight to ensure compliance concerning de-identified data.
- Right to Deletion: NYPA empowers New York residents to request deletion of their personal data, and the company must delete it without undue delay.
The New York Privacy Act applies to legal entities, i.e., individuals or companies that conduct business in New York State or intentionally target products or services to New York state residents.
The law has provisions to impose civil penalties and damages based on the number of affected individuals, the extent of the violation, and the company's size and revenue. The act allows civil penalties of up to $5000 per violation. Therefore, for a data breach involving 1000 users, a penalty of USD $5 Million will be imposed.
3. Nevada Privacy Law
- Social security number
- Driver's license number
- Account number
- Health insurance identification number
- Email address or other unique identifiers with password
- Credit card or debit card number in combination with a password or access code
- NRS 603A.200 Destruction of certain records: The law mandates companies that maintain records with personal data or PII to take reasonable measures to ensure the destruction of records when they are no longer maintained.
- NRS 603A.210 Security measure: The data collector, including government agency, higher education institution, corporation, financial institution, retail operator, or any other business entity, shall maintain reasonable measures to protect the customers' personal data and PII.
- NRS 603A.220 Disclosure of breach: The data collector shall disclose any security breach and notify Nevada residents whose unencrypted personal data is believed to have been compromised.
The Nevada privacy law applies to all individuals and organizations that own and operate a website for business purpose or collect and maintain the personal data of consumers residing in Nevada.
The Nevada privacy law has provisions to impose civil action, reparation, injunction, and a civil penalty of up to $5000 for each violation.
4. Maine Privacy Law
The Maine privacy law 2020, formally known as An Act to Protect the Privacy of Online Customer Information, focuses on protecting the personal information of customers in Maine who use or have used broadband Internet access service. It defines the following as customer personal information:
- PII such as name, billing information, social security number, etc.
- Web browsing and application usage history
- Geolocation data
- Financial and health information
- Information on customer's children
- Device details
- IP address
- Customer consent: The law prohibits broadband Internet access service providers from using, divulging, selling, or allowing access to personal data without the customer's express consent.
- Security of personal information: Maine privacy law obligates providers to take reasonable measures to safeguard customer personal data from unauthorized access.
- Notification: The provider is responsible for notifying the customers of the provider's obligations and customers' rights through the point of sale medium and publicly accessible website.
The Maine privacy law applies to all broadband Internet access service providers who serve customers physically located and billed in the state.
Maine Privacy Law does not explicitly mention the quantum of penalty for non-compliance. Presently, any non-compliance or enforcement of private rights of action will be adjudicated in courts of law.
5. Washington Biometric Privacy Law
The Washington Biometric Privacy Law, officially known as House Bill 1493 ("H.B.1493"), was enacted in 2017 to govern how individuals and non-government organizations collect, use, and store "biometric identifiers" of Washington citizens. The law defines biometric identifiers as the data generated by automatic measurements of a person's biological traits like fingerprints, eye retinas, voiceprints, etc., which can identify that individual.
- Citizen's consent: The law mandates businesses to obtain individuals' explicit consent before collecting their biometric data. It obligates businesses to disclose how they use the biometric data and notify individuals of any changes in the use of their data.
- Non-disclosure of biometric identifiers: Individuals' biometric data cannot be sold, leased, or otherwise disclosed for a commercial purpose without express consent.
The Washington Biometric Privacy Law applies to all individuals and non-government entities who collect biometric data for commercial purposes.
Washington Biometric Privacy Law also is silent on penalties for non-compliance and does not include a private right of action. Although, the law allows for enforcement of private rights of action by the state's attorney general.
Read Complete Timeline
Consumers' "Right to Delete": What US Data Privacy Laws Entail?
A majority of data privacy laws in the United States, including CCPA and Virginia Consumer Data Protection Act (VCDPA), have provisions that allow individuals to request deletion of their data. This "right to deletion" obligates businesses to delete the consumers' personal information, with a few exceptions where companies can retain the information when they need to comply with federal regulations, cooperate with law enforcement agencies, defend legal claims, etc. Specific clauses and proposals, such as CCPA 999.313 (d) (2), in US privacy laws also mandate businesses to permanently erase the personal data on their system.
Briefly, this would mean businesses with a well-defined data erasure strategy would have a firm grip on their "data deletion" obligations. Nonetheless, navigating the maze of US data privacy laws is imperative for businesses to understand the "legislative patchwork" and play by the rules.