May 21, 2021
The shaping of modern data privacy laws like GDPR and CCPA is attributed to the need for more robust governance of digital data across varied channels and scenarios. In the United States, there are hundreds of federal and state laws, including several proposed and enacted privacy bills, to protect individuals’ data privacy. The US data protection laws, spanning the nation’s 50 states and territories, govern the collection, storage, processing, and disposal of personally identifiable information (PII). They obligate organizations to comply with prevalent data privacy standards concerning the handling of personal information.
This article surveys the US data privacy legislative landscape, overviewing the major laws and regulations in different states to help businesses navigate the maze.
Notably, there is no single, predominant US federal privacy law to protect data privacy, but there are nearly 20 sector-specific laws that are focused on industries like finance, healthcare, telecom, etc. These sectoral laws, such as the US Privacy Act of 1974, HIPAA, COPPA (The Children's Online Privacy Protection Act ), GLBA, and SOX, etc., have specific provisions for handling different types of personal data. This data could include personal health information, credit report, children’s information, etc. In addition, the country has over 100 “State-Level” data privacy laws, including 25 privacy-focused laws in California alone. Some of these prominent US data protection laws include California Consumer Privacy Act (CCPA), New York SHIELD Act, New York Privacy Act, Nevada Privacy Law, Maine Privacy Law, etc.
At the federal level, the US Federal Trade Commission (FTC) oversees the enforcement of these data protection laws, but there is no overarching federal law to ensure compliance with privacy regulations in US. Therefore, a majority of data privacy regulation in the US is based on state-level laws. Due to conflicting or incompatible provisions in these laws, businesses might find it challenging to understand their obligations clearly. For instance, data breach notification is a standard provision in the US data privacy laws, but the definition of personal data and data breach varies. Also, data destruction or deletion standards may vary, a majority of data privacy laws compel organizations to destroy personal data on request.
Data Privacy Regulations in the US:
The following are some of the prominent data privacy laws in the United States:
1. California Consumer Privacy Act (CCPA)
CCPA, enacted in 2020, regulates the collection of California residents’ personal data by companies. The California state privacy law, officially called Assembly Bill No. 375, empowers consumers in the state to exercise more control over their data.
CCPA applies to all for-profit companies that conduct business in California and meet any of the following conditions:
Penalty Imposed By CCPA
CCPA imposes a penalty of $7,500 per episode of intentional violation and $2,500 per inadvertent violation. So if 1000 Californians, complain of violation, then the organization might be looking at a total penalty of USD $7.5 million.
You may like to read our article on Deciphered - The Basics of CCPA.
2. New York Privacy Act (NYPA)
The New York Privacy Act is among the latest data privacy laws in the US, which will guarantee every New York resident the right to access, control, and erase their personal data collected from them. The NY State Senate Bill S5642 obligates companies that collect information of New York residents to disclose their methods of de-identifying personal data.
The New York Privacy Act applies to legal entities, i.e., individuals or companies that conduct business in New York State or intentionally target products or services to New York state residents.
The law has provisions to impose civil penalties and damages based on the number of affected individuals, the extent of the violation, and the company's size and revenue. The act allows civil penalties of up to $5000 per violation. Therefore, for a data breach involving 1000 users, a penalty of USD $5 Million will be imposed.
3. Nevada Privacy Law
The Nevada privacy law applies to all individuals and organizations that own and operate a website for business purpose or collect and maintain the personal data of consumers residing in Nevada.
The Nevada privacy law has provisions to impose civil action, reparation, injunction, and a civil penalty of up to $5000 for each violation.
4. Maine Privacy Law
The Maine privacy law 2020, formally known as An Act to Protect the Privacy of Online Customer Information, focuses on protecting the personal information of customers in Maine who use or have used broadband Internet access service. It defines the following as customer personal information:
The Maine privacy law applies to all broadband Internet access service providers who serve customers physically located and billed in the state.
Maine Privacy Law does not explicitly mention the quantum of penalty for non-compliance. Presently, any non-compliance or enforcement of private rights of action will be adjudicated in courts of law.
5. Washington Biometric Privacy Law
The Washington Biometric Privacy Law, officially known as House Bill 1493 (“H.B.1493”), was enacted in 2017 to govern how individuals and non-government organizations collect, use, and store “biometric identifiers” of Washington citizens. The law defines biometric identifiers as the data generated by automatic measurements of a person’s biological traits like fingerprints, eye retinas, voiceprints, etc., which can identify that individual.
The Washington Biometric Privacy Law applies to all individuals and non-government entities who collect biometric data for commercial purposes.
Washington Biometric Privacy Law also is silent on penalties for non-compliance and does not include a private right of action. Although, the law allows for enforcement of private rights of action by the state's attorney general.
Consumers’ “Right to Delete”: What US Data Privacy Laws Entail?
A majority of data privacy laws in the United States, including CCPA and Virginia Consumer Data Protection Act (VCDPA), have provisions that allow individuals to request deletion of their data. This “right to deletion” obligates businesses to delete the consumers’ personal information, with a few exceptions where companies can retain the information when they need to comply with federal regulations, cooperate with law enforcement agencies, defend legal claims, etc. Specific clauses and proposals, such as CCPA 999.313 (d) (2), in US privacy laws also mandate businesses to permanently erase the personal data on their system.
Briefly, this would mean businesses with a well-defined data erasure strategy would have a firm grip on their “data deletion” obligations. Nonetheless, navigating the maze of US data privacy laws is imperative for businesses to understand the “legislative patchwork” and play by the rules.
|US Department of Defense, DoD 5220.22-M (3 passes)|
|US Department of Defense, DoD 5200.22-M (ECE) (7 passes)|
|US Department of Defense, DoD 5200.28-STD (7 passes)|
|Russian Standard – GOST-R-50739-95 (2 passes)|
|B.Schneier’s algorithm (7 passes)|
|German Standard VSITR (7 passes)|
|Peter Gutmann (35 passes)|
|US Army AR 380-19 (3 passes)|
|North Atlantic Treaty Organization-NATO Standard (7 passes)|
|US Air Force AFSSI 5020 (3 passes)|
|Pfitzner algorithm (33 passes)|
|Canadian RCMP TSSIT OPS-II (4 passes)|
|British HMG IS5 (3 passes)|
|Pseudo-random & Zeroes (2 passes)|
|Random Random Zero (6 passes)|
|British HMG IS5 Baseline standard|
|NAVSO P-5239-26 (3 passes)|
|NCSG-TG-025 (3 passes)|
|5 Customized Algorithms & more|