Although the United States does not have a federal law like the EU General Data Protection Regulation (GDPR), there are plenty of state laws and compliance regulations that govern how businesses and individuals handle data and personal privacy.
Companies collect private information in the course of business, and because of widespread data breaches, hacking incidents, and ransomware attacks, government officials are enacting laws to protect victims.
The Federal Trade Commission (FTC) is the government agency that handles complaints of fraud, identity theft, and other deceptive trade practices. As listed by CSO Online, the FTC enforces laws pertaining to:
“Failing to implement and maintain reasonable data security measures.
Failing to abide by any applicable self-regulatory principles of the organization’s industry.
Making inaccurate privacy and security representations (lying) to consumers and in privacy policies.
Failing to provide sufficient security for personal data.
Violating consumer data privacy rights by collecting, processing, or sharing consumer information is a violation of the FTC’s consumer privacy framework or national privacy laws and regulations.
Engaging in misleading advertising practices.”
CSO Online lists some additional privacy laws at the federal level as:
“The Children’s Online Privacy Protection Act (15 USC §6501 et seq.), also known as COPPA, which governs the collection of information about minors.
The Health Insurance Portability and Accountability Act (HIPAA - P.L.104-191), which governs the collection of health information.
The Gramm Leach Bliley Act (15 USC § 6802 et seq.) governing personal information collected by banks and financial institutions.
The Fair Credit Reporting Act (15 USC § 1681), which regulates the collection and use of credit information.”
California Privacy Laws
Inspired by the GDPR, the new California Consumer Privacy Act (CCPA) is one of the most comprehensive privacy acts to date. The bill was voted in November 2020, and it aligns with the GDPR in some major ways. The meat and potatoes of the act center on how businesses can collect, store, and use personal information.
According to CSO Online, the highlights from this act include:
“The law applies to businesses that collect information from California residents and meet at least one of the following thresholds: (1) have over $25 million in annual gross revenue; (2) buy, receive, sell, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or (3) derive 50 percent or more of their revenue from the sale of consumers’ personal information.”
“The legislation’s provisions ‘grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared.’”
The law doesn’t go into effect until January 1, 2023, giving businesses plenty of time for compliance.
Nevada’s Privacy Laws
Nevada’s Senate Bill 220 is even stricter than the California Act and went into effect in May 2019. One of its big highlights is the right for consumers to opt out of having their personal information sold by the business that collected it.
Nevada’s bill requires website owners to be upfront about the type of information they are collecting, and according to CSO Online it must include “categories of information collected, the categories of third parties with which the data is shared, a description of the process consumers may use to review and request changes to their covered information, a disclosure that third parties may track consumers’ online activities and the effective date of these notices.”
The penalty for violating the Nevada law is a fine of $5,000 per incident. However, violators must be given 30 days’ notice to fix the issue before receiving any punishment.
Massachusetts Bill H.4806
Massachusetts signed Bill H.4806 into law in January 2019. This new privacy law addresses data breaches and the protection of state residents named in a breach. It requires data breach notifications to disclose the parent company or entity of the breached organization.
For any data breach that involved Social Security numbers, the company must provide credit monitoring services free of charge to the victims for at least 18 months.
According to CSO Online, data breach notifications must also include “the disclosure of the person responsible for the breach in breach notifications, the contact information of the entity that experienced the breach and the person who reported the breach, the type of personal information compromised, whether the breached entity maintains a written information security program, and a sample copy of the notice sent to state residents.”
The Bottom Line
All 50 states are enacting new, stronger laws to protect consumers and guard the privacy of sensitive personal information shared with businesses and government agencies.
As our country experiences more data breaches and cyberattacks, the trend of tightening these laws to better protect personal information will most likely continue.