
The Compliance Teams’ Guide to Data Privacy Regulations in the U.S.


Privacy laws in the United States are not tied to a central set of rules and regulations like the GDPR in the European Union. Instead, both federal and state legislatures have passed privacy laws that target specific fields of privacy concerns. This has led to many rules and regulations that compliance teams must parse to determine what must be followed for their organization, especially as states legislate to fill the data protection gaps left behind by federal law. The following is a broad overview of some of the federal and state privacy laws that compliance teams often must consider for citizens, lawful residents, and minors in the United States.

Federal U.S. Data Privacy Laws

U.S. Privacy Act of 1974

A major privacy law at the federal level, passed in response to new concerns over the handling of personal data in computerized databases by the government. This landmark legislation laid foundational rules and regulations for personal data of citizens and permanent residents held by US government agencies. Important rules included:

  • The Right of US citizens to access and copy data held by government agencies
  • The Right of US citizens to correct any errors contained in their data
  • Minimization principles, for the “least and necessary” data collection by government agencies to fulfill their roles
  • Restrictions for data access that mandate a need-to-know basis
  • Restrictions on information sharing between federal and non-federal agencies, except under special conditions

While the law was a great step forward for privacy law at the federal level, the unclear and narrow language of the law led to uneven application due to interpreted exceptions as well as written exemptions, such as for law enforcement purposes.

Gramm-Leach-Bliley Act (GLBA)

Passed in 1999, GLBA came into effect on July 1st, 2001. The legislation included privacy laws due to concerns for personal data handled by financial institutions that provide loans, insurance, and financial advice. The primary focus of the GLBA data regulations is protection of nonpublic personal information (NPI). Important rules included:

  • Security of private or sensitive information against unauthorized access
  • Notification to customers of private information shared between financial institutions and non-affiliated third parties, with the option to opt out
  • Audit trail of user and employee activity to record attempts to access protected records and sensitive information

In practice, the GLBA privacy protections have proven to be limited for data protection in the information age. While customers are notified of their data privacy on a regular basis by financial institutions, and can opt-out of sharing NPI to non-affiliated third parties, this same data control does not exist for third-party companies under the same corporate umbrella as the financial institution.

Health Insurance Portability and Accountability Act (HIPAA)

Passed in 1996, HIPAA came into effect on April 14th, 2003. This complex, landmark legislation established national standards for health insurance regulation, including numerous rules for data privacy and security for protected health information (PHI). The simplest way to describe the HIPAA rules for PHI is a principle of governed access. For example, a covered entity such as a healthcare provider or physician has permission to access PHI for treatment, payment, and healthcare operations, but the use of that same information for marketing is limited and subject to strict authorizations.

As extensive as the rules are regarding PHI access for covered entities, HIPAA also has limits for data privacy in the information age due to its focus on communication between covered entities and their patients/customers. As a result, new kinds of health data are not retroactively protected under the letter of the law, such as the health data collected by a fitness tracker or the vaccination status for COVID-19.

Children’s Online Privacy Protection Act (COPPA)

Passed in 1998, COPPA came into effect in April 2000 and was then amended in 2013. This legislation focused on the regulation of personal data collected from minors 12 and under by online companies through websites and services. Any operator of such a website or service must account for regulations such as the following, as summarized by the FTC:

  • Post a clear and comprehensive online privacy policy describing their information practices for personal information collected online from children
  • Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children
  • Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents)
  • Provide parents access to their child’s personal information to review and/or have the information deleted
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information
  • Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security
  • Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use
  • Not condition a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity

The amendments to COPPA in 2013 expanded these regulations to cover new kinds of personal data, such as geolocation, as well as expanding coverage to third parties that also use the children’s data from said operators. As a result, operators must take reasonable steps to release this information only to companies capable of keeping it secure and confidential.

U.S. Data Privacy Regulations by State

California

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are amongst the most comprehensive (and possibly verbose) data privacy regulations at the state level. CCPA was signed into law in 2018 and went into effect in 2020, while the CPRA was approved by ballot measure in 2020 and will go into effect by July 1st, 2023. The CPRA amends the CCPA to further strengthen the regulations.

The CCPA covers businesses, service providers, and third parties, while the CPRA will expand the coverage to contractors. The CCPA establishes the following rights for consumers that reside in California, as defined by state tax regulations:

  1. The right to know (request disclosure of) personal information collected by the business about the consumer, from whom it was collected, why it was collected, and, if sold, to whom
  2. The right to delete personal information collected from the consumer
  3. The right to opt-out of the sale of personal information (if applicable)
  4. The right to opt-in to the sale of personal information of consumers under the age of 16 (if applicable)
  5. The right to non-discriminatory treatment for exercising any rights
  6. The right to initiate a private cause of action for data breaches

The CPRA will add two additional consumer rights: the right to correct inaccurate personal information, and the right to limit the use and disclosure of sensitive personal information.

Failure to comply with the CCPA (and the additional CPRA regulations in the future) can lead to civil penalties, damages, non-monetary relief, and even injunctions sought by California’s Attorney General.

Colorado

The Colorado Privacy Act was signed into law in 2020 and will take effect in June 2023. It is comparable to the CCPA and CPRA, but also borrows terms and ideas from the GDPR of the European Union. It protects the “personal data” of consumers who are Colorado residents. As with Virginia’s VCDPA (covered below), differences from the CCPA and CPRA can be found in the details. The most notable example of such differences is the set of blanket exemptions written into the law, which include:

  • Data collected for Colorado health insurance law purposes
  • Data-collecting entities or collected data already covered by certain existing laws, such as COPPA
  • Data rendered anonymous or placed under pseudonyms
  • Data maintained and used by a consumer reporting agency
  • Data used for employment records purposes

State laws with stated exemptions such as these especially depend on a complementary review of federal data privacy laws.

Connecticut

The Connecticut Data Privacy Act (CTDPA) was signed into law in 2022 and goes into effect July 1, 2023. CTDPA is similar to other states’ privacy regulations, but is most similar to Virginia’s VCDPA and Colorado’s CPA in that it is more consumer-oriented in its focus. The law applies to businesses serving or targeting residents of Connecticut that, during the preceding calendar year, either:

  • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions
  • Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data

CTDPA excludes personal data processed only for payment transactions; businesses processing debit or credit card payments only to the extent necessary to complete a sale are not subject to this law’s requirements. Of note, there is no annual revenue threshold included in CTDPA, meaning an entity would not fall under compliance requirements due to its annual revenue alone.

Connecticut consumers are provided 5 rights under CTDPA:

  1. Right to access – the right to confirm whether or not an entity holds their personal data, except in instances where this access would reveal a trade secret
  2. Right to correct – the right to correct any inaccurate personal data held by an entity
  3. Right to delete – the right to delete any personal data about themselves
  4. Right to data portability – the right to receive a copy of their personal data held by an organization in a portable, usable format the consumer can use to transmit their personal data with ease
  5. Right to opt out – the right to choose to not have their personal data processed for the purposes of targeted advertising and sales

Hawaii

Bill SB 418 was referred to committee in 2019, in efforts to set data privacy standards at the state level like the CCPA and CPRA. Differences in the letter of the law can be found here as well. The most notable difference, in the current draft of the bill, is the broader application of SB 418 to websites. While the CCPA states explicitly that it applies to websites based in the state of California, the absence of such language in SB 418 leaves open the legal question of whether websites based anywhere in the world would be subject to Hawaii’s data privacy laws in the future.

While the bill is likely to be amended to follow the CCPA more closely in coverage, compliance teams must account for broadly written laws that will more likely apply to the personal data in possession than not.

Massachusetts

The Massachusetts Information Privacy and Security Act (MIPSA) was referred to committee in February of 2022. If passed and signed into law, MIPSA aims to fill the same gaps in state law for data privacy as the CCPA and CPRA do for California. Again, the finer details are important to note for differences. MIPSA covers entities with an annual global gross revenue of 25,000 million dollars or more that conduct business in Massachusetts or offer goods and services that target or monitor Massachusetts residents, and that meet one of the following qualifiers:

  • The intent and the means for processing the personal information of 100,000 consumers or more
  • Is a data processor that processes a consumer’s personal information on behalf of a covered entity

The bill for this act, S.46, also lays out the following Massachusetts consumer rights:

  • Access to their personal information collected and processed by the covered entity
  • Receive information on the use of their personal information
  • Obtain a copy of the personal information retained
  • Request that the covered entity stop collecting their personal information, correct mistakes contained within, or delete inaccuracies
  • Receive sufficient notice of the means of personal information collection and the risks associated with said collection in a privacy policy
  • If 13 years of age or older, issue a grant or denial of the covered entity’s ability to collect their personal information, with an annual opportunity to amend this decision

Legislation in committee may or may not become law, but preparation for future compliance is still an important consideration for compliance teams.

Maryland

Bill SB 0613 was referred to committee in 2019, also in efforts to set data privacy standards in the state like the CCPA and CPRA. The notable difference in this bill can be seen in its scope for third-party disclosure. While the CCPA requires disclosure if personal data is sold to a third party, SB 0613 also requires disclosure if the personal data is given to a third party for free. In addition, websites are prohibited from knowingly disclosing the personal information of children.

New York

A multitude of bills in New York have been referred to committee in the field of data privacy. However, current law in the state includes the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, passed in 2019 and in effect as of March 2020. This narrowly focused law amended existing NY law on data breach notification.

The New York SHIELD Act expanded the definitions of “private information” and “breach”, expanded the covered entities from only parties that conducted business in New York to any person or business that owns or licenses private information of a New York resident, and raised standards for data security requirements. These requirements include:

  • Adopt reasonable safeguards to protect private information
  • Implement a data security program
  • Designate an employee to oversee cybersecurity operations

These new requirements do have some overlap with existing federal law, but the expansion of covered entities has significant impact on compliance. Major companies will more likely than not have private information of New York residents, due to the state being a major player in the U.S. economy. As a result, New York SHIELD Act regulations are a major consideration for compliance teams. To avoid potential violations without incurring higher costs, compliance teams can proactively enact a company-wide security standard for personal data that complies with this state law, just as they would for GDPR.

North Dakota

North Dakota is a good example of lightweight regulation at the state level and clarifications on state and federal law obligations. In September 2000, after the GLBA was signed, the North Dakota Department of Banking and Financial Institutions petitioned the FTC to determine if the state’s Disclosure of Customer Information law was superseded, altered, or affected by the GLBA. For context, the state had newly amended a statute stating that financial institutions in the state are “free simply to comply with the federal requirements” of the GLBA.

The FTC answered in June 2001 that North Dakota financial privacy law is not preempted by the GLBA because it is “not inconsistent” with federal law. In its letter back to the state, the FTC clarified that “Congress established the privacy protections in the GLB Act as a ‘floor’, or minimum protection for consumer privacy, that could be exceeded by the states.”

That statement from the FTC helped set the precedent for state and federal data privacy laws to follow, as well as the legal compliance at both federal and state levels that must be accounted for in the U.S. by compliance teams.

Utah

The Utah Consumer Privacy Act (UCPA) was signed into law in 2022 and will go into effect on December 31, 2023. Under UCPA, businesses that control or process Utah consumers’ personal data must uphold new rights afforded to those consumers. This act does not include a requirement to conduct personal data assessments for some types of processing activities, so it’s considered one of the most business-friendly privacy acts in the United States.

Utah consumers have the right to:

  1. Know or confirm processing activity
  2. Access personal data
  3. Obtain a copy of personal data in a portable and readily usable format
  4. Delete personal data
  5. Opt out of targeted advertising and sales of personal information
  6. Avoid discrimination as a result of exercising their rights under UCPA

UCPA is enforceable only by the Utah Attorney General and does not create a private right of action for individual consumers. This legislation applies to any entity that:

  1. Conducts business in Utah or produces products or services targeted at Utah residents
  2. Has an annual revenue of $25M+
  3. Annually controls or processes personal data of at least 100,000 Utah residents, or controls/processes the personal data of at least 25,000 Utah residents and derives over 50% of its gross revenue from the sale of personal data

Virginia

The Virginia Consumer Data Protection Act (VCDPA) was signed into law in 2021 and will go into effect in 2023. It is like the CCPA and CPRA in coverage and intent but written more concisely. There are also notable differences in regulations compared to California’s data privacy laws:

  • Consumers must opt-in to the collection and use of their sensitive data for processing
  • Data Protection Impact Assessments are required for any processing involving targeted advertising, data sales, profiling, or sensitive data; or any data processing that presents a “risk of harm”
  • The addition of a “Do Not Sell My Personal Information” link on websites is not required

The VCDPA covers entities that do business in the state of Virginia or sell products and services to Virginia residents, if one of the following also applies:

  • The entity controls or processes personal data of 100,000 or more Virginia residents
  • The entity controls or processes personal data of at least 25,000 Virginia consumers and earns at least 50 percent of its revenue by selling personal information

How Can Classify360 Help Your Compliance Teams?

A “Set it & Forget it” Mentality

Once you tell Classify360 that a data set is subject to a regulation, it can be automatically managed on an ongoing basis. Your organization has then created a culture of compliance, with no need to manually review data. Privacy regulations are always increasing across states and nations, and at the federal level as well. As more are introduced, Classify360 can account for them, and they can automatically be added to your organization’s workflow.
