Unlike the European Union and many countries, the US does not have a holistic, comprehensive federal law generally regulating privacy and the collection, processing, disclosure and security of “personal information” (typically defined as information that identifies, relates to, describes, is reasonably capable of being linked to, a particular individual). Rather, a patchwork of sectoral federal and state laws regulate the collection, processing, disclosure and security of personal information (“PI”), depending on the industry of the organization, the nature of the PI in question and the purposes for processing the PI. However, at the state level California has passed comprehensive consumer privacy law, though it carves out data governed by some but not all pre-existing sectoral laws, and other states have followed with similar regimes, or are considering similar legislation. The result is the need for data controllers to catch up with these new laws and prepare for likely further evolution in US data regulation. An overview of the current state of US data privacy and protection law follows.
Federal Privacy Laws
Sectoral Privacy Laws
The US has several federal privacy laws that are limited in application either to specific industries or specific types of PI. The following are brief descriptions of the most consequential of such federal privacy laws.
The Health Insurance Portability and Accountability Act of 1996, Pub.L. 104-191 (“HIPAA”), is a federal law that establishes national standards to protect certain health-related PI from being disclosed without the patient’s consent or knowledge. The HIPAA Privacy Rule, promulgated by the US Department of Health and Human Services, went into effect in 2003 and regulates the use and disclosure of protected health information (“PHI”) in healthcare treatment, payment and operations by covered entities and business associates of covered entities. The HIPAA Security Rule also went into effect in 2003 and complements the Privacy Rule. Unlike the Privacy Rule, which regulates PHI regardless of how it is maintained, the Security Rule deals specifically with electronic medical records. It specifies administrative, physical, and technical safeguards required for compliance. More information on HIPAA is available here.
The Fair Credit Reporting Act, 15 USC §1681, et seq. (“FCRA”), is a federal law that requires that “consumer reporting agencies” adopt reasonable procedures regarding the confidentiality, accuracy, relevancy, and proper use of PI included in consumer reports sold for purposes of determining eligibility for employment, for credit or insurance underwriting, and for certain other purposes described in the FCRA. The FCRA also includes several protections for consumers, including the right: to be told if PI in a credit report has been used against the consumer; to know what is in the file that a consumer reporting agency maintains about the consumer; to obtain the consumer’s credit score; and to dispute incomplete or inaccurate PI and to have such PI removed or corrected. The FCRA also imposes certain obligations on users of consumer reports and on furnishers of PI to consumer reporting agencies, to the extent such PI is intended to be used in a consumer report. More information on the FCRA is available here.
The Gramm-Leach-Bliley Act of 2002, Pub.L 106-102 (“GLBA”), is a federal law that, among other things, regulates the collection, use, disclosure and security of “nonpublic personal information” (“NPI”) collected by financial institutions. There are three components of the GLBA’s regulation of the privacy of NPI: the Privacy Rule, the Safeguards Rule and certain prohibitions on “pretexting.” The Privacy Rule requires financial institutions to provide consumers with an initial privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must include certain information and disclose the consumer’s right to opt out of NPI being shared in certain contexts. The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the financial institution is prepared for and protects NPI. Finally, certain provisions in the GLBA make it a crime to obtain or attempt to obtain NPI by making false, fictitious or fraudulent statements or representations to an employee, agent or customer of a financial institution.
The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (“FERPA”), is a federal law addressing the privacy of students’ educational records. FERPA applies to any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives funds under an applicable program of the US Department of Education, and requires them to pass-through certain safeguards to their data processors. FERPA serves two primary purposes: it gives parents or eligible students more control over their educational records, and it prohibits educational institutions from disclosing “personally identifiable information in education records” without the written consent of an eligible student, or if the student is a minor, the student’s parents. An eligible student is one who has reached 18 or attends a school beyond the high school level.
The Video Privacy Protection Act, 18 U.S.C. § 2710 (“VPPA”), was enacted to prevent the wrongful disclosure of video tape rental or sale records. The VPPA is interpreted to also apply to similar audio visual materials, including video games, DVDs and streaming content. The VPPA prohibits any “video tape service provider” from disclosing rental information outside the ordinary course of business, and certain other limited circumstances, absent express, time-limited, written consent, and limits data retention.
The Cable Communications Policy Act of 1984, 47 USC 151, et seq. (“Cable Act”), restricts cable operators from systematically collecting PI from consumers without giving prior notice and obtaining their consent. The Cable Act also prohibits disclosure of PI to third parties without consent (except for government requests pursuant to court order, or disclosures necessary for the fulfillment of cable services) and grants cable subscribers the right to inspect and correct errors in the cable operator’s databases.
The Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”), is a federal law that regulates telemarketing calls, auto-dialed calls, prerecords and artificial voice, and text messages and unsolicited faxes. It also specifies several technical requirements for fax machines, autodialers, and voice messaging systems—principally through provisions requiring that identification and contact information of the entity using the device is contained in the message. The TCPA has complex consent requirements and exceptions, and a private right of action that has led to an avalanche of litigation.
The Privacy Act of 1974, 5 USC § 552a (the “Privacy Act”), is a federal law primarily applicable to federal government agencies, contractors, and employees that seeks to: restrict disclosure of PI maintained by agencies; grant individuals increased rights of access to agency records maintained on themselves; grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete; establish a code of “fair information practices” with statutory requirements for collection, maintenance, and dissemination of records.
Prohibitions on Unfair or Deceptive Acts and Practices Relating to Privacy
Section 5 of the Federal Trade Commission Act, 15 USC §41, et seq. (the “FTC Act”), prohibits deceptive or unfair commercial practices by those subject to the jurisdiction of the Federal Trade Commission (“FTC”). Under Section 5, the FTC has aggressively pursued privacy and data security cases in myriad areas, including against social media companies, mobile app developers, data brokers, ad tech industry participants, retailers, and companies in the “Internet of Things” space.
In order to prove a privacy or security allegation under Section 5, the FTC must show that a company’s conduct is “deceptive” or “unfair.” A representation, omission, or practice is deceptive if it is likely to mislead consumers acting reasonably under the circumstances and is material to consumers – that is, it would likely affect the consumer’s conduct or decisions with regard to a product or service. The FTC has challenged deceptive claims about privacy and security that appear in privacy policies, user interfaces, FAQ pages, company web sites, and product packaging, and has deemed the failure to give meaningful notice of material data practices to be deception by omission. The FTC has challenged claims about what PI a company collects, how it uses the PI, how long it keeps the PI, with whom it shares the PI, the ability of consumers to exercise choices with respect to the PI, and the level of security provided for the PI. Because Section 5 unfairness requires a showing of actual harm not outweighed by a benefit to consumers or completion, it has rarely been used for privacy matters, but has been established as the basis for requiring data controllers to maintain reasonable security of PI.
Similarly, under §§1031 and 1036 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), it is unlawful for any provider of consumer financial products or services (or a service provider to such a provider) to engage in any unfair, deceptive or abusive act or practice. The Dodd-Frank Act also provides the Consumer Financial Protection Bureau with rule-making authority and, with respect to entities within its jurisdiction, enforcement authority to prevent such unfair, deceptive, or abusive acts or practices in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.
State Privacy Laws
Changes in US consumer privacy law passed in late 2020, and to date, will require most US businesses to make material changes to their data privacy compliance and information governance programs by January 1, 2023 (July 1, 2023, in the case of Colorado). The laws described below are generally enforceable only by the state attorney general or other state regulator, though BIPA provides for a private right of action (discussed below), as does the CCPA/CPRA for certain types of data breaches.
Holistic State Privacy Laws
The California Privacy Rights Act, Cal. Civ. Code §1798.100, et seq. (the “CPRA”) is a comprehensive rework of California’s paradigm-shifting California Consumer Privacy Act (the “CCPA”), which was enacted in 2018. The CPRA was enacted through a ballot initiative in 2020, and will go into full effect on January 1, 2023. It amends the CCPA in several material ways to, among other things, eliminate the existing carve-outs for data collected from job applicants, employees and contractors, and for data of persons representing another business in connection with a business-to-business (B-to-B) transaction or communication. Those carve-outs expire on January 1, 2023, and further legislative extensions are unlikely since the CPRA prohibits legislative amendments that do not “enhance” privacy, though there could ultimately be somewhat different rules for these non-consumer data subjects. There are, however, a number of exceptions, including data governed by some but not all other privacy laws. More information on the CCPA is available here and more information on the CPRA is available here.
In March 2021, the Virginia governor signed into law the Virginia Consumer Data Protection Act, Va. Code Ann. §59.1-571, et seq. (the “CDPA”), thus becoming the second state in the US to enact a holistic data privacy law that regulates the collection, use and disclosure of the “personal data” (broadly defined to include most information that would be PI under the CCPA/CPRA) of its residents generally, but excluding data subjects outside of an individual or household context and does not include persons acting in an employment or B-to-B context. Like the CCPA/CPRA, certain already regulated data, such as PHI, is also exempt from CDPA. Set to go into effect on January 1, 2023, the CDPA is in many ways similar to the CPRA, but it also shares some additional concepts inspired by the European Union’s General Data Protection Regulation (“GDPR”). However, it is sufficiently dissimilar to each of those laws that a business developing a strategy for compliance with the CDPA will not be able to rely solely on its CPRA and/or GDPR compliance efforts in complying with the CDPA. More information on the CDPA is available here.
The Colorado Privacy Act, Col. Rev. Stat. §6-1-1301, et seq. (the “CPA”), is in large part modeled on the CDPA, but with CCPA/CPRA influences, such as a broader definition of “sale” and requiring companies to look for and honor global privacy signals. It uses the categories of controller and processor as does the CDPA and the GDPR. More information on the CPA is available here.
Online Privacy Protection Acts
These laws generally require privacy policies to disclose:
- The categories of PI the operator collects through the web site and the categories of third parties with whom the operator shares that PI;
- The process, if any, the operator maintains for consumers to review and request changes to PI it collects;
- How the operator responds to browser “do not track” signals or other mechanisms that provide consumers to exercise choice regarding the collection of PI; and
- Whether other parties may collect PI about an individual’s online activities over time and across different web sites when a consumer uses the operator’s web site.
Nevada has amended its law to add a “do not sell” opt-out requirement, and a requirement for the registration of certain data brokers. California and Vermont also have data broker registration laws.
Biometric Privacy Laws
The most significant US law regulating the use of biometric information is the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”), regulates the collection, storage and sale of any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s biometric identifiers (such as a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry) and used to identify an individual. BIPA provides for a private right of action for violations, and BIPA litigation has taken off recently due in part to a series of decisions from both the Illinois Supreme Court and the federal Courts of Appeal favoring plaintiffs. BIPA will continue to have a material impact on the privacy landscape because of the scope of biometric information it protects and the routine ways in which this data is now collected. More information on BIPA is available here.
Other State Data Privacy and Protection Laws
In addition to the state laws discussed above, some states have laws that are similar in scope to several of the federal laws discussed above, including HIPAA, FCRA, VPPA (some that also govern non-video content consumption), GLBA, as well as laws prohibiting unfair or deceptive acts or practices. Then there are state laws regarding call and video recording, passive monitoring, employee privacy, educational technology targeting students, automated license plate readers, collection of driver’s license or DMV data, collection of certain identification in connection with certain purchase transactions, social media access and geolocation tracking. All US states and territories have laws requiring reasonable security of PI, and security breach notification under certain circumstances, but there is great diversity in the scope and mandates of those laws.