Blog Post
U.S. data privacy laws: discover all you need to know
Unlike other countries, the U.S. doesn’t currently have a singular data privacy law that covers the protection of personal data. Instead, there is a patchwork blanket of laws across several states and industries, including the Health Insurance Portability and Accountability Act (HIPAA), California Privacy Rights Act (CPRA) and Virginia Consumer Data Protection Act (VCDPA). This means that for customers located across a large number of U.S. states, companies can use, sell and share collected data without notifying you. By extension, they don’t need to notify you if your data is breached or collected by unauthorized parties. If your data is shared with third parties, they can further share that data without notifying you.
However, data privacy is increasingly becoming a concern across the U.S. as more states develop their own data protection laws. In Ground Labs’ 2021 U.S. consumer survey, 39% of respondents said they would like to see increased government regulations around data privacy. Similarly, other industry research shows that 90% of consumers believe the way their data is treated directly reflects how they are treated as customers, and 91% won’t buy from a company if they don’t trust how their data will be used.
Current U.S. data privacy laws
California
California’s CCPA and CPRA are the most comprehensive internet-focused data privacy legislation in the U.S., with no equivalent at the federal level. Only California residents have rights under the CCPA. The combination of these laws give the consumer a right to access and delete, as well as the opportunity to opt-out of data collection. Both exclude de-identified data, publicly available information, and aggregate information.
You can only sue businesses under the CCPA if certain conditions are met. The type of personal information that must have been stolen is your first name (or first initial) and last name in combination with any of the following:
- Your social security number
- Your driver’s license number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to identify a person's identity
- Your financial account number, credit card number, or debit card number if combined with any required security code, access code, or password that would allow someone access to your account
- Your medical or health insurance information
- Your fingerprint, retina or iris image, or other unique biometric data used to identify a person's identity (but not including photographs)
Virginia
The VCDPA protects consumers, which it defines as Virginia residents and expressly excludes “any person acting in a commercial or employment context.” Unlike California, where the B2B and employee exclusions have been the subject of several statutory amendments, Virginia has chosen not to leave those potential compliance hurdles up in the air. It protects personal information (PII) or any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal information does not include publicly available information that is from federal, state, or local government records, such as professional licenses and public real estate/property records. The VCDPA requires that controllers obtain consent before processing a consumer’s sensitive data, defined as including “personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;” genetic or biometric data processed for the purpose of uniquely identifying a natural person; the personal data collected from a known child; and precise geolocation data.
Colorado
The Colorado Privacy Act (CPA) protects consumers defined as “Colorado residents as well as any controller that conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado.” The scope of the law is broader in some senses and narrower in others compared to the CCPA and is slightly broader than the CDPA. Unlike the CCPA, the CPA does not include any revenue thresholds. It protects personal data, which is defined as information that is reasonably linkable to an individual. Because the CPA based itself on prior U.S. laws, it excludes de-identified data and publicly available data.
U.S. data privacy laws in progress
There are a number of U.S. data privacy laws that are in the beginning stages of development, including:
Utah
On March 3, the Utah House of Representatives unanimously passed a consumer privacy bill which the Utah Senate passed earlier this year. The law, Senate Bill (SB) 227, sets guidelines regarding the right of access and deletion of consumers’ data and how to exercise those rights. Amendments to SB 227 also stipulate that information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a healthcare professional is considered sensitive data. The bill applies to all organizations who conduct business in Utah or produce products or services targeted to Utah residents, has an annual revenue of $25 million or more, and satisfies one or more enumerated
Massachusetts
The Massachusetts data protection law is legislation that stipulates security requirements for organizations that handle the private data of residents. It replaces earlier legislation requiring organizations to notify individuals when a security breach puts their data at risk. The Massachusetts data protection law includes requirements for encryption of personal data, retention and storage of both digital and physical records and more. It also includes provisions to make sure that any associated third-party providers who have access to the data maintain the same standards.
New York
The New York Privacy Act obligates companies to disclose their methods of de-identifying personal data and install safeguards for personal data sharing. It also empowers consumers with the right to know the details of the entities having access to their data. It’s expected that future rights for New York residents will include right to notice, opt-in consent, access to data and data correction and deletion.
North Carolina
At present, North Carolina does not have a general privacy act or any general constitutional right to privacy. In addition, North Carolina common law only recognises two of the four traditional common law claims for invasion of privacy: appropriation of one's likeness and intrusion upon seclusion. Under their Identity Theft Protection Act, businesses that own or license personal information of residents of North Carolina or any business have to notify the affected individuals of a breach. A new amendment to this act proposes new data security obligations for businesses handling personal data and expands the definitions of both 'personal information' and 'security breach'.
Pennsylvania
Pennsylvania legislators introduced a comprehensive consumer data protection bill modeled on the California Consumer Privacy Act. Notably, unlike the CCPA, the Pennsylvania bill would apply to professional and employment-related information.
Under the proposed bill, Pennsylvania consumers would have a right to (1) request disclosure of personal information collected by a business; (2) have their personal information deleted; (3) request information about personal information sold or used for business purposes by a business; and (4) decline or opt out of sale of personal information to third parties.
This potential privacy law also extends protection to minors, as businesses would not be able to sell personal information of minor consumers without the consent of their parents.
California Children Privacy
Most businesses under the federal law bar minors from using their service and never ask a new user if they are a child. With the new law, consumers between 13 and 16 years of age must affirmatively authorize the sale of their personal information. If the child is under the age of 13 years old, a parent or guardian must affirmatively authorize the sale of information. Instead of fines, the California attorney general would be responsible for enforcement of the state’s rules, with potential action including litigation or fines.
Get ahead of developing U.S. data privacy laws
The list of data compliance laws to monitor and understand is growing each year. Though many of them overlap in expectations, their minute differences make it paramount to examine each thoughtfully and ensure compliance. Consider investing in data discovery to reinforce your organization’s data privacy. Our data discovery offerings, like Enterprise Recon, have the ability to scan all of your organization’s surfaces to locate and categorize over 300 data types.
Make a commitment to meet upcoming U.S. data privacy requirements today by scheduling a meeting with a data compliance expert.