Column

Current US Personal Data Protection Laws and Regulations

Recently, the media have been full of news about the success of data-driven businesses. Using data not only improves efficiency but also has the potential to transform businesses and their industrial structure. Companies believe that if they could access data from all over the world through the Internet, it would not be difficult for their business to dominate the world. However, companies looking for a successful business model built on data strategies are busy dealing with the personal data protection regulations that have been legislated one after another in many countries. Each country has a different legal system and legal culture, and so do the regulatory issues surrounding personal data protection. In the U.S., which we introduce in this article, there is no comprehensive federal law equivalent to Japan's "Act on the Protection of Personal Information" or the EU's GDPR, but there are numerous regulations on the handling of personal data in specific fields and by state. The following is a broad view of the laws and regulations regarding personal data protection in the United States.

Federal Law

The following federal laws govern the handling of personal data in specific fields.

■Public Sector

With respect to the public sector, the Privacy Act of 1974[i] governs the collection, storage, use, and sharing of personally identifiable information about U.S. citizens. However, the Privacy Act applies only to federal agencies and does not affect the handling of consumer personal data in the business sector.

■Private Sector

[The Gramm-Leach-Bliley Act (GLBA), ii]

GLBA establishes specific privacy and security standards for banks, insurance companies, and other financial institutions, with the goal of protecting personal financial information. Covered financial institutions are required to comply with security regulations, to disclose their use and disclosure of information to non-affiliated third parties, and to provide privacy notices regarding Non-Public Personal Information (NPI) about natural persons who are "consumers" or "customers."

[The Fair Credit Reporting Act (FCRA), iii]

The Fair Credit Reporting Act (FCRA) limits how consumer reporting agencies, such as credit bureaus, medical information bureaus, and tenant screening agencies, may use consumer reports containing personal credit information, such as a consumer's creditworthiness, credit ratings, credit limits, characteristics, general reputation, personality characteristics, and living situation. Permitted uses of such reports are limited to credit, employment, and insurance eligibility evaluations.

[The Health Insurance Portability and Accountability Act (HIPAA), iv]

This federal law, enacted in 1996, establishes privacy and security rules for the handling of personal information in the healthcare field. Identifiable private health information is referred to as protected health information (PHI) and is subject to the Privacy Rule and the Disclosure Rule for health plans, health care providers, and health care clearinghouses (intermediaries that receive electronic health record information and electronically submit health care claims to insurance companies). The law stipulates privacy rules for the use and disclosure of PHI and security rules for the retention and transfer of electronic PHI.

[The Telephone Consumer Protection Act (TCPA), v]

To protect consumers from telemarketing, the TCPA regulates calls and messages from contact centers to consumers' landline and cell phones, including automated dialing, automated messaging, and automated faxing.

[The Family Educational Rights and Privacy Act (FERPA), vi]

This federal law protects students' educational records and privacy. Disclosure of educational records and personal information is prohibited unless authorized by the student or by the parents or guardians.

[The Children's Online Privacy Protection Act (COPPA), vii]

This act sets forth rules for online service providers regarding the collection, use, and disclosure of identifiable personal information of children under the age of 13. In recent years, the scope of personal information has been expanded to include screen names, e-mail addresses, chat names, and so on. The case in which YouTube used cookies to collect personal information from children without parental consent is still fresh in our minds.

*************************

State Law

In addition to the federal privacy protections in specific areas, California, New York, and other states are moving to expand legislation protecting personal information. Below we highlight state laws that have been enacted and those now under consideration.

■Enacted

[California Consumer Privacy Act (effective January 1, 2020), viii]

This is currently the most comprehensive privacy law in the United States focused on protecting personal information on the Internet. It broadly defines Personal Information as any information that identifies, relates to, describes, is associated with, or can reasonably be linked, directly or indirectly, to a state resident or household.

The new consumer rights for state residents cover the disclosure, deletion, and sale of their personal information to third parties, including the right to stop companies from selling it (the opt-out right). Companies are required to explain the categories of personal information collected, sold, or disclosed, the sources of the information, the third parties with whom the personal information is shared and their categories, the purpose of these activities, and the opt-out method.

However, in the healthcare and financial sectors, federal law takes precedence, and HIPAA and GLBA apply.

On November 3, 2020, the Consumer Privacy Rights Act (CPRA), or Proposition 24, which amends the CCPA and reinforces consumer rights, was passed by a majority vote. The CPRA expands the scope of personal information to include "sensitive personal information" and gives consumers the right to correct their personal information and to limit its sharing. The CPRA is expected to take effect on January 1, 2023.

Nevada's Senate Bill 220 (ix), an act relating to Internet privacy that took effect three months earlier than the CCPA, requires certain entities to create a "designated request contact" for consumers. It also stipulates that those entities must respond to consumers' opt-out requests within 60 or 90 days. Unlike the CCPA, Senate Bill 220 does not cover consumers' personal information collected offline.

Another state, Maine, regulates the handling of online data under its own law, "An Act to Protect the Privacy of Online Customer Information" (x). One major difference from the two privacy laws mentioned above is that Maine's privacy law covers only Internet Service Providers (ISPs).

■Under debate

The New York Privacy Act (S5642) (xi), proposed in New York State, was not approved by the state legislature, but was described in the media as "stricter," "bolder," and "drastic." This is because it expanded the scope of covered personal data. It also introduced the innovative concept that companies retaining personal data act as "data fiduciaries." If passed, S5642 is said to have a wider scope than the CCPA.

In Hawaii, a bill similar to the CCPA, the Hawaii Consumer Privacy Protection Act (SB 418) (xii), was introduced and passed its first reading in 2019. However, SB 418 currently targets websites all over the world, and it could be amended in the future to limit its reach to websites in Hawaii (xiii).

Other privacy bills under consideration that resemble the CCPA include "The Maryland Online Consumer Protection Act" (SB 613) (xiv), "The Massachusetts Data Privacy Act" (The Massachusetts Data Privacy Law, S-120) (xv), and "The North Dakota Bill," HB 1485 (xvi).

In the United States, in addition to California and the other states mentioned above, Florida (xvii), Illinois (xviii), and Washington (xix) are also working on their own state laws on personal information protection. Unlike in the Japanese legal culture, states in the United States are free to enact laws as long as they do not violate the Constitution. However, state-by-state privacy rules are inconvenient for business and may create pressure for the establishment of comprehensive federal legislation.

*The information in this article is current as of the time of publication. The article does not represent our official views or opinions. We are not responsible for any damage caused by the use of this article.

i https://www.justice.gov/opcl/overview-privacy-act-1974-2015-edition

ii https://www.govinfo.gov/content/pkg/PLAW-106publ102/html/PLAW-106publ102.htm

iii https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf

iv https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html

v https://www.fcc.gov/sites/default/files/tcpa-rules.pdf

vi https://www.law.cornell.edu/uscode/text/20/1232g

vii https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-section6501&edition=prelim

viii https://en.wikipedia.org/wiki/California_Consumer_Privacy_Act

ix https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Overview

x https://www.mainelegislature.org/legis/bills/bills_129th/billtexts/SP027501.asp

xi https://www.nysenate.gov/legislation/bills/2019/s5642#:~:text=Enacts%20the%20NY%20privacy%20act,new%20office%20of%20privacy%20and

xii https://www.capitol.hawaii.gov/Archives/measure_indiv_Archives.aspx?billtype=SB&billnumber=418&year=2019

xiii https://www.varonis.com/blog/us-privacy-laws/

xiv http://mgaleg.maryland.gov/mgawebsite/legislation/details/sb0613?ys=2019rs

xv https://malegislature.gov/Bills/191/SD341

xvi https://www.legis.nd.gov/assembly/66-2019/bill-actions/ba1485.html

xvii https://www.bytebacklaw.com/2020/01/analyzing-the-2020-florida-consumer-data-privacy-act/

xviii https://www.bytebacklaw.com/2020/01/analyzing-the-2020-illinois-data-transparency-and-privacy-act/

xix https://www.bytebacklaw.com/2020/01/2020-washington-privacy-act-released/