The Landscape of U.S. Data Privacy Laws

While data privacy is a catalyst for change, the United States has long had a patchwork of regulations that continually evolve on a state-by-state basis.

Below is a rundown of current and emerging data privacy and protection regulations within the United States (U.S.). We have compared multiple states that have proposed, introduced, passed, or signed any privacy legislation to protect consumers’ data with our State-by-State Data Privacy Comparison Chart.

U.S. Data Privacy History

Privacy Act (1974)

The Privacy Act of 1974 was one of the first privacy laws in the United States. It deals with how “personally identifiable data” is collected, used, and distributed. This new policy only referred to the federal agencies, which means corporations are not required to follow these regulations.

FTC – Federal Trades Commission

The Federal Trades Commission (FTC) is an independent law enforcement agency that protects consumers. Section 5 of the FTC Act forbids companies from activities that are considered “deceptive” or “unfair”. There has to be a clear violation of business policy or a strong likelihood of a substantial injury to a consumer for the FTC to take any action.

Sector-Based Privacy Laws
Sector-based privacy laws are detailed regulations primarily focused on information about a group or individuals within a sector. For example, the Children’s Online Protection of Privacy Act (COPPA) restricts the collection of children’s data under 13 years old. In comparison, the Health Insurance Portability and Accountability Act (HIPAA) protects patients’ health and medical-related data, which requires specific disclosures and informed consent to share the information.

Gramm-Leach- Bliley Act (GLBA) (1999)

The Gramm-Leach- Bliley Act is a U.S. Federal law that controls how financial institutions manage people’s private data. There are three areas of this law: The Financial Privacy Rule regulates how personal financial data is disclosed and collected; the Safeguards Rule makes it a requirement for financial institutions to protect data by implementing a security program; the Pretexting provisions forbid using false pretenses to access private data. Financial institutions under this Act are also responsible for giving customers written notice explaining their data-sharing process and practice.

Fair Credit Reporting Act (FCRA)

The Fair Credit Reporting Act protects data stored by consumer reporting agencies (medical information companies, renters screening services & credit bureaus). It also doesn’t allow for consumer report information to be shared without a specific purpose for that data. In addition, consumers must be alerted when an adverse action has occurred because of the reports when the information is for insurance, credit, or employment purposes.

Status of State-Based Data Privacy Laws

California (CCPA)

In 2018, the California Consumer Privacy Act (“CCPA”) was signed into law and had been in effect since July 1, 2020. It is considered to be the most comprehensive data privacy regulation in the U.S. Under CCPA, there are new penalties and liability for personal information collected, sold, and disclosed. Additionally, consumers have the right to access and deletion of information through a data subject access request.

California (CPRA)

The CPRA, an amendment to the California Consumer Privacy Act of 2018 (CCPA), will go into effect in January 2023, with retroactive oversight into a company’s data practices as far back as January 2020. CPRA amends the CCPA to create additional consumer privacy rights, such as the right of correction and the right to limit the use and disclosure of sensitive personal information. It also establishes the California Privacy Protection Agency (CPPA), shifting rulemaking and enforcement authority from the Attorney General to the new state regulatory agency.

Virginia (CDPA)

The Virginia Consumer Data Privacy Act (CDPA) was signed into law on March 2, 2021, and will go into effect on January 1, 2023. It requires opt-in consent when processing sensitive data and third-party usage, data protection assessments, and consumer rights compliance (access, correction, portability, opt-out of sale, and deletion). Failure to comply with VA privacy data law can also result in steep fines for businesses.

Fast Facts about US Data Privacy Regulations

  • Currently, California & Virginia are the only two states that have passed their data privacy laws.
  • California is the only state which will have a regulatory agency SOLELY devoted to privacy.
  • CCPA establishes significant penalties for non-compliance and violation of consumer privacy
  • Data Breach Notifications statutes are common across all 50 states; if there is a breach of sensitive information, companies are mandated to report it to the consumers of those states whose data was impacted – along with the regulatory authorities. But keep in mind that sensitive data is defined differently across each state with some commonalities. For example, in some states, your mother’s maiden name is covered while in other states it’s not deemed as sensitive.
  • CPRA and the NY Shield Act require high-risk data processors to perform Risk Assessment and Cyber Security Audits.
  • California & Virginia requires businesses to own data inventory and map business flows to respond to any data rights requests.
  • Washington, Maryland, New York, Hawaii, Massachusetts, Florida, Colorado, Texas, and a growing number of states are in the process of passing their own consumer data privacy laws. Most of them have drawn heavily from the GDPR and CCPA in the design of their new privacy laws.

Check out a comprehensive comparison of US Privacy Regulations here – and get a 1:1 demo to learn how to build a future-proof privacy program to adapt to current and emerging data privacy and protection regulations.