Data Privacy Laws in the US
Federal data privacy laws in the US
There are no federal data privacy laws in the US. The proposed American Data Privacy Protection Act (ADPPA) is as close as US residents have been to such a law. The first federal consumer privacy bill to pass committee markup, ADPPA was approved 53-2 by the Committee on Energy and Commerce on July 20, 2022.
The ADPPA failed to progress to the House and Senate floors before the 117th Congress adjourned on January 3, 2023. The American Data Privacy Protection Act is currently being updated and redrafted in anticipation of further attempts at getting it signed into federal law.
There may not be any comprehensive federal data privacy laws in effect, but that’s not to say there aren’t any federal laws protecting consumers’ personal and sensitive data. There’s also the Federal Trade Commission (FTC), whose responsibilities overlap in many places with data privacy protection.
These are some of the major consumer data privacy laws in effect at the federal level in the US:
Fair Credit Reporting Act (FCRA)
The FCRA governs the collection and use of credit information, requiring data held and processed by FCRA-compliant companies to be accurate. The problem is that the vast majority of data brokers simply operate outside the FCRA.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA regulates the collection and processing of health information nationwide. Health information is among the most sensitive data that can be associated with an individual. Data brokers still push the boundaries of this law with some of them sharing health-related information.
Children’s Online Privacy Protection Act (COPPA)
COPPA specifically regulates the collection of information relating to minors. This legislation is instrumental in not only protecting minors’ personal information from data brokers but also keeping social media platforms and tech giants at least somewhat in line.
Gramm-Leach-Bliley Act (GLBA)
The GLBA is aimed at protecting personal information that’s collected and processed by banks and other financial institutions. Financial data is extremely valuable on both the legitimate and black markets—it’s legislation like this that discourages the misuse of such data, even if only by law-abiding entities.
Family Educational Rights and Privacy Act (FERPA)
FERPA safeguards the privacy of student education records. This is another category of data that’s valuable to law-abiding marketers, black-hat hackers, and many people and companies in between.
State data privacy laws in the US
In the absence of a federal US data privacy law, the slack is being taken up by a growing patchwork of state data privacy laws. These laws vary considerably, leaving companies that do business across state lines with sometimes disparate compliance requirements to navigate.
With relatively few states having comprehensive data privacy legislation in place, the greater problem is that too many US residents have no law to lean on when taking steps to protect their data privacy. Here’s a quick rundown of some of the data privacy laws either currently in place or soon to come into effect:
California Privacy Rights Act (CPRA)
The California Consumer Privacy Act (CCPA) was the first comprehensive state data privacy law in the US; the CPRA was passed in November 2020 to amend it. The CPRA came into effect on January 1, 2023. The CCPA on which it is based was in large part inspired by the EU’s General Data Protection Regulation (GDPR).
Key points of comparison:
- Sensitive personal information – the Act includes an updated definition of sensitive personal information, making information like Social Security numbers subject to special protections.
- Third-party requirements – third parties inherit data protection and compliance obligations from the first parties that originally collected the data.
- Breach liability – companies can be held liable for breaches involving login credentials or other information that can be used to gain unauthorized access to personal accounts.
Virginia’s Consumer Data Protection Act (VCDPA)
The VCDPA was passed on March 2, 2021, and came into effect on January 1, 2023. Inspired by both the EU’s General Data Protection Regulation (GDPR) and California’s CPRA, it shares many of the core provisions of both. These include giving residents the right to review, delete, and amend personal data held by companies.
Key points of comparison:
- Scope – the VCDPA applies to entities that do business in Virginia and control or process the personal data of at least 100,000 people, as well as entities that generate at least 50% of their revenue by selling personal information and control or process the personal data of at least 25,000 consumers.
- Sensitive data – companies that want to collect and process sensitive personal information have to get consumers to opt in. Other personal data collection can be done without explicit consent as long as the consumer is informed of the practice.
Colorado Privacy Act (CPA)
Colorado was the third state to enact a comprehensive data privacy law. The CPA was passed in June 2020 and is due to come into effect on July 1, 2023. It builds on and contains elements of the GDPR, CPRA, and CDPA.
Key points of comparison:
- Scope – the CPA applies to entities that collect personal data from at least 100,000 residents or collect personal data from at least 25,000 residents and generate revenue by selling that data.
- Exemptions – entities collecting or handling personal data already covered by laws like COPPA and FERPA, data collected for state health insurance purposes, de-identified data, and employment information are all among the exemptions to the CPA.
Utah Consumer Privacy Act (UCPA)
The UCPA was enacted in March 2022 and is due to come into effect on December 31, 2023. As the fourth such law in the US, it draws from the first three: the CPRA, CPA, and CDPA.
Key points of comparison:
- Scope – the UCPA applies to entities that generate more than $25 million in annual revenue and that either control or process the personal data of at least 100,000 consumers annually, or derive at least 50% of their gross revenue from the sale of personal information and control or process the personal data of at least 25,000 consumers.
- Exemptions – the UCPA does not apply to governmental agencies, nonprofit organizations, employment-related personal data, HIPAA-protected health information, GLBA-regulated financial institutions, and FCRA-compliant entities.
Other state laws on the books or in the works
The above are just the first four comprehensive state data protection laws to be enacted. States like Connecticut (CTDPA), New York (NY SHIELD Act), New Jersey, Michigan, Pennsylvania, and Ohio also have active legislation in place. The list of states with legislation still in the works (proposed but not yet enacted) is much, much longer.
Updated on: June 5, 2023