Guide to the Federal and State Data Privacy Laws in the USA

In the digital age, data privacy protection and regulation have become more critical than ever

It is now a matter of priority for most individuals, organizations, and governments across the globe. As a result, virtually every free country globally, including the United States, has introduced some form of data protection regulation or other to regulate how personal information is collected, stored, and shared. What control a data subject has over their personal information.

Although in the U.S, for example, there is no central all-encompassing federal data privacy law like the EU GDPR. However, several vertically-focused federal data privacy laws are targeting one sector of the economy or another, as well as a new generation of consumer-oriented privacy laws coming from the states. The U.S Federal Trade Commission (FTC) is the agency vested with the power to enforce those regulations at the federal level, while state attorneys do the same at the state level.

This article will take a detailed look at the various federal and state data privacy laws in the United States. Hopefully, this will help you fully comprehend the provisions of those laws and prepare your business for compliance.

Federal Data Privacy Laws

Privacy Act

The Privacy Act is a United States federal law enacted on December 31, 1974, to govern the collection, use, and dissemination of PII about individuals held by federal agencies.

It was created in response to concerns about how the creation and use of computerized databases might impact individuals’ privacy rights.

The Act only covers U.S. citizens and permanent residents. Thus, only a citizen or permanent resident can sue under the Privacy Act. In addition, the Act applies only to certain federal government agencies.

Privacy Act obligation: The privacy Act protects citizen’s privacy through the following rules and rights in the handling of personal data:

  • Citizens have a right to access any data held by government agencies; and a right to copy and correct any information errors
  • Government agencies must follow data minimization principles (relevant and necessary information to accomplish its purposes) or “fair information practices” when gathering and handling personal data
  • Sharing of information between other federal (and non-federal) agencies is restricted and only allowed under certain conditions
  • Individuals have a right to sue the government for violating its provisions

However, there are specific exceptions to the Act that allow personal information under certain conditions. These exceptions mean that individual privacy is not entirely guaranteed as the Act’s drafters might have wished. Furthermore, the Privacy Act only applies to records held by an “agency.”  Therefore, the records maintained by courts, executive components, or non-agency government entities are not subject to the provisions in the Privacy Act, and there is no right to these records.

Penalties for violating the Privacy Act: The Privacy Act provides civil and criminal penalties for violating the Act’s provisions. The following are some of the applicable penalties for non-compliance:

  • If an agency refuses to amend an individual’s record upon request, the individual can sue in civil court to have the record amended. The court can also award the individual reasonable attorney’s fees and other litigation costs to be paid by the agency
  • If any government agency employee willfully discloses PII, they will be fined a maximum of $5,000
  • If any agency employee willfully maintains a records system without disclosing its existence and relevant details as specified above, they can be fined a maximum of $5,000
  • Anyone who willfully requests an individual’s record from an agency under false pretenses can be fined a maximum of $5,000

The Health Insurance Portability and Accountability (HIPAA) Act 

HIPAA is a federal statute that was signed into law on August 21, 1996. It was created primarily to modernize the flow of healthcare information and stipulate how the confidentiality and integrity of personally identifiable information (PII) held by healthcare providers should be protected.

HIPAA is crucial because it ensures healthcare providers and related organizations implement adequate safeguards to protect sensitive personal health information.

HIPAA obligations: Healthcare providers are obligated to provide safeguards to protect the confidentiality, integrity, and availability of private health information (PHI). The following rules define the structure of everything related to HIPAA compliance requirements:

  • The Privacy Rule—This regulates the use and disclosure of PHI held by covered entities
  • The Security Rule—This outlines security controls that are organized into administrative (security policies and procedures, user training, and HR), physical (covers all aspects of physical security safeguards), and technical (covers all aspects of cybersecurity) precautions
  • The Breach Notification Rule requires covered entities to notify patients, HHS, and other key stakeholders when their unsecured PHI is impermissibly breached
  • The Omnibus Rule—The implication of this rule is that covered entities are responsible for any potential violations of business associates and contractors and need to take appropriate actions accordingly

Patient’s rights: Patients have several rights under the HIPAA privacy rule, including access to their health records and the right to request corrections.

The right of access provides individuals with a legal, enforceable right to access and receive copies, upon request, of the information in their health records held by their healthcare providers. A patient also has the right to amend PHI for as long as the PHI is in a designated record set.

Penalties for violating HIPAA: All healthcare-related entities that collect, store, or share patient health information are expected to be in complete compliance with HIPAA. Non-compliance to the provisions of the law attracts stiff penalties. The most common type of violation stems from non-compliance with HIPAA privacy, security, or breach notification rules.

The penalties for non-compliance are based on the level of negligence. They can range from $100 to $50,000 per violation, with a maximum fine of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail terms. Here is a list of HIPAA notable violations and fines from 2015-2021 and a list of those currently under investigation.

Gramm–Leach–Bliley Act (GLBA)

GLBA is a federal statute that was signed into law on November 12, 1999. The law requires financial institutions and other businesses that offer financial services and products to communicate to their customers how they protect and share their private information and the customer’s right to opt-out of any third-party data sharing.

GLBA compliance makes it mandatory for all financial institutions to have the policy to protect the confidentiality and integrity of customers’ information from any foreseeable threats.

GLBA obligations: Financial services providers are obligated to provide safeguards to protect the confidentiality, integrity, and availability of customer’s personal information by adhering to the following rules:

  • Financial Privacy Rule This requires financial institutions to provide each consumer with a privacy notice once a consumer relationship is established and annually after that. The privacy notice must explain the information collected about the consumer, including where and how the information is used, shared, and protected, and their rights to opt-out of third-party information sharing
  • Safeguards Rule The Safeguards require financial institutions to develop a written information security policy that describes how the company is prepared for and plans to continue to protect clients’ nonpublic personal information
  • Pretexting Protection GLBA prohibits the practice of pretexting—a form of social engineering attack that occurs when someone tries to access personal, non-public information without the proper authority to do so. Organizations covered by GLBA are required to implement safeguards against pretexting attacks

Penalties for violating GLBA: Failure to comply with GLBA attracts severe penalties for the financial institution and its employees.

  • A financial institution can be fined up to $100,000 for each violation and an amount that goes up to one percent of the company’s assets
  • Employees can also be fined up to $10,000 individually for each violation
  • If they don’t follow the safety policies and procedures in place, they may get a $1,000,000 fine and between 5-12 years of prison term

Children’s Online Privacy Protection Act (COPPA)

COPPA is a United States federal law enacted on April 21, 2000, to regulate the online collection of personal information about children under 13 years of age.

The law protects children’s privacy by requesting parental consent to collect or use any personal information of children. It was created to increase parental involvement in children’s online activities in response to a growing awareness of Internet marketing techniques that targeted children and collected their personal information from websites without parental notification.

The Act applies to commercial websites and online services (including mobile apps) that are directed at children, as well as foreign websites that are directed at U.S children. It doesn’t apply to general audience websites unless they have specific services that attract children to their site.

COPPA obligations: Websites or mobile apps directed to children are obligated to adhere to fair information practices in the collection and use of personal information. The National Law Review has a detailed breakdown of the steps you need to take to comply with COPPA obligations:

  • Post a clear and comprehensive online privacy policy describing their information practices for PI collected online from children under 13;
  • Make reasonable efforts (taking into account available technology) to provide direct notice to parents of the operator’s practices concerning the collection, use, or disclosure of PI from children under 13, including notification of any material change to such methods to which the parents have previously consented;
  • Obtain verifiable parental consent, with limited exceptions, before any collection, use, and disclosure of PI from children under 13;
  • Provide a reasonable means for a parent to review the PI collected from their child and to refuse to permit its further use or maintenance;
  • Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of the PI collected from children under 13, including by taking reasonable steps to disclose/release such PI only to parties capable of maintaining its confidentiality and security; and
  • Retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.
  • Operators are prohibited from conditioning a child’s participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity

Penalties for violating COPPA: The FTC has the authority to enforce COPPA compliance. According to the FTC, courts may fine violators of COPPA up to $42,530 in civil penalties for each violation. The amount of civil penalties a court assesses is dependent on several factors such as the enormity of the offenses, previous record of violation, the number of children involved, the amount and type of PI collected and how it was used, the size of the company.

The FTC has brought several actions against some online services companies for failing to comply with COPPA requirements, including actions against Google, TikTok, Lisa Frank, American Pop Corn Company, and others. Google has in recent times shifted responsibility for COPPA compliance onto YouTube kid’s content creators. This means that videos targeted at kids under 13 years can no longer carry behaviorally targeted ads.

Fair and Accurate Credit Transactions Act (FACTA)

FACTA is a federal statute signed into law on December 4, 2003, as an amendment to the Fair Credit Reporting Act.

It was primarily designed to cut down on the number of identity theft incidents and improve secure disposal or destruction of consumer information. The law also allows consumers to request and obtain a free credit report once every 12 months from each of the three consumer credit reporting companies in the U.S—Equifax, Experian, and TransUnion.

FACTA obligations: FACTA provides rules for financial service providers, lenders, credit reporting agencies, and all businesses with “covered accounts” to detect and protect consumers from fraud and identity theft. A “covered account” includes any account for which there is a foreseeable risk of identity theft.

One of such rules is the Red Flags Rule—which requires companies to put in place identity theft policies and procedures that would assess identity theft risk factors, test and implement those policies to detect and address identified risks, and train employees to ensure that those policies and procedures are correctly adhered to.

In addition to the Red Flags Rule, FACTA establishes rules concerning Fraud Alerts and Active Duty Alerts. Upon the request of a consumer (who believes they are about to be a victim of fraud or identity theft), the law requires consumer reporting agencies to place a fraud alert on their file so that no new credit line is opened in their name without explicit confirmation from you.  An active duty alert requires the reporting agency to disclose such an alert with any credit report issued within 12 months of the request.

Penalties for violating FACTA: Both federal and state penalties may apply to FACTA violations:

  • Federal government FACTA penalties can be up to $2,500 per violation
  • State FACTA penalties can be up to $1,000 per violation
  • Businesses that fail to truncate debit/credit card numbers during the printout of transaction receipts may be subject to the payment of statutory damages ranging from $100 to $1000 per violation
  • Class action lawsuits can be up to $1,000 for each consumer affected

State Data Privacy Laws

California Consumer Privacy Act (CCPA)

CCPA is a state statute for residents of the state of California in the United States that came into force on January 1, 2020.

The CCPA is designed to give Californians control over their data. It is adjudged as the US’s most comprehensive data privacy legislation, similar to the E.U GDPR. The law applies to businesses in California that collect consumers’ data and can be described in any or all of the following ways:

  • Derives 50% or more of its annual revenues from selling consumers’ personal information
  • Buys or sells the personal information of 50,000 or more consumers, households, or devices
  • Has annual gross revenues above $25,000,000

CCPA consumer rights: The CCPA regulation empowers users with new data rights. To comply with the regulation, your organization must enable users to exercise their CCPA rights. For example, if you are a resident of California, you now have the right to:

  • Sue a business if it fails to implement reasonable security measures and your data is compromised in a data breach
  • Know what personal data is being collected about you, and to be able to access it
  • Know whether your data is sold or disclosed and to whom
  • Not be discriminated against for exercising their privacy rights
  • Ask a business to delete your data
  • Opt-out of the sale of your data

Penalties for violating CCPA: Companies have 30 days to comply with the law once regulators notify them of a violation. If they fail to resolve the issue within the giving period, there’s a fine of up to $7,500 per record. Other applicable penalties include:

  • Payment of statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater, if the personal data of users is compromised in a data breach
  • A fine of upto $7,500 for each intentional violation and $2,500 for each unintentional violation
  • Liability may also apply in respect of businesses in overseas countries that ship items into California

Virginia Consumer Data Protection Act (CDPA)

CDPA is a state statute for residents of the state of Virginia in the United States.

Like the California Consumer Privacy Act (CCPA), the CDPA is designed to give Virginia consumers more control over their data. This makes Virginia become only the second state to enact comprehensive privacy legislation.

Although the law takes effect on January 1, 2023, businesses are expected to begin evaluating their obligations to ensure they have sufficient time to comply. A company is subject to the CDPA if they either conduct business in Virginia or produce products or services that are targeted to Virginia residents and  meet one of the following requirements:

  1. During a calendar year, control or process personal data of at least 100,000 consumers; or
  2. Control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data

CDPA obligations: The CDPA places several obligations for businesses processing personal data. These obligations include:

  • Limits on Collection and Use of Data: Businesses are required to limit the collection of personal data to “what is adequate, relevant, and reasonably necessary” for the purpose for which the data is processed
  • Purpose Limitations: Businesses are required to process personal data only for purposes reasonably necessary or compatible with the purposes disclosed in the business’ privacy policy
  • Consent for Processing Sensitive Data: Businesses are required to obtain the consumer’s permission before processing any sensitive data
  • Reasonable Security Controls: Businesses are required to implement and maintain good administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data
  • Data Protection Assessments: Businesses are required to conduct data protection assessments (DPAs) to evaluate the risks associated with particular data processing activities

Consumer Privacy Rights: The CDPA enumerates the following privacy rights for Virginia consumers:

  1. Right to Access
  2. Right to Rectification
  3. Right to Deletion
  4. Right to Data Portability
  5. Right to Object to Data Processing
  6. Right to be Free from Discrimination

Penalties for violating CDPA: Companies have 30 days to comply with the law once regulators notify them of a violation. If they fail to resolve the issue within the giving period, there’s a fine of up to $7,500 per violation.

Other State Laws

Many other upcoming state data privacy laws are currently undergoing legislative scrutiny and passage into law or awaiting executive sign-off. The table below summarizes the various upcoming and existing state data privacy laws.

StateNameBusinesses coveredRight to Delete?Right to Access?Right to Rectification?Status
CaliforniaCalifornia Consumer Privacy AcRevenues over $25 millionYesYesNoIn effect since January 1, 2020
Virginia Virginia Consumer Data Protection ActAllYesYesYesTakes effect on January 1, 2023
New YorkNew York Privacy ActAllYesYesYesPending
MassachusettsMassachusetts Data Privacy LawOver $10 millionYesYesNoPending
MarylandMaryland Online Consumer Protection ActOver $25 millionYesYesNoPending
HawaiiHawaii Consumer Privacy Protection ActAllYesYesNoPending

Table 1.0 Comparison of current and upcoming state data protection laws