Data privacy and protection are an increasingly important part of modern business. If you collect, store, or process data in the United States, you may be subject to certain US privacy laws. A compliant privacy policy is one of the first steps toward staying on the right side of those regulations, and toward avoiding the significant fines that come with violating them.
You may be familiar with European privacy law (the General Data Protection Regulation) or the Chinese privacy law (the Personal Information Protection Law). Each of these is a single comprehensive regulation that applies across its entire jurisdiction, the EU's across all member states. The United States has no equivalent.
Currently, the United States does not have a comprehensive federal data privacy law in place, but that could change in the near future. If current legislation is approved by Congress and is signed into law, companies and nonprofits that collect, store, or process data in the United States will be affected, with only limited exemptions for small organizations. It’s important to stay on top of privacy laws. Here’s an overview of current US privacy laws.
Federal US data privacy laws
As noted above, the United States lacks a comprehensive privacy law. The following laws protect certain types of data in limited situations:
- COPPA: The Children’s Online Privacy Protection Act (COPPA) limits online data collection of children under 13.
- ECPA: The Electronic Communications Privacy Act protects wire, oral, and electronic communications against interception and recording, but falls short of protecting against many modern surveillance tactics.
- FCRA: The Fair Credit Reporting Act limits who can see a credit report, what kind of information credit bureaus can collect, and how that information can be collected.
- FERPA: The Family Educational Rights and Privacy Act protects student educational records.
- FTC Act: Section 5 of the Federal Trade Commission Act prohibits unfair or deceptive practices, which gives the FTC the power to take enforcement action against apps or websites that violate their own privacy policies.
- GLBA: The Gramm-Leach-Bliley Act regulates the collection and disclosure of consumers’ financial information and requires financial institutions to implement security programs and disclose how they share that data.
- HIPAA: The Health Insurance Portability and Accountability Act protects patient health information collected, processed, or stored by covered entities (doctors, pharmacies, hospitals, health plans, and more) and by the business associates that handle that information on their behalf.
- VPPA: The Video Privacy Protection Act prohibits video tape service providers from disclosing their customers' rental or sale records. Courts are still deciding, in ongoing lawsuits, whether it applies to streaming services.
As you can see, these privacy protections are piecemeal. The vast majority of your online data is not protected. That could change if the bipartisan American Data Privacy and Protection Act (ADPPA or the “Act”) is signed into law.
The Act “addresses manipulation through its prohibition on obtaining consent through deception or manipulation; breaches of confidentiality through added protections for ‘sensitive’ information and transfers of data as well as data security; and discrimination through extension of civil rights protection and algorithmic assessments.”
States with privacy laws
Currently, five states have their own comprehensive data privacy laws in place: California, Colorado, Utah, Virginia, and Connecticut.
Michigan, Ohio, Pennsylvania, and New Jersey have their own bills in committee. If passed, these states’ privacy laws could make the data protection landscape even more confusing. Companies will have to amend their privacy policies and data collection processes to comply with each individual state’s varied laws.
Who is subject to United States data protection laws?
Typically, any company that collects, stores, or processes the personal data of consumers in California, Colorado, Utah, Virginia, or Connecticut must determine whether it needs to comply with that state's privacy law. For example, if your company targets customers in these states online, it's important to ensure compliance once you cross the applicability thresholds (such as the revenue or number-of-consumers limits each law sets). Penalties include fines (and, in California, damages if a lawsuit is brought), which can add up quickly. Companies may also be subject to increased supervision by the regulator, which in turn may require operational changes.
How to comply with US online privacy laws
Complying with US privacy laws can be confusing. First, you’ll need to determine whether you’re already collecting or plan to collect consumer data from California, Colorado, Utah, Virginia, and Connecticut.
Next, you must research each state’s online privacy laws. Unfortunately, each of the five states varies in its requirements: Utah is one of the least restrictive, while California is the most restrictive. Amend your internal privacy policies and public privacy notices to ensure that they’re compliant with requirements. Many companies incorporate these requirements into a nationwide privacy notice, while others may simply have state-specific notices for individual laws.
Finally, you'll need to keep up with changes to the law, including whether Michigan, Ohio, Pennsylvania, and New Jersey pass their own privacy laws. And if the ADPPA is signed into law, your privacy policy and notice will need to be amended once more.
Discover SixFifty’s privacy policy solutions
Keeping up with US privacy laws is a time-consuming task, especially when individual states keep passing separate laws. Fortunately, SixFifty’s comprehensive privacy documents will help your company stay compliant. Our proprietary legal technology combines automation technology with real legal expertise: just answer a few questions, download the generated document, and have your lawyers review. Best of all, we’ll stay on top of changes to privacy law, and notify you when it’s time to make a change. Reach out to schedule a demo today!