Understanding U.S. Data Privacy Laws
Jan. 19, 2023 / My Data Removal Staff
Data privacy laws are what regulate how a person’s personal data are collected, used, processed, and shared. These laws are key for keeping your personal information safe. We have found that many people don’t care about their personal data being easily accessible, that is, until it is too late. We believe privacy laws should exist for everyone, not just those who are passionate about it or have been a victim.
Even if you aren’t familiar with specific data privacy laws in the U.S., you have probably at least heard about the struggles between consumers and companies over who can control, track, and sell individuals’ personal data. If you have never taken the opportunity to research data privacy laws, it might be unclear to you what your rights are. This article outlines the federal and state laws that protect your personal data, with the intent that you can make better decisions about how to keep yourself and your data safe.
Comprehensive vs limited laws
Before we address the laws, it is helpful to understand the difference between comprehensive and limited privacy laws. In May 2018, the General Data Protection Regulation (GDPR) took effect in the European Union. It is held up as the gold standard of privacy protection laws. It is comprehensive, meaning that its definition of what qualifies as “data” is very broad and covers all types of data, and that it gives the consumer many rights to control or access that data. In addition, comprehensive laws apply to all types of companies in all types of circumstances.
Limited laws typically have very narrow definitions of what qualifies as “data” and usually apply only in very specific situations. For example, some states only protect Personally Identifiable Information (PII), such as your social security number or driver’s license number, but not consumer data such as individuals’ shopping habits or online browsing activity. In addition, limited privacy laws often do not give individuals the right to request that a company delete their data.
In the United States, there are very few federal laws protecting your private data, and many companies take advantage of this hands-off approach. While eight out of 10 Americans agree the federal government should establish laws to protect their personal data (2022 DataGrail research), no comprehensive privacy protection bill has yet been enacted into law. Of the federal laws that do exist, none comprehensively protects individuals’ information and rights, and each of them applies only to certain types of data in very specific situations.
While there are no comprehensive federal privacy laws, there is one bill currently in the legislative process. The American Data Privacy and Protection Act (ADPPA) is a comprehensive privacy bill that has made it further than any other. Although it is currently stalled, it is still under consideration and is the best chance for a comprehensive federal law. You can read about this bill at Congress.gov.
The following is an overview of the current limited federal laws that govern the collection and use of various forms of information.
The Federal Trade Commission Act (FTC Act), which works to prevent unfair or deceptive trade practices
The Children's Online Privacy Protection Act (COPPA), which governs the collection of information about minors
The Health Insurance Portability and Accountability Act (HIPAA), which governs the collection of health information
The Gramm-Leach-Bliley Act (GLBA), which governs personal information collected by banks and financial institutions
The Fair Credit Reporting Act (FCRA), which regulates the collection and use of credit information
The Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records
In the absence of federal action, the role of protecting consumers’ data has mainly fallen to the states. The majority of states have very limited laws, meaning their residents remain mostly unprotected. Only five states have comprehensive privacy laws: California, Colorado, Connecticut, Virginia, and Utah. It is beyond the scope of this article to list the laws for every state. If you would like to see the specifics, here is a list of current laws by state, including those with comprehensive and limited laws.
While only a handful of states have comprehensive laws, we are happy to see the trend of more and more state legislatures moving to protect consumers. In 2022, 60 comprehensive privacy bills were considered across 29 state legislatures (IAPP Privacy Matters). You can see the status of any legislation in your state here.
Data breach reporting laws
Of special note is that all 50 states have some form of data breach reporting law. This means that no matter what state a company does business in, or where its customers reside, the organization must notify users if their data has been compromised by a breach. However, each state differs in the details, such as what constitutes a breach or when organizations are required to inform their users. For example, some states require notification only when measurable harm has already been discovered, not necessarily every time a breach occurs.
We recommend the following chart from the International Association of Privacy Professionals (IAPP) to see what your state’s data breach notification requirements are.
Data privacy and protection laws are critical for keeping your information safe. We remain hopeful that rights and protections for individuals will continue to improve with new state legislation. If a comprehensive federal law (similar to the EU’s GDPR) were passed in the United States, it would essentially put us out of work. But we believe so strongly in individuals’ right to control their data and their right to privacy that this would be a win in our book.