Corporate Guide to U.S. Data Privacy Laws
Last updated April 25, 2023Despite numerous proposals over the years, there is not yet an overarching federal law that governs data privacy in the U.S. That may change in the near future as the American Data Privacy Protection Act (ADPPA) has made it further than any of its predecessors. Let’s look at current federal and upcoming state-level data privacy laws in the U.S. today.
U.S. Data Privacy Laws
The American Data Privacy and Protection Act (ADPPA) was introduced on June 21, 2022. It proposes a set of national standards for regulating the collection and use of consumers’ personal information by companies. The Congressional Research Service states that ADPPA will apply to most entities, including large data holders, nonprofits, service providers, and common carriers. If it becomes law, ADPPA will impose tight limitations on targeted advertising and the use of sensitive data that “identifies or is linked or reasonably linkable” to a person.Aside from ADPPA, several U.S. data privacy laws are already in effect. Below are current federal data privacy laws:
Privacy Laws | Description | Jurisdiction | Penalties for Non-Compliance |
Children’s Online Privacy Protection Rule (COPPA) | The Children’s Online Privacy Protection Rule (COPPA) regulates how website operators and online service providers collect and use information from children under 13 years of age. | COPPA applies to persons or entities under US jurisdiction. In addition, U.S. states and various federal agencies can enforce compliance on entities over which they hold jurisdiction. | According to the Federal Trade Commission (FTC), violators face civil penalties of up to $46,517 per violation. The FTC further states that it will seek civil penalties on a case-by-case basis, sometimes up to millions of dollars. |
Health Insurance Portability and Accountability Act (HIPAA) | The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient information, such as medical records and identifiable health data. | ‘Covered entities’ under HIPAA include health care providers such as doctors, health plan vendors like health insurance companies, and health care clearinghouses that process health information from other entities. | The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) determines the penalties for HIPAA violations. According to HIPAA Journal, the inflation-adjusted penalties for 2022 include:• Tier 1 (Lack of knowledge): Minimum of $127 to a maximum of $60,973 per violation, with a maximum penalty of $1.9 million per year• Tier 2 (Reasonable cause): Minimum of $1,280 to a maximum of $60,973 per violation, with a maximum penalty of $1.9 million per year• Tier 3 (Willful neglect): Minimum of $12,794 to a maximum of $60,973 per violation, with a maximum penalty of $1.9 million per year• Tier 4 (Offense resulting from willful neglect uncorrected within 30 days): Minimum of $60,973 to a maximum of $1.9 million per violation, with a maximum penalty of $1.9 million per year |
Gramm-Leach-Bliley Act (GLBA) | The Gramm-Leach-Bliley Act (GLBA) regulates how financial institutions and agencies use, protect, and share sensitive customer data. GLBA requires financial businesses to inform customers when sharing data with third parties as well as their right to opt out of such agreements. Lastly, GLBA requires financial players to have a written data security plan for protecting customers’ data. | GLBA applies to all financial institutions under the jurisdiction of the Federal Trade Commission. | FTC imposes the following penalties for violating GLBA:• Up to $100,000 per violation committed by financial entities• Up to $10,000 per violation committed by individual financial officers• Up to 5 years imprisonment for individuals found in violation |
Fair Credit Reporting Act (FCRA) | The Fair Credit Reporting Act (FCRA) is designed to keep consumer credit information accurate, fair, and private. Credit reports typically used in background checks must only be shared according to FCRA-specified purposes. Consumers must also be informed when background checks require a credit report and when an adverse action (such as a decision not to hire) results from it. | The FCRA applies to consumer reporting agencies and relevant companies collecting information, such as credit bureaus, tenant screening companies, or medical information providers. | FTC imposes the following penalties:• Companies found guilty of willful noncompliance must pay a minimum of $100 and a maximum of $1,000 to any affected consumer.• Persons proven guilty of obtaining credit reports under false pretenses must pay $1,000 or actual damages suffered by the consumer, whichever is greater. |
Family Educational Rights and Privacy Act (FERPA) | The Family Educational Rights and Privacy Act (FERPA) upholds the privacy of student education records. Parents and eligible students have more control over their records because FERPA prohibits institutions from sharing personally identifiable information (PII) in educational records without written consent from the student or (for minors) their parent. | FERPA applies to all public and private elementary, secondary, and post-secondary schools in the US. It also applies to state and local education agencies receiving funds from the US Department of Education. | The National Center for Education Statistics (NCES) states that non-compliance with FERPA can result in the withdrawal of US Department of Education funds from the offending school or agency.In addition, any third parties who disclose student records without authorization will be barred from accessing records for at least five years. Applicable state laws may also impose additional penalties on offenders. |
Forthcoming State Laws
2023 will see several state-level data privacy laws take effect across the U.S.:
- California Privacy Rights Act (effective January 1, 2023)
- Virginia Consumer Data Protection Act (effective January 1, 2023)
- Colorado Privacy Act (effective July 1, 2023)
- Connecticut Data Privacy Act (effective July 1, 2023)
- Utah Consumer Privacy Act (effective December 31, 2023)
This legislation serves as a prelude to additional state privacy bills in their respective legal pipelines. States with active bills currently being discussed in committee include Michigan, New Jersey, Ohio, and Pennsylvania. Privacy bills are also pending in Delaware, Illinois, Massachusetts, Missouri, New York, Rhode Island, and South Carolina, among others.These nascent data privacy laws give U.S. consumers the right to access, to be forgotten, to control how their data is shared, and to opt out of sales and automated decision-making. Given the number of current federal and pending state and national laws, businesses worldwide must remain continuously informed to maintain compliance and avoid hefty penalties.
Maintain Compliance With Treasure Data
Treasure Data Customer Data Cloud helps you ensure data privacy compliance with all global, national, and industry regulations (see Figure 1). Our enterprise customer data platform (CDP) provides users with everything they need to manage even the most complex privacy and consent landscapes quickly and easily.Figure 1. Treasure Data’s security certificationsUse Customer Data Cloud to:
- Collect and centralize customer data from all sources in one powerful platform
- Unify customer profiles using online + offline data
- Keep customers’ personally identifiable information (PII) safe
- Automate workflows for DSARs and privacy requests
- Keep global teams privacy-regulation compliant
- Manage permissions by region, organization, role, and more
- Integrate with authentication services for secure identification
- Create premium audit logs for monitoring activity
- And more
To discover how you can use Treasure Data’s customer data platform to comply with the latest regulations, download our white paper today.
Want to learn more?
Request a demo, call 1.866.899.5386, or contact us for more information.