Note: I wrote this post for Varonis, a data security vendor I worked for once upon a time. Published around 2018, it gained a lot of attention from legal wonks and, most gratifyingly from the World Economic Forum. Read on …
Contrary to conventional wisdom, the US does indeed have data privacy laws. True, there isn’t a central federal level privacy law, like the EU’s GDPR. There are instead several vertically-focused federal privacy laws, as well as a new generation of consumer-oriented privacy laws coming from the states.
Let’s take a tour of the US privacy laws and get a feel for the landscape. If you want to learn still more about the US legal landscape, download our amazing The Essential Guide to US Data Protection Compliance and Regulations.
Vertically-Focused US Data Privacy Laws
US Privacy Act of 1974
Back in the last century when databases were the height of computer technology, Congress and others were (rightly) concerned about the potential misuse of personal data held by the government. Congress passed the landmark US Privacy Act of 1974, which contained important rights and restrictions on data held by US government agencies, and should look very familiar to data pros in the year 2019. I’ll list them here because they’re the first references that I know of to everything that followed:
Right of US citizens to access any data held by government agencies. And a right to copy that data
Right of citizens to correct any information errors
Agencies should follow data minimization principles when collecting data – least information “relevant and necessary” to accomplish its purposes.
Access to data is restricted on a need to know basis – for example, employees who need the records for their job role.
Sharing of information between other federal (and non-federal) agencies is restricted and only allowed under certain conditions
Extra points if you noticed the Privacy by Design principles embedded in this innovative 70’s era privacy law!
HIPAA
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was landmark legislation to regulate health insurance. It is a very complex law with lots of moving parts, but included both data privacy and security sections. The data protection part of HIPAA is found in The Security Rule. HIPAA also laid down data confidentiality requirements that can be found in, wait for it, The Privacy Rule.
If you’ve ever filled in a form at your doctor’s office allowing spouses and other family members to review or see your health information — what HIPAA refers to as protected health information (PHI) — you’ve been seeing the Privacy Rule in action.
The Privacy Rule contains a convoluted list of rules on who gets to see PHI. But in short, a healthcare provider or “covered entity” more or less has permission to use patient data if it’s related to “treatment, payment, and health care operations.” However, using the data for marketing purposes or selling the PHI requires explicit authorization.
HIPAA’s minimum necessary requirement is a good example of PbD principles applied to sharing of PHI. It says that covered entities that share data for marketing purposes other than the ones mentioned above should limit who gets to see it. Health organizations are supposed to evaluate their data and practices, and put in place safeguards to limit “unnecessary or inappropriate” access to PHI. In effect, role-based access for PHI.
COPPA
Back in the early days of the early Internet, circa 2000, the Children’s Online Privacy Protection Act (COPPA) took a first step at regulating personal information collected from minors. The law specifically prohibits online companies from asking for PII from children 12-and-under unless there’s verifiable parental consent.
Updates to COPPA’s regulatory rules a few years ago effectively expanded the reach of the law and broadened the type of personal information to be protected, including screen names, email addresses, video chat names, as well as photographs, audio files, and street-level geo coordinates.
These updates also extend privacy and security coverage to third parties that use the children’s data. The originating website operator must take “reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.”
GLBA
Another late 90s legislation, Gramm-Leach-Bliley Act (GLBA) is an enormous slab of banking and financial law that has buried in it important data privacy and security requirements. Its protections of personal information are a major improvement over previous consumer financial data laws — see the Fair Credit Reporting Act (FCRA).
Overall, Gramm- Leach-Bliley Act protects nonpublic personal information (NPI), which is defined as any “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available” — essentially PII with an exception for any widely available financial information — for example, property records or certain mortgage information.
You may have noticed that banks periodically mail out data privacy notifications, explaining the categories of NPI that are being collected and shared along with special opt-out instructions. That’s due to GLBA’s somewhat limited privacy protections. Consumers can opt-out if they don’t wish that information to be sent to a “non- affiliated” third party.
However, for third-party companies affiliated with the bank or insurance company — part of the, cough, “corporate family” — consumers have no legal privacy controls under GLBA to restrict the sharing of the NPI. That’s quite a large loophole, and GLBA is by no means a model for an Internet-era privacy law.
How Is Privacy on the Internet Handled?
The short answer is that it’s not! Outside of the industry-focused US federal laws described above, the Internet is a deregulated territory where tech and social media companies, in particular, have practiced an anything-goes philosophy. US states, though, are finally stepping in (see below) with their own data privacy laws, with California taking the lead.
You may be wondering under what statutes, if there are no general consumer privacy (and security) laws, has the US government been able to issue huge fines against Facebook, Uber, and PayPal?
Great question!
And the answer takes us to, drumroll please, the Federal Trade Commission or FTC. In brief, under the FTC Act of 1914, which brought this government agency into existence, companies are prohibited from engaging in “unfair or deceptive acts or practices” under its Section 5 powers. Once upon a time in mid-century America, the FTC began taking on — and this may come as shock to some — boldly false or misleading advertising by some of America’s leading consumer brands.
Facebook did not violate a data security law when the settled with the FTC. Instead, they engaged in “unfair and deceptive practices”.
It’s a short step from there to the FTC looking at misleading “representations” made by leading tech and social media companies about the privacy of the consumer data it collects. Like for example, Facebook, and the very bold way it told users in its apps and privacy notices that it won’t sell their data or that users could restrict access to data if they click on certain boxes.
In fact, the opposite was the case and the FTC filed an eight-count complaint in 2012 against Facebook, which it agreed to settle. This complaint was followed by the more recent and more publicized FTC complaint — for some of the very same violations — in which Facebook agreed to a $5 billion settlement. You can’t make this stuff up.
The alert reader may have realized that if a company doesn’t mention anything about data privacy on its web site, in its products, or in its advertising, then the FTC can’t do anything, at least under it “deceptive practices or acts” powers. And that would be right!
This is another way of saying that a general federal privacy law, like what’s being considered here, would force companies to have privacy policies and comply with them, rather than going through the FTC’s indirect (and imperfect) privacy enforcement mechanism.
EU vs. US Privacy Laws
As a reminder, the US doesn’t (yet) have a federal-level general consumer data privacy law, let alone a data security law. The EU with its General Data Protection Regulation (GDPR) has both! So we can’t really compare the two.
However, the Californian Consumer Privacy Act (CCPA), does come close to addressing consumer data privacy at least for California residents and it’s a great exercise to compare and contrast to the GDPR, like what we do below.
In brief, both the CCPA and GDPR give consumers the right to access, the right to delete, and the right to opt-out of processing at any time. They differ in that the GDPR grants consumers a right to correct or rectify incorrect personal data while the CCPA doesn’t. The GDPR also requires explicit consent — see the GDPR’s “condition for consent” article 7 — at the point when consumers hand over their data. In contrast, CCPA only asks that a privacy notice be made available on the website informing consumers they have a right to opt-out of certain data collection.
If the above tickles your inner legal eagle, then by all means refer to this comprehensive GDPR vs. CCPA comparison chart assembled by the law firm BakerHostetler.
New US State Data Privacy Laws
With the lack of direction in Washington, it’s not surprising that other states have taken a cue from California and drafted their own privacy laws. Before we look at individual CCPA “copycat” laws from New York, Massachusetts, and other states, let’s first review California’s privacy law, which is the envy of the nation.
California Consumer Privacy Act
In 2018, the California Consumer Privacy Act (CCPA) was signed into law. Its goal is to extend consumer privacy protections to the internet. It’s not an exaggeration to say the CCPA is the most comprehensive internet-focused data privacy legislation in the US, and with no equivalent at the federal level.
Under the CCPA, consumers have a right to access through a data subject access request (DSAR) the categories and specific pieces of personal information held by covered businesses. Businesses can’t sell consumers’ personal information without providing a web notice (“a clean and conspicuous link”) and giving them an opportunity to opt-out.
Like the GDPR, there is also a “right to delete” — with some exemptions — consumer personal information on request. The CCPA also gives consumers a limited right of action to sue if they’re the victim of a data breach. There’s a more general ability for the state Attorney General to sue on behalf of residents. Legislation is in the works to broaden consumers’ private right of action to sue on other grounds.
Another striking innovation within the CCPA is its very broad definition of personal information: “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” That covers a lot of ground and is similar to the GDPR’s own expansive view of personal data.
To bring it back to “black letter law”, the CCPA also contains a long list of identifiers it considers personal information, including biometric, geolocation, email, browsing history, employee data, and more.
The CCPA also introduces “probabilistic identifiers”. Attorneys will be debating what this means, but it appears that data that give a greater than 50% chance of identifying someone will be treated the same as a deterministic identifier. Perhaps a combination of, say, Netflix viewing history and geolocation data may be enough to tip the scales. By the way, other states have picked up the probabilistic term in their laws (below).
California goes “meta” with its probabilistic identifiers. (From the CCPA law)
While the focus — and rightly so —has been on extensive new privacy rights for consumers, there’s also a data security component to the CCPA. The law calls for companies to “implement and maintain reasonable security procedures”. What does that mean? No one’s sure, though there are strong hints that the California government is looking to the Center of Internet Security’s top 20 controls and the NIST Critical Infrastructure Security (CIS) Framework as baselines.
With no federal answer to GDPR on the horizon, several other states are taking a page from California’s book by drafting their own regulations to give citizens increased control over their personal data. While most of these bills use CCPA as a framework, there are differences. We’ve even put together a cheat sheet at the end to compare the different proposed state laws. Let’s first look at two tough privacy proposals coming out of New York and Massachusetts
Massachusetts Data Privacy Law
The proposed Data Privacy Law (S-120) shares a lot of the CCPA language. Consumer access to personal information? Check. Right to Delete? Check. Explicit notification of privacy rights, and a chance to opt-out of third-party sales of data? Check. A broad definition of personal information including probabilistic identifiers? Check.
There are a few important divergences from the CCPA, which include the right for consumers to sue for any violation of the proposed Massachusetts law. Consumers “need not suffer a loss of money or property as a result of the violation” to bring an action.
Attorneys point out that there’s enormous potential exposure of Massachusetts companies to class-action lawsuits: plaintiffs can recover up to $750 per consumer. For example, in 2017, almost 400,000 Mass. residents were affected by data breaches, leading to possible exposure, if the law had been in effect, of almost $300 million for that year.
New York Privacy Act
New York’s proposed S5642 (currently on hold) contains some of the hallmarks of CCPA. There’s a right to delete and request personal information. The definition of personal information — “any information related to an identified or identifiable person” — includes a very extensive list of identifiers: biometric, email addresses, network information and more.
Unlike California and similar to Massachusetts, New York’s act has a private right of action for any violation of the law! And the law applies to all businesses without any revenue threshold, which differs from California and other states. This makes the proposed NY law quite strict.
The NY bill, though, only requires businesses to disclose to consumers the broad categories of information shared to third parties. Under some circumstances, consumers would have the right to request copies of specific information shared.
Another key difference is the proposed NY law imposes the role of data fiduciary”, forcing all NYS businesses to be legally responsible for the consumer data they hold. The NY act takes a very expansive view: “exercise the duty of care, loyalty and confidentiality expected of a fiduciary with respect to securing the personal data of a consumer against a privacy risk; and shall act in the best interests of the consumer, without regard to the interests of the entity, controller or data broker”. In short: consumers own the data.
The NY act also gives consumers the ability to correct inaccurate information, making it closer in spirit to the EU GPDR. None of the other clones, including California, go that far!
Hawaii Consumer Privacy Protection Act
Hawaii’s SB 418 is similar to the CCPA, offering all of the same major rights and protections (potentially more, based on the current wording of the bill). While CCPA explicitly applies to websites that conduct business in the state of California, Hawaii’s SB 418 bill has no similar clause. In theory, websites based anywhere in the world could violate the law if they don’t offer adequate protection as outlined in the bill. However, the bill is likely to be amended in a later draft to focus solely on Hawaiian-based websites.
Maryland Online Consumer Protection Act
Maryland’s SB 613 is another bill with the potential to expand on the scope of CCPA in some areas. Businesses will have similar obligations to disclose information usage, though, to a lesser degree than under CCPA. And like California and Massachusetts, there’s also the use of a “probabilistic identifier” to refer to a certain type of personal information. Go Maryland!
However, this bill goes beyond the scope of CCPA when it comes to disclosing third-party involvement. Under CCPA, companies only have to disclose if consumer information is being sold to a third party, but in accordance with Maryland’s SB 613, companies would have to disclose any information that is passed on to third parties, even if that data is transferred for free. This bill also prohibits websites from knowingly disclosing any personal information collected about children.
North Dakota
North Dakota’s HB 1485, which is currently in the state’s House of Representatives, is the most lightweight bill on this list. The only significant clause of HB 1485 would completely restrict websites from passing on any information to third parties without the consent of users. There is no right to have information removed or deleted once consent has been granted.
US State Privacy Law Comparison
|
State |
Right to Delete? |
Right to Access? |
Right to Correct? |
Private Right of Private Action? |
Broad Definition of PII? |
Businesses covered |
Status |
|
California |
Yes |
Yes |
No |
$750/consumer (breaches) |
Yes (Probabilistic) |
Revenues over $25 million |
In effect : 1/1/2020 |
|
New York |
Yes |
Yes |
Yes |
$750/consumer |
Yes |
All |
Pending |
|
Maryland |
Yes |
Yes |
No |
No. (Only through AG.) |
Yes (Probabilistic) |
Over $25 million |
Pending |
|
Massachusetts |
Yes |
Yes |
No |
$750/consumer |
Yes (Probabilistic) |
Over $10 million |
Pending |
|
Hawaii |
Yes |
Yes |
No |
No |
Yes |
All |
Pending |
|
North Dakota |
No |
Yes |
No |
Limited |
No |
Over $25 million |
Pending |
Micro Data Privacy FAQ and Cheat Sheet
The most cocktail-worthy privacy chitchat from this post compressed into four questions!
Q: Does the US have a single GDPR-style consumer privacy law?
A: No. The US instead has vertically focused data federal privacy laws for finance (GLBA), healthcare (GLBA), children’s data (COPPA), as well as a new wave of state privacy laws with California Consumer Privacy Act (CCPA) being the most significant.
The reasons for this patchwork are rooted in US policy decisions to foster innovation — ‘break it and see what happens’ — in technology over other considerations. But at “our laboratories of democracy”, state laws are finally catching up with reality and will ultimately wag the federal dog.
Q: Which states have privacy laws?
A: Very few — three in total! Sure, all 50 states now have a data breach notification rule usually also calling for reasonable data security. But as of this writing, only California, Nevada, and Maine have privacy laws in effect. Several states (see above) have privacy laws working their way through the legislatures. For a current snapshot of the status of these proposed state laws, the International Association of Privacy Professionals (IAPP) is maintaining an up-to-date scorecard.
Q: What is protected by the Privacy Act of 1974?
A: Many people assume that when the Privacy Act was passed way back 1970s that it protects consumer data in the US. Nothing can be further from the truth! While the US Privacy Act was innovative legislation, incorporating ideas like data minimization, right to access, and right to correct — it is limited to data collected by the US government from its citizens. It has no impact on private industry or in particular data collected on the Internet by companies.
Q: Do US federal and state privacy laws impact foreign companies?
A: To the extent that foreign companies incorporate subsidiaries in the US, they would be under all US laws including of course our data security and privacy laws. The real question is whether the US has an extraterritorial aspect to its security and privacy laws like the EU’s GDPR that would reach out to organizations outside its borders. And the answer to that is no.
Closing Privacy Thoughts and the Future of Data Privacy Laws
With states taking it upon themselves to innovate in this area, it’s perhaps only a matter of time before a federal law is introduced to create a level playing field.
In the meantime, there are three lessons to draw from the state experiments:
PII will be defined to go beyond ordinary identifiers to encompass probabilistic identifiers (or quasi-PII) that can be used to indirectly identify consumers.
The right to delete will become an essential part of privacy laws. Whether that will extend to a broader “right to be forgotten” is less likely
There’s now an understanding among regulators that consumers want to know all the information the companies have about them, backed up with the right to view and possibly correct this data.
Where is all this heading? If I were to prognosticate, I’d say something close to the recently proposed privacy acts from Congresswoman Eschoo or Senator Cantwell will become the law of the land.
And that’s to say a future US privacy law will reflect some of the key ideas from the CCPA. But as we’ve seen in California there will likely be exemptions and softening of requirements involving privacy rights of employees, access and deletion requests, and finally, penalties and fines.
