US Data Privacy Laws: Are US Citizens Protected?
By Matt Brennan
We tend to hear more about individual state laws when it comes to data privacy, but there are a few US data privacy laws in place that protect consumers within specific industries. Even so, there is no overarching data privacy law in the US, as there is in Europe.
Data protection and data privacy laws are an increasingly hot issue around the world as we hear more news stories about private companies misusing the data and information they collect. The European Union's GDPR, for example, is an all-encompassing, central regulation from a federal body that protects all citizens.
In the U.S., there are several vertically focused data privacy laws that target individual sectors of the economy, such as HIPAA for health care. There are also several laws emerging from California, Nevada, and other states. The Federal Trade Commission has enforcement powers at the federal level, and state attorneys general have the same power at the state level.
US Data Privacy Laws
Below are some of the privacy laws protecting US citizens. They are not as wide in scope as the GDPR.
The Privacy Act
The Federal Privacy Act addresses concerns about the creation and use of computerized databases and individuals’ privacy rights. The act is restricted to only US citizens and permanent residents of the country, meaning that no one else can sue under the Privacy Act. It also only pertains to selected federal government agencies.
In other words, citizens have the right to access data held by these government agencies, and a right to copy or correct that information. The law restricts the ability of agencies to share this information with one another, and individuals maintain the right to sue the government for any violation.
Health Insurance Portability and Accountability Act
HIPAA requires healthcare providers and related organizations to implement safeguards to protect sensitive personal health information. Under HIPAA, patients have the right to access their health records and request corrections. The penalties for companies found in violation of HIPAA are based on the level of negligence.
Gramm-Leach-Bliley Act
This statute requires financial institutions and other businesses that offer financial services and products to disclose how they protect and share private information. The customers are then given the right to opt out of any data sharing. Businesses in the financial services industry must protect the confidentiality, integrity, and availability of their clients’ personal information.
Financial institutions can face fines as high as $100,000 for each violation.
State Privacy Laws
California Consumer Privacy Act
The CCPA gives Californians a strong level of control over their personal data. It gives residents of the state control over their privacy comparable to that afforded by the GDPR in the European Union. It allows residents to sue a business if it fails to implement security measures and their data is compromised in a breach.
It also allows residents to learn what data is being collected and how to access it. Residents can also find out what data is being sold or disclosed, and to whom. Residents have the right not to be discriminated against, and they can opt out of the sale of their data.
Virginia Consumer Data Protection Act
The Virginia state law gives residents more control over their data. This law is set to take effect in 2023, giving businesses an opportunity to work their way into compliance. This law will require businesses to limit their collection of data to what is adequate, relevant, and reasonably necessary. It also requires businesses to evaluate the risks associated with specific activities.
Residents have the right to access data, the right to rectification, the right to deletion, the right to data portability, the right to object to processing, and the right to be free from discrimination.
There are also many state laws that are in some form of legislative review.