Key Takeaways
Data privacy laws give users transparency on how their data is used, allows opt-in consent and minimizes data collection on you.
There is no single comprehensive federal law in the US for data privacy.
Instead, the US has several industry (e.g., healthcare, financial) or demographic (e.g., children) specific laws that have been enacted over the last 50 years.
Data privacy laws are a major way of regulating companies on the ethical use of user data. Failure to follow applicable data privacy laws may lead to fines, lawsuits, and even prohibition of a site's use in certain jurisdictions. Navigating these laws and regulations can be daunting for the corporations that are subject to them, but also for the user trying to understand their rights. This post will start a blog series on the current state of data privacy regulation. We’ll begin by looking at what federal laws exist in the US (this post), then state laws, and finally we will compare regulations in the US to those in the EU which has the General Data Protection Regulation (GDPR).
What data privacy laws usually cover
Data privacy sounds like something we all want, but how does it actually manifest itself in laws? This list should give you an idea of what data privacy laws might cover:
Data collection transparency: Laws can give people the right to see what data various companies have collected on them, to request that companies delete any data they’ve collected.
Sharing rights: Laws can give a user the right to tell companies not to sell (or share) your data to third parties.
Opt-in consent: Laws can give you authority to allow your permission to a company to collect your data (e.g., through cookies) or sell your data to third parties.
Data minimization: Laws can limit a company to collect only what it needs to provide the service you’re using.
Nondiscrimination and no data-use discrimination: Laws can prevent companies from discriminating against people who exercise their privacy rights; for example, the company can’t charge someone more for protecting their privacy, and the company can’t offer discounts to customers in return for their giving up more data.
Current State of U.S. Federal Data Privacy Laws
Unlike in the EU, there is no single, comprehensive federal law regulating how most companies collect, store, or share customer data. Instead, in the US we have several vertical-specific federal laws and some comprehensive state laws. The federal laws either look at specific types of data, like health information, or protect specific demographics like children, and regulate within those realms.
These are all the privacy laws in the U.S. that are carried out at a federal level (in chronological order from the time they were enacted):
Federal Trade Commission Act (FTC Act): Published in 1914, the FTCA is not exactly a privacy law, but you might see it come up in privacy cases. The FTCA outlaws deceiving advertisements. This means that the FTC can penalize apps or websites that violate their own privacy policy.
Fair Credit Reporting Act (FCRA): Adopted in 1970, FCRA was the first data privacy law adopted in the U.S..FCRA protects information in your credit report. It limits who is allowed to see a credit report, what the credit bureaus can collect, and how information is obtained.
US Privacy Act of 1974: This contains important rights and restrictions on personal data held by US government agencies, including among other things:
Right of US citizens to access any personal data held by government agencies. And a right to copy that data.
Right of citizens to correct any information errors
Agencies should follow data minimization principles when collecting data – least information “relevant and necessary” to accomplish its purposes.
Access to data is restricted on a need to know basis – for example, employees who need the records for their job role.
Family Educational Rights and Privacy Act (FERPA): Enacted in 1974, FERPA protects the privacy of student education records. This gives parents of minors, eligible students, and other schools the right to see education records but prevents everybody else from accessing that data without consent.
Electronic Communications Privacy Act (ECPA): Enacted in 1986, the ECPA restricts government wiretaps on wire, oral, and electronic communications. However, the law is quite outdated because it only protects data in transit; this means that conversations stored on servers are not protected.
Health Insurance Portability and Accountability (HIPPA): Enacted in 1996, HIPPA lays down the data confidentiality requirements for personal health information (PHI). Healthcare providers have permission to use patient data if it’s related to “treatment, payment, and health care operations.” However, using the data for marketing purposes or selling the PHI requires explicit authorization. HIPPA does not cover all health data, like Fitbit data or COVID-19 vaccination status.
Gramm-Leach Bliley Act (GLBA): Enacted in 1999, is an improvement over the FCRA. It protects nonpublic personal information (NPI), which is defined as any “information collected about an individual in connection with providing a financial product or service, unless that information is otherwise publicly available”. Examples of NPI include social security numbers, account balances, and credit card numbers.
Children’s Online Privacy Protection Act (COPPA): Enacted in 2000, COPPA specifically prohibits online companies from asking for personally identifiable information (PII) from children 12-and-under unless there’s verifiable parental consent.
Current shortcomings and a better future
Hopefully, the last section helps you understand more of your rights and the current state of federal privacy laws in the US right now. You, along with many others, might think it's time for a refresh, seeing that the last act was passed in 2000 and technology has changed a lot since then. The truth is that the U.S. is behind other nations when it comes to data privacy laws and behind the current state of technology. People do not trust big tech with their data or the government’s ability to protect them. A University of Maryland survey found that 50% of smartphone users wouldn’t use a contact-tracing app even if it promised to rely on anonymous tracking and reporting; 56% wouldn’t trust the big tech companies to keep the data anonymous; and 43% wouldn’t even trust public health agencies and universities to do so
Comprehensive federal privacy legislation would give consumers across the nation a clearer understanding of their rights, and it would help businesses grasp what is needed for compliance instead of referring to nine different laws.
The Information Transparency and Personal Data Control Act became the first piece of comprehensive privacy legislation introduced in Congress. The proposed federal bill would create protections for the processing of sensitive personal information. For the collection, processing and sharing of non-sensitive information, meanwhile, companies would be required to allow consumers to opt out at any time. The bill grants enforcement authority to both the FTC and state attorneys general. Notably, it does not include a private right of action. This bill may not pass, but similar ones will certainly follow until one does pass.
Some states have already enacted their own comprehensive privacy laws, and so have other nations. We’ll take a look at those laws in our upcoming blogs.