The United States has a patchwork and ever-changing web of laws governing data privacy. While there is no comprehensive federal privacy law, several laws do focus on specific data types or situations regarding privacy.
Without a holistic statute, however, it can be unclear what protections are in place for the various types of personal information with which companies. Despite the lack of a comprehensive privacy framework, organizations that process or store data are still responsible for staying up-to-date on the latest regulations to ensure compliance.
This guide provides details of the major U.S. privacy laws and shares some recent updates and changes.
Compared with other forms of communication, such as physical mail, online communication is more difficult to govern for privacy and security. This can leave individuals vulnerable to an invasion of privacy.
The internet has revolutionized our lives and work, providing unprecedented access to information and communication. However, along with this increased connectivity comes new risks to privacy. Everyone’s lives are now online, leaving behind a digital trail of personal data that unscrupulous businesses or individuals can exploit.
Thankfully, data privacy laws govern the collection, use, and disclosure of personal data and set standards for how businesses need to handle sensitive data. The Federal Trade Commission (FTC) is the principal enforcer of these laws in the U.S. In recent years, the FTC has taken several enforcement actions against companies that have misled consumers about their data security and privacy practices.
For example, in 2012, the FTC reached a settlement with Google after it accused the company of misrepresenting its privacy policies to users of its service. Under the settlement terms, Google agreed to pay a $22.5 million fine and change its privacy practices. More recently, in 2018, the FTC took action against Facebook for deceiving users about their ability to control the visibility of their personal information. Again, under a settlement with the FTC, Facebook agreed to pay a $5 billion fine and make significant changes to its privacy measures.
These cases show that the FTC is willing to crack down on companies that violate consumer privacy laws. These examples also set a critical precedent for future internet privacy lawsuits — as people’s lives continue to move online, strong laws must be in place to protect data from exploitation.
The United States and Europe have the most comprehensive data security and privacy laws; the EU’s General Data Protection Regulation (GDPR) came into effect in 2018, while the California Consumer Privacy Act (CCPA) took effect in 2020.
GDPR and CCPA set strict standards for how service providers must handle personal data, including ensuring that data collection is transparent, secure, and based on the individual's consent. The standards also give individuals the right to know what personal data is collected about them and allow them to access it and request its deletion.
The main difference between CCPA and GDPR is that GDPR applies to any organization that processes or intends to process EU citizens' sensitive data, regardless of location. GDPR compliance is mandatory for any organization that processes the personal data of EU citizens, regardless of whether they are customers. There are also no entity revenue or processing threshold requirements for GDPR.
CCPA only covers entities that do business in California. This regulation applies to entities satisfying thresholds such as annual revenues above $25 million, any organization that processes personal data of more than 50,000 individuals, and those entities that derive 50 percent of their revenue from selling data.
These requirements mean GDPR has a much broader reach and protection than CCPA. For example, in terms of enforcement, GDPR provides heavy fines for service providers violating its provisions. In contrast, CCPA offers California residents the right to sue businesses for damages if there's a violation of their consumer rights.
Finally, GDPR requires companies to appoint a data protection officer, while CCPA has no such requirement. While GDPR and CCPA are strong data protection laws providing individuals with robust rights and protection, GDPR applicability extends beyond U.S. borders, making it one of the most far-reaching data protection structures today.
It's crucial for organizations to consult with legal counsel and carefully consider which laws apply to them, ensuring compliance with each applicable requirement.
Generally speaking, privacy laws fall into two categories: vertical and horizontal. Vertical privacy laws apply to a specific sector or type of data, such as medical records or financial data, including details such as an individual's health and financial status.
Horizontal privacy laws focus on how organizations use information, regardless of its context. The types of data covered by these laws include fingerprints, retina scans, biometric data, and other personally identifiable information such as names and addresses.
Privacy Act of 1974: Rights and restrictions on data held by government agencies
HIPAA: Healthcare and health insurance personal data protection
GLBA: Protects financial nonpublic personal information (NPI)
COPPA: Protects the personal information of those age 12 and younger
While both vertical and horizontal privacy laws play an essential role in protecting individuals' privacy rights, many view vertical policies as more effective because they're better at targeting specific risks.
The federal government passed the U.S. Privacy Act of 1974 to enhance individual privacy protection. This act established rules and regulations regarding U.S. government agencies' collection, use, and disclosure of personal information. Below are some examples of the guaranteed rights covered by the information privacy rule:
Enacted in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal privacy protection law that safeguards individuals’ medical information. HIPAA applies to all entities that handle protected health information (PHI), including healthcare providers, hospitals, and insurance companies. When a company shares PHI with a healthcare provider or covered entity, individuals have the following rights:
Congress enacted the Children's Online Privacy Protection Act (COPPA) in 1998 to protect the online privacy of minors under the age of 13. COPPA applies to any website or online service that collects, uses, or discloses personal information from children. Under COPPA, websites and online services must take the following steps to protect children’s privacy:
In 1999, the Gramm-Leach-Bliley Act (GLBA) was signed into law. This law protects consumer privacy and applies to any financial institution that collects, uses, or discloses personal information. Financial institutions must take the following steps to protect individuals' privacy:
Privacy laws in the U.S. vary by state — some states have enacted laws that provide privacy protections, while others have no rules. Below are some examples of enacted and proposed individual state privacy laws:
In 2020, voters in California passed the California Privacy Rights Act (CPRA), an amendment to the CCPA. The CPRA provides additional protection for Californians, such as the right to know what personal data entities are collecting about them and the right to know if businesses are selling their data and to whom.
The Colorado Privacy Act is a new law that will take effect on July 1, 2023. This law will require businesses to disclose their data collection and sharing practices to consumers and give Colorado residents the right to opt out of the sale of their personal data. The law also imposes strict penalties on companies and authorizes the state attorney general to bring enforcement actions.
The Connecticut Personal Data Privacy and Online Monitoring Act covers any business that collects personal information from Connecticut residents. The law provides privacy protection regulations for data controllers and processors and requires them to take reasonable security measures to protect personal data.
The Maryland Online Consumer Protection Act protects consumers from cybersecurity threats, including data breaches, theft, phishing, and spyware. While this law is similar to other state privacy laws, it’s more comprehensive in certain respects.
For instance, Maryland law requires businesses to take reasonable steps to protect consumers' personal information from unauthorized access, use, or disclosure. The law also requires entities to provide consumers with a way to opt out of having their personal information collected, used, or sold.
This act applies to all businesses that collect, use, or disclose personal data about Maryland residents, including out-of-state companies that sell goods or services to Maryland locals.
The Massachusetts Data Privacy Law is a set of regulations governing businesses' handling of personal information. The law applies to any organization that holds, uses, or discloses personal data about Massachusetts residents.
Some of the law’s provisions state that companies must obtain consumer consent before collecting or using their data. In addition, entities must take necessary steps to secure consumer data. The state law also establishes that companies must disclose how they use consumer data and allow customers to opt out of specific uses. Finally, organizations must ensure that the data they collect is accurate and up-to-date.
The New York Privacy Act is one of the most comprehensive pieces of privacy and security legislation in the U.S. This law sets strict rules about how businesses must handle consumers’ personal information and gives individuals new rights concerning data. The act significantly impacts companies operating in New York state and helps ensure all residents control their personal information. Some key provisions of the privacy law include:
The Virginia Consumer Data Protection Act is a new law that will take effect on January 1, 2023. It will require businesses to take reasonable steps to protect the privacy, confidentiality, and integrity of consumer data.
This new law applies to any business that collects, uses, or discloses the personal information of 100,000 or more Virginia consumers or derives 50 percent or more of its revenue from the sale of consumer data.
The law also gives Virginia residents the right to access their personal data and request correction if it’s inaccurate.
Although the state and federal privacy law ecosystem may seem daunting, there are straightforward ways to determine which regulatory requirements apply to you and your business. Consider your business:
Using these key factors, homing in on which privacy requirements apply to your organization can be a relatively straightforward endeavor.
Below are frequently asked questions about data privacy laws.
A: The most significant difference is that the U.S. doesn't have a single, comprehensive federal privacy law like the EU's GDPR. Instead, the U.S. has a patchwork of federal and state laws that offer varying levels of protection for consumers' personal data.
A: Most U.S. privacy laws share a few main provisions, such as obtaining consumer consent before collecting or using personal data and the need to take data security steps. However, there are some crucial differences between the laws, so it's essential to check the specific requirements of each law to ensure compliance.
A: The consequences of violating U.S. privacy laws can vary depending on the law. In some cases, entities may be subject to fines or other penalties. In other cases, consumers may have the right to sue the company for damages.
As more private and sensitive data digitally changes hands each year, it becomes increasingly critical to understand the laws protecting our privacy. In the United States, internet privacy laws are still evolving, but they are a strong start toward protecting personal data. Citizens and residents can expect more states to pass comprehensive privacy laws in the future, and the federal government may eventually pass a law that provides nationwide protection for consumers’ data.
In the meantime, staying informed about the latest security controls and data privacy developments is essential in taking steps to protect your personal information. Deploying data loss prevention and threat detection solutions can also help you keep your data safe and ensure compliance with privacy laws.
David is a professional writer and thought leadership consultant for enterprise technology brands, startups and venture capital firms.