U.S. Data Privacy Laws 101

The consumer data collection process is saturated with ethical and legal complexities. Yet, firms cannot get enough of this ‘digital fuel’ for their business and marketing initiatives. With new technologies and methods of personal data collection, consumer literacy about data privacy rights and risks challenges the so-called privacy paradox—consumers care about privacy but fail to protect it.  

In 2024, it would be wise to heed Benjamin Franklin’s quote, ‘By failing to prepare, you are preparing to fail.’ And comply with all the U.S. federal and state data privacy regulations. 

Data Privacy Laws in the U.S.  

The dangers of malpractice, unauthorized exposure, and theft of personal information have been deriding customers’ confidence in brands and businesses. Nearly 32% of cybersecurity incidents involve data theft and leak, suggesting that the threat actors prefer stealing and selling data over ransomware extortions. Moreover, over 30% of cybersecurity breaches in 2023 involved cybercriminals ‘logging into the networks’ rather than ‘hacking in’.  

The new threat patterns call for significant attention from technology platform providers to double up on security and resiliency to attacks. Cybersecurity leaders and Data Privacy Officers (DPOs) can now extend the security from their networks to their AI data, models, usage, and governance with OpenPages. The highly scalable, AI-powered governance, risk, and compliance (GRC) platform is updated with latest enhancements to ease compliance. Several laws in the U.S. provide specific rules for different aspects or situations of data privacy like those related to healthcare and financial information or the data collected from children.   

However, unlike the EU GDPR, that applies to all businesses in and outside EU, processing personal data of EU individuals, the U.S. does not have a comprehensive federal privacy dictum. Let us go through the evolution of data privacy laws and existing regulations in the U.S.   

A Brief Recap of Data Privacy Laws in the U.S. 

The concept of information privacy existed in colonial America long before technology intertwined with customer data. The earliest laws protected individuals against ‘eavesdropping’ and misusing the information ‘to frame slanderous and mischievous tales.’ During the American Revolutionary War, the American Patriots despised general warrants that led to ‘ransacking’ and confiscation of ‘personal papers of political dissenters, authors, and printers of seditious libel’ 1.

The Bill of Rights from the Third, Fourth, and Fifth Amendments were drafted to protest the government’s invasion of privacy of the people.

In the late 19th century, the federal government began collecting the public’s information through census 2. Later, in 1890, when the census began gathering information about people’s diseases, disabilities, and financial information, it raised objections, driving stricter laws in the 20th century to make census data confidential 3. In 1919, Congress declared publicly sharing census data as a felony. Benjamin Franklin led colonial mail and had his employees swear an oath to not to open mail 4. In 1782, Congress introduced a law that mail should not be opened 5.  

There were many significant chapters in history that raised considerable questions about privacy protections. To name a few are the bill to protect the privacy of telegrams, Warren and Brandel’s Right to Privacy to protect against the sensationalistic Yellow Press, Federal Communications Act Section 605 against wiretapping by the FBI, and the Freedom of Information Act of 1966.  

Below are some of the federal data privacy laws applicable in today’s scenarios where business or legal entities collect and process customer data: 

The Privacy Act of 1974: 

The federal U.S. Privacy Act of 1974 was enacted on December 31, 1974. The law governs federal officials and systems’ collection, use, and disclosure of personal information for individual privacy protection. The act was created to address concerns regarding citizens’ privacy from the creation and use of computerized databases by the federal government. It establishes a Code of Fair Information Practice. The Privacy Act’s provisions apply to: 

• U.S. citizens or permanent residents. 
• Certain federal government bodies, including executive, military, independent regulatory agencies, and government-controlled agencies (U.S. Postal Service, FDA, FBI, and Department of Education) 
• A system of records refers to any record where information is retrieved in the name of the individual or individual identifier.  

The rights covered under the regulation include: 

1. The right to request data access and correct if required: All U.S. citizens or permanent residents have the right to access personal data maintained or stored by government agencies and request changes if they think the information is inaccurate. 
2. The right to data access (restricted on an individual basis): Federal government agencies grant the users data access based on their role in their company. 
3. The right to data use information: Individuals have the right to understand and know how federal government agencies use their personal data after collection. 

HIPAA 

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law introduced in 1996 to protect the privacy of individual’s medical data from theft and fraud. The HIPAA provisions apply to all entities that handle protected health information (PHI), like hospitals, healthcare companies, employer-sponsored health plans, and insurance providers. According to the law, whenever an organization discloses PHI to a healthcare provider or covered entity, the individuals have the following rights: 

• Healthcare providers or covered entities can use patient data only for specific reasons, such as treatment and payment. Providers must request patients’ consent and permission to use their data for marketing activities.  
• Healthcare providers must disclose to patients a notice of privacy practices regarding the usage and protection of their healthcare data. Patients have the right to restrict how healthcare providers use and disclose their PHI. 
• Patient rights allow them to update medical records in case they believe the information provided is incorrect.  

COPPA 

The Children’s Online Privacy Protection Act (COPPA) was announced as a federal law in 1998. The regulation oversees the collection of personal data of children below 13 residing in and outside the U.S. The COPPA includes directives for websites and online forums to have privacy policies to protect children’s safety and online privacy and to verify the consent of the parents and guardians if the users are children.  

GLBA 

Also known as the Financial Moderation Act of 1999, the Gramm-Leach-Bliley Act (GLBA) regulates disclosures of customer data by financial institutions. GLBA requires financial companies to be transparent about how they share customer data and includes the option for customers to have control of how their personal data is shared by revoking the company’s data collection rights. The regulation prevents customers’ data theft and accidental exposure.  

 Data Privacy Laws Across U.S. States 

The U.S. has enacted several consumer data privacy laws at the state level. So far, the privacy laws are across 15 states—California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennesse, Oregon, Montana, Delaware, New Hampshire, Florida, Texas, and New Jersey. More states are likely to implement privacy laws to protect against cybersecurity risks and introduce data privacy standards that are on par with the GDPR. Below is the comprehensive list of state consumer data privacy laws: 

• California: The state became the first to enforce its data privacy legislation under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). The CCPA went into effect in January 2020 and outlines comprehensive policies on the privacy rights of the state’s citizens and directives for businesses engaged in personal data collection and sales to third parties. In November 2020, CCPA was expanded, and voters collectively approved CPRA.  
• Colorado: On June 8, 2021, the Colorado Privacy Act (CPA)was signed. It came into force as of July 1, 2023. The CPA outlines the five critical data privacy rights of Colorado consumers: 

1. Right to access.  
2. Right to correction.  
3. Right to delete.  
4. Right to data portability. 
5.  Right to opt-out.  

• Connecticut: Connecticut implemented privacy legislation in May 2022. The Connecticut Data Privacy Act (CDPA) includes stricter regulations on data protection for children and has privacy norms for data controllers and processors like other state regulations.  
• Delaware: Delaware’s consumer privacy law will be enacted on January 1, 2025. The state’s law has the exact requirements as the rest of the U.S. State Data Privacy Laws. The only exception is it does not exclude not-for-profit organizations or higher education institutions. Also, the Delaware Personal Data Privacy Act has no revenue threshold for entities to whom the privacy obligations apply.  
• Florida: The state of Florida enacted the Digital Bill of Rights recently in February 2024. The Florida Digital Bill of Rights (FDBR) incorporates several provisions for opt-out rights, children’s online data protection, and regulations on government entities moderating content. The FDBR obligations on controllers apply to those with a global revenue totaling more than a $1 billion per year. The act is set to take effect on July 1, 2024.  
• Indiana: Indiana is officially the seventh state to include its own comprehensive data privacy law. The Indiana Consumer Data Protection Act applies to all businesses processing the data of at least 100K residents or handling the data of about 25K consumers in the state and earning half of their revenue by selling that data. The law will be effective on January 1st, 2026.  
• Iowa: The Iowa Consumer Data Protection Act (ICDPA) is one of the business-friendly privacy regulations that regulators and privacy advocates consider less restrictive than the other state privacy laws. ICDPA is expected to take effect on January 1, 2025.  
• Maryland: The Maryland Online Data Privacy Act of 2024 establishes numerous consumer protection and regulatory requirements against personal data breaches, theft, phishing, and spyware. The obligations for the processors and controllers will apply from April 1, 2026, onwards. Violation of the bill will be considered unfair, abusive, or deceptive under the Maryland Consumer Protection Act (MCPA).  
• Montana: Montana’s Consumer Data Privacy Acts are based on Connecticut’s data privacy law and are expected to go into effect in October of this year. The privacy act restricts the collection of personal data of only ‘adequate, relevant, and reasonably necessary’ data. 
• New Hampshire: This law applies to only those companies that handle 35K residents’ data annually, or 10K if more than 25% of their gross revenue is from selling personal data. The law is set to come into effect on January 1, 2025.  
• New Jersey: The New Jersey Data Privacy Act (NJDPA) protects state residents’ privacy rights by regulating how businesses collect and use their personal data.  The law applies to all businesses in New Jersey that handle the personal data of 100k consumers annually or at least 25K in case the company sells personal data.  
• Oregon: Oregon passed its data privacy law on July 18, 2023. The Oregon Consumer Privacy Act (OCPA) includes provisions on biometric data, sensitive and personal data, and children’s data. Additionally, it includes exemptions found in other state privacy laws. 
• Tennessee: The Tennessee Information Protection Act (TIPA) will become effective on July 1, 2025. TIPA mostly follows other states and controllers may expect some difficulty adapting from the state’s existing compliance requirements to the data privacy laws.   
• Texas: After California, Texas is the largest state to enact privacy laws to empower its residents with better control over their personal data. The Texas Data Privacy and Security Act (TDPSA) will take effect July 1, 2024, and apply to large companies operating in Texas or sell, collect, or process personal data.  TDPSA excludes small businesses.  
• Utah: On March 24, 2022, Utah passed the Utah Consumer Privacy Act (UCPA), which came into effect on December 31, 2023. The law incorporates a business-friendly approach to consumer protection.   
• Virginia: On March 21, 2021, Virginia enacted the Virginia Consumer Data Protection Act (VCDPA), and went into force on January 1, 2023. Under VCDPA, Virginians have the right to access their data and request that deletion of their personal information by businesses. The privacy act requires companies to conduct data protection assessments if they are processing personal data for targeted advertising and sales purposes. 

Our Takeaway:  

Data breaches continue to increase and evolve in sophistication. Besides suffering damage to their reputation and market value, businesses impacted by these threat incidents have distressingly high expenses to pay in the form of penalties for non-compliance. IBM’s Cost of Data Breach Report finds that $4.45 million was the average cost of data breaches in 2023, representing a 15% increase since 2020. Whether intentional or not, data protection laws in the U.S. will actively enforce their regulations on firms that fail to protect consumers’ data privacy. 

At iTech GRC, we help businesses to map all their regulatory requirements and proactively respond to the most recent changes in regulatory events.  

Get in touch with our GRC experts to maximize IBM OpenPages’ capabilities and achieve end-to-end regulatory compliance management.  

References: 

1. A Brief History of Information Privacy Law: George Washington University Law School.  

2. A Brief History of Information Privacy Law: George Washington University Law School. 

3. A Brief History of Information Privacy Law: George Washington University Law School. 

4. A Brief History of Information Privacy Law: George Washington University Law School. 

5. A Brief History of Information Privacy Law: George Washington University Law School.