How U.S. data protection laws work
Updated at: Dec 11, 2019
Although the U.S. doesn't have a general data protection law such as the GDPR in Europe or the LGPD in Brazil, that doesn't mean the country has no laws on the subject. Quite the contrary. There are several laws enacted at the federal and state levels. In general, unlike the GDPR and LGPD, U.S. data security and privacy laws are specific: they regulate the use of certain types of data, or they regulate particular sectors, such as health, finance, and telecommunications.
State-level laws and regulations also exist to cover points that federal laws don't address. That is, each state creates its own rules regarding data and information protection. Although they have similarities, these regulations usually differ among states because they cover different points of interest.
By the way, some states are already working on new, more comprehensive and protective laws. This is the case of California with the California Consumer Privacy Act (CCPA) and New York with the New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD).
Examples of U.S. federal data protection laws
There are several federal laws in the United States that involve data and information security and privacy. Let's see a few examples to illustrate.
1. Driver’s Privacy Protection Act (DPPA)
DPPA defines a number of rules and precautions that state departments of motor vehicles must follow when dealing with personal information, such as names and telephone numbers.
2. Children’s Online Privacy Protection Act (COPPA)
COPPA regulates the collection and use of information about children under 13 by certain types of companies. For example, it states that companies need to obtain consent from parents in order to collect and use children's information.
3. Fair Credit Reporting Act (FCRA)
FCRA addresses the protection of data collected by consumer information agencies, such as credit and medical companies. For example, it requires special care when handling confidential information from third parties.
4. Telemarketing Sales Rules (TSR)
As its name suggests, TSR establishes telemarketing rules and restrictions, primarily involving privacy. For example, it prohibits calls to those who have said they no longer want to receive calls and sets a time limit for calls.
5. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
CAN-SPAM sets rules for companies that send unsolicited commercial emails. One of the main points of this regulation is that the recipient can opt out of receiving messages.
6. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA requires patient information to be protected, ensuring personal data privacy and security.
7. Family Educational Rights and Privacy Act (FERPA)
FERPA guarantees student information protection. It prohibits, for example, the disclosure of personal data and student records without permission or consent from the student or guardian.
U.S. state-level data protection laws
Many state laws in the United States also impose requirements regarding the gathering and use of various types of data and information. We can even say that, in many cases, state regulations are extensions or complements of federal laws. But obviously there are differences, and some states end up being stricter than others.
For example, all 50 states have data breach notification laws. The point is that there are differences among them, including in defining what a data breach is and what personal and sensitive data are.
The fact is that some states, such as California, New York, Massachusetts, and Minnesota, are known for having stricter privacy and data protection laws, ensuring more rights for their residents.
To illustrate some states' concern about the rights and privacy of their residents, let's cite two new state laws that come into force in 2020.
1. California Consumer Privacy Act (CCPA)
When it comes to privacy and data protection, California is, for sure, a reference point. The state recently enacted the CCPA, which goes into effect early next year. This law applies to a defined group of companies and creates new rights for consumers, who now have more control over their own information.
2. New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD)
Another law that will also come into force in 2020 is NY SHIELD. It's similar to the CCPA. In fact, NY SHIELD is an expansion of the state's existing data breach notification law. It requires certain companies to be more transparent and more careful in handling personal data.
U.S. data protection authorities
There's no central data protection authority in the U.S., but the top federal authority on data protection and security issues, despite having limited jurisdiction, is the Federal Trade Commission (FTC).
In the words of the agency itself, “In all of its privacy and data security work, the FTC’s goals have remained constant: to protect consumers’ personal information; and to ensure that consumers have the confidence to take advantage of the many benefits of products offered in the marketplace”.
There are other important agencies and authorities that help regulate and enforce data protection laws. They operate, though, in specific sectors of society, such as the Federal Communications Commission (FCC), the Department of Health and Human Services (HHS), the Consumer Financial Protection Bureau (CFPB) and the Securities and Exchange Commission (SEC).
In addition to these agencies, state attorneys general also play an important role in enforcing these laws.
U.S. General Data Protection Law
The big question to ask (and many experts have asked) is: Should the U.S. enact a universal and general data protection law like the GDPR?
We believe that, yes, the U.S. should adopt a general data protection law. With so many different federal and state laws now in force, it's difficult and bureaucratic for companies to meet all of their requirements. Many of these laws end up being contradictory or conflicting, which makes the work even more difficult. In addition, a new general law would better address today's society, including new technologies and new types of data.
The federal government, though, hasn't signaled anything about a general law. Only time will tell. But one might go even further. Maybe, in the future, we could have a global data protection law, with universal rules and standards. It could act as an agreement among several countries for a more transparent and secure world. That would definitely be an important step for cybersecurity.