Sector and State-Specific Privacy Laws

In the United States, there is no one comprehensive privacy law that applies to the entire private sector. However, there are numerous sector and state-specific laws that businesses operating in the United States need to understand.

All states have some statutory protection for specific privacy rights, and some state constitutions specifically identify a right of privacy for their citizens. The only state with a broad private sector data protection law is California with the CCPA.

Also, breach notification laws are in force in many states and should be well understood in order to appropriately notify attorney general offices, law enforcement authorities and individuals in the context of a data security breach.

The following are three high profile federal statutes in the United States:

California Privacy Rights Act

  • The CPRA took effect on January 1, 2023, and will become fully enforceable on July 1, 2023 – with a lookback period from January 1, 2022. The CPRA significantly expands upon the California Consumer Privacy Act (CCPA)  which came into force in 2020. It is intended to enhance privacy rights and consumer protection for California residents. The CPRA works as an addendum to the CCPA, strengthening rights of California residents, tightening business regulations on the use of personal information, and establishing a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA). Other provisions further enhance privacy protections and organizations' transparency and data handling responsibilities. Visit this blog article to learn more!
  • The CCPA/CPRA apply to any company operating in California that either makes at least $25 million in annual revenue, gathers data on more than 50,000 California residents, or makes more than half its money off of user data.
  • Click here for more on the CCPA from the State of California Attorney General's Office.

Gramm-Leach-Bliley Act

  • Under this law, financial institutions and certain affiliates must comply with broad “consumer privacy” rules.
  • Institutions covered must create and provide notice of policies and procedures governing the collection, secure storage, and disclosure of personal information.
  • Click here for more on Gramm-Leach from the Federal Trade Commission.

Health Insurance Portability and Accountability Act Regulations

  • Applies to health plan providers, health care clearinghouses and certain health care providers.
  • Covers “protected health information”: Information related to physical or mental health, the provision of health care, and the payment for health care.
  • HIPAA violations carry substantial penalties.
  • Click here for more on HIPAA from the United States Department of Health and Human Services.

Children’s Online Privacy Protection Act

  • Applies to the online collection of personal information from children under 13.
  • Requires a notice containing specific details about information pratices to be posted on the home page and each area of the website where personal information is collected from children.
  • Click here for more on COPPA from the Federal Trade Commission.

Visit the Electronic Privacy Information Center for more information on privacy laws in the United States.

Need more on data protection in the U.s.?