Sector and State-Specific Privacy Laws

In the United States, there is no one comprehensive privacy law that applies to the entire private sector. However, there are numerous sector and state-specific laws that businesses operating in the United States need to understand.

All states have some statutory protection for specific privacy rights, and some state constitutions specifically identify a right of privacy for their citizens. The only state with a broad private sector data protection law is California with the CCPA.

Also, breach notification laws are in force in many states and should be well understood in order to appropriately notify attorney general offices, law enforcement authorities and individuals in the context of a data security breach.

The following are three high profile federal statutes in the United States:

California Consumer Privacy Act

  • The CCPA became effective on January 1, 2020. It is intended to enhance privacy rights and consumer protection for California residents. The CPRA (California Privacy Rights Act) will come into effect on January 1, 2023, further enhancing privacy protections and organizations' transparency and data handling responsibilities. Visit this blog article to learn more!
  • The CCPA applies to any company operating in California that either makes at least $25 million in annual revenue, gathers data on more than 50,000 California residents, or makes more than half its money off of user data.
  • Click here for more on the CCPA from the State of California Attorney General's Office.

Gramm-Leach-Bliley Act

  • Under this law, financial institutions and certain affiliates must comply with broad “consumer privacy” rules.
  • Institutions covered must create and provide notice of policies and procedures governing the collection, secure storage, and disclosure of personal information.
  • Click here for more on Gramm-Leach from the Federal Trade Commission.

Health Insurance Portability and Accountability Act Regulations

  • Applies to health plan providers, health care clearinghouses and certain health care providers.
  • Covers “protected health information”: Information related to physical or mental health, the provision of health care, and the payment for health care.
  • HIPAA violations carry substantial penalties.
  • Click here for more on HIPAA from the United States Department of Health and Human Services.

Children’s Online Privacy Protection Act

  • Applies to the online collection of personal information from children under 13.
  • Requires a notice containing specific details about information pratices to be posted on the home page and each area of the website where personal information is collected from children.
  • Click here for more on COPPA from the Federal Trade Commission.

Visit the Electronic Privacy Information Center for more information on privacy laws in the United States.

Need more on data protection in the U.s.?