Data privacy is a major and ever-growing concern. And yet, the U.S. does not have a comprehensive data privacy law that applies nationwide. Several states have enacted comprehensive data security laws that will take effect in 2023. The following offers an overview of the current state of data security laws at the federal and state levels in the U.S.
The Importance of Data Security Laws
Businesses collect vast amounts of personal identifying information (PII) from customers. PII includes information like names, dates of birth, addresses, phone numbers, credit card numbers, and Social Security numbers. Fraudsters use PII for identity theft and other illegal activities, costing consumers billions of dollars each year.
Data security laws give businesses an incentive to protect PII in their possession. If they fail to meet their legal obligations, they could face fines and other penalties, as well as liability for damages suffered by consumers. Instead of a single law that addresses data security, the U.S. has hundreds of federal and state laws that, in most cases, address specific privacy concerns.
Comprehensive Data Privacy Laws
Many data privacy laws take a “harm reduction” approach, meaning that they:
- Require businesses to take steps to protect PII; and
- Impose penalties if a data breach occurs.
This type of law does not give a consumer any particular rights unless they experience harm, such as the theft of their information.
A comprehensive data security law begins with the premise that an individual has the right to control their own PII. The European Union’s General Data Protection Regulation (GDPR) is a comprehensive data security law. It limits the amount of PII businesses may collect, as well as the purposes for which they collect it. It requires them to be transparent about their data security measures and holds them accountable for failing to meet the law’s standards. The overall goal is to prevent data breaches from happening in the first place.
The closest thing to a comprehensive law at the federal level is probably the Federal Trade Commission Act (FTC Act). It empowers the FTC to investigate deceptive or unfair business practices. This may include inadequate data security in some situations, such as when a company does not follow its own published privacy or cybersecurity policies. It also allows the FTC to enforce various other federal data privacy laws.
Comprehensive data security laws went into effect in two states, California and Virginia, on January 1, 2023. The two laws protect various types of PII, including not only financial information. but also genetic data, geolocation data, and personal information like race, sex, or sexual orientation. Similar laws will take effect in Colorado and Connecticut on July 1, 2023, and in Utah on December 31.
Industry- or Issue-Specific Data Privacy Laws
Many data security laws apply to specific industries, activities, or issues. State bar rules, for example, require attorneys to safeguard client information. ABA Model Rule 1.6 prohibits the unauthorized disclosure, with some exceptions, of “information relating to the representation of a client during the lawyer’s representation of the client.”
Certain other professions and industries, such as finance and health care, have laws addressing data security. These laws regulate businesses and professionals in specific sectors of the economy.
State data privacy laws are too numerous to list. Federal laws, which apply nationwide, include the following:
- Family Educational Rights and Privacy Act (FERPA) of 1974: Regulates access to students’ educational records
- Video Privacy Protection Act (VPPA) of 1988: Originally regulated the disclosure of videotape rental records. Subsequently extended to data regarding rentals and purchases of a wide range of media, in both physical and digital forms.
- Driver’s Privacy Protection Act (DPPA) of 1994: Regulates the collection and use of PII by state departments of motor vehicles
- Health Insurance Portability and Accountability Act (HIPAA) of 1996: Regulates how healthcare providers and health insurance companies may handle PII
- Children’s Online Privacy Protection Act (COPPA) of 1998: Applies to U.S. operators of websites and online services that provide services to or collect information from children who are less than 13 years old
- Graham-Leach-Bliley Act (GLBA) of 1999: Requires financial institutions to safeguard the PII of account holders, loan applicants, loan recipients, investors, and others.
Learn More
Baer Reed helps corporate law departments address concerns about confidentiality and data privacy. Contact us today to learn more.
Mr. Reyes graduated with honors from the Ateneo de Manila University, where he received the Procter and Gamble Student Excellence Award. He obtained his Juris Doctor degree from the Ateneo de Manila School of Law. During law school, Mr. Reyes was part of the Philippine delegation to the Willem C. Vis International Commercial Arbitration Moot held in Vienna, Austria. He was also a member of the Ateneo Society of International Law and the St. Thomas More Debate Society. He completed his internship at the Public Attorney’s Office. He wrote a thesis entitled: “To Kill A White Elephant: An Analysis of the Fiduciary Exception to the Corporate Attorney-Client Privilege”. Mr. Reyes is admitted to practice law in the Philippines and the State of New York.
Ms. Lardizabal-Manzano is a graduate of San Sebastian College-Recoletos, where she earned her B.A. in Political Science. In 2003, she received her law degree from Lyceum of the Philippines and was admitted to practice law in 2004.
Matthew Hersh earned a B.A. in Political Science from Columbia University in 1990 and graduated cum laude from Georgetown University Law Center in 1999. He also holds a master’s degree in international relations from the Georgetown University School of Foreign Service.
Cap. Avi Levak (Res. IDF) graduated from from Israel’s prestigious Ben-Gurion University of the Negev with a Bachelor of Science in Computer Science and Mathematics. He is also a Leadership and Communication coach trained in TuT coaching by Alon gal in Israel. Avi specializes in high-level, in-depth analysis of business and client needs, within systems and software strategy and architecture.
Ms. Tyler graduated cum laude from Georgetown University and received her law degree, cum laude, from Georgetown University Law Center. During law school, she interned at the United Nations Economic Commission for Europe. She also worked on The Tax Lawyer journal and was a member of the award-winning Barristers’ Council Mock Trial Team. Ms. Tyler is admitted to practice law in the State of California and the District of Columbia.
Ms. Cruz-Anonuevo graduated cum laude and top nine in her batch from Miriam College with a degree of Bachelor of Arts in InternationalStudies. She obtained her Juris Doctor degree from Ateneo de Manila University School of Law in Rockwell. During law school, she interned in Rivera, Santos, Maranan & Associates. She was also part of Ateneo’s Labor Law Bar Operations. She wrote her thesis on, “Stealing Privacy: Limitations on Media’s Photographic Invasion.,” Ms. Cruz-Anonuevo is admitted to practice law in the Philippines.
Ms. Aquino-Batallones obtained a Bachelor of Arts degree in Development Studies (with Minors in Global Politics and Hispanic Studies) from the Ateneo de Manila University. In 2011, she received her Juris Doctor degree from Ateneo de Manila University School of Law. During law school, she interned at Romulo Mabanta Buenaventura Sayoc & de los Angeles then became an intern of Ateneo Legal Services Center’s Clinical Legal Education Program.
Mr. De Guzman graduated from San Beda College with a degree of Bachelor of Arts Major in Economics and received his law degree from San Beda College of Law. He is multilingual and is fluent in three languages: Chinese, Filipino, and English. He was admitted to the Philippine Bar in 2003.