Understanding Data Privacy Laws In The United States: How Are American Citizens Protected?
The internet has transformed our personal and professional lives, putting communication and information a single click away.
Along with this unprecedented connectivity comes significant risks and challenges to maintaining privacy. Whenever we use online services, we leave a trail of data or a “digital footprint” behind us. A person’s full name, birth date, residential address, email, phone, Social Security number, and many other sensitive details may end up in the databases of organizations and unscrupulous individuals without his or her knowledge.
Online privacy is difficult to regulate, which leaves people exposed to misuse of their personal data. So, how is data privacy regulated in the United States, and what protections are available to American citizens?
No comprehensive regulatory framework
To date, the United States has no single federal law covering the privacy of all personal data. Instead, privacy laws vary from state to state or focus on specific sectors or types of data. Because no all-encompassing privacy law exists, most businesses and institutions are relatively free to use, share, and sell personal data without people’s explicit consent. Some states have passed their own comprehensive data privacy laws that have drawn comparisons to the European Union’s General Data Protection Regulation (GDPR), often described as the strictest privacy and data protection law in the world.
California Consumer Privacy Act (CCPA)
Enacted in 2018 and in force since January 2020, the CCPA is regarded as the strictest of the US data privacy laws. It applies to for-profit businesses that collect California residents’ personal information and meet certain revenue or data-volume thresholds. It grants consumers the following rights: to know what personal information is collected and to whom it is sold or disclosed, to have collected data deleted, to opt out of the sale of their data, and to be free from discrimination for exercising these rights. In November 2020, California voters approved the California Privacy Rights Act (CPRA), effective January 2023, which expanded the CCPA by adding the rights to correct inaccurate data and to limit the use and disclosure of sensitive personal information, and created a dedicated enforcement agency, the California Privacy Protection Agency.
Health Insurance Portability And Accountability Act (HIPAA)
HIPAA, signed by President Bill Clinton in 1996, applies to “covered entities” such as healthcare providers, health plans, and healthcare clearinghouses, and, through contractual obligations, to the “business associates” that handle protected health information on their behalf. Covered entities must respect a person’s rights to access and request correction of their health records, and must obtain the individual’s written authorization before using or disclosing protected health information for purposes beyond treatment, payment, and healthcare operations. HIPAA does not cover all health data, only what is held by covered entities and their business associates; health information collected by, for example, a consumer fitness app falls outside its scope.
The Gramm-Leach-Bliley Act (GLBA)
Signed by Clinton in 1999, the GLBA governs how financial institutions handle consumers’ nonpublic personal information. It applies to companies that offer financial products or services such as loans, financial advice, or insurance. Under the GLBA’s Safeguards Rule, these businesses must maintain a written information security program that protects customer data against anticipated threats, whether from outsiders or insiders; under its Privacy Rule, they must provide clear privacy notices and inform consumers of their right to opt out of having their information shared with nonaffiliated third parties.
Children’s Online Privacy Protection Act (COPPA)
COPPA, enacted in 1998 and enforced by the Federal Trade Commission, applies to operators of websites and online services directed at children under 13, or that have actual knowledge they are collecting personal information from such children. These operators must post a clear privacy policy, obtain verifiable parental consent before collecting, using, or disclosing a child’s personal information, and give parents the ability to review and delete that information.
To conclude, American businesses and organizations have historically been allowed to collect personal information without explicit consent, while specific sectors and states have implemented regulatory frameworks to protect citizens’ sensitive data. However, the data privacy regulatory landscape is constantly changing. Following California’s example, Colorado, Connecticut, Utah, and Virginia have passed comprehensive consumer privacy statutes that take effect during 2023.