U.S. Data Privacy Laws
In the United States, there is currently no universal data privacy law; rather, there are a handful of laws dealing with certain specific situations and/or classes of data, including:
- COPPA – Children’s Online Privacy Protection Act
- HIPAA and HITECH – Health Insurance Portability and Accountability Act; Health Information Technology for Economic and Clinical Health Act
HIPAA is a wide-ranging law which governs the use and disclosure of Protected Health Information (PHI) in healthcare treatment, payment, and related operations. The HITECH Act is a law that was passed to promote health information technology and the use of electronic health records. The HITECH Act also expanded upon the privacy requirements of entities covered by HIPAA, particularly with respect to breach notification requirements.
- Gramm-Leach-Bliley Act
The GLBA is a federal law that governs the ways that financial institutions deal with the private information of individuals. Financial institutions include any company that offers consumers financial products or services, including loans, financial or investment advice, or insurance.
- Electronic Communications Privacy Act
The ECPA is an extension of the federal wiretap laws that prohibits (with both civil and criminal penalties) intentionally intercepting, disclosing, or using any wire, oral, or electronic communication.
- Video Privacy Protection Act
The VPPA was originally passed to prevent a video tape service provider from knowingly disclosing an individual’s personally identifiable information to third parties. The law has since been applied to digital video materials and streaming services.
- California Consumer Privacy Act (goes into effect January 1, 2020)
The CCPA is the first law in the United States to follow the stringent privacy laws codified in the European Union’s General Data Protection Regulation (GDPR). The Act extends protections to the citizens of California and applies to for-profit entities doing business in California. For the Act to apply to a business, it must meet one of the following criteria: (1) annual gross revenue in excess of $25 million, (2) receive or share the personal information of more than 50,000 California residents annually, or (3) derive at least 50% of annual revenue by selling the personal information of California residents. The U.S. government is currently considering a national data privacy law that will likely borrow some aspects of the CCPA and GDPR.
- Personal information can include a person’s name, address, date of birth, marital status, contact information, social security number, driver’s license, financial information, medical history, and location services.
Businesses Must Plan for a Potential Data Breach
A data breach is an incident in which private data is copied, transmitted, viewed, stolen, accessed, or used by an individual unauthorized to do so. Examples include:
- Theft, loss, or unauthorized disclosure of digital media such as computer tapes, hard drives, laptop computers, or cell phones on which private data is stored unencrypted.
- Posting private information on the Internet or on a computer otherwise accessible from the Internet without proper information security precautions.
- Transfer of private information to a system that is not completely open but is not appropriately or formally accredited for security at the approved level, such as unencrypted email.
- Transfer of private information to the information systems of a possibly hostile agency, such as a competing corporation or a foreign nation, where it may be exposed to more intensive decryption techniques.
Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers (sometimes within a set time period) and take other steps to remediate possible injuries. Therefore, depending on the nature of your business, it is imperative that your company (ideally with the assistance of an attorney) has developed a plan to detect and report a data breach.
Data Privacy Action Items
- Identify the nature and scope of your company’s collection and use of customer data.
- Identify any specific privacy laws that may be triggered by your company’s collection and use of customer data.
- Have a plan in place to ensure – to industry standards – the security of customer data.
- Have a plan in place to detect and report a data breach.
- Consulting with experienced counsel is highly recommended for most of these steps.