Data Protected - U.S.
Last updated September 2023
General | Data Protection Laws
General data protection laws
In the US, there is no single, comprehensive federal (national) law regulating individual privacy or personal data collection and use. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail, and contradict one another. Governmental agencies and industry groups also have published numerous guidelines that lack the force of law but are considered best practices, including in connection with self-regulatory frameworks. These self-regulatory frameworks have accountability and enforcement components that regulators increasingly use as enforcement tools.
With the notable exception of the Federal Trade Commission Act – whose prohibition on “unfair or deceptive acts or practices in or affecting commerce” has historically been used as a basis for privacy enforcement – federal privacy laws and regulations are generally sector and practice-specific. Such federal sector and practice-specific privacy laws and regulations include those that apply to financial institutions, health plans and healthcare clearinghouses and providers, and credit reporting agencies, as well as children’s privacy, telemarketing, and electronic mail marketing and communications. Primarily, these laws regulate privacy and the collection, use, processing, and disclosure of personal information.
In contrast, beginning with the California Consumer Privacy Act (which went into effect on January 1, 2020), there has been a recent flurry of US state general privacy laws – to date, four such laws are in effect, and seven more have been enacted and will go into effect in the near future.
The Federal Trade Commission Act (the “FTC Act”): The FTC Act (15 U.S.C. §§ 41-58) is a federal consumer protection law that prohibits unfair or deceptive commercial practices. The Federal Trade Commission (the “FTC”) has long applied it to business practices that affect consumer privacy and data security. Under its broad consumer protection enforcement authority, the FTC has emerged as the primary federal data protection regulator. In addition to its authority under the FTC Act and under other federal laws discussed in this chapter, the FTC also issues privacy and data security guidelines, principles, and policy statements that may not be legally binding but are considered best practices. The FTC Act does not include a “private right of action” for individuals to file lawsuits for violations.
The Gramm-Leach-Bliley Act (“GLBA”): GLBA’s (15 U.S.C.A. §§ 6801 to 6809) privacy and data security provisions regulate the collection, use, protection, and disclosure of non-public personal information (“NPI”) by financial institutions. GLBA applies to financial institutions, which the law broadly defines to include a range of institutions that engage in financial activities. The FTC considers a business to be a financial institution if it significantly engages in financial activities, which is a flexible standard that takes into account all of the facts and circumstances. GLBA requires a financial institution to provide notice of its privacy practices to customers and consumers in certain situations (see below). GLBA is enforced by a myriad of regulators, including the FTC as well as, depending on the underlying industry and company, the Consumer Financial Protection Bureau (the “CFPB”), the Commodity Futures Trading Commission (“CFTC”), and state insurance authorities. GLBA does not include a private right of action.
The Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”): In 2010, the Dodd-Frank Act created the CFPB and grants the CFPB financial privacy rulemaking and enforcement authority under GLBA. The Dodd-Frank Act also gives the CFPB enforcement authority against covered organizations that engage in acts or practices related to consumer financial products and services that are unfair, deceptive, or abusive.
The Health Insurance Portability and Accountability Act (“HIPAA”): HIPAA (Pub. L. No. 104-191 (1996)) governs individually identifiable health information. It applies to “covered entities” – health plans, health care clearinghouses, and most health care providers – and their service providers (“business associates”). The Department of Health and Human Services (“HHS”) promulgates related regulations under HIPAA, including the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Transactions Rule, as well as the HIPAA Breach Notification Rule (45 C.F.R. Part 164). Pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, state attorneys general also have the authority to bring civil actions for violations of the HIPAA Privacy and Security Rules. The HIPAA Privacy Rule requires each “covered entity” to provide notice to individuals of its privacy practices and of individuals’ rights. The HIPAA Breach Notification Rule requires covered entities to provide notice of a “protected health information” (“PHI”) breach (see below). HIPAA does not provide for a private right of action.
Children’s Online Privacy Protection Act (“COPPA”): COPPA (15 U.S.C. §§ 6501-6506) applies to commercial websites, mobile apps, or other online services that are directed to and collect personal information from children under 13 years old and have actual knowledge that they are collecting personal information from children. The FTC is the primary enforcer of COPPA, although states also have enforcement authority under the statute. There is no private right of action under COPPA.
Video Privacy Protection Act (the “VPPA”): The VPPA (18 U.S.C. § 2710) governs the disclosure and destruction of “personally identifiable information” by “video tape service providers”. As (i) the VPPA’s definition of “video tape service provider” includes not only “prerecorded video cassette tapes,” but also “similar audio visual materials”, and (ii) the VPPA includes a private right of action, the statute has been the subject of a wave of class action litigation over the last several years relating to the use of third-party technology on websites and other digital properties that play videos. The VPPA provides for the recovery of actual damages, but not less than liquidated damages of $2,500 (generally understood to be per plaintiff, per violation), as well as punitive damages.
There are currently four US state general privacy laws in effect – the California Consumer Privacy Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), and the Connecticut Data Privacy Act (“CTDPA”). In addition, seven other states – Utah, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon – have enacted general privacy laws. When this chapter refers to state general privacy laws, it means the four state general privacy laws currently in effect.
While there are significant differences across the various state general privacy laws, such laws govern the collection, use, processing, and disclosure of consumers’ personal data, including with respect to “targeted advertising”, “selling” of personal data, use of personal data for “profiling”, and the collection, use, and disclosure of “sensitive” data.
Each of such state general privacy laws contains a series of exemptions, including exemptions intended to ensure alignment (and lack of overlap) with such federal privacy laws as GLBA and HIPAA; however, some states provide exemptions at the entity level, while other states provide exemptions at the data level.
In addition, California is the only state general privacy law that does not exempt individuals acting in a commercial or employment context from its definition of “consumer”.
While not identical, the VCDPA, CPA, and CTDPA are substantially similar to each other, and the VCDPA/CPA/CTDPA framework has started to emerge as the customary model for other states’ general privacy laws. California and Colorado are the only two states to have issued rules or regulations under their general privacy laws.
All 50 US states have data breach notification laws in effect.
There are also numerous sector or activity-specific state privacy laws, including: the Illinois Biometric Information Privacy Act (“Illinois BIPA”); the California Invasion of Privacy Act (“CIPA”) and similar state laws; children’s online privacy laws (including in California); data broker laws (in California, Nevada, and Vermont); laws related to employment and hiring (including in Illinois, as well as in New York City); and a series of recently enacted consumer health data laws (including in Connecticut and Washington). Notably, several such state laws provide for a private right of action, and, pursuant to such private right of action, both Illinois BIPA and CIPA have been extensively targeted for class action litigation. Further details of some such key state laws are set out below:
Illinois BIPA: Illinois BIPA governs the collection, disclosure, and destruction of “biometric identifiers” and “biometric information” and prohibits private entities from selling, leasing, trading or otherwise profiting from such identifiers or information. Pursuant to the private right of action under the Illinois BIPA, a claimant may recover the greater of actual damages or an enumerated per-violation amount for liquidated damages ($1,000 for a negligent violation, $5,000 for an intentional or reckless violation).
CIPA: CIPA, which is a criminal statute, prohibits the “tapping” or other interception of certain communications without the consent of all parties to such communication. Even though it is a criminal statute, CIPA provides a private right of action pursuant to which a plaintiff may recover the greater of $5,000 per violation or three times the amount of actual damages suffered. In addition to such damages, CIPA carries potential criminal penalties consisting of a fine of up to $10,000 and up to a year in jail.
State consumer health data laws: In the first half of 2023, three consumer health data laws were enacted – Connecticut’s SB 3, which, as a supplement to CTDPA, is in effect; Washington’s My Health My Data Act (“WA MHMDA”), which is in effect with respect to “geofencing” and will fully go into effect in the first half of 2024; and Nevada’s SB 370, which will also go into effect in the first half of 2024. Such laws require “opt-in” consent for the collection of “consumer health data” (which is defined especially broadly under WA MHMDA), and the Washington and Nevada laws both impose substantial obligations and restrictions with respect to the processing of such data. While all three laws provide for civil damages pursuant to state enforcement, WA MHMDA also provides a private right of action, and Nevada’s SB 370 includes criminal penalties consisting of both fines (up to $100,000) and prison sentences (up to 20 years).
Entry into force
National Supervisory Authority
Details of the competent national supervisory authority
There is no single US national supervisory authority.
At a federal level, the FTC has jurisdiction over most commercial entities and has authority to issue and enforce regulations and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.
In addition, other federal agencies, such as the CFPB, the HHS, and the FCC, have jurisdiction under certain federal sector or activity-specific privacy laws; state insurance authorities have certain jurisdiction under GLBA; and the US Securities and Exchange Commission (“SEC”) recently adopted a final rule that, among other things, imposes cybersecurity-related disclosure requirements on public companies.
Under state consumer protection laws, state attorneys general have primary enforcement authority over unfair and deceptive business practices similar to that of the FTC, including with respect to failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states.
Additionally, the California Privacy Rights Act (“CPRA”) (which supplemented and amended the CCPA) established the California Privacy Protection Agency (“CPPA”) and provided it with authority to enforce the CCPA and to promulgate regulations under the CCPA.
Notification or registration scheme and timing
Federal and state privacy laws generally do not require companies to notify regulators of their data processing activities or to register with regulators. Notable exceptions are the data broker laws of California and Vermont, both of which require “data brokers” to register annually (with the state attorney general for California, and with the secretary of state for Vermont) between January 1 and January 31.
In addition, regulations contemplated to be issued by the CPPA under CCPA would require businesses whose processing of personal information “presents a significant risk to consumers’ privacy or security” to submit to such agency a risk assessment on a regular basis. In contrast, data protection assessments required under VCDPA, CPA, and CTDPA are not required to be proactively submitted, but rather must be made available to the applicable attorney general upon request.
Exemptions to notification
Scope of Application
What is the territorial scope of application?
Federal laws such as the FTC Act, GLBA, and HIPAA are generally understood to apply only to activities within the United States and/or territories thereof. Among other things, the FTC Act sets forth provisions with respect to territorial jurisdiction for the service of “civil investigative demands” under the statute and with respect to the jurisdiction of the courts of the United States to take action with respect to compliance with the statute.
In an antitrust context (rather than a privacy context), the FTC (in conjunction with the US Department of Justice) has released guidance to reinforce the principle that remedies should avoid extraterritorial application unless necessary to effectively redress harm or threatened harm to US commerce and consumers.
State general privacy laws include territorial requirements and thresholds, including: (A) requirements that the entity either (i) conducts business within the particular state or (ii) either targets goods and services to residents of the particular state or produces a good or service consumed by residents of the particular state; and (B) thresholds based on the number of affected “consumers” within the particular state.
Is there a concept of a controller and a processor?
Federal privacy laws do not generally use the terms “controller” and “processor”, and the FTC Act does not include such a concept. However, HIPAA includes a relatively analogous concept, with a “covered entity” corresponding to “controller” and “business associate” corresponding to “processor”.
In addition, GLBA includes an exception to its opt-out requirements if: (i) the nonaffiliated third party that receives the nonpublic personal information (akin in such context to a “processor”) uses such personal information to perform services or functions on behalf of the financial institution that provides such information (akin to a “controller”); and (ii) the financial institution enters into a contractual agreement with the recipient nonaffiliated third party that imposes certain prohibitions with respect to the disclosure and use of such nonpublic personal information.
State general privacy laws include the concept of a controller and a processor. While most of such laws use such terms, CCPA uses the corresponding terms “business” (instead of “controller”) and “service provider” and “contractor” (instead of “processor”). The term “contractor” was added to CCPA by CPRA and covers a significantly narrower set of entities than “service provider”; under CCPA, service providers process personal information made available by a business, while contractors do not.
Under state general privacy laws, the “controller” (or “business” under CCPA) determines the purposes and means of the processing of personal data, and a “processor” processes personal data on behalf of the controller pursuant to a contract that governs the processor’s processing activities. In addition, state privacy laws establish the concept of “third parties”, which are generally defined as persons or entities other than the controller or a processor and which may have independent rights to process data received from or via the controller.
Are both manual and electronic records subject to data protection legislation?
Yes. For example, neither GLBA nor HIPAA makes any distinction with respect to the format (electronic or otherwise) of the underlying data covered by such legislation. While COPPA applies to information collected online, its application extends to records containing such collected information, regardless of the form of such records.
State general privacy laws similarly apply regardless of format. While not addressing the underlying format of personal information records, CCPA expressly provides that its provisions are not limited to information collected electronically or over the Internet but apply to all personal information collected by a business from consumers.
Are there any national derogations?
While there are no national derogations, there are a number of state privacy and data security laws and regulations, including both the state general privacy laws discussed above and more specific laws, including Illinois BIPA, CIPA, and state data security breach laws. In some instances, such state laws and regulations go beyond federal law, while in other instances they are pre-empted in part by federal law.
What is personal data?
In the US, the terms “personally identifiable information” (“PII”) or personal information (“PI”) have historically been used in place of the term “personal data”. However, there is no single definition of personal data, PII or PI and their meanings vary widely.
Some laws – such as state data breach notification laws – cover a relatively narrow set of personal information, such as names in combination with government identifiers, financial account information, password, biometrics, health insurance or medical information, and/or other information that can lead to identity theft and fraud or harm.
Under other laws, personal data is defined broadly, and includes, among other things, online identifiers such as cookie IDs and IP addresses. For example: (i) COPPA defines personal information as “individually identifiable information about an individual collected online”, including any identifier that permits the physical or online contacting of a specific individual; and (ii) definitions of personal data under state general privacy laws include any information that identifies or is linked or reasonably linkable to an identified or identifiable individual.
Each of VCDPA, CPA, and CTDPA uses the “linked or reasonably linkable” formulation in its definition of personal data. As noted above, each of VCDPA, CPA, and CTDPA expressly excludes “an individual acting in a commercial or employment context” from their respective definitions of “consumer”, and both VCDPA and CPA expressly define consumer as a resident of the applicable state acting only in an individual or household context.
Under the CCPA, personal information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition specifically includes, among other things, “identifiers” (such as name, postal address, “unique personal identifier”, online identifier, IP address, email address, account name, social security number, driver’s license number, or other similar identifier), “commercial information” (such as purchase history), “internet or other electronic network activity information” (such as browsing history, search history, and other online activities), “sensitive personal information”, and “inferences” drawn from any other category of personal information, in each case if it identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Each state general privacy law expressly excludes “de-identified data” and “publicly available information” from its definition of personal data.
Is information about legal entities personal data?
No. Personal data relates to “individuals” or “natural persons” and, in the case of CCPA, “households”, but not to legal entities.
What are the rules for processing personal data?
The rules imposed by federal and state privacy laws and regulations vary widely.
State general privacy laws have also borrowed certain key concepts from the GDPR, including: (i) the principle of “purpose limitation”, which requires that personal data be collected and processed only for the specific purposes disclosed to the consumer and prohibits the controller from processing personal data for purposes that are not reasonably necessary for or compatible with such disclosed purposes, unless the controller first obtains the consumer’s “opt-in” consent to the processing of personal data for such secondary purposes; and (ii) the principle of “data minimization”, which establishes that a controller collect personal data only to the extent that it is relevant and limited to what is necessary or reasonably necessary (depending on the state law) in relation to the specified purposes.
Federal and state laws also generally require regulated entities to implement and maintain reasonable and appropriate security measures to protect information.
Are there any formalities to obtain consent to process personal data?
GLBA: GLBA does not require any affirmative “opt-in” consent from a customer or consumer, although, as described above, financial institutions are required under GLBA to provide customers and consumers with reasonable means (which can be written, oral, or electronic) to opt out of certain uses and disclosures of their NPI.
HIPAA: The HIPAA Privacy Rule sets forth optional consent provisions, pursuant to which a covered entity may obtain consent of the individual to use or disclose that individual’s PHI for certain purposes. However, HIPAA requires “authorization” for the use or disclosure of PHI for marketing purposes, the sale of PHI, or the use or disclosure of psychotherapy notes. Authorizations must be in writing and in plain language and must contain certain elements, including the individual’s signature and the date, and required notice statements.
COPPA: COPPA requires websites, online services, and mobile apps directed to children (under 13 years old), or that knowingly collect personal information from children, to obtain “verifiable parental consent” before collecting, using, or sharing children’s personal information. However, COPPA includes limited exceptions allowing operators to collect certain information without obtaining parental consent in advance.
VPPA: VPPA generally requires the consumer’s informed, written (including through electronic means using the Internet) consent for a video tape service provider to disclose personally identifiable information.
State general privacy laws: In addition to affirmative opt-in consent requirements for secondary uses of personal data, with the exception of CCPA, state general privacy laws require affirmative opt-in consent for the processing of “sensitive data” (discussed below); in contrast, CCPA provides a right for consumers to limit the use and disclosure of their sensitive personal information.
State general privacy laws also require affirmative opt-in consent (or affirmative authorization, under CCPA) for certain processing of the personal data of children who are known to be less than 13 years old, including the “selling” of such consumers’ personal data, the “sharing” (under CCPA) of such consumers’ personal data, and the use of such consumers’ personal data for “targeted advertising”, which consent (or authorization, under CCPA) must be provided by the child’s parent or lawful guardian; under both CCPA and CTDPA, such processing of personal information of a teenager who is known to be older than 13 years old but younger than 16 years old also requires affirmative opt-in consent, but the teenager can provide such consent.
Under state general privacy laws, each of the foregoing usages (selling, sharing, and targeted advertising) of personal data of consumers who are at least 16 years old is subject to an “opt-out” right. In addition, under CCPA, CPA, and CTDPA, an agreement obtained through the use of a “dark pattern” does not constitute valid consent. Under CCPA, businesses must honor opt-out preference signals (sent by a platform, technology, or mechanism) indicating a consumer’s intent to so “opt out”, and controllers will be subject to a corresponding obligation under both CPA and CTDPA in the near future (July 1, 2024 under CPA, and January 1, 2025 under CTDPA).
Are there any special rules when processing personal data about children?
COPPA: As described above, COPPA requires websites, online services, and mobile apps directed to children under 13, or that knowingly collect personal information from children, to obtain “verifiable parental consent” before collecting, using, or sharing children’s personal information. However, COPPA includes limited exceptions allowing operators to collect certain information without obtaining parental consent in advance.
State general privacy laws: Also as described above, state general privacy laws require affirmative opt-in consent (or affirmative authorization, under CCPA) for certain processing of the personal data of children who are known to be less than 13 years old, including the “selling” of such consumers’ personal data, the “sharing” (under CCPA) of such consumers’ personal data, and the use of such consumers’ personal data for “targeted advertising”, which consent must be provided by the child’s parent or lawful guardian; under CCPA, such processing of personal information of a child who is known to be older than 13 years old but younger than 16 years old also requires affirmative opt-in consent, but the child can provide such consent.
Are there any special rules when processing personal data about employees?
Most state general privacy laws do not cover personal data processed in an employment context.
However, this is covered by CCPA. That law includes “personal information” that is collected by a business about a natural person: (a) in the course of that natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or independent contractor of, that business (a “workforce” member), to the extent that such information is collected and used by the business solely within that workforce context; (b) that is emergency contact information of a workforce member, to the extent that such information is collected and used solely within that “emergency contact” context; and/or (c) that is necessary for the business to retain to administer benefits for another natural person relating to the workforce member, to the extent that the information is collected and used solely within the context of administering those benefits.
In addition, both Illinois and New York City have effective laws that impose certain requirements on the use of automated decision-making tools for employment screening and, in the case of New York City’s law, for promotion decisions, including prior notice and either opt-in consent (under Illinois’ law) or the right to opt out (under New York City’s law).
Further, more than ten states, plus the District of Columbia, have laws that prohibit (with some narrow exceptions) administering or requesting to administer lie detector tests to employees and applicants, and the federal Employee Polygraph Protection Act of 1988 includes similar prohibitions. Such laws have been the basis of claims in connection with the use of automation software or tools to screen or assess employees or applicants for “honesty”, “integrity”, or similar characteristics.
Sensitive Personal Data
What is sensitive personal data?
While definitions of sensitive personal data vary across laws, the following are certain elements generally common to each definition under state general privacy laws:
- Personal data revealing racial or ethnic origin, religious belief(s), sexual orientation, or mental or physical health condition or diagnosis.
- Biometric information processed for the purpose of uniquely identifying a person.
- Personal data collected from a known child.
- Precise location data.
Both CPA and CTDPA also include “sex life” as an element of sensitive data, while CCPA also includes: (i) a consumer’s social security, driver’s license, state identification card, or passport number; and (ii) a consumer’s account log-in, financial account, debit card or credit card number, in each case in combination with any required code, password, or credentials that allow access to an account. The FTC also considers social security numbers, credit reports, and account numbers to be sensitive data.
State data security breach notification laws generally limit their definitions of security breaches to personal information that includes specific types of “sensitive data” – i.e., social security numbers; passport numbers; drivers’ license numbers and other government identification numbers; financial account, credit card, or debit card number, each in combination with a passcode or password; and email address in combination with a passcode or password – as well as medical information and biometric information.
Are there additional rules for processing sensitive personal data?
As described above, with the exception of CCPA, state general privacy laws require affirmative opt-in consent for the processing of “sensitive data”; in contrast, CCPA provides a right for consumers to limit the use and disclosure of their sensitive personal information.
Are there additional rules for processing information about criminal offences?
Putting aside laws that govern the activities of governmental agencies (such as the federal Privacy Act of 1974), federal and state privacy laws do not generally include express provisions with respect to the processing of information about criminal offenses.
However, each of VCDPA, CPA, and CTDPA includes “a decision that results in the provision or denial of…criminal justice” as an example of a decision that produces legal or similarly significant effects concerning a consumer. Under each of such laws, (i) consumers have the right to opt out of “profiling” in furtherance of such decisions and (ii) “profiling” in furtherance of such decisions may constitute a processing activity that requires the controller to conduct and document a data protection assessment.
Are there any formalities to obtain consent to process sensitive personal data?
As described above, authorizations under HIPAA must be in writing and in plain language and must contain certain elements, including the individual’s signature and the date, and required notice statements.
Under state general privacy laws, “consent” must be an affirmative act that signifies the consumer’s freely given, specific, informed, and unambiguous agreement. Under CCPA, CPA, and CTDPA, an agreement obtained through the use of a “dark pattern” does not constitute valid consent.
Data Protection Officers
When must a data protection officer be appointed?
With the exception of HIPAA – which requires both a “privacy official” and a “security official” – federal and state privacy laws do not generally require the appointment of a data protection officer.
What are the duties of a data protection officer?
The HIPAA privacy official is responsible for the covered entity’s development, implementation, and maintenance of, and adherence to, privacy policies and procedures regarding PHI in compliance with its HIPAA obligations. The HIPAA security official is responsible for the covered entity’s development, implementation, and maintenance of, and adherence to, security policies and procedures regarding PHI in compliance with its HIPAA obligations.
Accountability and Privacy Impact Assessments
Is there a general accountability obligation?
No, there is not a general accountability obligation under US federal or state privacy law.
Are privacy impact assessments mandatory?
While the FTC Act does not require a privacy impact assessment, security risk assessments are mandatory under both GLBA and HIPAA, and data protection assessments are mandatory under state general privacy laws in the event the controller is engaged in certain data processing activities.
GLBA requires each financial institution to: (i) develop, implement, and maintain its information security program based on a written risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information; and (ii) design, implement, and assess the sufficiency of safeguards in place to control such risks.
HIPAA requires each covered entity and business associate to: (i) conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI it holds; and (ii) implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
As noted above, additional regulations contemplated to be issued by the CPPA under CCPA would require businesses whose processing of personal information “presents a significant risk to consumers’ privacy or security” to submit to such agency a risk assessment on a regular basis.
Each of VCDPA, CPA, and CTDPA already requires controllers to conduct and document a data protection assessment of each of its processing activities that presents a “heightened risk of harm to a consumer”, which activities include: (i) the sale of personal data; (ii) the use of personal data for targeted advertising; (iii) the processing of personal data for certain profiling; and (iv) the processing of sensitive data. CPA prohibits such processing activities unless such a data protection assessment has first been conducted and documented.
Rights of Data Subjects
GLBA: Under the GLBA Privacy Rule, financial institutions must notify their customers about their information-sharing practices and inform consumers of their right to “opt out” of the sharing of their information with certain nonaffiliated third parties. Such notices must be provided by financial institutions both at the time the customer relationship is established and annually thereafter. In contrast, the opt-out right provided to consumers under the federal Fair Credit Reporting Act (15 U.S.C. §§ 1681-1681x) extends to the sharing of consumer report information with both affiliated third parties and nonaffiliated third parties.
HIPAA: The HIPAA Privacy Rule requires each covered entity to provide notice to individuals of its privacy practices and of individuals’ rights under HIPAA. For health care providers, this requirement generally applies on the first visit for treatment. The rule sets out specific requirements for the contents and method of the notice.
Rights to access information
HIPAA is unique under federal privacy laws, as, with limited exceptions, it provides individuals the right to access their medical information.
However, state general privacy laws all also provide consumers the right to access their personal data.
Rights to data portability
Under HIPAA, individuals have the right to receive a copy of their PHI from covered entities.
Each of the state general privacy laws also provides consumers the right to data portability.
Right to be forgotten
There is currently no “right to be forgotten” under US federal or state privacy laws although users can exercise their rights to have their personal data deleted under state general privacy laws.
Objection to direct marketing and profiling
Under the CAN-SPAM Act, recipient consumers have the right to opt out of “commercial electronic mail messages” (e.g., such direct marketing as emails and some text messages) from the sender. Similarly, under both the TCPA and the TSR, consumers have the right to register their phone number on the National Do-Not-Call Registry to opt out of telemarketing calls.
Each of VCDPA, CPA, and CTDPA provides consumers with the right to opt out of the use of personal data for targeted advertising, while CCPA provides consumers with a substantially similar right to opt out of the “sharing” of personal data (which, under the CCPA, means sharing for “cross-context behavioral advertising”). In addition, CCPA provides consumers with the right to limit the use and disclosure of sensitive personal information.
Each of the state general privacy laws provides consumers with the following additional rights: (a) a right to correct personal data; (b) a right to opt out of the use of personal data for certain automated decision-making/profiling; and (c) a right not to be discriminated against for exercising any of their rights under such law.
Importantly, state general privacy laws also provide a right to opt out of “sales” of personal data. The definition of “sale” varies across state general privacy laws: VCDPA limits it to exchanges for “monetary consideration”, while the other three use the broader “monetary or other valuable consideration”.
Security requirements in order to protect personal data
Federal and state laws generally require regulated entities to implement and maintain reasonable and appropriate security measures to protect information.
GLBA: The GLBA Safeguards Rule requires covered companies to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards that is designed to protect customer information and is based on risk assessments also required by such rule.
HIPAA: The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting all PHI that it creates, receives, maintains, or transmits in electronic form.
State laws: Each state general privacy law requires the controller to implement reasonable and appropriate security measures to protect personal data. Notably, the only private right of action provided by CCPA arises in the event of certain personal information breaches resulting from the business’s failure to implement and maintain reasonable and appropriate security procedures and practices.
In addition, other states, including New York and Massachusetts, have enacted laws and regulations that impose more prescriptive requirements on businesses to protect certain data, including sensitive personal information. New York’s SHIELD Act requires companies to develop, implement, and maintain reasonable administrative, technical, and physical safeguards that are designed to protect the security, confidentiality, and integrity of private information. Massachusetts regulations require covered parties to develop, implement, and maintain a comprehensive, written information security program and establish mandatory elements of such programs, including encryption requirements with respect to personal information transmitted wirelessly or across public networks and personal information stored on laptops or other portable devices.
Specific rules governing processing by third party agents (processors)
GLBA: Under GLBA, a financial institution that discloses nonpublic personal information to a nonaffiliated third party under an exception from GLBA’s opt-out requirements must enter into a contract with such third party that prohibits the third party from disclosing or using such information other than to perform services for the financial institution or functions on the financial institution’s behalf.
HIPAA: HIPAA’s Privacy, Security, and Breach Notification Rules apply to “business associates” as well as “covered entities”. HIPAA: (i) generally requires covered entities to enter into a written contract with each of their business associates to ensure that such business associates appropriately safeguard PHI made accessible by the covered entity; and (ii) establishes certain requirements for such contracts, including a description of the permitted and required uses of such PHI and a prohibition of the use and disclosure of such PHI other than as permitted or required by the contract or as required by law.
State general privacy laws: Each state general privacy law requires the business / controller to enter into a contract with each processor / service provider (including, under CCPA, both “service providers” and “contractors”) that governs the processor’s / service provider’s processing of personal data and that imposes obligations on the processor / service provider, including with respect to confidentiality, deletion or returning of personal data, compliance and auditing, and the engagement of sub-processors by the processor / service provider.
CCPA’s obligations with respect to service providers are the most prescriptive of such laws, as (i) they require that the service provider’s retention, use, and disclosure of personal information be only for the “business purposes” specified in the contract and (ii) CCPA establishes a relatively narrow, exhaustive set of business purposes.
Unlike other state privacy laws, CCPA also requires businesses to enter into a contract with each third party that specifies the purposes for which personal data is being provided or made available to such third party, imposes certain obligations on such third party, and grants certain rights to the business.
Notice of breach laws
FTC Act: Although the FTC Act does not expressly include provisions with respect to data breach notification, the FTC has taken the position that, regardless of whether a breach notification law applies, an entity that suffers a data breach and fails to disclose information to help parties mitigate reasonably foreseeable harm may be deemed to have engaged in an unfair and/or deceptive data security practice in violation of Section 5 of the FTC Act.
GLBA: Under “Interagency Guidelines” established pursuant to GLBA, a financial institution should notify customers affected by unauthorized access or misuse of “sensitive customer information”, including notifying affected customers as soon as possible after it determines that misuse of customer information has occurred or is reasonably possible.
In addition, under a recently enacted “Notification Rule”: (i) a banking organization is obligated to notify its primary federal regulator as soon as possible (and no later than 36 hours) after it determines that a “notification incident” has occurred; and (ii) a bank service provider is obligated to notify each affected “banking organization” customer as soon as possible after it determines that it has experienced a “computer security incident” that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
HIPAA: Under the HIPAA Breach Notification Rule, both covered entities and business associates have notification obligations in the event of a breach of unsecured protected health information. Covered entities must provide notification of such a breach to affected individuals, the Secretary of HHS, and, in certain circumstances, to the media. Business associates must notify the applicable covered entities of such a breach at or by the business associate.
SEC: The final rule recently adopted by the SEC requires public companies to disclose material cybersecurity incidents in a current report filing (Form 8-K) within four business days after the company’s determination that the cybersecurity incident is material.
State laws: All 50 US states have specific data breach notification laws in effect. Although none of the state general privacy laws include express notification requirements, a declaration in the introduction to the CCPA provides that businesses should notify consumers when their most sensitive information has been compromised. CCPA also provides a private right of action to consumers for certain breaches of unencrypted personal information.
Transfer of Personal Data to Third Countries
Restrictions on transfers to third countries
There are no express restrictions imposed by US federal or state privacy laws on the transfer of personal data to third countries. The EU-US Data Privacy Framework, which was recently determined to be adequate by the European Commission, addresses the transfer of personal data of EU data subjects.
Notification and approval of national regulator (including notification of use of Model Contracts)
There is no obligation to notify or obtain the consent of a national regulator for transborder dataflows from the US.
Use of binding corporate rules
There is no concept of binding corporate rules in US federal or state privacy laws.
Various entities enforce US federal and state privacy laws. Violations of privacy laws, rules, and regulations are generally enforced by the FTC, state attorneys general or the regulator for the industry sector in question.
FTC Act and COPPA: The FTC may bring civil actions for civil monetary penalties of up to $50,120 per violation of the FTC Act. Each day that non-compliance continues is considered a separate “violation” for purposes of the law. Violations of COPPA are deemed to be unfair or deceptive trade practices and are therefore subject to the same civil penalties as set forth under the FTC Act, as described above. COPPA also gives both states and certain other federal agencies authority to enforce compliance.
GLBA: The FTC, the CFPB, the CFTC, and other financial regulators all have the authority to bring civil actions for damages for violations of GLBA. Civil monetary penalties range from a maximum of $5,000 per day of violation to $1,000,000 per day of violation, where an individual knowingly violated the law.
HIPAA: HHS may impose civil monetary penalties of between $100 and $50,000 per HIPAA violation, with a total of $25,000 to $1.5 million for all violations of a single requirement in one calendar year.
VPPA: The VPPA provides for the recovery of actual damages, but not less than liquidated damages of $2,500 (generally understood to be per plaintiff, per violation), as well as punitive damages.
State general privacy laws: CCPA provides for an administrative fine of up to $2,500 per violation or up to $7,500 per intentional violation. Maximum damages are $7,500 per violation under VCDPA, $5,000 per violation under CTDPA, and $20,000 per violation under CPA (which increases to $50,000 per violation if the affected consumer is an elderly person).
FTC Act: The FTC does not have criminal enforcement authority under the FTC Act, although, if it obtains evidence of conduct that may constitute a violation of a federal criminal law, it may transmit such evidence to the US Attorney General.
GLBA: Under GLBA, criminal penalties for knowing and intentional violations may include prison sentences of up to five years.
HIPAA: Under HIPAA, criminal penalties for knowing and intentional violations may include prison sentences of up to ten years.
State privacy laws: State general privacy laws do not generally carry criminal penalties. However, CIPA carries potential criminal penalties including up to a year in jail and criminal penalties under Nevada’s forthcoming consumer health data law include prison sentences (up to 20 years).
Certain laws – including the VPPA, Illinois BIPA, CIPA, and WA MHMDA – provide a private right of action. Each of the VPPA, Illinois BIPA, and CIPA has been a frequent target for class action litigation pursuant to such private rights of action. Given the potentially massive damages, privacy class action litigation represents a significant issue for businesses.
Pursuant to the private right of action under the TCPA, plaintiffs may receive compensation in an amount equal to the greater of actual damages suffered or statutory damages of $500 ($1,500 if the violation is willful or knowing) per unsolicited call or message.
Compensation under the VPPA is for the recovery of actual damages, but not less than liquidated damages (generally understood to be per plaintiff, per violation), and punitive damages can be assessed in addition to such actual or liquidated damages. The VPPA has been a particularly attractive target for such litigation in recent years, with plaintiffs seeking to apply the prohibitions of the 1988 statute to the collection of data on websites and other digital properties that play videos.
Similarly, the CIPA – which was enacted in 1967 and provides for a private right of action pursuant to which a plaintiff may recover the greater of $5,000 per violation or three times the amount of actual damages suffered – has also been a frequent target for class action litigation, including with respect to the use of “chatboxes” on websites and other digital properties.
Illinois BIPA has also been the subject of substantial class action litigation. Illinois BIPA provides that a claimant may recover the greater of actual damages or an enumerated per-violation amount for liquidated damages ($1,000 for a negligent violation, $5,000 for an intentional or reckless violation). In one 2022 case, a jury awarded $228 million in damages, based on a finding of 45,600 intentional or reckless violations of Illinois BIPA. That award was vacated by an Illinois federal district court, which held that the $5,000 maximum liquidated damages amount was discretionary based on the use of “may” in the statute.
CCPA is the only state general privacy law that provides a private right of action, and such right under CCPA applies only with respect to certain breaches of unencrypted personal information. Pursuant to such private right of action, CCPA provides for recovery of $100-$750 per consumer per incident.
In addition to the enforcement measures described above, regulatory authorities are typically granted further powers to enforce the privacy laws described in this chapter, including the right to seek injunctive relief. Injunctive relief is an available remedy under, among other statutes, the FTC Act, GLBA, and HIPAA, as well as under each of the state general privacy laws.
As the primary federal consumer protection regulator, the FTC is also empowered under the FTC Act to, among other things: prescribe rules with respect to unfair or deceptive acts or practices; establish requirements designed to prevent such acts or practices; conduct investigations; and make legislative recommendations to the US Congress.
In the last several years, there have been numerous eight- and nine-figure fines, as well as one ten-figure fine, levied for violations of US federal privacy laws and for privacy-related violations of federal and state consumer protection laws. Such massive fines have been levied by the FTC under the FTC Act, the GLBA Safeguards Rule, and COPPA, as well as by the Office of the Comptroller of the Currency under GLBA, and include:
- $5 billion penalty imposed in 2019 by the FTC on Facebook, arising out of alleged deceptive acts and practices in violation of Section 5 of the FTC Act, as well as of a 2012 order previously issued by the FTC. In 2023, a federal judge approved a $725 million settlement arising out of the same data practices
- $575 million settlement in 2019 between the FTC and Equifax arising out of alleged violations of Section 5 of the FTC Act and the GLBA Safeguards Rule, in connection with network security and a data breach that affected approximately 147 million people
- $520 million settlement in 2022 between the FTC and Epic Games, consisting of a $275 million fine for alleged violations of COPPA and $245 million in refunds to affected consumers for alleged deceptive acts or practices in violation of Section 5 of the FTC Act, including with respect to the use of “dark patterns”
Other enforcement action:
Remedies in each of the three preceding cases entailed, in addition to financial penalties, injunctive relief, including the implementation of a comprehensive privacy program and/or a comprehensive information security program.
ePrivacy | Marketing and cookies
The two key federal laws are set out below.
The Telephone Consumer Protection Act (the “TCPA”) and the Telemarketing Sales Rule (the “TSR”): Implemented and enforced by the Federal Communications Commission, the TCPA (47 U.S.C. § 227) regulates the collection and use of telephone numbers for commercial purposes. It applies to telephone calls and text messages, as well as faxes, provides a private right of action for certain violations, and permits recovery of the greater of actual damages or statutory damages of $500 ($1,500 if the violation is willful or knowing) per unsolicited call or message. Because of these statutory damages, TCPA class action litigation is a key issue for businesses, and the terms of the statute are frequently litigated. The TSR regulates calls and text messages (but not faxes), was promulgated by the FTC under the Telemarketing and Consumer Fraud and Abuse Prevention Act, and is generally enforced by the FTC. The underlying statute provides a private right of action only if the amount in controversy exceeds $50,000 in actual damages for each person adversely affected by the telemarketing activities.
Controlling the Assault of Non-Solicited Pornography and Marketing Act (the “CAN-SPAM Act”): The CAN-SPAM Act (15 U.S.C. §§ 7701-7713) regulates “commercial electronic mail messages”, which includes emails and some text messages. In the email context, the CAN-SPAM Act prohibits senders of commercial emails from using any false or misleading header information or subject lines that would likely mislead a recipient about a material fact regarding the message’s contents or subject matter. Senders of commercial emails must also follow certain requirements, including providing, in each email, a clear and conspicuous identification that the message is an advertisement or solicitation and notice of the opportunity to opt out of receiving further commercial email messages from the sender and instructions on how to do so. There is no private right of action under the CAN-SPAM Act.
Cookie IDs are generally understood to constitute personal data under each of the state general privacy laws, and both CCPA and CPA include express provisions with respect to cookies or online identifiers in connection with their definitions of personal data. CCPA expressly includes cookies, beacons, and similar technology within the definition of “unique personal identifier”, which, in turn, is an express element of “personal information”. Similarly, CPA’s definition of “identified or identifiable individual” expressly indicates that an “online identifier” (e.g., a cookie ID) can be the basis for such identification.
While CalOPPA does not mandate that operators support or honor ‘Do-Not-Track’ signals, the more recently enacted CCPA does obligate businesses to treat an opt-out preference signal (such as Global Privacy Control) as a consumer’s election to opt out of the sale and sharing of personal information.
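The opt-out preference signal obligation above has a concrete technical surface. The following is an added example, not code from the original page or from any regulator: it assumes the two ways the Global Privacy Control specification exposes the signal (the `Sec-GPC: 1` request header, and the `navigator.globalPrivacyControl` boolean in the browser) and shows a server-side decision that treats the signal as an election to opt out of sale and sharing and persists that election. The request headers, consumer record shape and field names (`optedOut`, `allowThirdPartyAdTags`) are constructed for illustration; how a business reconciles a signal with a conflicting, business-specific consent is simplified here to “the signal wins”.

```javascript
// Added example (not part of the original page): honoring a Global Privacy
// Control (GPC) opt-out preference signal as an opt-out of "sale"/"sharing".
// Assumed from the GPC spec: the "Sec-GPC" request header, whose only defined
// value is "1", and the navigator.globalPrivacyControl boolean in browsers.

// Header names are case-insensitive; only the exact value "1" is a signal.
function parseSecGpc(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Browser-side equivalent, written against a navigator-like object so it can
// run outside a browser; real code would pass window.navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide whether this request must be treated as opted out of sale/sharing.
// A stored opt-out always applies; otherwise a GPC signal applies; with
// neither, the consumer is not opted out. (Conflict handling simplified.)
function resolveOptOut(record, headers) {
  if (record.optedOut) return { optOut: true, reason: 'stored-opt-out' };
  if (parseSecGpc(headers)) return { optOut: true, reason: 'gpc-signal' };
  return { optOut: false, reason: 'no-signal' };
}

// Apply the decision: persist the election (so it survives later requests
// that lack the header) and suppress third-party advertising tags, which is
// where "sharing" for cross-context behavioral advertising typically occurs.
function applyOptOut(record, headers) {
  const decision = resolveOptOut(record, headers);
  const updated = { ...record };
  if (decision.optOut) {
    updated.optedOut = true;
    updated.allowThirdPartyAdTags = false;
  }
  return { decision, record: updated };
}

// Constructed sample input: one consumer record and one request carrying GPC.
const sampleRecord = { id: 'consumer-123', optedOut: false, allowThirdPartyAdTags: true };
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'ExampleBrowser/1.0' };

function demo() {
  return applyOptOut(sampleRecord, sampleHeaders);
}
```

The stored flag matters: the signal arrives only on requests from a browser configured to send it, so a business that re-evaluates from the header alone would silently re-enable sharing for the same consumer on a device or session without GPC.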
Conditions for direct marketing by e-mail to individual subscribers
The CAN-SPAM Act applies labeling and opt-out requirements to all commercial electronic mail messages, which include emails and some text messages. CAN-SPAM generally allows a company to send such commercial messages to any recipient, as long as: (i) the recipient has not opted out of receiving such messages from the sender; and (ii) the message (a) identifies the sender and the sender’s contact information; and (b) contains instructions on how the recipient can easily and without cost opt out of future commercial electronic mail messages from the sender.
The FTC and state attorneys general, as well as ISPs and corporate email systems, can sue violators. Knowingly falsifying the origin or routing of a commercial electronic mail message is a federal crime.
Under each state general privacy law, an e-mail address constitutes personal data and is therefore subject to each such law’s “purpose limitation” requirements. Therefore, an e-mail address collected for a particular specified purpose (e.g., for the controller to contact a consumer in connection with a transaction) may not be able to be used for direct marketing unless, among other things, the controller also discloses the marketing purpose at the time of collection of such e-mail address.
Conditions for direct marketing by e-mail to corporate subscribers
The CAN-SPAM Act does not make an exception for business-to-business messages.
While each of VCDPA, CPA, and CTDPA excludes individuals acting in a commercial context from the definition of “consumer”, CCPA does not.
Exemptions and other issues
Unlike “commercial” content, “transactional” or “relationship” content – which facilitates an already agreed-upon transaction or updates a customer about an ongoing transaction – is not covered by the CAN-SPAM Act. The “primary purpose” of a particular message (i.e., whether it is “commercial” or is either “transactional” or “relationship”) is the determining factor in whether the act applies to that message.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Both the TCPA and the TSR regulate the use of telephone numbers for commercial purposes, including direct marketing. The TCPA applies to telephone calls, text messages, and faxes, while the TSR applies to telephone calls and text messages.
The TCPA and the TSR both set forth rules governing, among other things, times during the day when telephone solicitations can be made, use of automated dialing systems and software solicitations, obligations with respect to the “National Do-Not-Call Registry”, opt-out requirements, and information the solicitor must provide to the recipient.
As with email addresses, under each state general privacy law, a phone number constitutes personal data and is therefore subject to each such law’s “purpose limitation” requirements.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
Calls to corporate cell phones are generally subject to the restrictions under the TCPA and the TSR.
Again, while each of VCDPA, CPA, and CTDPA excludes individuals acting in a commercial context from the definition of “consumer”, CCPA does not.
Exemptions and other issues
Under certain circumstances, both the TCPA and the TSR exempt certain calls to corporate landline telephones.