When it comes to privacy and data security, the United States has a less strict regulatory environment than many other major economies, such as the European Union.
However, several states have passed laws in recent years that impose significant requirements on businesses handling the personal information of US residents. There are also some tough sector-specific federal privacy laws that you might not realize you need to comply with.
This guide will help you understand:
- Which US state and federal privacy laws apply to your business
- What the laws require
- The consequences of a violation
Let’s start with state laws.
While these are “US state privacy laws”, they actually apply to businesses around the world. Why? Because it doesn’t matter where your business is located, it matters whose personal information you’re handling. We’ll give examples below, with a focus on the three broadest and strictest US state privacy laws.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) came into full force in 2020 and is California’s state law that many people are (justifiably) comparing to the European Union’s world-leading General Data Protection Regulation (GDPR).
If you’re interested, you can read the full text here.
Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, pushing the state statute closer to the GDPR.
The CPRA creates a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected and for purposes of which the consumer has been informed. While, yes, the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options.
What does this mean for you? Organizations must ensure compliance with the CCPA, integrating the demands of the CPRA, before it takes effect on January 1, 2023.
Who Does the CCPA Apply to?
Although the CCPA was written with big tech companies in mind, it affects businesses across sectors.
The CCPA covers any business handling the personal information of California residents (regardless of whether the business has any physical presence in the state) that meets one of the following three thresholds:
- It has gross revenues in excess of $25 million per year,
- It buys, sells, receives or shares for commercial purposes the personal information of at least 50,000 California consumers or households per year, OR
- It derives 50 percent or more of its annual revenues from selling consumers’ personal information
Note that, due to the CCPA’s broad definition of “personal information”, and of what constitutes “selling” personal information, a company may fall under threshold “B” (the second threshold above) if:
- It operates a website or app that uses third-party cookies for advertising or analytics, and
- The website or app attracts at least 50,000 California visitors or users per year.
What Are the Main Requirements Under the CCPA?
The CCPA’s main obligations include:
- Control: Businesses must allow consumers to access and delete their personal information, and must allow consumers to opt out of the sale of their personal information.
- Security: Businesses must apply reasonable security procedures and practices to safeguard the personal information they store. This may include malware protection, staff training, and email security.
Violating any part of the CCPA can lead to civil penalties of:
- Up to $2,500 per unintentional incident (such as failing to implement proper security protections, leading to a data breach).
- Up to $7,500 per intentional incident (such as deliberately selling the personal information of consumers who have “opted out”).
Data breaches can be particularly heavily penalized under the CCPA’s private right of action, with statutory damages of up to $750 per consumer, per incident.
Failing to implement proper data security practices could, therefore, lead to class action lawsuits in the billions of dollars, depending on the severity and extent of the breach. That’s why it’s so important that organizations level up their cybersecurity.
Still have questions? We answered 13 FAQs about the CCPA in this article. We also outline the 5 Things CISOs Should Know About The CCPA here.
New York SHIELD Act
The New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) is a New York State Act that came into full force in 2020. Again, if you want to read the full text, you can find it here. In a sentence, it’s a data breach notification law that imposes data security standards on covered businesses.
Who Does the NY SHIELD Act Apply to?
The NY SHIELD Act applies to “any person or business that owns or licenses computerized data which includes private information of a resident of New York.”
This includes businesses with no physical presence in the state.
So, what’s “private information”? The Act’s definition is complex, but, broadly, it includes:
- A person’s full name, or first initial and last name, plus at least one of the following unencrypted (or compromised) data elements:
  - Social security number,
  - Driver’s license or other ID number,
  - Bank account or credit card number (plus security code or PIN),
  - Biometric data.
- Or an email address or username, plus a password, “secret question” answer, or any other means of access.
It’s important to note that gaining access to these data points is easier than you might think. Just look at your mailing list.
What Are the Main Requirements Under the NY SHIELD Act?
The NY SHIELD Act consists of two parts:
- Data breach notification: Businesses must report any breach of the private information of New York residents to the affected persons and to various New York authorities “in the most expedient time possible and without unreasonable delay.”
- Data security program: Businesses must implement reasonable administrative, technical, and physical security measures to safeguard the private information of New York residents. This must include:
  - Risk assessment of how employees transfer and communicate private information,
  - Appropriate software protection such as email security,
  - Staff training on privacy and data security.
Violating the SHIELD Act’s data breach notification requirements can lead to a civil penalty of up to $250,000.
Oregon Consumer Information Protection Act (OCIPA)
The Oregon Consumer Information Protection Act (OCIPA) (previously the Oregon Consumer Identity Theft Protection Act) is an Oregon state law that received significant amendments in 2019 (available here). It is a data breach notification law that imposes data security standards on covered businesses.
Who Does OCIPA Apply to?
OCIPA applies to “any person that owns, maintains or otherwise possesses” the personal information of Oregon residents.
OCIPA defines “personal information” in much the same way as the NY SHIELD Act, with two additional types of information included:
- Health insurance policy numbers and other health-related identifiers,
- Information about a person’s physical or mental diagnoses or history.
This means that those working in healthcare have to be especially careful. You can read more about the frequency of data loss incidents in this specific sector in our blog: Data Loss Prevention in Healthcare.
What Are the Main Requirements Under OCIPA?
Like the NY SHIELD Act, OCIPA requires businesses to implement a “data security program” to maintain administrative, technical, and physical safeguards over the personal information they possess.
An OCIPA data security program must include measures such as:
- Designating an employee to oversee the program,
- Safeguarding against and responding to cyberattacks,
- Implementing anti-malware and email protection software.
Any data breach must be reported to the individuals affected “without unreasonable delay, but not later than 45 days” after discovering the breach. If the breach affects 250 or more Oregon residents, it must be reported to the Oregon Department of Justice.
The maximum fine for failing to properly report a breach is $25,000 per violation.
Next up: three of the most important US federal privacy laws. These are sector-specific, but they each apply more broadly than you might expect.
Children’s Online Privacy Protection Act (COPPA)
The Children’s Online Privacy Protection Act (COPPA) is a federal law first passed in 1998 and it covers the provision of goods and services to children. You can read the full text here, but we’ve answered key questions below.
Who Does COPPA Apply to?
COPPA applies to anyone who operates a commercial website, online service, or mobile app that is:
- Directed at minors under the age of 13, or
- Knowingly collecting the personal information of minors under the age of 13.
While we can’t write an extensive list of all the different websites, services, or apps that meet these requirements, think of brands like Disney, Hasbro, and Mattel. Importantly, COPPA applies to non-US companies and content creators using platforms such as YouTube and TikTok.
Personalized advertising is a big target of COPPA enforcement. IP addresses and device IDs qualify as “personal information” under the Act. Most websites and apps collect this type of information.
What Are the Main Requirements Under COPPA?
Under COPPA, businesses are required to:
- Provide privacy notices to parents,
- Obtain parental consent before collecting, using, or sharing children’s personal information,
- Allow parents to opt out of the processing of children’s personal information,
- Allow parents to access their children’s personal information,
- Collect the minimum personal information necessary from children,
- Protect the confidentiality, security, and integrity of children’s personal information by maintaining reasonable security practices.
Violating COPPA can lead to fines of up to $43,280 per incident. In 2019, Google settled an alleged COPPA violation with the FTC for $170 million.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law first passed in 1996. As the name suggests, it covers the healthcare sector.
Who Does HIPAA Apply to?
HIPAA applies to “covered entities,” including:
- Healthcare providers (e.g. doctors, physiotherapists, nursing homes, pharmacists, dentists, etc.)
- Health plans (e.g. health insurance companies, employer-sponsored health plans)
- Healthcare clearinghouses (e.g. billing services, community health information systems)
Covered entities process “protected health information” (PHI), which covers 18 categories of personal information including:
- Email addresses
- IP addresses
- Medical record numbers
While “covered entities” deal directly with health information, HIPAA also applies to subcontractors of covered entities that require access to PHI. Such subcontractors are known as “business associates.”
Some common types of companies that act as “business associates” include:
- Third-party claims management administrators
- Medical transcriptionists
- Data analysts
What Are the Main Requirements Under HIPAA?
HIPAA places strict obligations on how covered entities and business associates process PHI, with rules covering:
- Providing access to PHI to individuals (this is optional, unlike “the right to access” under the CCPA),
- Providing Privacy Notices when collecting or disclosing PHI,
- Training employees on matters of patient privacy,
- Assessing the risk to PHI from cybersecurity threats,
- Implementing anti-malware and email protection software,
- Reporting actual or suspected cyberattacks to the Office for Civil Rights as soon as possible, and in any case within 60 days.
Remember that privacy and security threats can come from outside or inside your organization.
In 2017, the Department of Health and Human Services settled an investigation with a HIPAA covered entity for $5.5 million after a trusted employee leaked the PHI of 80,000 individuals. You can read more about incidents involving Insider Threats (including two instances involving the NHS) in this blog: Insider Threat Types and Real-World Examples.
Penalties under HIPAA can range from $100 to $50,000 per violation.
Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is a federal law first passed in 1999 (available here). It covers the financial sector.
Who Does the GLBA Apply to?
The GLBA covers “financial institutions,” but this definition is broader than you might expect.
The FTC defines a “financial institution” as any business that is “significantly engaged in providing financial products or services.”
So, alongside banks and investment firms, the GLBA covers the following types of businesses:
- Check-cashing businesses
- Payday and other non-bank lenders
- Mortgage brokers
- Real estate appraisers
- Professional tax preparers
- Certain courier services
What Are the Main Requirements Under the GLBA?
One of the chief obligations under the GLBA is to develop a written security program explaining how your business safeguards consumer information.
When it comes to creating a security program, GLBA’s requirements are fairly flexible, and include:
- Designating an employee to oversee the program,
- Identifying risks in each area of operation, and assessing the security safeguards relevant to that area,
- Adjusting the program in light of relevant risk factors and technological developments.
While the GLBA’s security program requirement leaves plenty of room for maneuver, covered businesses would be expected to implement basic cybersecurity protections such as the encryption of consumer information and company-wide installation of security software, including data loss prevention solutions.
GLBA violations incur particularly heavy penalties, including fines of up to $100,000 per violation and/or up to five years in prison. But that isn’t deterring professionals working in Financial Services from mishandling data. According to Tessian research, the majority of employees have accidentally or intentionally exfiltrated data.
How can I stay compliant?