When it comes to privacy and data security, the United States has a less strict regulatory environment than many other major economies, such as the European Union.
However, several states have passed laws in recent years that impose significant requirements on businesses handling the personal information of US residents. There are also some tough sector-specific federal privacy laws that you might not realize you need to comply with.
This guide will help you understand:
Let’s start with state laws.
While these are “US state privacy laws”, they actually apply to businesses around the world. Why? Because it doesn’t matter where your business is located, it matters whose personal information you’re handling. We’ll give examples below, with a focus on the three broadest and strictest US state privacy laws.
The California Consumer Privacy Act (CCPA) came into full force in 2020 and is California’s state law that many people are (justifiably) comparing to the European Union’s world-leading General Data Protection Regulation (GDPR).
If you’re interested, you can read the full text here.
Although the CCPA was written with big tech companies in mind, it affects businesses across sectors.
The CCPA covers any business handling the personal information of California residents (regardless of whether the business has any physical presence in the state) that meets one of the following three thresholds:
Note that, due to the CCPA’s broad definition of “personal information” — and of what constitutes “selling” personal information — a company may fall under threshold “B” if:
The CCPA’s main obligations include:
Violating any part of the CCPA can lead to civil penalties of:
Data breaches caused by a failure to implement reasonable security procedures can be particularly heavily penalized under the CCPA’s private right of action, with statutory damages of $100 to $750 per consumer, per incident (or actual damages, if greater).
Failing to implement proper data security practices could, therefore, lead to class action lawsuits in the billions of dollars, depending on the severity and extent of the breach. That’s why it’s so important that organizations level up their cybersecurity.
The New York Stop Hacks and Improve Electronic Data Security Act (NY SHIELD Act) is a New York State Act that came into full force in 2020. Again, if you want to read the full text, you can find it here. In a sentence, it’s a data breach notification law that imposes data security standards on covered businesses.
The NY SHIELD Act applies to “any person or business that owns or licenses computerized data which includes private information of a resident of New York.”
This includes businesses with no physical presence in the state.
So, what’s “private information”? The Act’s definition is complex, but, broadly, it includes:
It’s important to note that you probably already hold these data points, even if you don’t think of your business as handling sensitive data. Just look at your mailing list.
The NY SHIELD Act consists of two parts:
Violating the SHIELD Act’s data breach notification requirements can lead to a civil penalty of up to $250,000.
The Oregon Consumer Information Protection Act (OCIPA) (previously the Oregon Consumer Identity Theft Protection Act) is an Oregon state law that received significant amendments in 2019 (available here). It is a data breach notification law that imposes data security standards on covered businesses.
OCIPA applies to “any person that owns, maintains or otherwise possesses” the personal information of Oregon residents.
OCIPA defines “personal information” in much the same way as the NY SHIELD Act, with two additional types of information included:
This means that those working in healthcare have to be especially careful. You can read more about the frequency of data loss incidents in this specific sector in our blog: Data Loss Prevention in Healthcare.
Like the NY SHIELD Act, OCIPA requires businesses to implement a “data security program” to maintain administrative, technical, and physical safeguards over the personal information they possess.
An OCIPA data security program must include measures such as:
Any data breach must be reported to the individuals affected “without unreasonable delay, but not later than 45 days” after discovering the breach. If the breach affects 250 or more Oregon residents, it must be reported to the Oregon Department of Justice.
The maximum fine for failing to properly report a breach is $25,000 per violation.
Next up: three of the most important US federal privacy laws. These are sector-specific, but they each apply more broadly than you might expect.
The Children’s Online Privacy Protection Act (COPPA) is a federal law first passed in 1998 that governs the online collection of personal information from children under 13. You can read the full text here, but we’ve answered key questions below.
COPPA applies to anyone who operates a commercial website, online service, or mobile app that is:
While we can’t write an extensive list of all the different websites, services, or apps that meet these requirements, think of brands like Disney, Hasbro, and Mattel. Importantly, COPPA applies to non-US companies and content creators using platforms such as YouTube and TikTok.
Personalized advertising is a big target of COPPA enforcement. IP addresses and device IDs qualify as “personal information” under the Act. Most websites and apps collect this type of information.
Under COPPA, businesses are required to:
Violating COPPA can lead to fines of up to $43,280 per violation. In 2019, Google and YouTube settled an alleged COPPA violation with the FTC for $170 million.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law first passed in 1996. As the name suggests, it covers the healthcare sector.
HIPAA applies to “covered entities,” including:
Covered entities process “protected health information” (PHI), meaning individually identifiable health information. HIPAA’s de-identification standard lists 18 identifiers that can make health information PHI, including:
While “covered entities” deal directly with health information, HIPAA also applies to subcontractors of covered entities that require access to PHI. Such subcontractors are known as “business associates.”
Some common types of companies that act as “business associates” include:
HIPAA places strict obligations on how covered entities and business associates process PHI, with rules covering:
Remember that privacy and security threats can come from outside or inside your organization.
In 2017, the Department of Health and Human Services (HHS) settled an investigation with a HIPAA covered entity for $5.5 million after a trusted employee leaked the PHI of 80,000 individuals. You can read more about incidents involving Insider Threats (including two instances involving the NHS) in this blog: Insider Threat Types and Real-World Examples.
Penalties under HIPAA can range from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.
The Gramm-Leach-Bliley Act (GLBA) is a federal law first passed in 1999 (available here). It covers the financial sector.
The GLBA covers “financial institutions,” but this definition is broader than you might expect.
The FTC defines a “financial institution” as any business that is “significantly engaged in providing financial products or services.”
So, alongside banks and investment firms, the GLBA covers the following types of businesses:
One of the chief obligations under the GLBA is to develop a written security program explaining how your business safeguards consumer information.
When it comes to creating a security program, GLBA’s requirements are fairly flexible, and include:
While the GLBA’s security program requirement leaves plenty of room for maneuver, covered businesses would be expected to implement basic cybersecurity protections such as the encryption of consumer information and company-wide installation of security software, including data loss prevention solutions.
GLBA violations incur particularly heavy penalties, including fines of up to $100,000 per violation and/or up to five years in prison. But, that isn’t deterring professionals working in Financial Services from mishandling data. According to Tessian research, the majority of employees have accidentally or intentionally exfiltrated data.
While every data privacy law is slightly different, each is consistent in saying that businesses must implement and maintain a cybersecurity program.
Tessian helps organizations across sectors stay compliant by protecting data on email.
Powered by machine learning, our Human Layer Security technology understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity.
Learn more by booking a demo. Or, you can read through our customer stories, including those operating in Healthcare and Financial Services.