Q&A: the data protection legal framework in USA

Regulation and the regulatory authority

Legislative framework

Summarise the legislative framework for the safety of own data (PI). Does your jurisdiction have a committed knowledge protection regulation? Is the data protection law in your jurisdiction based on any global devices or legal guidelines of other jurisdictions on privacy or info security?

The US’s legislative framework for the protection of PI traditionally has resembled a patchwork quilt. Contrary to other jurisdictions, the United States does not have a single devoted facts protection regulation at the federal stage, but in its place regulates privacy generally by marketplace, on a sector-by-sector foundation. There are various resources of privateness regulation in the United States, which includes laws and rules made at both equally the federal and point out degrees. These rules and laws may possibly be enforced by federal and condition authorities, and many present folks with a non-public proper to bring lawsuits towards organisations they believe that are violating the legislation. Beginning in 2018, improved legislative action at the state stage signalled a shift in aim towards much more broad-dependent purchaser privateness laws in the United States. California grew to become the to start with state to enact these legislation with the passage of the California Purchaser Privateness Act (CCPA), as later amended by the California Privateness Rights Act (CPRA), a broad privacy law encouraged in section by the Normal Information Security Regulation (GDPR) in the European Union that is aimed at guarding the individual facts of people across industries. Considering that then, 4 other states have passed comparable wide-based customer privacy legislation, all of which just take result in 2023. These new laws are the Connecticut Details Privateness Act, the Colorado Privateness Act, the Utah Client Privateness Act and the Virginia Shopper Facts Defense Act. In addition, as indicated over, the CCPA has been appreciably amended and expanded on by the passage of the CPRA (collectively the CCPA/CPRA), which takes outcome 1 January 2023. Several other states have proposed likewise broad privateness laws, although various thorough privacy payments have been released at the federal level in the US Congress.

Information security authority

Which authority is accountable for overseeing the knowledge safety regulation? What is the extent of its investigative powers?

There is no single regulatory authority focused to overseeing details protection law in the United States. At the federal degree, the regulatory authority liable for oversight relies upon on the law or regulation in question. In the money services context, for instance, the Shopper Fiscal Security Bureau and various economic solutions regulators (as properly as condition insurance regulators) have adopted standards below the Gramm-Leach-Bliley Act (GLB) that dictate how corporations subject matter to their regulation may perhaps acquire, use and disclose non-community personal information. In the same way, in the healthcare context, the Section of Health and fitness and Human Providers is dependable for enforcement of the Overall health Insurance policies Portability and Accountability Act of 1996 (HIPAA).

Outside the house of the controlled industries context, the Federal Trade Commission (FTC) is the most important federal privateness regulator in the United States. Section 5 of the FTC Act, which is a common customer protection legislation that prohibits ‘unfair or deceptive acts or practices in or influencing commerce’, is the FTC’s main enforcement resource in the privacy arena. The FTC has utilized its authority below part 5 to deliver several privacy enforcement steps for a vast selection of alleged violations by entities whose details tactics have been considered ‘deceptive’ or ‘unfair’. Although segment 5 does not give the FTC fining authority, it does empower it to provide enforcement actions in opposition to alleged violators, and these enforcement actions generally have resulted in consent decrees that prohibit the company from upcoming misconduct and typically call for audits biennially for up to 20 yrs. Underneath segment 5, the FTC can fine companies that have violated a consent get.

At the state degree, lawyers common can also deliver enforcement steps for unfair or deceptive trade tactics, or to implement violations of certain point out privateness rules. The lawyers standard in Connecticut, Colorado, Utah and Virginia are empowered to implement violations of the respective privacy legal guidelines in these states. The California legal professional normal was empowered to enforce violations of the CCPA. The CPRA, which amended and expanded on the CCPA, founded the California Privateness Security Agency (CPPA), a new regulatory body responsible for implementing and implementing the CCPA/CPRA and imposing administrative fines for violations when the CPRA usually takes influence on 1 January 2023.

Apart from complete state privateness legal guidelines explained previously mentioned, which do not have a non-public appropriate of action (besides for California, where by the non-public correct of motion is minimal to sure actions linked to info breaches), some other condition privateness rules let affected men and women to provide lawsuits to enforce violations of the law.

Cooperation with other info security authorities

Are there lawful obligations on the data protection authority to cooperate with other knowledge safety authorities, or is there a system to solve diverse approaches?

There are no restrictions or constructions that call for the several federal and point out facts safety authorities to cooperate with a single a further. In the event of a knowledge breach, however, lots of state lawyers common set up multistate activity forces to pool methods, look into the corporations that skilled the breach, and get to a settlement or collectively litigate from the firm. The resolutions often need organizations to increase their data stability programmes and get 3rd-social gathering assessments of their programmes.

Breaches of facts defense legislation

Can breaches of facts protection law guide to administrative sanctions or orders, or legal penalties? How would such breaches be managed?

In standard, violations of federal and point out privacy rules guide to civil, not prison, penalties. The major exceptions are the rules directed at surveillance pursuits and computer system crimes. Violations of the federal Electronic Communications Privacy Act (which is composed of the Wiretap Act, the Stored Communications Act and the Pen Sign up Act) or the Computer Fraud and Abuse Act can direct to criminal sanctions and civil liability. Also, many states have enacted surveillance legislation that contain prison sanctions, in addition to civil liability, for violations.

Exterior of the surveillance context, the US Section of Justice is authorised to criminally prosecute really serious HIPAA violations. In conditions where by an particular person knowingly violates constraints on acquiring and disclosing lawfully cognisable wellness information and facts, the Department of Justice may possibly pursue felony sanctions.


Exempt sectors and institutions

Does the details safety legislation include all sectors and types of organisation or are some parts of exercise outside its scope?

There is no one regulatory authority focused to overseeing info safety regulation in the United States. At the federal degree, distinctive privacy needs utilize to distinct market sectors and data processing actions. These regulations usually are narrowly personalized and address unique data employs. For these entities not issue to industry distinct regulatory authority, the Federal Trade Fee (FTC) has wide enforcement authority at the federal level, and attorneys basic at the state degree, to provide enforcement action for unfair or misleading trade procedures in the privacy context. The detailed condition privateness legal guidelines in California, Connecticut, Colorado, Utah and Virginia are broadly applicable but contain varying exemptions for specific types of details or selected business sectors (this sort of as money establishments matter to the Gramm-Leach-Bliley Act or included entities issue to the Well being Insurance plan Portability and Accountability Act of 1996). 

Interception of communications and surveillance guidelines

Does the info protection legislation protect interception of communications, electronic advertising and marketing or checking and surveillance of individuals?

Interception of communications is regulated generally at the federal degree by the Digital Communications Privacy Act, which is composed of the Wiretap Act, the Stored Communications Act and the Pen Register Act. The federal Computer system Fraud and Abuse Act also prohibits selected surveillance things to do but is targeted primarily on proscribing other laptop-relevant routines pertaining to hacking and laptop or computer trespass. At the condition stage, most states have legislation that regulate the interception of communications.

There are only a handful of regulations that exclusively target the apply of digital advertising and the applicable legislation are unique to the advertising channel in concern. Industrial e-mail is regulated at the federal amount by the Controlling the Assault of Non-Solicited Pornography and Advertising Act of 2003 (CAN-SPAM). There are also point out guidelines regulating professional e mail, but these regulations are frequently pre-empted by CAN-SPAM. Telemarketing is controlled at the federal degree by the Telephone Customer Safety Act of 1991 (TCPA) and the Telemarketing and Buyer Fraud and Abuse Prevention Act, as effectively as regulations carried out by the FTC and the Federal Communications Fee (FCC). There are also point out laws regulating telemarketing routines. Textual content concept marketing is regulated principally by the TCPA and laws carried out by the FCC. Fax marketing and advertising is controlled by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state legal guidelines.

Other guidelines

Are there any more guidelines or restrictions that supply specific details defense principles for linked locations?

In addition to the legislation outlined previously, many other federal and point out rules handle privateness troubles, which include state info protection rules and guidelines that use to:

  • buyer report information and facts: Good Credit Reporting Act and the Reasonable and Precise Credit score Transactions Act of 2003
  • children’s details: Children’s On the internet Privacy Protection Act
  • driver’s data: Driver’s Privateness Security Act of 1994
  • online video rental records: Movie Privacy Defense Act and
  • federal federal government pursuits: Privacy Act of 1974.


The Cybersecurity Data Sharing Act (CISA) authorises entities to have interaction in specified cybersecurity monitoring, defence methods and facts-sharing actions for functions of defending in opposition to cybersecurity threats. To enable organizations protected their info and units, CISA offers firms with specified legal responsibility protections in connection with monitoring facts units for cybersecurity reasons, applying cybersecurity defensive actions, and sharing cyber intelligence with other non-public entities and federal federal government businesses.

In 2018, the California legislature enacted the California Customer Privateness Act (CCPA), which became powerful on 1 January 2020. The CCPA was amended in 2020 by the passage of the California Privacy Rights Act (CPRA) (collectively the CCPA/CPRA). The CCPA/CPRA will go into influence 1 January 2023 and will apply to any for-financial gain enterprise that:

  • does organization in California
  • collects consumers’ private details (or on whose behalf this kind of information is gathered)
  • on your own, or jointly with other folks, decides the applications and implies of the processing of consumers’ own information and facts and
  • satisfies certain earnings thresholds or collects the individual info of 100,000 or additional consumers or homes.


Since then, 4 other states (Connecticut, Colorado, Utah and Virginia) have enacted comparable wide-centered purchaser privacy laws. Like the CCPA/CPRA, these legislation will utilize to particular organizations that perform enterprise in the respective states. Compared with the CCPA/CPRA, nevertheless, the four other detailed point out privateness guidelines have knowledge processing thresholds for applicability (eg, the small business will have to accumulate and method the private information of a specified variety of citizens of that state on an annual basis, these as 100,000 citizens every year in Virginia).

The CCPA/CPRA, the Connecticut Knowledge Privateness Act (CTDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA) and the Virginia Customer Info Defense Act (VCDPA) define ‘personal information’ broadly and contain provisions granting shoppers particular legal rights regarding their particular details. These new rules have aided set the phase for quite a few related proposed rules at present pending in various point out legislatures throughout the United States, as perfectly as a probable federal facts privacy legislation.

PI formats

What categories and sorts of PI are included by the law?

The United States does not have a committed information protection legislation. Thus, the definition of PI may differ depending on the fundamental legislation or regulation. In the point out stability breach notification regulation context, for illustration, the definition of PI commonly involves an individual’s name in addition his or her Social Protection selection, driver’s licence variety or money account amount. Some states broaden the definition of PI below the knowledge breach notification guidelines to incorporate factors these kinds of as health care information, insurance policies information, biometrics, electronic mail addresses and passwords to online accounts. In other contexts, these as FTC enforcement steps, the Gramm-Leach-Bliley Act or the Well being Insurance policy Portability and Accountability Act of 1996, the definition of PI is significantly broader. Although selected legal guidelines use only to electronic PI, a lot of include PI in any medium, together with tricky-copy information.

The CCPA/CPRA has a wide definition of PI that contains any ‘information that identifies, relates to, describes, is moderately capable of currently being affiliated with or could reasonably be connected, directly or indirectly, with a specific shopper or household’. The CTDPA, CPA, UCPA and VCDPA likewise contain a wide definition of PI that incorporates any ‘information that is joined or reasonably linkable’ to ‘an recognized or identifiable individual’ or ‘identified or identifiable purely natural person’.


Is the attain of the regulation confined to PI entrepreneurs and processors physically founded or operating in your jurisdiction, or does the regulation have extraterritorial influence?

As a common subject, the access of US privateness guidelines is limited to organisations that are topic to the jurisdiction of US courts as constrained by constitutional owing procedure criteria. Determinations about this sort of jurisdiction are extremely truth-particular and depend on the particulars of an organisation’s contacts with the United States.

Protected takes advantage of of PI

Is all processing or use of PI lined? Is a distinction manufactured among those people who handle or personal PI and individuals who offer PI processing companies to entrepreneurs? Do owners’, controllers’ and processors’ obligations vary?

Frequently, US privateness rules utilize to all processing of PI. Right until a short while ago, with the passage of the CTDPA, CPA, UCPA and VCDPA, there have been no formal designations of ‘controllers’ and ‘processors’ beneath US legislation as there are in the guidelines of other jurisdictions. That becoming mentioned, there are particular laws that set forth different obligations based on regardless of whether an organisation would be viewed as a data owner or a service supplier. The most notable instance of this difference is located in the US state breach notification legal guidelines. Pursuant to these rules, it is commonly the scenario that the proprietor of the PI is responsible for notifying afflicted persons of a breach, while a company supplier is liable for informing the facts operator that it has endured a breach influencing the data owner’s knowledge. Once a information proprietor has been notified of a breach by a company provider, the knowledge proprietor, not the services provider, then must notify afflicted men and women.

The CCPA/CPRA has adopted a idea rather comparable to the controller notion below the EU Basic Facts Protection Regulation (GDPR), in that companies right topic to the law are defined to necessarily mean those entities who decide the reasons and signifies of the processing of consumers’ personalized details. The CTDPA, CPA, UCPA and VCDPA, also impressed in component by the GDPR, exclusively use the conditions ‘controllers’ and ‘processors’ to distinguish who controls or decides the purposes and indicates of the processing of PI and who offers PI processing solutions to people that command these PI. 

Legislation said day

Correct on

Give the date on which the facts previously mentioned is precise.

16 May possibly 2022.

You May Also Like

About the Author: AKDSEO