Jacqueline W. Cooney: U.S. Privacy Laws – An Overview for Non-U.S. Companies
By Jacqueline W. Cooney, Partner, Arnall Golden Gregory
After years of criticism regarding U.S. data protection practices, many U.S. states and federal agencies have taken aggressive steps toward greater (and more complex) consumer privacy statutes and regulations. Of particular note are the more than a dozen states that have enacted comprehensive privacy statutes, as well as two that have enacted laws specifically to protect health data in recent years.
Until a few years ago with the passage of the California Consumer Privacy Act (CCPA), privacy laws in the U.S. were largely the province of the federal government. Federal sectoral laws such as the Health Insurance Portability and Accountability Act (HIPAA), which protects certain types of health data, the Fair Credit Reporting Act (FCRA), which protects credit report and other background check information, the Children’s Online Privacy Protection Act (COPPA), which protects personal information collected online from children under 13, and Gramm-Leach-Bliley, which protects consumer financial data, were among the primary privacy statutes and regulations in the U.S.
Now, the new state laws and increased regulation by federal agencies, such as the Federal Trade Commission (FTC) and the Securities and Exchange Commission, are bellwethers for more strident steps that will continue to be taken in the U.S. to protect personal data.
For companies outside of the U.S. who want to do business here, what does that mean for their privacy compliance programs?
Depending on the types of personal data collected and processed in the U.S. and where in the U.S. an organization is doing business, it’s important to keep in mind the following:
GDPR Compliance is Not the Only Consideration
Many U.S. states have adopted provisions similar to the EU General Data Protection Regulation (GDPR), providing consumers with specific rights related to their data. It is no longer possible for companies to simply comply with GDPR for their global programs – they will need to take a deeper look at how U.S. laws apply to them. While there are many similarities between the new state laws and GDPR, there are also important differences, including issues such as notice content requirements, mechanisms for data subjects to exercise choices, contracting requirements, and restrictions on the sale and sharing of personal data.
U.S. State Laws May Apply to You
There are some similarities among the U.S. state laws, but each has nuances that make it difficult for any company to take a “one-size-fits-all” approach to compliance. For instance, some states have opt-in requirements for the collection of sensitive data, while others have an opt-out, and some only regulate the processing of health-related data. We anticipate that more states will follow suit in the years ahead, creating an even more complex patchwork of requirements for privacy notices, third-party contracts, consents, restrictions on sensitive data, consumer rights requests, cookie practices, privacy assessments, and other privacy program requirements.
It is important to note that many states have had other, more targeted and sectoral privacy-related laws on their books for many years, including those that govern the collection and use of biometric data, such as those in Illinois, Texas, and Washington. Many other states (and the federal government) have wiretap laws that have long-reaching effects on how video and teleconference calls can be recorded. Additional state laws in various states regulate other types of data and practices, for example: website privacy policies, data security and data breach notification requirements, children’s data, employee data, telephone numbers, text messaging, driver’s license numbers, and social security numbers.
Federal Privacy Laws May Apply to You
As noted, HIPAA, the FCRA, COPPA, and Gramm-Leach-Bliley are key federal laws that regulate how certain data can be processed in the U.S. The FTC likewise has a long history of regulating and enforcing consumer privacy laws under Section 5 of the FTC Act, which prohibits unfair and deceptive trade practices. The FTC is also tasked (along with the Federal Communications Commission) with regulation and enforcement of privacy-related laws such as the Telephone Consumer Protection Act, which governs how companies may communicate via phone and text messages, and the rules governing commercial email marketing.
U.S. State Data Breach Laws Are Not Uniform
In addition to the myriad sectoral and comprehensive privacy laws, all 50 U.S. states plus the District of Columbia, Guam, the U.S. Virgin Islands, and Puerto Rico have their own data breach notification laws. Many of those laws have similar triggers for notifying consumers and attorneys general. However, there are enough differences between the states that an analysis of each individual state’s law must be undertaken when a breach occurs. Companies may be liable in different ways and have to comply with different notification standards per state if a breach affects individuals in multiple jurisdictions.
About the author: Jacqueline W. Cooney is a partner with Arnall Golden Gregory.