Data privacy is complex and constantly evolving. It is an area that businesses need to take very seriously and ensure that they are informed, proactive, and compliant. One of the factors that makes data privacy so challenging is that in the United States, there is not a specific, comprehensive federal law or department that governs the regulation of data; rather, there are a series of laws, some at the state level, others at the federal level, that create the legal and compliance framework businesses must follow.
For many businesses, data is an extremely valuable asset. The collection, sharing, storage, and use of data plays an important role for many business models and operations. However, with this asset comes great responsibility. Companies that collect and acquire data from the public need to understand the importance of properly handling data, which includes consent, notice and regulatory obligations and duties.
At the federal level, two of the biggest and most obvious areas where there are data privacy regulatory requirements are in healthcare and financial services. The Health Insurance Portability and Accountability Act (HIPAA) provides requirements that businesses and healthcare professionals must follow when they come into contact with personally identifiable medical information. The Gramm-Leach-Bliley Act (GLBA) provides requirements to financial institutions and companies offering financial services, such as banks, securities firms, investment firms, and insurance companies.
Other noteworthy federal statutes that regulate data privacy include: the Telephone Consumer Protection Act (TCPA), which relates to telemarketing phone calls and text messages; the Electronic Communications Privacy Act (ECPA), which relates to improper access to and interception of electronic communications such as emails; the Fair Credit Reporting Act (FCRA), which regulates how businesses can use and disclose credit information; the Computer Fraud and Abuse Act (CFAA), which prohibits computer hacking; and the Federal Trade Commission Act (FTC Act), which protects against unfair and deceptive business practices, including the failure to properly protect sensitive and private customer data.
Various states have laws governing how companies must inform the public of their data collection methods and how data is shared with third parties. For example, in 2020, California will institute its California Consumer Privacy Act (CCPA), which will grant California residents the following rights: (1) Transparency, which will require websites to disclose (either in response to consumer requests or through privacy policies) what personal information is collected and how it is used; (2) Opt-Out, the right to prevent companies from selling a person's personal data and information to third parties; (3) Right To Be Forgotten, the right to have all personal information deleted from company databases; and (4) No Penalties For Privacy, the right to receive equal and fair services from companies when a person exercises their privacy rights.
And of course, there are international data protection and security regulations that businesses have to be familiar with and prepared to comply with. For example, the General Data Protection Regulation (GDPR), enacted in May 2018 by the EU, is a sweeping privacy regulation, which can impose significant financial repercussions for violations by American companies. For more on the GDPR, please visit:
Non-compliance with privacy regulations and breaches of data security can result in a number of consequences, such as investigations from state attorneys general offices; investigations from federal agencies such as the FTC; class action lawsuits; and private lawsuits consisting of claims such as breach of contract, negligence, fraud, or violations of consumer protection statutes. As such, all businesses, whether established corporations, small businesses, or emerging companies, should recognize that there is a wide range of data privacy regulations and rules from federal, state, and international agencies, and that it is extremely important to prioritize data privacy and data security obligations.