Law and the regulatory authority
Summarise the legislative framework for the protection of personal information (PI). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments or laws of other jurisdictions on privacy or data protection?
The US’s legislative framework for the protection of PI historically has resembled a patchwork quilt. Unlike other jurisdictions, the United States does not have a single dedicated data protection law at the federal level, but instead regulates privacy primarily by industry, on a sector-by-sector basis. There are numerous sources of privacy law in the United States, including laws and regulations developed at both the federal and state levels. These laws and regulations may be enforced by federal and state authorities, and many provide individuals with a private right to bring lawsuits against organisations they believe are violating the law. Starting in 2018, increased legislative activity at the state level signalled a shift in focus towards more broad-based consumer privacy legislation in the United States. California became the first state to enact such legislation with the passage of the California Consumer Privacy Act (CCPA), as later amended by the California Privacy Rights Act (CPRA), a broad privacy law inspired in part by the General Data Protection Regulation (GDPR) in the European Union that is aimed at protecting the personal information of consumers across industries. Since then, four other states have passed similar broad-based consumer privacy laws, all of which take effect in 2023. These new laws are the Connecticut Data Privacy Act, the Colorado Privacy Act, the Utah Consumer Privacy Act and the Virginia Consumer Data Protection Act. Moreover, as indicated above, the CCPA has been significantly amended and expanded upon by the passage of the CPRA (collectively the CCPA/CPRA), which takes effect 1 January 2023. Numerous other states have proposed similarly broad privacy legislation, while multiple comprehensive privacy bills have been introduced at the federal level in the US Congress.
Data protection authority
Which authority is responsible for overseeing the data protection law? What is the extent of its investigative powers?
There is no single regulatory authority dedicated to overseeing data protection law in the United States. At the federal level, the regulatory authority responsible for oversight depends on the law or regulation in question. In the financial services context, for example, the Consumer Financial Protection Bureau and various financial services regulators (as well as state insurance regulators) have adopted standards under the Gramm-Leach-Bliley Act (GLB) that dictate how firms subject to their regulation may collect, use and disclose non-public personal information. Similarly, in the healthcare context, the Department of Health and Human Services is responsible for enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Outside of the regulated industries context, the Federal Trade Commission (FTC) is the primary federal privacy regulator in the United States. Section 5 of the FTC Act, which is a general consumer protection law that prohibits ‘unfair or deceptive acts or practices in or affecting commerce’, is the FTC’s primary enforcement tool in the privacy arena. The FTC has used its authority under section 5 to bring numerous privacy enforcement actions for a wide range of alleged violations by entities whose information practices have been deemed ‘deceptive’ or ‘unfair’. Although section 5 does not give the FTC fining authority, it does enable it to bring enforcement actions against alleged violators, and these enforcement actions typically have resulted in consent decrees that prohibit the company from future misconduct and often require audits biennially for up to 20 years. Under section 5, the FTC can fine businesses that have violated a consent order.
At the state level, attorneys general can also bring enforcement actions for unfair or deceptive trade practices, or to enforce violations of specific state privacy laws. The attorneys general in Connecticut, Colorado, Utah and Virginia are empowered to enforce violations of the respective privacy laws in those states. The California attorney general was empowered to enforce violations of the CCPA. The CPRA, which amended and expanded upon the CCPA, established the California Privacy Protection Agency (CPPA), a new regulatory body responsible for enforcing and implementing the CCPA/CPRA and imposing administrative fines for violations when the CPRA takes effect on 1 January 2023.
Apart from comprehensive state privacy laws described above, which do not contain a private right of action (except for California, where the private right of action is limited to certain actions related to data breaches), some other state privacy laws allow affected individuals to bring lawsuits to enforce violations of the law.
Cooperation with other data protection authorities
Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?
There are no regulations or structures that require the various federal and state data protection authorities to cooperate with one another. In the event of a data breach, however, many state attorneys general set up multistate task forces to pool resources, investigate the companies that experienced the breach, and reach a settlement or collectively litigate against the company. The resolutions often require companies to improve their information security programmes and obtain third-party assessments of their programmes.
Breaches of data protection law
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
In general, violations of federal and state privacy laws lead to civil, not criminal, penalties. The main exceptions are the laws directed at surveillance activities and computer crimes. Violations of the federal Electronic Communications Privacy Act (which is composed of the Wiretap Act, the Stored Communications Act and the Pen Register Act) or the Computer Fraud and Abuse Act can lead to criminal sanctions and civil liability. Also, many states have enacted surveillance laws that include criminal sanctions, in addition to civil liability, for violations.
Outside of the surveillance context, the US Department of Justice is authorised to criminally prosecute serious HIPAA violations. In circumstances where an individual knowingly violates restrictions on obtaining and disclosing legally cognisable health information, the Department of Justice may pursue criminal sanctions.
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
There is no single regulatory authority dedicated to overseeing data protection law in the United States. At the federal level, different privacy requirements apply to different industry sectors and data processing activities. These laws often are narrowly tailored and address specific data uses. For those entities not subject to industry specific regulatory authority, the Federal Trade Commission (FTC) has broad enforcement authority at the federal level, and attorneys general at the state level, to bring enforcement action for unfair or deceptive trade practices in the privacy context. The comprehensive state privacy laws in California, Connecticut, Colorado, Utah and Virginia are broadly applicable but include varying exemptions for particular types of data or certain industry sectors (such as financial institutions subject to the Gramm-Leach-Bliley Act or covered entities subject to the Health Insurance Portability and Accountability Act of 1996).
Interception of communications and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals?
Interception of communications is regulated primarily at the federal level by the Electronic Communications Privacy Act, which is composed of the Wiretap Act, the Stored Communications Act and the Pen Register Act. The federal Computer Fraud and Abuse Act also prohibits certain surveillance activities but is focused primarily on restricting other computer-related activities pertaining to hacking and computer trespass. At the state level, most states have laws that regulate the interception of communications.
There are only a handful of laws that specifically target the practice of electronic marketing and the relevant laws are specific to the marketing channel in question. Commercial email is regulated at the federal level by the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM). There are also state laws regulating commercial email, but these laws are generally pre-empted by CAN-SPAM. Telemarketing is regulated at the federal level by the Telephone Consumer Protection Act of 1991 (TCPA) and the Telemarketing and Consumer Fraud and Abuse Prevention Act, as well as regulations implemented by the FTC and the Federal Communications Commission (FCC). There are also state laws regulating telemarketing activities. Text message marketing is regulated primarily by the TCPA and regulations implemented by the FCC. Fax marketing is regulated by the TCPA, as amended by the Junk Fax Prevention Act of 2005, and state laws.
Are there any further laws or regulations that provide specific data protection rules for related areas?
In addition to the laws mentioned earlier, numerous other federal and state laws address privacy issues, including state information security laws and laws that apply to:
- consumer report information: Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act of 2003;
- children’s information: Children’s Online Privacy Protection Act;
- driver’s information: Driver’s Privacy Protection Act of 1994;
- video rental records: Video Privacy Protection Act; and
- federal government activities: Privacy Act of 1974.
The Cybersecurity Information Sharing Act (CISA) authorises entities to engage in certain cybersecurity monitoring, defence practices and information-sharing activities for purposes of protecting against cybersecurity threats. To help companies secure their information and systems, CISA provides businesses with certain liability protections in connection with monitoring information systems for cybersecurity purposes, implementing cybersecurity defensive measures, and sharing cyber intelligence with other private entities and federal government agencies.
In 2018, the California legislature enacted the California Consumer Privacy Act (CCPA), which became effective on 1 January 2020. The CCPA was amended in 2020 by the passage of the California Privacy Rights Act (CPRA) (collectively the CCPA/CPRA). The CCPA/CPRA will go into effect 1 January 2023 and will apply to any for-profit business that:
- does business in California;
- collects consumers’ personal information (or on whose behalf such information is collected);
- alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information; and
- satisfies certain revenue thresholds or collects the personal information of 100,000 or more consumers or households.
Since then, four other states (Connecticut, Colorado, Utah and Virginia) have enacted similar broad-based consumer privacy laws. Like the CCPA/CPRA, these laws will apply to certain businesses that conduct business in the respective states. Unlike the CCPA/CPRA, however, the four other comprehensive state privacy laws have data processing thresholds for applicability (eg, the business must collect and process the personal information of a certain number of residents of that state on an annual basis, such as 100,000 residents annually in Virginia).
The CCPA/CPRA, the Connecticut Data Privacy Act (CTDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA) and the Virginia Consumer Data Protection Act (VCDPA) define ‘personal information’ broadly and contain provisions granting consumers certain rights concerning their personal information. These new laws have helped set the stage for several similar proposed laws currently pending in various state legislatures across the United States, as well as a possible federal data privacy law.
What categories and types of PI are covered by the law?
The United States does not have a dedicated data protection law. Thus, the definition of PI varies depending on the underlying law or regulation. In the state security breach notification law context, for example, the definition of PI generally includes an individual’s name plus his or her Social Security number, driver’s licence number or financial account number. Some states broaden the definition of PI under the data breach notification laws to include elements such as medical information, insurance information, biometrics, email addresses and passwords to online accounts. In other contexts, such as FTC enforcement actions, the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996, the definition of PI is much broader. Although certain laws apply only to electronic PI, many cover PI in any medium, including hard-copy records.
The CCPA/CPRA contains a broad definition of PI that includes any ‘information that identifies, relates to, describes, is reasonably capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household’. The CTDPA, CPA, UCPA and VCDPA similarly contain a broad definition of PI that includes any ‘information that is linked or reasonably linkable’ to ‘an identified or identifiable individual’ or ‘identified or identifiable natural person’.
Is the reach of the law limited to PI owners and processors physically established or operating in your jurisdiction, or does the law have extraterritorial effect?
As a general matter, the reach of US privacy laws is limited to organisations that are subject to the jurisdiction of US courts as constrained by constitutional due process considerations. Determinations regarding such jurisdiction are highly fact-specific and depend on the details of an organisation’s contacts with the United States.
Covered uses of PI
Is all processing or use of PI covered? Is a distinction made between those who control or own PI and those who provide PI processing services to owners? Do owners’, controllers’ and processors’ duties differ?
Generally, US privacy laws apply to all processing of PI. Until recently, with the passage of the CTDPA, CPA, UCPA and VCDPA, there have been no formal designations of ‘controllers’ and ‘processors’ under US law as there are in the laws of other jurisdictions. That being said, there are specific laws that set forth different obligations based on whether an organisation would be considered a data owner or a service provider. The most prominent example of this distinction is found in the US state breach notification laws. Pursuant to these laws, it is generally the case that the owner of the PI is responsible for notifying affected individuals of a breach, whereas a service provider is responsible for informing the data owner that it has suffered a breach affecting the data owner’s data. Once a data owner has been notified of a breach by a service provider, the data owner, not the service provider, then must notify affected individuals.
The CCPA/CPRA has adopted a concept quite similar to the controller concept under the EU General Data Protection Regulation (GDPR), in that businesses directly subject to the law are defined to mean those entities who determine the purposes and means of the processing of consumers’ personal information. The CTDPA, CPA, UCPA and VCDPA, also inspired in part by the GDPR, specifically use the terms ‘controllers’ and ‘processors’ to distinguish who controls or determines the purposes and means of the processing of PI and who provides PI processing services to those that control such PI.
Law stated date
Give the date on which the information above is accurate.
16 May 2022.