This guide surveys the U.S. privacy law ecosystem to help you understand the rights of individuals and the obligations of businesses.
The United States has a patchwork and ever-changing web of laws governing data privacy. While there is no comprehensive federal privacy statute, several laws focus on specific data types or specific privacy situations.
Without a single holistic statute, it can be unclear which protections apply to the various types of personal information that companies handle. Despite the lack of a comprehensive privacy framework, organizations that process or store personal data are still responsible for keeping up with the latest regulations to ensure compliance.
This guide describes the major U.S. privacy laws and notes some recent updates and changes.
Online communication is harder to govern than older channels such as physical mail, and that gap can leave individuals exposed to invasions of privacy.
The internet has transformed how people live and work, providing unprecedented access to information and communication. Along with this connectivity come new risks to privacy. Much of daily life now happens online, leaving a digital trail of personal data that unscrupulous businesses or individuals can exploit.
Data privacy laws govern the collection, use, and disclosure of personal data and set standards for how businesses must handle sensitive data. At the federal level, the Federal Trade Commission (FTC) is the principal enforcer, acting mainly under its Section 5 authority over unfair or deceptive practices, and in recent years it has brought several enforcement actions against companies that misled consumers about their data security and privacy practices.
For example, in 2012 the FTC reached a settlement with Google after accusing the company of misrepresenting its privacy practices to users. Under the settlement, Google agreed to pay a $22.5 million civil penalty and change its practices. The FTC opened an investigation into Facebook in 2018 over the company's deceptive claims about users' ability to control the visibility of their personal information; that action ended in a 2019 settlement in which Facebook agreed to pay a $5 billion penalty and make significant changes to its privacy program.
These cases show that the FTC is willing to act against companies that violate consumer privacy protections, and they signal how future enforcement is likely to proceed. As more of people's lives move online, strong laws must be in place to protect data from exploitation.
Two of the most influential data protection laws are the EU's General Data Protection Regulation (GDPR), which took effect in May 2018, and the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020.
Both set strict standards for how organizations must handle personal data, including requiring transparency about what is collected and why, and requiring reasonable security for that data. They differ on consent: GDPR treats consent as one of several lawful bases for processing, while CCPA relies mainly on notice and opt-out rights rather than up-front consent. Both give individuals the right to know what personal data is collected about them, to access it, and to request its deletion.
The main difference between the two is scope. GDPR applies to any organization established in the EU and to any organization anywhere in the world that offers goods or services to, or monitors the behavior of, people in the EU, whether or not they are customers. It covers all personal data, not only sensitive categories, and it has no revenue or processing-volume thresholds.
CCPA covers for-profit businesses that do business in California and meet at least one of three thresholds: annual gross revenue above $25 million; buying, selling, or sharing the personal information of 50,000 or more California consumers, households, or devices (raised to 100,000 consumers or households by the CPRA amendments that took effect in 2023); or deriving 50 percent or more of annual revenue from selling consumers' personal information.
These differences give GDPR a much broader reach than CCPA. Enforcement also differs: GDPR authorizes regulators to impose heavy administrative fines on organizations that violate its provisions, whereas CCPA is enforced primarily by the state through civil penalties and gives California residents a private right to sue only for certain data breaches caused by a business's failure to maintain reasonable security.
Finally, GDPR requires many organizations to appoint a data protection officer (public authorities, and organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data), while CCPA has no such requirement. Both are strong data protection laws that give individuals robust rights, but GDPR's applicability extends well beyond its own borders, making it one of the most far-reaching data protection regimes today.
Organizations should consult legal counsel and carefully determine which laws apply to them, then ensure compliance with each applicable requirement.
Generally speaking, privacy laws fall into two categories: vertical and horizontal. Vertical (sector-specific) laws regulate a particular industry or data type, such as medical records or financial data, including details about an individual's health or financial status; HIPAA and the Gramm-Leach-Bliley Act are the federal examples.
Horizontal laws apply across sectors and focus on how organizations collect and use personal information regardless of its context. The data they cover includes biometric identifiers such as fingerprints and retina scans, along with other personally identifiable information such as names and addresses. The CCPA is an example of a horizontal law.