Safeguarding data in the US: A comprehensive overview of federal and state-level data protection legislation

Compliance with US data privacy regulations can turn into a real challenge for businesses due to the complex patchwork of federal and state laws. Given the importance of the matter, enterprises must stay up to date on the latest developments and implement tools and policies that help ensure adherence to applicable regulations. Especially because compliance breaches can result in significant legal and financial consequences, as well as reputational damage. 

In this article, we want to explore the current state, federal, and sector-specific laws, and regulations that protect US residents' personal data.

A primary legislation for data protection does not exist in the United States. Instead, there are hundreds of laws enacted at both the federal and state levels to protect the personal data of US residents. At the federal level, the Federal Trade Commission Act gives the US Federal Trade Commission (FTC) broad authority to enforce federal privacy and data protection regulations, as well as protect consumers against unfair or deceptive practices. The FTC has taken the position that "deceptive practices" include a company’s failure to comply with its published privacy promises, failure to provide adequate security of personal information, and use of deceptive advertising or marketing methods.

There are also federal statutes targeting particular sectors, such as healthcare or financial services. State-level statutes protect the privacy rights of individual residents, with protections differing considerably from one state to another. Some state statutes are comprehensive, while others cover diverse areas: from protecting library records to keeping homeowners free from drone surveillance.

Although there is no federal legislation that affects data protection in general, there are specific federal data protection laws that relate to particular sectors or types of data, such as the Children’s Online Privacy Protection Act, the Driver’s Privacy Protection Act, the Video Privacy Protection Act, and the Cable Communications Policy Act.

State laws also impose restrictions and obligations on businesses in terms of the collection, use, disclosure, security, or retention of various types of information, such as financial records, tax records, criminal justice information, email addresses, education records, driver’s license information, library records, and insurance information. All states have adopted data breach notification legislation that applies to certain types of personal information about residents, and businesses must comply with the state’s laws even if they do not have a physical presence in that state.

Certain states have stringent data protection regulations that require entities that receive, store, maintain, process, or have access to state residents' personal information to implement and maintain a comprehensive written information security plan and establish a formal information security program. Here are a few examples of such state-level legislation:

• The Massachusetts Information Privacy Act establishes a set of directives that define the obligations that organizations must comply with to safeguard the personal data of Massachusetts residents.
• The New York’s SHIELD Act mandates entities to implement administrative, technical, and physical safeguards to protect private information’s security, confidentiality, and integrity. 
• The Illinois Biometric Information Privacy Act (BIPA) requires businesses that collect or obtain biometric information to comply with its provisions. 
• The California Consumer Privacy Act introduced new rights for state residents, while the California Privacy Rights Act expanded the rights and obligations of businesses. 
• Virginia enacted the Consumer Data Protection Act, becoming the second state to have a comprehensive data privacy law, followed shortly thereafter by Colorado. 
• The Colorado Privacy Act grants Colorado residents the option to decline targeted advertising, the sale of their personal information, and particular forms of profiling. 
• In March 2022, Utah enacted the Utah Consumer Privacy Act, which is considered to be less stringent and more accommodating to businesses compared to other state-level regulations that have been enacted thus far. 
• In May 2022, Connecticut introduced amendments to its existing data breach notification law, which requires businesses to provide notice to affected residents and the state attorney general within 60 days of discovering a breach.

In addition to the state-level privacy laws, there are also some federal agencies that have their own regulations regarding data protection. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates the use and disclosure of protected health information by covered entities and their business associates, while the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect the privacy and security of customer information. Another example is the International Traffic in Arms Regulations (ITAR) designed to control the dissemination of sensitive information and technology to foreign nationals and governments. Under ITAR, companies must obtain a license from the US Department of State before exporting any defense-related items or data.

Various sectors have specific laws that govern their operations, including financial services, healthcare, telecommunications, and education. For instance, the previously mentioned GLBA mandates banks, insurance companies, and other financial service providers to protect customers' personal information, commonly known as Non-Public Personal Information (NPI). The act imposes specific requirements on companies regarding securing, disclosing, and notifying customers in cases of unauthorized exposure of NPI.

The Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act (FACTA), controls the use of credit-related information in determining eligibility for credit, employment, or insurance. It also regulates the handling of credit card numbers on printed receipts, the destruction of personal information, and the use of information received from affiliated companies for marketing.

Apart from these, major credit card companies require businesses to comply with the Payment Card Industry Data Security Standard (PCI-DSS), which ensures secure processing, storage, and transmission of payment card data. The healthcare industry is also subject to a rigid regulatory framework: The aforementioned HIPAA safeguards health-related information and regulates its collection and disclosure through its Privacy and Security Rules.

The Telephone Consumer Protection Act (TCPA) and associated regulations govern calls and text messages to mobile and residential phones made for marketing purposes. The Family Educational Rights and Privacy Act (FERPA) protects student records' privacy and prohibits their disclosure without the student’s or parent’s consent.

Although federal statutes may pre-empt similar state laws on a specific topic, some federal laws, such as the GLBA, do not pre-empt state laws on the subject.

Although the United States lacks a comprehensive data protection regulator, the FTC wields expansive authority and often serves as the standard-bearer for federal privacy and data security concerns. Additionally, a range of other agencies, such as the Office of the Comptroller of the Currency (OCC), the Department of Health and Human Services (HHS), the Federal Communications Commission (FCC), the Securities and Exchange Commission, the Consumer Financial Protection Bureau (CFPB), and the Department of Commerce, oversee data protection through industry-specific legislation. 

At the state level, the California Privacy Rights Act created the inaugural privacy regulator in the United States, the California Privacy Protection Agency (CPPA), which will be responsible for enforcing the CPRA alongside the California Attorney General, creating rules under the CPRA, and raising awareness of privacy issues.

Unlike Europe, the US does not impose restrictions on the transfer of personal data to other countries and leaves this at the discretion of the company. Before the Schrems II decision, the EU-US Privacy Shield Framework provided a way to comply with data protection requirements when transferring personal data from the EU to the U.S. However, since the invalidation of the Privacy Shield Framework, companies can only rely on Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), or derogations. Despite the lack of formal guidance from the FTC following Schrems II, it still expects companies to comply with their obligations under the Privacy Shield Framework and adhere to privacy principles. The Department of Commerce, Department of Justice, and the Office of the Director of National Intelligence issued a White Paper in September 2020 to provide specific guidance in light of the Schrems II decision.

In March 2022, the United States and the European Commission announced an agreement in principle to replace the Privacy Shield Framework with the Trans-Atlantic Data Privacy Framework, which includes commitments to strengthen privacy and civil liberties safeguards, establish a multi-layer redress mechanism, and enhance oversight. The US did not provide specific guidance for companies regarding the European Commission’s revised SCCs but expressed concern that they may interfere with government efforts to protect public safety and national security.

In today’s digital age, protecting personal information has become an increasingly important issue for businesses across industries and regions. With the lack of a single comprehensive federal data protection law in the United States, companies must navigate a complex web of federal and state regulations to ensure compliance and safeguard their customers' personal data. By proactively addressing data protection concerns, businesses can not only ensure streamlined operations but also gain a competitive edge in the market. Ultimately, prioritizing data security isn’t just a legal box to check — it’s the key ingredient for building trust.