Based in the US and looking to ensure you are complying with data privacy regulations? Unlike the EU’s GDPR there is no single overarching data privacy legislation in the US.
Instead, the United States follows data privacy requirements that are guided by various state laws and sector-specific privacy laws, meaning you have to understand the various regulations that apply to the states and industries you operate (or collect data) in.
To ensure your business is complying with the data privacy regulations that apply to it, in this blog we give an overview of all US data protection laws.
State-specific data privacy laws
Only four states in the US have comprehensive consumer privacy laws; California, Colorado, Virginia and Utah. Regardless of which state a company is located in, these laws only apply to the people who live within these states.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them, as well as providing guidance to companies on how to implement the law.
Under CCPA, consumers have new privacy rights, including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
Businesses are required to give consumers certain notices explaining their privacy practices.
Colorado Privacy Act (CPA)
The Colorado Privacy Act (CPA) was signed into law on July 8, 2021, making Colorado the third state - after California and Virginia - to pass a comprehensive privacy law to protect its residents.
The CPA applies to organizations that conduct business in Colorado or deliver products or services targeted to Colorado residents that either (1) control or process the personal data of 100,000 or more consumers during a year, or (2) control or process the personal data of 25,000 or more consumers and derive revenue or receive a discount on the price of goods or services from the sale of personal data.
To comply, businesses are reunited to provide consumers with clear privacy notices and conduct data protection assessments for any personal data processing that presents a “heightened risk of harm” to consumers.
Virginia Consumer Data Protection Act (VCDPA)
The VCDPA gives consumers the right to access their data and request that their personal information be deleted by businesses, as well as requiring companies to conduct data protection assessments related to processing personal data for targeted advertising and sale spurposes.
Businesses that must comply with the VCDPA must control or process (1) the personal data of at least 100,000 consumers in a calendar year, or (2) the personal data of at least 25,000 consumers, while deriving over 50 percent of gross revenue from the sale of that data.
Utah Consumer Privacy Act (UCPA)
Gov. Spencer Cox signed the Utah Consumer Privacy Act into law in 2022, making it the fourth state to enact comprehensive data privacy legislation.
Closely representing the scope of the VCDPA, UCPA applies to any controller or processor who:
- conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
- has annual revenue of $25,000,000 or more; and
- satisfies one or more of the following thresholds:
- during a calendar year, controls or processes personal data of 100,000 or more consumers; or
- derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.”
Consumers are provided four main rights under UCPA, the right to access, the right to delete, the right to data portability and the right to opt out of certain processing. This is similar to its counterparts in California, Virginia and Colorado, with the only notable absentee being the right to correct - meaning, unlike the other regulations, consumers that are protected by the UCPA do not have the right to correct inaccuracies in their personal data.
Industry-specific data security laws
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA establishes a set of national standards for the protection of certain health information. HIPAA’s Privacy Rule standards address the use and disclosure of individuals’ health information—called “protected health information” by organizations subject to the Privacy Rule — called “covered entities,” as well as standards for individuals' privacy rights to understand and control how their health information is used.
The goal of HIPAA’s Privacy Rule is to assure that individuals’ health data collected is properly protected, while at the same time allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being.
Fair Credit Reporting Act (FCRA)
FCRA is a federal law that regulates the collection of consumers' credit information and access to their credit reports. To enhance the privacy of personal information, FCRA limits who is allowed to see a credit report and under what circumstances.
In addition, FCRA also gives consumers certain rights, including free access to their own credit reports. By law, consumers are entitled to one free credit report every 12 months from each of the three major bureaus.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act is a federal law that details who can request student education records. FERPA gives parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records.
Gramm-Leach-Bliley Act (GLBA)
GLBA requires financial institutions, such as loan services or investment-advice services and any company that offers consumer financial products, to explain how they share data and to safeguard the sensitive data that they do collect. It also gives customers the right to opt out.
Interested in learning how your organization can improve its data compliance and data protection processes? Check out a demo of the Cavelo data discovery platform, and learn how we help companies gain complete visibility of their sensitive data inventory.