This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that apply in the United States.
This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
There is no single, omnibus U.S. federal law addressing data privacy rights and obligations. Federal laws, which apply to residents in all states, are generally sector-specific and primarily regulate the financial and healthcare sectors, the telecom industry, government contractors and children. State laws, where they exist, more frequently look to protect consumers residing in that state, which is permitted under the U.S. system that allows states to regulate absent federal pre-emption or an undue burden on interstate commerce.
At the federal level, key laws include the Gramm-Leach-Bliley Act (GLBA), which protects personal information held by financial institutions and related companies collected as part of the provision of financial services; the Fair Credit Reporting Act (FCRA), which regulates use of information to make employment, credit, insurance or certain other determinations; the Privacy Act of 1974 and the Federal Information Security Management Act of 2002, which regulate use of personal information by the government and government contractors; the Health Insurance Portability and Accountability Act (HIPAA), which covers information related to health status that can be linked to an individual under the control of certain covered entities and their contractors and regulates the collection, disclosure and security of such information; the Cable TV Privacy Act of 1984, Video Privacy Protection Act (VPPA), Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA), which protect the privacy of certain types of communications and content; the Children’s Online Privacy Protection Act (COPPA), which regulates personal information collected online from children under age 13 and requires related privacy notices and in many instances verified parental consent; and the Family Educational Rights and Privacy Act (FERPA), which regulates privacy of student records.
Federal laws also regulate use of email addresses and phone numbers for both marketing and nonmarketing purposes. Depending on the law, federal privacy laws are primarily enforced by the Federal Trade Commission (FTC), the Department of Health & Human Services or the Office of the Comptroller of the Currency (OCC). The FTC is the principal regulator of consumer privacy under its authority to regulate deceptive and unfair practices in or affecting commerce, including to require companies to disclose unexpected data practices prior to collection, to take enforcement action against failures to comply with published privacy policies and to require companies to reasonably protect personal information in their custody or under their control.
Many states also have laws that protect the personally identifiable information of residents, but the level of protection and the types of information considered to be personally identifiable differ from state to state. To varying extents, state laws commonly restrict the information that may be collected during retail or credit card transactions, limit the recording of communications without consent, and protect minors.
Some states are more protective of privacy than others. Massachusetts, for example, has data protection laws requiring comprehensive data security planning for any entity obtaining or storing personal information. New York has similar regulations requiring comprehensive cybersecurity planning for financial institutions doing business in New York. California, Connecticut, Delaware, Pennsylvania, Nebraska, Nevada, Oregon and Utah have laws regarding privacy policies. Many states restrict collection of any, or certain, personal information in connection with credit card or other commercial transactions, except as necessary to complete the transaction. States have also passed laws protecting employee privacy, including the privacy of their social media accounts and activities, and providing greater levels of student privacy than are accorded under FERPA. Around a dozen states have their own, often more restrictive, version of the VPPA. States also regulate the use and protection of personal information by insurers.
Among the states, California has been especially protective of consumer privacy. Currently, there are limited protections under California’s Shine the Light law and the California Online Privacy Protection Act (CalOPPA), which Nevada and Delaware have copied in large part; but broader, more European-style data subject rights will take effect on January 1, 2020, under the California Consumer Privacy Act (CCPA), which mandates that California residents have data access and portability rights, data deletion rights, and the right to request that personal information not be sold, with “sale” broadly defined to cover most disclosures or access other than to vendors that meet very restrictive purpose and contractual restriction requirements. The CCPA will also require very granular privacy notices and the right of data subjects to obtain very specific information on a business’s practices regarding their own personal information upon request. In addition, companies may not discriminate against California consumers who exercise their CCPA rights. At least 14 other states are considering CCPA-inspired legislation as of the date of publication, and federal consumer privacy legislation is also under consideration.
All states have data security and breach notification laws, though the scope of what data is covered as well as the notice and reporting obligations vary from state to state.
Due to the patchwork nature of U.S. federal and state privacy laws, the best course of action is to consult with skilled legal counsel to advise on a particular situation.
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
The U.S. does not have any privacy-oriented general requirements to register personal information processing activities. However, certain industry-specific self-regulatory programs that touch on privacy may be applicable. For example, the Payment Card Industry Data Security Standard (PCI-DSS) – a standard, not a law – sets security requirements for all entities accepting or processing payment card transactions. The digital advertising industry is governed by self-regulatory principles enforced by the Digital Advertising Alliance and the Network Advertising Initiative.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
Because there is no single, overarching privacy law in the U.S., there is no one concept of personal data or personal information. In general, all U.S. privacy laws protect some form of “personal data,” “personal information (PI),” or “personally identifiable information” (PII), but the scope of coverage varies significantly. Some of these laws may also have special designations for sensitive information, such as health information, and Social Security numbers (SSNs) or tax identification numbers, requiring additional disclosures or protections before that data can be collected or processed. PII generally refers to information used to distinguish or trace an individual’s identity, such as name, SSN, date of birth, mother’s maiden name or biometric records, or any other information that is linked or linkable to an individual.
For data breach notification purposes, the definition of “personal information” is usually laid out in each state’s data breach notification law and may vary by state. However, most breach notification laws define personal information as an individual’s name plus:
- driver’s license number; or
- financial account number, if paired with sufficient information to access funds in the account.
Other definitions of “personal information” or “personal data” under federal law include:
- personal information, broadly defined under COPPA;
- protected health information (PHI), defined in HIPAA;
- nonpublic personal information, defined in GLBA; and
- consumer credit and other information, defined in FCRA.
State definitions of PII and PI vary as well. The California attorney general, for example, has stated that mobile device identifiers are PI. Additionally, California’s privacy laws set out their own definitions of “personal information.” For example, California’s Shine the Light law identifies 27 categories of personal information, including – in addition to common PII categories – the number, age and gender of children; political party affiliation; products purchased, leased or rented by a consumer; real property purchased, leased or rented; payment history; and type of service provided. The forthcoming CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and specifically includes unique ID, IP address, device ID, demographics and classifications, usage data, transactions and inquiries; biometric information; geolocation data; audio, electronic, visual, thermal, olfactory or similar information; preferences; inferences drawn to create a profile about a consumer; and educational information. Under the CCPA, there are 11 categories of personal information, and these categories must be used when providing required notices of purposes of collection, use and disclosure.
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail.
In general, U.S. law does not impose comprehensive restrictions on or requirements related to the processing of PII by private industry outside of government contracting, and there is no requirement that entities that process PII establish a “legal basis” for such processing. Certain federal and state laws may require consent from an individual prior to collecting or otherwise processing certain types of PII or PI under certain circumstances. In some cases, specific disclosures regarding the processing activity must be provided prior to processing, but these obligations are not omnibus in nature. Numerous state and federal records retention laws may apply to PII and PI collected or retained in various circumstances, but there are no universally applicable data retention periods for PII and PI. The FTC has recognized and encouraged the use of the Fair Information Practice Principles (FIPPs), which serve as guidelines for handling and safeguarding electronic PII, and application of FIPPs is required by the federal government and its contractors in many instances. These principles include notice, choice, consent, access, integrity, security and accountability.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there rules relating to the form, content and administration of such consent?
There is no single federal law in the U.S. that sets out general requirements for when and how to obtain consent from data subjects. Instead, consent requirements are regulated by various individual sector-specific laws. In particular, in the U.S., certain types of information require opt-in consent. These include health information, credit reports, financial information, student data, personal information collected online from children, biometric data, video viewing choices, certain uses of phone numbers, and geolocation data. Certain other uses of personal information are subject to opt-out consent (e.g., email marketing, or soon in California the “sale” of PI), and the rest are generally not subject to any consent requirement at all.
The U.S. regulates the type of consent an entity must obtain prior to communicating with an individual directly via email, phone, text or fax. Specifically, under the Telephone Consumer Protection Act (TCPA), in many circumstances consent must be obtained from the recipient of a call or text before a call is placed or a text is sent, particularly in the context of marketing. Whether and what kind of consent must be obtained (for example, none vs. “prior express consent” vs. “prior express written consent”) depends on the type of call (emergency, sales/marketing, transactional/informational); the type of calling technology used (manual dial, autodialer, prerecorded voice); the type of phone called (residential landline, cell phone); the type of caller (for-profit, nonprofit, state/local government, federal government); and the type of recipient of the call (business-to-consumer vs. business-to-business).
With regard to biometric data, certain states require specific kinds of consent before collection. In particular, the Illinois Biometric Information Privacy Act (BIPA) requires that written consent be obtained before collecting a biometric identifier.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
In general, privacy laws in the U.S. do not designate specific categories of personal information as sensitive. Accordingly, there is no uniform view of what constitutes sensitive personal information in the U.S., although certain types of data, such as financial and health information, and PI collected online from children, or by schools or their contractors from or about students, often are subject to heightened protections. For example, HIPAA imposes privacy and security obligations on entities that handle PHI; GLBA protects “nonpublic personal information” maintained by financial institutions about their customers; FCRA governs how consumer reporting agencies collect, use and disclose consumer credit information; and the Genetic Information Nondiscrimination Act prohibits certain uses of genetic information. There also are state laws applicable to particular categories of personal information that may be considered sensitive, such as laws concerning the collection, use and retention of biometric information (for example, the Illinois BIPA) and requiring heightened data security safeguards for regulated financial institutions and insurers (for example, the New York Department of Financial Services Cybersecurity Regulation). Relatedly, certain federal and state nondiscrimination laws prohibit soliciting certain types of personal information or using such information to the detriment of a protected class or group, particularly in housing, employment and credit. California’s Unruh Civil Rights Act prohibits discrimination in public accommodations, or the offering of products or services, based on any of a large number of protected classes, or any other arbitrary classification.
Protected groups, depending on the law at issue, include those discriminated against on the basis of sex, gender, religion, age, race, ethnicity, citizenship, ideology, political affiliation, creed, appearance, family status, sexual orientation, health status, military or veteran status, or source of income.
How do the laws in your jurisdiction address children’s PII?
At the federal level, COPPA governs the collection, use and disclosure of personal information collected from children under the age of 13 by operators of websites and other online services. COPPA is enforced by the FTC, which takes a broad view of COPPA’s scope, applying it to many different types of online services (including video games, websites and connected toys) and operators (including third-party contractors, advertisers and others who passively collect children’s personal information). COPPA requires transparent and accessible privacy policies; heightened security practices to safeguard children’s personal information; and verifiable parental consent before collection, use or disclosure of children’s personal information, with narrow exceptions, including for internal operational purposes, one-time responses and email verification. COPPA also places limits on the use of personal information collected online from children for direct marketing purposes.
In addition, FERPA governs how schools collect, use and disclose information from students’ educational records, including information collected about children or minors. FERPA sets forth certain rights and restrictions concerning the disclosure of students’ educational information – which generally requires written consent – and how parents and students may access, revise or delete student educational information.
A handful of states have implemented privacy laws that specifically address the collection and use of children’s, students’ or minors’ personal information. For example, California’s Privacy Rights for California Minors in the Digital World law allows California residents under the age of 18 to delete publicly available personal information they have submitted online. Michigan and Utah have Child Protection Registry Acts. And several states have laws governing schools’ and third-party contractors’ collection, use, disclosure and sale of educational information. In addition, when the CCPA takes effect in January 2020, businesses may not sell PI of California residents under the age of 16 without their or, in the case of children under 13, their parent’s opt-in consent.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Owners or processors of PII or PI are not generally required to maintain internal records of their data processing activities or to establish internal processes or written documentation. However, several statutory frameworks in the U.S., including GLBA, HIPAA, and some state information security and health laws, require specific record retention practices as well as the implementation of associated information security programs. These programs typically require internal processes and documentation of the administrative, technical and physical safeguards implemented to protect the confidentiality and security of personal information, and certain of these regulations in turn require that those practices be documented. For example, HIPAA requires covered entities to retain related documentation for six years from the date of creation or the date it was last in effect, whichever is later. Finally, entities also typically use industry or third-party benchmarking data to determine how best to maintain records generally, including data processing documentation.
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
Consultations with regulators regarding privacy and data security matters are not generally required in the U.S., and unlike in other countries, U.S. regulators are not data protection authorities of general application. Entities in certain regulated industries, such as health or financial services, may have routine or compulsory consultations with their federal or state regulators that include discussions concerning privacy or data security matters, although the underlying purpose of the consultation is focused on other issues. Although not formally recommended in most cases, it may be advisable to consult with a regulator under certain circumstances. For example, a company that has experienced a serious data security incident and is investigating in preparation for a large-scale notification may wish to inform the relevant state or federal regulatory agencies of its investigation and notification plan to avoid post-notification inquiries regarding timing or delays.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
While periodic risk assessments are often advisable, data security risk assessments are explicitly required only for certain industries in a limited number of jurisdictions. However, security risk assessments are generally deemed to be a necessity of the reasonable security required by a myriad of state and federal laws. Privacy impact assessments have not been mandated by law in the U.S. as they have in other countries. However, the FTC and many state attorneys general have advised adoption of privacy-by-design and use of privacy impact assessments as a best practice.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
U.S. privacy laws do not require appointment of a data protection officer. However, it is a common practice for the FTC and state attorneys general to require as part of the settlement of an enforcement action that a company hire a chief privacy officer who has C-level authority with direct reporting to the chief executive or the board of directors, and that it develop and maintain robust privacy and data protection policies and practices. HIPAA requires covered entities to designate a privacy officer and a security officer, and business associates to designate a security officer. HIPAA considers a covered entity to be any health plan, healthcare clearinghouse or healthcare provider in the U.S. that transmits health information in electronic form. HIPAA considers a business associate to be any person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. The privacy and security officer(s) can have other titles and duties in addition to these roles. The privacy officer is responsible for overseeing the organization’s development, implementation and maintenance of HIPAA-compliant privacy policies and procedures for all health information, not just that which is stored or transmitted electronically. The security officer implements policies and procedures to avoid, identify, contain and resolve potential security risks to electronic health information. Both are responsible for ensuring their staff are properly trained on the applicable HIPAA requirements.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
There is no omnibus federal law that requires entities to provide notice to individuals when collecting, processing or disclosing personal information. However, the FTC, which serves as the closest thing the U.S. has to a lead data protection authority, takes the position that under Section 5 of the FTC Act (which prohibits deceptive or unfair acts or practices in or affecting commerce), it is an unfair business practice not to disclose material data practices, especially if they would be unexpected, and that any material omissions or inaccuracies in privacy notices are a deceptive practice. In addition, several federal sector-specific laws require privacy notices. For example, HIPAA requires covered entities to provide a health information privacy notice titled “Notice of Privacy Practices” and obtain consent prior to certain types of disclosures of PHI; GLBA requires financial institutions to provide annual privacy notices and certain privacy choices; the Cable Communications Policy Act requires notice and consent for cable communications providers to disclose subscriber information except to the extent necessary to render core cable services; and COPPA requires online service operators to post a privacy notice for parents to read, and further requires various levels of consent prior to collection of personal information from children. Most states have their own versions of HIPAA and GLBA that can set higher standards, and state insurance laws also regulate privacy notices and choices for insurers. Various state laws require privacy notices by internet service providers, and other states are considering similar legislation. Congress and various state legislatures are considering privacy and security requirements for internet of things providers, some of which include privacy notice obligations.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
U.S. privacy laws generally do not apply directly to service providers, and most requirements stem from flow-down contractual requirements imposed by data owners. There are, however, several sector-specific federal laws, such as HIPAA, GLBA, FCRA, FERPA and COPPA, that may regulate certain service provider activities directly and apply related standards. In addition, federal procurement programs, such as the Defense Federal Acquisition Regulations Supplement (DFARS), may require entities servicing the federal government to maintain adequate security and apply protective measures to prevent the loss of, misuse of, unauthorized access to or modification of information. Finally, the new CCPA regulates service providers and has complex provisions regarding when making PI available to a vendor is or is not a sale subject to a “do not sell” request and when the business and the service provider are or are not entitled to a safe harbor as to the other’s noncompliance with the law.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
U.S. privacy laws generally do not require minimum contract terms with service providers. However, there are several sector-specific federal laws, such as HIPAA, GLBA, FCRA, FERPA and COPPA, that may require service providers to be retained and governed by written agreements with specific provisions, and the new CCPA also takes this approach. Many state laws highly recommend that a written information security plan be included as part of the contractual requirements for service providers. In addition, California and Massachusetts laws require nonaffiliated service providers to contractually agree to take reasonable and appropriate measures to protect shared personal information, and Connecticut law requires contractors working with the state to encrypt all sensitive personal data that is transmitted wirelessly or via public internet connection or is visible on portable electronic devices. Some states also look to the PCI-DSS as the de facto benchmark for determining whether a service provider is sufficiently secure in the relevant context.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
The U.S. relies primarily on industry standards to mandate “reasonable and appropriate security measures.” FTC guidance advises entities to implement a “comprehensive security program that is reasonably designed to address security risks” and “protect the privacy, security, confidentiality, and integrity” of consumers’ information. In a series of FTC enforcement actions, these security programs have been required to address a wide range of potential risks, including:
- employee training and management;
- product design, development and research;
- secure software design, development and testing, including for default settings, access key and secret key management, and secure cloud storage;
- application software design;
- information systems, such as network and software design, information processing, storage, transmission, and disposal;
- review and assessment of as well as response to third-party security vulnerability reports; and
- prevention and detection of as well as response to attacks, intrusions, or other system failures or vulnerabilities.
Following the identification of security risks, FTC guidance indicates that entities must also:
- design and implement “reasonable safeguards” to control the identified risks;
- conduct regular testing of the effectiveness of key controls, systems and procedures, and evaluate and adjust information security programs based on the results of the testing;
- have a written information security policy;
- adequately train personnel to perform data security-related tasks and responsibilities;
- ensure that third-party service providers implement reasonable security measures to protect personal information, such as through the use of contractual obligations;
- regularly monitor systems and assets to identify data security events and verify the effectiveness of protective measures;
- track unsuccessful login attempts;
- secure remote access;
- restrict access to data systems based on employee job functions;
- develop comprehensive password policies, addressing password complexity, prohibiting reuse of passwords to access different servers and services, and deploying reasonable controls to prevent the retention of passwords and encryption keys in clear text files on the company’s network; and
- conduct vulnerability and penetration testing, security architecture reviews, code reviews, and other reasonable and appropriate assessments, audits, reviews or other tests to identify potential security failures and verify that access to devices and information is restricted consistent with user security settings.
In addition to these federal standards, at least 24 states have laws that address data security practices of private sector entities. Most of these state laws relate to entities that maintain personal information about residents of that state and require the entity to maintain “reasonable security procedures and practices” appropriate to the type of information and the risk. In keeping with current state laws, the CCPA does not contain an explicit, stand-alone security requirement. However, entities subject to the CCPA can be penalized for not maintaining “reasonable security procedures and practices appropriate to the nature of the personal information,” and the CCPA will create a private right of action, which may be brought on a classwide basis, with no requirement to demonstrate harm and the potential for statutory damages if certain types of PII are compromised due to a failure to maintain reasonable security.
Does your jurisdiction impose requirements of data protection by design or default?
The U.S. does not impose requirements of data protection by design or default. However, the FTC has recommended that companies consider both privacy and data security when designing and developing their products and services. In cases where a company is launching a novel product that raises unique privacy and data security issues, it is a best practice to take into consideration both privacy and data security impacts at the design stage.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
All states in the U.S., as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have enacted laws requiring notification in the event of a “security breach,” “breach of security” or “breach of security of the system” (collectively referred to here as a “security breach”). These jurisdictions define security breach differently, but generally the definition is dependent on three elements: (1) what types of personal information are protected under the relevant statute, (2) how an unauthorized person interacted with the protected personal information and (3) the potential that the incident could result in harm to the individuals whose protected personal information was involved.
A majority of the jurisdictions with breach notification laws define security breach as involving the unauthorized acquisition of personal information. A small number of jurisdictions, including Connecticut, Florida, New Jersey, Puerto Rico and Rhode Island, define security breach as the unauthorized access to personal information. The remaining jurisdictions define it as both unauthorized access to and acquisition of personal information. No state requires notification to individuals or regulators if an incident has not resulted in unauthorized acquisition of or access to personal information.
Additionally, a majority of the jurisdictions maintain a risk-of-harm analysis, which for some is provided for in the definition of security breach. North Carolina’s law, as a representative example, defines security breach as “an incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer.” Most jurisdictions also maintain an exception in the definition of security breach, which generally states that a good faith but unauthorized acquisition of personal information for a lawful purpose is not a security breach unless the personal information is used in an unauthorized manner or subject to further unauthorized disclosure.
For a small number of states, the definition of security breach includes both computerized/electronic data and paper/hard copy records. For example, Indiana’s definition of “breach of the security of data” includes “the unauthorized acquisition of computerized data that has been transferred to another medium, including paper, microfilm, or a similar medium….”
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
Currently, there is no single U.S. security breach notification law that applies to all businesses in the U.S. Rather, security breach notification requirements are governed by a patchwork of federal and state breach notification laws. In some instances, a business may be required to provide breach notification in accordance with both federal and state breach notification laws.
Whether an entity must provide notification of a security breach depends on a variety of factors, including (1) the type of business (that is, the sectoral regulatory regime the entity falls under), (2) how “security breach” is defined under the applicable breach notification law, and (3) the type of information involved in the security breach.
Federal laws with breach notification requirements include HIPAA and the guidance and regulations for financial institutions established under the umbrella of GLBA (Interagency Guidelines). HIPAA’s breach notification requirements apply to healthcare entities that meet the definition of “covered entities” or “business associates.” The GLBA Interagency Guidelines apply to certain financial institutions, depending on the applicable regulator for the financial institution.
The definitions of “security breach” and “personal information” vary under state law, as discussed in more detail in Questions 3 and 18 above. Some states require notice to regulators if any individual in that state is notified of a security breach, while other states have thresholds that trigger notice to a state regulator, such as 500 or more individuals impacted.
Some states have additional sectoral notice and regulatory requirements. For example, insurance companies in many states are required to notify the state’s department of insurance of a security breach. In addition, the New York Department of Financial Services (NYDFS) has its own notice requirements for entities that it regulates, including a requirement that licensed entities provide notice to NYDFS of a security breach within 72 hours of discovery.
If breach notification is not required by law, determining whether to provide voluntary notification is a fact-specific analysis that can be based in part on guidance from regulators but ultimately is a “business decision.” The FTC, OCC, Department of Education and self-regulatory entities, such as the Financial Industry Regulatory Authority, have produced guidance on when certain entities should provide notification of a security breach. In addition, some businesses opt to provide voluntary notification based on the specific facts and circumstances surrounding a data security incident.
Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
There are sectoral laws governing health information, children’s information and consumer reports that provide limited rights. For example, FCRA provides individuals various rights with respect to how their consumer reports are compiled, maintained and disclosed to third parties.
FERPA, which applies to all educational institutions receiving federal funds, grants students (or, if the student is a minor, their parents) the right to inspect and review the student’s education records maintained by the school. Schools are generally not required to provide copies of records unless it is impossible for the student (or their parents) to review the records. Schools may charge a fee for copies. FERPA does not grant a deletion right but does grant the student (or their parents) the right to request that a school correct records that they believe to be inaccurate or misleading.
COPPA grants parents the right to receive copies of personal information collected online from their child under the age of 13, the right to request that the personal information be deleted and a way to revoke their consent for the collection of personal information from their child.
Under HIPAA, individuals are entitled to request copies of medical information held by a health services provider. HIPAA requires that covered entities provide individuals with access to PHI about them in one or more “designated record sets” (e.g., medical, billing, claims or health plan enrollment records) maintained by or for the covered entity. Covered entities are required to inform individuals of this right of access in their notice of privacy practices. Access must be granted or denied within 30 days of receipt of a request, although one 30-day extension is permitted.
This right to access does not extend to certain information, including (1) PHI contained in psychotherapy notes or (2) PHI compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. HIPAA does not grant individuals a right to deletion. HIPAA does, however, provide individuals with the right to request an amendment of their PHI if they believe the information held by the covered entity is incomplete or inaccurate.
In addition, the majority of states have laws granting patients the right to access certain medical records. While most of these access laws are pre-empted by HIPAA, several state laws do avoid pre-emption either by providing individuals with access to a broader range of records or by requiring that providers respond to these access requests sooner.
California currently has limited access rights under its Shine the Light law, and the forthcoming CCPA will expand these rights in the state. Under the Shine the Light law, companies that disclose California customer information to third parties for direct marketing purposes are required to provide an opt-out or respond to customer requests to disclose the identity of the third parties with whom customer information is shared and the types of information the company shares. When the CCPA takes effect in January 2020, California residents will be granted individual access rights, deletion rights and the right to request that their personal information stop being sold. Other states are considering similar legislation. In addition, California minors have the right to request deletion of information they posted online while under the age of 18.
Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
Most privacy-specific laws in the U.S. are enforced by a designated government agency or other regulatory body, and/or by state attorneys general. For example, COPPA may be enforced by the FTC or any state attorney general. In general, individuals or groups may lodge complaints regarding potential privacy or data security violations with the appropriate regulator and request that the regulator investigate the allegedly infringing practices to bring an enforcement action.
Some privacy-specific laws, such as the federal TCPA and the Illinois BIPA, include a private right of action to permit individuals to seek damages in court even where the alleged violation is not pursued by a government enforcement authority. In addition, certain laws that are not privacy-specific, such as those regulating unfair and deceptive business practices generally, may be used by an individual as a vehicle to pursue privacy-related violations in court. For example, an entity’s misuse of personal information, or a failure to maintain adequate security safeguards for personal information after having made public representations that such safeguards were in place, may be deemed an “unfair” or “deceptive” trade practice in violation of applicable consumer protection laws. In addition, many states have private attorney general acts and/or unfair and deceptive practices acts that permit citizens to file suit, sometimes on a classwide basis, if they are affected by any party’s violation of any law.
Although individuals in the U.S. may in some instances avail themselves of a statutory private right of action to file suit, they still must meet certain thresholds for their case to survive. Among other requirements, a plaintiff in federal court must have Article III constitutional standing, which typically requires demonstrating that the plaintiff has suffered an injury due to the violation of the law in question. A majority of state courts apply a similar standard. The U.S. Supreme Court has ruled that such an injury can be “intangible” but must constitute “concrete harm,” leaving lower courts grappling with varying interpretations of that concept – for example, whether misuse of personal information must result in a specific monetary loss in order to be “concrete” or if anticipatory or imminent harm suffices. Depending on the law, the types of damages individuals can seek may be limited. For example, some laws enable individuals to pursue injunctive relief but not restitution or punitive damages. However, the new CCPA does away with such standards and allows for minimum statutory damages regardless of any economic harm. The federal TCPA takes a similar approach and has created a cottage industry of plaintiff’s lawyers in search of errors and omissions related to telemarketing.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
Federal and state privacy laws are enforced at the federal and state levels, respectively. At the federal level, enforcement is typically handled by the FTC, although other agencies and/or state attorneys general may dually enforce certain laws. For example, HIPAA is enforced by the federal Department of Health & Human Services and state attorneys general. The FTC may seek consent decrees with or bring actions against companies in violation of U.S. privacy laws or Section 5 of the FTC Act (prohibiting deceptive and unfair practices), but it can issue fines only under certain laws such as COPPA. Typically the FTC’s authority is restricted to restitution and injunctive relief, though violation of a consent order settling a matter can incur civil penalties for contempt of court. Fines, penalties or other relief are laid out in and limited by the specific privacy law under which the regulator brings an action (see below).
At the state level, enforcement of privacy laws typically falls to the state attorney general, situated within the state’s chief law enforcement body, its justice department. There is substantial variation in enforcement power and actions among the different state regulators. Certain states, such as California, Connecticut, Illinois, Massachusetts and New York, are the most active in enforcing privacy laws, as these states also have some of the most robust privacy laws in the U.S. Generally speaking, most enforcement actions and settlements are made public. For example, the State of California Department of Justice has a privacy enforcement actions page. Individual state privacy laws set out the range of fines or penalties that may be issued and may provide for equitable remedies, such as injunction, as well as monetary fines. Fines at the state level are usually issued on a per-violation basis.
Below is a summary of the penalties laid out in several key federal privacy laws:
- FCRA: Damages for willful violations by the consumer reporting agency, information furnisher or entity using the information are either actual damages or statutory damages between $100 and $1,000 per violation or punitive damages, as decided by the court, and also attorneys’ fees and costs. Damages for negligent violations include actual damages and attorneys’ fees and costs. Actual damages can include damages for emotional stress even if the plaintiff suffered no economic damages.
- HIPAA: Penalties depend upon a number of case-specific factors, including the flagrancy of the violation and any mitigating steps the entity may have taken. Fines are issued in four categories: (1) minimum of $100 per violation, up to $50,000; (2) minimum of $1,000 per violation, up to $50,000; (3) minimum of $10,000 per violation, up to $50,000; and (4) minimum of $50,000 per violation. Fines are generally issued on a per-violation basis, per year that the violation occurred. The maximum fine per category, per year is $1,500,000. Data breaches resulting from a violation may trigger additional fines. State attorneys general may also enforce HIPAA and can issue fines up to $25,000 per violation category per year. HIPAA violations may also carry criminal penalties.
- COPPA: Courts may hold operators liable for civil penalties up to $42,530 per violation. Penalties are determined by a number of factors, including the egregiousness of the violations, whether the entity has previously violated the statute, and the number of children affected.
The CCPA will subject violators to civil penalties of $2,500 per violation, or $7,500 per intentional violation, and plaintiffs in the limited private right of action are potentially entitled to statutory damages of $750 per consumer per incident or actual damages, whichever is greater.
As also discussed in Section 21., judicial relief may be available for individuals affected by a violation of certain U.S. federal and state privacy laws. Consumer class action lawsuits, brought by groups of similarly situated individuals affected by the same violation, for example, can be a powerful means of compelling compliance. Class action lawsuits have been settled under the FCRA and TCPA for significant amounts. The penalties available for consumer judicial actions under federal and state laws vary and may also include injunctive relief.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
Generally, U.S. federal and state privacy laws include a number of exclusions and limitations. For example, many state breach notification laws include exemptions from notification if an entity complies with obligations under sector-specific federal laws such as HIPAA and GLBA. In some cases, state privacy laws are pre-empted by sector-specific federal laws. Some state laws also provide for enhanced penalties under state law for violations of federal privacy laws. California’s new CCPA has exclusions of various degrees for data governed by HIPAA, GLBA, FCRA, and other state and federal laws.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
There are two federal statutes that, although they do not directly address cookies, have been used as the basis for enforcement actions concerning cookies used for tracking and behavioral advertising. For example, the FTC Act has been used as a basis for regulatory enforcement against entities misrepresenting or failing to disclose tracking cookies. Enforcement actions have also been taken on the basis of the federal Computer Fraud and Abuse Act (CFAA), and state equivalents, against entities using cookies for behavioral advertising, where the cookie allowed for deep packet inspection. Some states have deceptive practices acts which have been used as a basis for enforcement similar to the federal laws described above. Recently, the city attorney for Los Angeles brought a claim under California’s consumer protection laws against the Weather Channel for disclosing users’ geolocation data to advertisers and others without clear and conspicuous notice and express consent.
In addition, ECPA, SCA and CFAA, as well as tort laws, have been used as a basis for lawsuits against companies utilizing keystroke and other tracking features on websites and mobile apps, although that law is evolving.
Finally, the Digital Advertising Alliance and the Network Advertising Initiative self-regulatory programs for the U.S. digital advertising industry require notice, enhanced notice for intrusive or sensitive tracking, and an opportunity to opt out.
Please describe any laws addressing email communication or direct marketing?
In the U.S., federal and state laws limit and regulate the way in which companies communicate with individuals and other businesses for marketing purposes. In particular, these laws regulate the ways in which companies can call, text or fax consumers, as discussed in Question 3.
Telephone communications, including telemarketing calls, autodialed calls, prerecorded calls and text messages as well as fax communications, are regulated by the TCPA, the Telemarketing Sales Rule and individual state laws. The rules pertaining to such communications differ according to the type of communication at issue, such as marketing versus nonmarketing communications.
Email communications are regulated by the federal Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), which establishes requirements for sending unsolicited commercial email, including clearly identifying the email as a commercial email, and gives consumers the right to opt out of commercial email, including prompt compliance with any opt-out request. CAN-SPAM pre-empts state laws, except to the extent they prohibit fraud or deception. In short, TCPA is mostly an opt-in scheme, while CAN-SPAM takes an opt-out approach. Both require certain notices and disclosures and have various other requirements. Email communications may also be protected by ECPA and SCA, which together address interception and compelled disclosure of various electronic communications.