In the United States, 45% of respondents to a user data survey from RSA, a leading encryption company, openly admitted that they had been victims of a data breach. With the increasing frequency of data breaches, consumers are more aware of their data: where it lives and who accesses it. At the same time, businesses are looking for new ways to collect, analyze and leverage user data for business purposes.
Under 15 U.S. Code § 41 et seq., the Federal Trade Commission Act broadly authorizes the U.S. Federal Trade Commission (FTC) to bring enforcement actions protecting users against unfair or deceptive practices. Failure to comply with GDPR and data protection law may lead to fines, lawsuits or other legal liabilities. Following Washington and Nevada, Virginia also passed its Consumer Data Protection Act on March 2, 2021.
Data Protection Law
In 2020 alone, data breaches resulting from inadequate data protection measures exposed the sensitive data of over 150 million U.S. residents. In addition, Amazon’s Alexa listening to conversations and Google accessing the healthcare information of millions without their knowledge has alarmed the public.
In the absence of a comprehensive blanket solution like GDPR, states are now taking these issues into account. In addition, the framework of federal data privacy law is shaping the nation’s future privacy landscape. While there are no comprehensive regulations that govern data privacy in the United States, there is a complex patchwork of data security and privacy laws that address financial, healthcare and telecommunication information.
How does the FTC adjust to the shifting regulatory landscape?
The Federal Trade Commission (FTC) is an independent agency of the US government whose primary mission is to enforce civil US antitrust law and promote consumer protection law. While the FTC has no explicit policies to regulate website privacy laws, it uses data privacy compliance and enforcement action to protect consumers. The FTC takes action against organizations breaching data privacy policies if:
- A user/organization fails to implement reasonable data security practices.
- A user/organization falls short of adhering to the self-regulatory principles of its industry.
- A user/organization misrepresents its personal data or security practices to consumers in its privacy policies.
- A user/organization fails to provide sufficient security for personal data covered by its data privacy policy.
- A user/organization discloses personal information in a manner not described in its privacy policies.
- A user/organization breaches consumer data protection and privacy rights by monitoring, storing or sharing information.
- A user/organization engages in other malpractice.
Many companies earlier relied on sharing raw consumer information or allowing others to query the unprocessed data files. However, the new regulations make it harder to obtain approval or consent, or to provide disclosure, when needed.
Here is a list of federal laws that govern the collection of information online:
- The Children’s Online Privacy Protection Act (COPPA) governs the collection of information about minors.
- The Fair Credit Reporting Act (FCRA) regulates the collection and use of credit information.
- The Health Insurance Portability and Accountability Act (HIPAA) governs health information.
- The Gramm-Leach-Bliley Act (GLBA) governs personal data collected by banks and financial institutions.
Here is a list of the important privacy legislation in the U.S.:
Laws that are similar to CCPA include:
- New York Privacy Act (S5642)
- Massachusetts Consumer Privacy Bills (S.120)
Other privacy laws include:
- Vermont Act 171 Data Broker regulation
- Virginia’s Consumer Data Protection Act
The United States has numerous sectoral online privacy laws in different states. In addition, U.S. state attorneys general oversee data privacy laws governing the storage of their residents’ personal data and Social Security numbers. Some of these laws apply to governmental entities, some only to private entities, and some to both.
Europe’s May 2018 launch of GDPR is expected to create a global ripple effect over the next decade, driving more coherent data privacy regulations.
The California Consumer Privacy Act (CCPA) & The California Privacy Rights Act (CPRA)
CCPA is the most prominent piece of U.S. legislation affecting digital privacy rights. Motivated by GDPR, the act gives residents of California unprecedented transparency into, and access to, the data accumulated by businesses. In addition, the law focuses on information that is released or sold to third parties, which distinguishes it from GDPR.
In 2020, the CCPA was reinforced by a new, stricter act, the California Privacy Rights Act (CPRA). This act revises many concepts from the CCPA and introduces harsher penalties for non-compliance with data regulations. In a suit filed by consumers, damages range from $100 to $750 per resident for data privacy breaches or theft of user information that was not properly protected. In a suit by the State Attorney General, the penalty is $2,500 per violation and $7,500 per intentional violation of privacy.
Massachusetts Consumer Privacy Bill (S.120)
This state is no stranger to data security and privacy breaches, with almost 2,000,000 residents reporting security infringements. The Massachusetts bill is akin to its California predecessor: they share the same scope and business requirements, and both put power in the hands of the people. Furthermore, this law prevents an array of online incidents and better protects user privacy.
Under the Massachusetts Consumer Privacy Bill (S.120), users can take legal action against a company if it violates the safety of their personal information.
New York Privacy Act (S5642)
The New York Privacy Act shares various similarities with the CCPA, but some of its features make it significantly stricter. For example, this law allows private action against companies that breach the online privacy law. It also forbids sharing personal information with third parties without documented consent.
According to the New York Privacy Act, the victim can seek civil penalties of up to $15,000 per data protection law infringement. In addition, any user whose rights have been violated can recover damages or seek compensation of $1,000.
Virginia’s Consumer Data Protection Act (CDPA)
Virginia’s Consumer Data Protection Act offers Virginia residents more control over how companies use or sell their information. The CDPA is also referred to as an “opt-out law”, which means that under the act, consumers must take action to object to the collection of their data. The law applies to companies that control the personal data of at least 100,000 consumers during a calendar year, or that process the personal data of at least 25,000 consumers and derive revenue from the sale of personal data.
Conversely, even large corporations are not subject to this data privacy law if they do not fall within these categories.
Vermont Act 171 Data Broker Regulation
The Vermont Act 171 Data Broker Regulation governs businesses that gather and sell consumer data to third parties. The regulation considers data to be brokered personal information (BPI) if it is digitally created and organized to be distributed for business purposes.
This privacy protection act holds businesses that plan to sell Vermont-sourced information to a defined standard of security.
There is no question that these data privacy regulations are drastically changing the way data-driven businesses operate. However, the barriers are not so tall that they cannot be overcome. Instead, we recommend that you understand how to tap into tools that support both your business goals and consumer demand.