Privacy Laws in United States

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Law in United States

The United States has about 20 sector specific or medium specific national privacy or data security laws, and hundreds of such laws among its 50 states. (California alone has more than 25 state privacy and data security laws). These laws address particular problems or industries. They are too diverse to summarize fully in this volume.

In addition, the large range of companies regulated by the Federal Trade Commission ('FTC') are subject to enforcement if they engage in materially unfair or deceptive trade practices. The FTC has used this authority to pursue companies that fail to implement minimal data security measures or fail to live up to promises in privacy policies.

Definitions

Definition of Personal Data

Varies widely by regulation. The FTC now considers information that can reasonably be used to contact or distinguish a person, including IP addresses and device identifiers, as personal data. However, very few U.S. federal or state privacy laws define "personal information" as including information that on its own does not actually identify a person.

Definition of Sensitive Personal Data

Varies widely by sector and by type of statute. Generally personal health data, creditworthiness data, personal information collected online from children under 13, and information that can be used to carry out identity theft or fraud are considered sensitive. For example, US state data security breach notice and state data security laws typically cover name plus government identification number, financial account or payment card number, or in some states medical and/or biometric data.

National Data Protection Authority

No official national authority. However, the FTC has jurisdiction over most commercial entities and has authority to issue and enforce privacy regulations in specific areas (e.g. for telemarketing, spamming, and children's privacy).

The FTC uses its general authority to prevent unfair and deceptive trade practices to bring enforcement actions against inadequate data security measures, and inadequately disclosed information collection, use and disclosure practices. State Attorneys General typically have similar authority and bring some enforcement actions.

In addition, a wide range of sector regulators, particularly those in the healthcare and financial services sectors, have authority to issue and enforce privacy regulations.

Registration

There is no requirement to register databases.

Data Protection Officers

With the exception of entities regulated by HIPAA, there is no requirement to appoint a data protection officer, although appointment of a chief privacy officer and an IT security officer is a best practice among larger organizations and increasingly among mid-sized ones.

Collection & Processing

US privacy laws and self-regulatory principles vary widely, but generally require pre-collection notice and an opt out for use and disclosure of regulated personal information.

Opt in rules apply in special cases involving information that is considered sensitive under US law, such as for health information, use of credit reports, personal information collected online from children under 13 (see below for the scope of this requirement), video viewing choices, and telecommunication usage information. The FTC interprets as a 'deceptive trade practice' failing to obtain opt in consent if a company engages in materially different uses or discloses personal information not disclosed in the privacy policy under which personal information was collected.

States impose a wide range of specific requirements, particularly in the employee privacy area.

The US regulates marketing communications extensively, including telemarketing, fax marketing and email marketing (which is discussed below).

Transfer

No geographic transfer restrictions apply in the US, except with regard to accountants transferring tax preparation materials. The Commerce Clause likely bars US states from imposing data transfer restrictions and there are no other such restrictions in US national laws.

By contrast, some European data protection authorities take the position that personal data transferred to the United States under the US EU Safe Harbor principles may not be transferred outside the US without another valid legal basis.

Security

Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (e.g. health or financial information, telecommunications usage information, or information that would require security breach notification). A few states have enacted laws imposing more specific security requirements for data elements that trigger security breach notice requirements.

For example, Massachusetts has enacted regulations, which apply to any company that collects or maintains sensitive personal information (e.g. name in combination with Social Security number, driver's license, passport number, or credit card or financial account number) on Massachusetts residents. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program; the regulations also set forth the minimum components of such program.

HIPAA regulated entities are subject to much more extensive data security requirements, and some states impose further security requirements (e.g. for payment card data, for social security numbers, or to employ secure data destruction methods).

HIPAA security regulations apply to so-called ‘covered entities’ such as doctors, hospitals, insurers, pharmacies and other health-care providers, as well as their 'business associates' which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity. 'Protected health information' under HIPAA generally includes any personally identifiable information collected by or on behalf of the covered entity during the course of providing its services to individuals.

Breach Notification

Security breach notification requirements are a US invention. 46 US states, Washington, D.C. and most US territories (including, Puerto Rico, Guam and the Virgin Islands) require notifying state residents of a security breach involving residents’ name plus a sensitive data element—typically, social security number, other government ID number, or credit card or account number in combination with any security code or password that would permit access to a financial account. Notice of larger breaches is typically required to be provided to credit bureaus, and in minority of states, to State Attorneys Generals, and in rare cases to other state officials. National laws require notification in the case of breaches of health care information, breaches of information from financial institutions, and breaches of government agency information.

Enforcement

Violations are generally enforced by the FTC, State Attorneys General, or the regulator for the industry sector in question. Civil penalties are generally significant. In addition, some privacy laws (for example, credit reporting privacy laws, electronic communications privacy laws, video privacy laws, call recording laws, cable communications privacy laws) are enforced through class action lawsuits for significant statutory damages and attorney’s fees. Defendants can also be sued for actual damages for negligence in securing personal information such as payment card data, and for surprising and inadequately disclosed tracking of consumers.

Electronic Marketing

The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.

E-Mail

The CAN-SPAM Act is a federal law that applies labelling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. Not only the FTC and State Attorneys General, but also ISPs and corporate email systems can sue violators. Furthermore, knowingly falsifying the origin or routing of a commercial email message is a federal crime.

Text Messages

Federal and state regulations apply to the sending of marketing text messages to individuals. Generally, express, written consent is necessary to send marketing text messages and applicable regulations also specify the form of consent. This is a significant class action risk area, and any text messaging (marketing or informational) needs to be carefully reviewed for strict compliance with legal requirements.

Telemarketing

In general, federal law applies to most telemarketing calls and programs, and a state’s telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing.

For example, national ('federal') and state rules address calling time restrictions, honoring do-not-call registries and opt-out requests, mandatory disclosures to be made during the call, requirements for completing a sale, executing a contract or collecting payment during the call, restrictions on the use of auto-dialers and pre-recorded messages, and record keeping requirements.

Many states also require telemarketers to register or obtain a license to place telemarketing calls.

Fax Marketing

Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient hasn't opted out of receiving fax advertisements and has provided their fax number 'voluntarily', a concept which the law specifically defines. The law also requires that each fax advertisement contain specific information, including:

  • A 'clear and conspicuous' opt out method on the first page of the fax
  • A statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful
  • A telephone number, fax number, and cost-free mechanism to opt-out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week

Online Privacy

Cookies

There is no specific federal law that regulates the use of cookies, web beacons, Flash LSOs and other similar tracking mechanisms. However, undisclosed online tracking of customer activities poses class action risk. The use of cookies and similar tracking mechanisms should be carefully and fully disclosed in a website privacy policy. Furthermore, it is a best practice for websites that allow behavioral advertising on their websites to participate in the Digital Advertising Alliance code of conduct, which includes displaying an icon from which users can opt-out of being tracked for behavioral advertising purposes. Under California law, any company that tracks any personally identifiable information about consumers over time and across multiple websites must disclose in its privacy policy whether the company honors any 'Do-Not-Track' method or provides users a way to opt out of such tracking; however, the law does not mandate that companies provide consumers a 'Do-Not-Track' option.. The same law also requires website operators to disclose in their privacy policy whether any third parties may collect any personally identifiable information about consumers on their website and across other third party websites, and prohibits the advertising of certain products, services and materials (including alcohol, tobacco, firearms, certain dietary supplements, ultraviolet tanning, tattoos, obscene matters, etc.).

Minors

Effective January 1, 2015, California law will require that operators of websites or online services that are directed to minors or that knowingly collect personally identifiable information from minors permit minors that are registered users of their sites to remove any content the minor has posted from the site or online service. The law does not give minors the right to remove information posted by third parties. Minors must be give clear notice on how to exercise their right to removal.

Location Data

Privacy requirements of location-based apps and services is in flux and is a subject of extensive interest and debate. Federal Communications Commission regulations govern the collection and disclosure of location information by telecommunications carriers, including wireless carriers. Further, any location service that targets children under the age of 13 or has actual knowledge that it is collecting location information from children under age 13 must comply with the requirements of the Children's Online Privacy Protection Act (COPPA) Rules—including obtaining prior verifiable parental consent in most circumstances. Both the Federal Trade Commission and California Attorney General’s Office have issued best practices recommendations for mobile apps and mobile app platforms, and the California Attorney General has entered into an agreement with major app platforms in which they promise to prompt mobile apps to post privacy policies.

Furthermore, a Department of Commerce-led multi-stakeholder negotiation to develop a code of conduct for mobile app privacy is well underway.