November 15, 2022
Estimated reading time: 8 minutes
US data regulation: an overview
Unlike other jurisdictions around the world, the United States has no principal federal data regulation. Instead, businesses must comply with a variety of US data regulations imposed at the state (and sometimes federal) level when dealing with the personal data of customers and clients.
The US regulatory environment stands in contrast to the EU, for example, which implemented the General Data Protection Regulation (GDPR) in 2018. A landmark regulation, the GDPR imposes a range of strict compliance standards on how businesses may collect, store, and use personal data within the bloc. Although it left the EU in 2020, the UK also committed to implementing the GDPR and did so via the Data Protection Act 2018. The GDPR was the first comprehensive data regulation of its kind in Europe and is regarded internationally as an important legislative standard.
Compared to the EU, the US data protection landscape remains fragmented and administratively challenging for businesses with international footprints. However, despite the lack of a federal data regulation, there are signs that the US is moving towards a more standardized data landscape, with individual states leading the effort to impose data privacy rules.
With that in mind, companies that do business or that are seeking to expand in the US should ensure they understand its data landscape, and how it might change in the future.
History of US data regulation
While it has no comprehensive federal data protection regulation, the US has had limited forms of privacy legislation on the books since the seventies. Key examples include:
The US Privacy Act: Specifically relating to the use of computerized databases, the US Privacy Act was passed in 1974 and introduced requirements for government agencies to reveal, upon request, any information they were holding on private citizens. The Act also set out rules on how that information could be shared with other organizations.
HIPAA: In 1996, the US introduced data privacy regulations for the handling of personal healthcare-related data. The Health Insurance Portability and Accountability Act (HIPAA) included protections for online medical records and rules for how the data within them could be disclosed without patient authorization.
GLBA: In 1999, the Gramm-Leach-Bliley Act (GLBA) introduced data privacy rules for financial service providers. The GLBA required financial institutions to implement safeguards for their client’s sensitive data and be transparent about how they were using client information.
COPPA: In 2000, the US government introduced the Children’s Online Privacy Protection Act (COPPA). Enforced by the Federal Trade Commission, COPPA set out protections for the personal data of children under 13 years of age by imposing rules on the owners and operators of websites. COPPA was updated in 2013 to reflect advances in technology, such as the increased use of smartphones.
Current US data protection landscape: key regulations
In an increasingly high-risk online landscape, with cybercrimes and data breaches causing rising concern about the treatment of personal data, some US states have acted to regulate in the absence of federal laws.
California Consumer Privacy Act
In January 2020, the California Consumer Privacy Act (CCPA) came into effect in the state of California. The Act was passed in 2018 and followed the EU’s GDPR footsteps – it was a move to modernize the data regulation landscape to account for new types of threats, such as the ubiquity of digitized personal information and the increasing sophistication of cyber-attacks. The CCPA is a state-level law but applies to all organizations that operate in California and that generate over $25 million per year. It also applies to businesses that buy or sell the personal data of 100,00 customers or more, or that generate over 50% of their revenue by selling personal data.
Like the GDPR, the CCPA sets out the following rights and responsibilities regarding the treatment of personal data:
- California residents have the right to know what kind of personal data businesses are collecting.
- California residents have the right to know if businesses are selling their personal data to third parties and forbid businesses from doing so.
- Businesses must allow California residents to access their personal data upon request, and must also delete that data upon request.
- Businesses must not treat California residents with prejudice if they choose to exercise their CCPA rights.
Virginia Consumer Data Protection Act
In March 2021, Virginia’s state legislature passed the Virginia Consumer Data Protection Act (VCDPA) into law. Following the CCPA, the VCDPA is scheduled to come into effect on 1 January 2023 and will offer residents of Virginia greater control over the way their personal data is handled by corporations.
The VCDPA shares a lot of regulatory detail with the CCPA, and sets out the following rights and responsibilities:
- Consumers have the right to access their personal data upon request, and to request that businesses delete their data.
- Businesses must obtain consent from their customers before processing personal data.
- Businesses must disclose the purposes of personal data collection and inform customers what kind of personal data is being collected.
The VCDPA applies to all firms in Virginia that process the personal data of at least 100,000 customers per year, or that process the data of 25,000 customers while deriving over 50% of their profits from selling that data.
The Colorado Privacy Act
The Colorado Privacy Act (CPA) was passed by Colorado in July 2021 and will come into effect, like the VCDPA, on 1 July 2023. The Act gives residents of Colorado the right to:
- Prevent businesses from selling their personal data.
- Opt out of their personal data being used for targeted advertising.
- Access, correct, and delete personal data held by businesses.
The Act applies to all businesses in Colorado that process the data of at least 100,000 customers and that intentionally target residents of the state with products and services. It also applies to businesses that generate profits from the sale of the personal data of at least 25,000 customers. Unlike the CCPA and the VCDPA, the CPA does not put a threshold on the revenue generated by the sale of data for the law to be applicable.
The US data regulation horizon
Many US states are following the example set by California, Colorado, and Virginia, with data protection regulations set to come into effect in 2023 and beyond. The data protection regulations typically follow the precedents set by other states, in that they apply in similar contexts and that they confer rights of data access on consumers, and data disclosure responsibilities on businesses.
Upcoming state data protection regulations include:
- The Connecticut Data Privacy Act – in effect from 1 July 2023.
- The Utah Consumer Privacy Act – in effect from 31 December 2023.
The American Data Privacy Protection Act
The US federal government has not been entirely inactive when it comes to data protection regulation. Following the state-level laws, the US Senate introduced a proposal for the American Data Privacy Protection Act (ADPPA) in July 2022.
The ADPPA will be a single law that applies to all personal data held by businesses in US jurisdiction and will, if passed, be the US’ first comprehensive data privacy law. The ADPPA will, like the GDPR, introduce data access rights for individuals, and impose restrictions on what businesses can do with the personal data they hold.
Data regulation compliance challenges
In principle, the implementation of data protection regulations, such as the CCPA, requires US businesses to review their regulatory compliance solutions, focusing on processes that involve collecting and analyzing personal data.
Banks and financial service providers should be particularly careful about data regulation compliance since they will likely be handling customer data regularly and in many ways. Digital banks and other online businesses, for example, may be collecting an array of electronic personal data, including customers’ IP addresses and the locations from which they are accessing services. It’s also worth remembering that, in many financial service contexts, compliance processes, including cyber-security, are outsourced to third-party providers. In these cases, the data controllers (ie, the banks that collect the customer information) must verify that these third parties are also compliant with the relevant data regulations.
AML/CFT data exceptions
While the various state data protection regulations enhance consumer protections, they may cause particular compliance challenges in relation to compliance with US anti-money laundering (AML) and counter-financing of terrorism (CFT) laws, such as the Bank Secrecy Act (BSA) and the Patriot Act.
These key AML/CFT laws require businesses to obtain, analyze, and often share personal information with third parties and the authorities in order to establish criminal risk, and prevent criminal activities – often without alerting customers that their data will be used in this way. In theory, comprehensive compliance with regulations such as the CCPA, the CPA, and the VCDPA, would prevent businesses from collecting the data necessary to detect activities such as money laundering, and potentially even alert criminals, making it easier for them to evade scrutiny.
With that in mind, the state-level data protection regulations outlined above include exceptions for the BSA and the Patriot Act. In contexts, where information is collected in order to establish customer identities, or to prevent criminal acts such as fraud, the requirements of CCPA-style data protection rules tend not to apply.
Ever thought about using AI to automate data regulations? CUBE RegPlatform is the ideal solution for navigating published and upcoming data regulations that matter specifically to your business.
With our “quick search” feature, choose predefined filters that are relevant such as jurisdictions and issuing bodies to filter out all the noise. Rather than get lost in hundreds of pages of search results – CUBE simplifies the change management process to close your firm’s compliance gaps.
Our Machine Learning uses previous viewing histories and what has been tagged in the past to present articles that may be of relevance. Whilst our horizon scanning module helps firms to anticipate new regulatory changes – ensuring that your business stays ahead of proposed changes to data protection regulation based on different jurisdictions. This includes a range of formats, from news pieces, speeches, and policy statements to consultations and proposed rules.
The CUBE platform can maintain a unique profile for an organization and map this profile to relevant regulatory content.
Overcome data regulation gaps today.