Data privacy laws exist to protect individuals' personally identifiable information (PII) from mishandling, abuse, and malicious use.
Such privacy laws define how entities can handle, secure, and share data. For example, data privacy laws that pertain to the United States government define how government agencies must treat the personal data of U.S. citizens.
Other data privacy laws might apply only to businesses. In that case, companies must follow those regulations to protect the personal data of their users, consumers, and customers.
There are a handful of federal and state data privacy laws in addition to international regulations like the GDPR. In future articles, we'll explore various state laws and examine GDPR and its updates since its adoption in 2016.
In this post, however, we'll delve into four of the major U.S. federal data privacy laws:
• The Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act (GLBA)
• Children's Online Privacy Protection Act (COPPA)
Let's get to it.
Enacted December 31, 1974, the Privacy Act of 1974 was designed by its authors "to balance the government's need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from federal agencies' collection, maintenance, use, and disclosure of personal information about them." (Source: Bureau of Justice Assistance).
The Act has four primary policy objectives:
1. To restrict disclosure of PII maintained by government agencies.
2. To grant increased rights to individuals to access agency records regarding their PII.
3. To grant individuals the right to amend agency records regarding their PII if the records are not accurate, relevant, timely, or complete.
4. To establish "fair information practices" that require agencies to follow statutory standards for collecting, maintaining, and sharing PII records.
For a law to have teeth, it must have penalties for violations and non-compliance. Government agencies can be fined or sued for violations, including:
• Refusing to amend an individual's record upon request
• Willfully disclosing PII
• Maintaining records without revealing their existence
We wrote a complete 3-part series on HIPAA, covering HIPAA history, entities vs. business associates, HIPAA rules (privacy, security, breach notification, and omnibus), compliance requirements, violations and fines, third-party validation, and more.
To summarize, HIPAA is a federal data privacy law intended to protect individuals' medical Protected Health Information (PHI) and electronic Protected Health Information (ePHI). HIPAA also grants several rights to patients, including access and amendments to their PHI/ePHI.
Start reading part 1 of our HIPAA series here.
The GLBA, also known as the Financial Services Modernization Act, was signed into law in 1999 by the 106th United States Congress. GLBA requires financial institutions, providers, and services to abide by the following rules:
• Pretexting Protection - prohibits pretexting, a social engineering attack in which someone attempts to gain unauthorized access to non-public personal information.
• Safeguards Rule - requires a documented information security program to safeguard customer data from unauthorized access.
• Financial Privacy Rule - consumers must receive a privacy notice describing what information is collected and how it is used, shared, and protected, along with their opt-out rights.
If financial institutions (or their employees) violate GLBA, penalties can be severe, including fines and imprisonment.
Enacted by Congress in 1998, COPPA aims to protect the online privacy of children under 13 years old. The Act applies to websites, apps, and services directed to children, including foreign websites directed towards U.S. children.
Lawmakers created COPPA in response to the increased use of internet marketing techniques that collect children's PII without parental awareness, consent, or notification.
Here are a few of the obligations that websites, online services, and apps directed at children must meet under COPPA:
• Instituting and maintaining protection procedures for the confidentiality, integrity, and availability of PII collected from children under 13
• Providing ways for parents to review the PII collected from their child and to refuse further collection or use
• Obtaining verifiable consent from parents before any collection, use, and disclosure of children's PII
COPPA is enforced by the Federal Trade Commission (FTC), states, and other federal agencies, depending on the jurisdiction. Penalties include fines of up to $16,000 per violation, depending on various factors like previous violations, the seriousness of offenses, the number of children involved, and others.
These four major U.S. federal data privacy laws give a good overview of how PII is defined, treated, and protected in the United States.
What's in store for the future?
One bill, the American Data Privacy and Protection Act (ADPPA), is making progress in the federal legislative process. Could this bill be a U.S. equivalent of the EU's GDPR? Only time will tell. In the meantime, be sure any business services your company uses follow the letter of the law.
Does your marketing meet modern data security standards and relevant privacy laws? Sign up for a 1-hour Secure Mail assessment to review your current program to see if we have ways we can help you keep your business secure now and in the future.