
Data Privacy Legislation: What is it and how does it affect your company

October 02, 2023, by Victoria Savage

As more of our personal and private information is stored and transmitted online, data privacy has become a major concern for individuals and businesses alike. In the United States, there have been numerous attempts to establish comprehensive data privacy legislation, but progress has been slow and often contentious.

In this blog post, we’ll take a closer look at the current state of data privacy legislation in the United States and what it means for you and your company.

What is data privacy?

Data privacy refers to the protection of an individual’s personal information from unauthorized access or misuse. It involves ensuring that data is collected, processed, and stored in a way that respects individuals’ rights and prevents the data from falling into the wrong hands. This can include sensitive information such as financial data, health records, and personal identifiers like Social Security numbers.

How did data privacy concerns evolve?

With the rise of cloud data storage, the IoT, and the dominance of social media, individuals recognized the potential risks associated with sharing personal data online. High-profile data breaches and unauthorized data access incidents also contributed to growing concerns about the privacy and security of personal information.

As awareness of data privacy rights and concerns grew, many individuals and organizations advocated for greater transparency, accountability, and protection of personal data. Governments around the world responded by introducing legislation governing the use, storage, and transmission of personal and private data.

Through these efforts, the first pieces of data privacy legislation were enacted.

Milestones in US Data Privacy Legislation

Below are some of the major pieces of privacy legislation that have been introduced in the United States over the years.


Privacy Act of 1974

The Privacy Act of 1974 is a federal law that aims to protect individuals’ privacy rights by regulating the collection, use, and disclosure of personal information by federal agencies. It ensures that people are informed about the information collected by the government and have the right to access and correct it if needed. Additionally, the Privacy Act establishes guidelines for federal agencies to use and share personal information while imposing penalties for any unauthorized disclosure.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that aims to safeguard individuals’ medical records and personal health information from unauthorized disclosure. HIPAA sets national standards to regulate the handling of personal health information by healthcare providers, insurance companies, and other entities. Furthermore, the law grants individuals the right to manage and access their medical information, and violations of its provisions are subject to penalties.

Gramm-Leach-Bliley Act (GLBA)

Under the Gramm-Leach-Bliley Act (GLBA), financial institutions are required by federal law to safeguard their customers’ personal financial information. The act includes provisions for protecting information, providing privacy notices, and allowing customers to opt out of information sharing. GLBA applies to banks, credit unions, and other financial institutions, and non-compliance can have serious consequences, including fines and legal action.

Children’s Online Privacy Protection Act (COPPA)

In order to safeguard the privacy and personal data of children under the age of 13 who utilize the internet, the federal government has enacted the Children’s Online Privacy Protection Act (COPPA). Websites and online services must obtain parental consent before collecting any personal information from children, which includes details like name, address, phone number, and email address. Additionally, companies must provide a clear explanation of their data collection practices and offer parents the ability to review and delete their child’s personal information.

GDPR: International Influence on US Legislation

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a regulation in the European Union that gives individuals greater control over their personal data. Businesses are required to obtain explicit consent before collecting and processing personal data, as well as giving individuals access to their data and the ability to request its deletion. Additionally, it imposes severe penalties for non-compliance.

Impact of GDPR on US Data Privacy Legislation

The GDPR is considered one of the strongest pieces of data privacy legislation in the world today. It’s changed the landscape of data protection in the United States for two different reasons.

Firstly, companies that are not based in the EU, but interact with EU citizens, are also required to comply with the GDPR standards. Secondly, it’s changed the way that modern data privacy legislation is being written in the United States. Where most laws used to cover specific industries, new legislation being passed at the state level is industry agnostic, and focuses on the need for individuals’ data to be protected regardless of what type of business is obtaining and storing it.

This has meant that even more businesses, especially smaller businesses in previously low-risk industries, are being required to comply with stringent data protection requirements.

Recent Developments in US Data Privacy Legislation

There are now wide-ranging data privacy laws in twelve different US states, including:

There’s also some new proposed federal legislation, including the Consumer Online Privacy Rights Act (COPRA) and the Information Transparency and Personal Data Control Act.

What do the current US data privacy laws include?

Modern data privacy laws in the United States have requirements that fall into two main categories: consumer protections and business obligations.


Through these laws, consumers are granted the right to access their information, correct it, and have it deleted. They are also granted the right to opt out of having their data processed in the first place, or transferred from one place to another.

On the other hand, businesses are obligated to:

  • Offer opt-in data collection procedures by default, especially to minors;
  • Notify consumers about their data practices and privacy programs;
  • Conduct thorough risk assessments of their data practices;
  • Not treat consumers differently whether or not they exercise their privacy rights;
  • Not collect or process data except for a specific, intended purpose.

The other element of data privacy legislation is data breach notification and remediation requirements. These can require businesses to:

  • Notify those affected by a data breach within a set number of days;
  • Notify the Attorney General in their State;
  • Notify the consumer reporting agency;
  • Face financial penalties and fines;
  • Pay for credit monitoring for those affected by the data breach.

How to protect your business and clients from data privacy law violations

The effects of a data breach on your company can be far-reaching and damage your long-term business outlook. Luckily, there are things you can do to stay in compliance with data privacy laws and protect your clients’ data and your business from damaging attacks.

  • Security by design: Design your data collection and retention practices with the strongest data privacy practices in mind. Consider the principle of least privilege — users and programs should only have access to information that is absolutely necessary, and no more.
  • Cybersecurity training: Users are often the weakest link in the security chain. Ensure that all employees who can access client information are aware of the legal requirements around storing and using data, and follow best practices for security.
  • Implement security tools: Many data privacy laws require users with access to private data to have security tools, such as Multi-Factor Authentication (MFA), implemented on their accounts. MFA can help prevent malicious actors from accessing private data and accounts, and keeps your business in compliance.

MFA and Data Privacy Legislation

So far, data privacy legislation has deliberately avoided requiring specific cybersecurity tools for compliance, and has instead called for risk-assessment-based recommendations for keeping your clients and business secure.

In many cases, robust security tools implemented comprehensively can help you meet compliance regardless of your risk profile.

For example, official GDPR guidance recommends that companies assessed as high-risk implement some form of two-factor authentication. Similarly, HIPAA requires that healthcare organizations have secure authentication practices in place, and official guidelines say that, depending on your risk assessment, MFA is the recommended way to meet that requirement.

More stringent are the updated GLBA standards, which do require MFA on all accounts that have access to customer data. The updated GLBA requirements could be a sign of changing thinking around how essential MFA is to secure authentication.

Like GLBA, it’s likely that more privacy legislation will require more than one authentication factor for accounts with access to customer information.


As data privacy laws expand to more areas of jurisdiction and industries, it’s important for businesses to be aware of the rules and regulations around the storage, transportation and processing of private data.

Avoiding data breaches — which come with costly repercussions — through improved security tooling and awareness is a critical step that businesses can take to protect consumers and businesses alike.
