With the devastating data breach incidents of the past years, Americans are increasingly troubled by data security issues. According to Pew research, the majority of Americans report being concerned about the way their data is being used by companies (79%) or the government (64%). What’s more, 63% of Americans admit that they understand little or nothing about the laws protecting their security.
If Americans are confused, it is for good reason. Unlike the EU, which is covered by the toughest privacy and security law in the world, the General Data Protection Regulation (GDPR), the US has limited data security laws at the federal level. Instead, a patchwork of data security laws is written and enforced by the states. The most effective and influential of these laws is the California Consumer Privacy Act (CCPA), which came into effect on January 1st, 2020, not a moment too soon.
In this post, we’ll walk you through the data security laws you need to know in the US.
- What is Data Security?
- EU vs. US Privacy Laws
- Data Security Laws in the USA
- The California Consumer Privacy Act
Data security is the practice of protecting digital information from unauthorized access, corruption, or theft. This starts with the physical security of hardware and storage devices, and extends to technical measures and administrative controls, as well as organizational policies and procedures.
Data breaches can spell disaster for individuals and organizations alike, threatening strategic information, monetary assets, and intellectual property. Even though GDPR levies fines of up to €20 million or 4% of a business’s global annual revenue for data breaches, that may not be the worst of a leaky organization’s problems. Breaches compromise a business’s reputation and have a detrimental impact on consumer trust. Businesses must invest in data security measures; they really can’t afford not to.
While Europe’s GDPR went into effect in May 2018, the U.S. was and remains something of a data security wild west.
GDPR focuses on protecting personal data, which is to say, any information that directly or indirectly identifies a person, such as a person’s name, location, or IP address. The regulation gives consumers the right to access their data, to delete it, and to opt out of processing at any time. It also grants consumers the right to correct or rectify inaccurate personal data, and it requires explicit consent at the point where consumers hand over their data.
In short, GDPR obligates organizations to implement all “appropriate technical and organizational measures” to protect user data. Organizations must be able to demonstrate their compliance and GDPR imposes hefty fines on those that cannot. There is also a strict timeline for organizations to report a breach if one should occur.
If 8 out of 10 Americans are concerned about how their personal data is being used, why don’t data security laws in the US replicate those of GDPR? According to The Washington Post, it is unlikely that American legislators will pass a data protection law of GDPR’s caliber.
Unlike European countries, the US has no data privacy authority. The Federal Trade Commission (FTC) has only been able to tackle tech and social media companies for misleading “representations.” That is to say, if a social media company (ahem, Facebook) tells users in agreements and notices that it won’t sell their data and this claim turns out to be false, the FTC can file a complaint. But if the company doesn’t make such declarations, it falls outside of the FTC’s authority.
Data security legislation has repeatedly failed to get through Congress. If Americans want to see change, they’re going to have to make a fuss.
Following Cambridge Analytica’s infamous misuse of Facebook data, Americans have started paying more attention to data privacy laws. Keeping track of federal laws governing data security is easy; there are few.
- The US Privacy Act of 1974 restricts data held by US government agencies and allows US citizens to access their data and correct errors.
- The Health Insurance Portability and Accountability Act (HIPAA) is a broad bill with two important privacy clauses. The Security Rule and the Privacy Rule govern the collection of Protected Health Information (PHI). Only a healthcare provider or a “covered entity” can use patient data for “treatment, payment, and health care operations.”
- The Children’s Online Privacy Protection Act (COPPA) governs the collection of information about minors, prohibiting online companies from asking for information from children aged 12 and under without parental consent.
- The Gramm-Leach-Bliley Act (GLBA) protects nonpublic personal information (NPI) collected by banks and financial institutions. However, for third-party companies affiliated with the bank or insurance company, consumers have no legal privacy controls.
In the absence of federal regulations, state-level data security laws are becoming increasingly common. Since California passed the CCPA in 2018, New York, Maryland, Massachusetts, Hawaii, and North Dakota have also drummed up their own data privacy laws.
New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act came into effect in March 2020. This law broadens the scope of consumer privacy and protects New York residents from data breaches.
The CCPA may have no equivalent at the federal level, but it functions as a de facto national standard. This is because the sheer number of Californians means most businesses in the country will have to comply.
The CCPA defines personal information as that which “identifies, relates to, or could reasonably be linked with you or your household.” It also protects “probabilistic identifiers,” meaning data that makes it reasonably likely that a particular person can be identified.
Rights Provided by the CCPA
- Right to know: Under the CCPA, consumers have a right to access the categories and specific pieces of personal information held by a covered business.
- Right to delete: Similar to GDPR, consumers can request that companies delete their personal information.
- Right to opt out: Consumers can request that businesses stop selling their personal information. Businesses must notify consumers before sales and offer an opportunity to opt out.
- Non-discrimination: Businesses cannot discriminate against those who exercise their rights under the CCPA, nor ask consumers to waive these rights.
Who Does the CCPA Apply to?
If a business in California meets at least one of the following thresholds, it is subject to compliance. The CCPA applies to businesses that:
- Earn $25,000,000 or more a year in revenue.
- Annually buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices for commercial purposes.
- Derive 50% or more of their annual revenue from selling consumers’ personal information.
Under the CCPA, California citizens can bring a civil action lawsuit against companies that are not in compliance. The state can also bring these charges against a company directly, and can levy a $7,500 fine for any violation not addressed within 30 days.
Managing Data Security Compliance
As legislation like the CCPA and GDPR becomes more common, and more strict, businesses are taking note and rethinking their internal policies. Don’t expect this to be the last privacy act! Companies must be prepared to meet stringent privacy regulations in the future. That starts with protecting employee data with compliant software.