Support Centre

USA Federal


Law: There is no general federal privacy regulation yet, however, House Resolution ('HR') 8152 for the federal American Data Privacy and Protection Act ('ADPPA') has been tabled and will now be submitted to the U.S. House of Representatives. In addition, multiple sectoral laws apply on a federal level.

Regulator: The Federal Trade Commission ('FTC') takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. Moreover, under the ADPPA the FTC would have the authority to issue regulations for companies to comply with a newly introduced requirement to implement security practices to protect and secure personal data against unauthorised access. Furthermore, under the ADPPA, the FTC would be provided with the authority to enforce such requirements, together with state attorneys general ('AGs') and the California Privacy Protection Agency ('CPPA').

Summary: The ADPPA establishes requirements for how companies handle personal data, specifically it requires covered enitities and service providers to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Additionally, the ADPPA sets out legal protections for consumers' data, including the right to access, correct, and delete their personal data, and requires companies to provide individuals with a means to opt-out of targeted advertising. Lastly, the ADPPA would generally pre-empt state laws that are covered by its provisions, except for certain categories of state laws and specified laws in Illinois and California.

Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 ('GLBA'), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 ('COPPA'), which imposes requirements on operators of websites or online services directed to children under 13 years old. The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain security of sensitive consumer information. The USA also participates in the Privacy Shield Framework with Switzerland, as well as the Asia Pacific Cross-Border Privacy Rules system, both of which allow for the seamless flow of data to other jurisdictions.

Furthermore, on 7 October 2022, the US President signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the EU - U.S. Data Privacy Framework ('EU-US DPF'), which aims to restore the legal basis for transatlantic data flows by addressing concerns expressed by the Court of Justice of the European Union ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), whereby the Privacy Shield framework was invalidated as a EU-US data transfer mechanism.

Other key laws and regulations include:


The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') are two of the most important data protection regimes in place today. The former is a comprehensive data protection regime that applies generally to any information relating to an identified or identifiable natural person and the wide variety of organisations that collect and process the personal data of individuals in the EEA. In contrast, HIPAA is a much narrower US-based regime that only applies to protected health information ('PHI') and certain specified healthcare entities.

Christiana State and Brandon C. Ge, from Crowell & Moring LLP, explore key differences and similarities between the two jurisdictions' approaches to data protection with regard to health-related data.

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024. The CAADC will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children's Online Privacy and Protection of 1998 ('COPPA'), with the aim of better protection children's privacy and online safety. Nerissa Coyle McGinn, Partner at Loeb & Loeb LLP, provides a comparison between the provisions of the CAADC and COPPA, specifically looking at areas such as default privacy settings and privacy policy requirements.

Whether it is facial recognition technology ('FRT') being used by law enforcement or in connection with various physical security and access management applications, the use of fingerprint-based time management systems or voiceprint technologies to validate identity, applications in the public and private sectors involving the use of biometric identifiers and information continue to grow. Correlated with that growth are concerns about privacy and security, as well as civil liberties. Over the past few years, significant compliance and litigation risks have emerged factoring heavily into the deployment of biometric technologies, particularly facial recognition. Joseph J. Lazzarotti, Privacy, Principal at Jackson Lewis P.C., explores the current leglisation covering biometrics and privacy within the US, as well as the link between biometrics and bias.

The European Data Protection Board ('EDPB') published, on 28 February 2023, Opinion 5/2023 ('the Opinion') on the European Commission Draft Implementing Adequacy Decision ('the Draft Adequacy Decision') on the adequate protection of personal data under the European Union-US Data Privacy Framework ('EU-US DPF'). Overarchingly, the Opinion concludes that the EDPB welcomes the improvements introduced by the Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), whilst highlighting key areas of concern, as well as areas for further clarification. OneTrust DataGuidance Research provides a summary of the key issues considered by the EDPB in its Opinion.

In the fourth quarter of 2022, new hope emerged for transatlantic data flows with a pair of significant developments in the effort by the EU and the US governments to adopt a new mechanism for transferring the personal data of EU individuals to the US.

W. James Denvil and Julian B. Flamant, from Hogan Lovells, discuss key changes of Executive Order 14086 on Enhancing Safeguards for United States Signal Intelligence Activities ('the Executive Order') and the EU-US Data Privacy Framework ('EU-US DPF') and delve into the impact these have on companies carrying out transatlantic data transfers.

The New Year marks the entry into effect of various privacy legislation in the US along with amendments to existing privacy legislation. In particular, the California Privacy Rights Act of 2020 ('CPRA') which amends the California Consumer Privacy Act of 2018 ('CCPA'), and Virginia's Consumer Data Protection Act ('CDPA') entered into effect at the beginning of the year alongside Kentucky's House Bill 474 for an Act relating to insurance data security ('the Insurance Act').

Later in 2023, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTPDA'), the Colorado Privacy Act ('CPA') and Utah's Consumer Privacy Act ('UCPA') will enter into effect. OneTrust DataGuidance Research provides an overview of the impact these legislation will have with comments from Starr Drum, from Maynard Cooper Gale LLC., Paul Lanois, from Fieldfisher, Odia Kagan, from Fox Rothschild LLP, and Beth Waller and John Pilch from Woods Rogers.

The COVID-19 pandemic has made 'work-from-home' a common term and has changed how Americans think about the balance between work and life. Not only are employees regularly working productively for their employers without stepping into the office, many are doing so from entirely different cities and states. Ira Saxe and Jacob Canter, from Crowell & Moring LLP, provide some top tips on how to handle work-from-home employee information.

In the US, location tracking data constitutes personal data. According to the multi-state settlement reached by 40 US State Attorney Generals ('AGs') on 14 November 2022, on the use of location tracking data, companies should be aware of how location tracking technology should be used in accordance of data protection and privacy standards. OneTrust DataGuidance provides an insight into obligations relating to the use of location tracking technology and those specifically described in the settlement, including those relating to consent, disclosure, account controls, and limits on data use and retention, as highlighted in the settlement.

Just as the Gramm-Leach-Bliley Act of 1999 ('GLBA') permits US states to extend greater protections than afforded by the same, states can also choose to exempt GLBA-regulated entities from compliance with state privacy statutes. In this Insight article, David Zetoony and Jena Valdetero, from Greenberg Traurig LLP, discuss how the California Consumer Privacy Act of 2018 ('CCPA') and the California Privacy Rights Act of 2020 ('CPRA') apply to financial institutions, whilst also drawing comparisons to other state privacy statutes' exemptions for financial institutions.

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM Act') is a US federal law that establishes certain requirements for covered businesses that send emails and some text messages for 'commercial advertisement or promotion of a commercial product of service'. Specifically, the CAN-SPAM Act prohibits businesses from sending commercial messages that contain false or misleading information.

In this Insight article, Starr Drum, Shareholder at Maynard Cooper & Gale, LLP, details the scope of the obligations under the CAN-SPAM Act, highlights key requirements for covered entities, discusses the interplay between the CAN-SPAM Act and state legislation, and provides a look into the future of the CAN-SPAM Act's regulation and enforcement.