USA Federal
Summary
Law: There is no general federal privacy regulation yet, however, House Resolution ('HR') 8152 for the federal American Data Privacy and Protection Act ('ADPPA') has been tabled and will now be submitted to the U.S. House of Representatives. In addition, multiple sectoral laws apply on a federal level.
Regulator: The Federal Trade Commission ('FTC') takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. Moreover, under the ADPPA the FTC would have the authority to issue regulations for companies to comply with a newly introduced requirement to implement security practices to protect and secure personal data against unauthorised access. Furthermore, under the ADPPA, the FTC would be provided with the authority to enforce such requirements, together with state attorneys general ('AGs') and the California Privacy Protection Agency ('CPPA').
Summary: The ADPPA establishes requirements for how companies handle personal data; specifically, it requires covered entities and service providers to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Additionally, the ADPPA sets out legal protections for consumers' data, including the right to access, correct, and delete their personal data, and requires companies to provide individuals with a means to opt-out of targeted advertising. Lastly, the ADPPA would generally pre-empt state laws that are covered by its provisions, except for certain categories of state laws and specified laws in Illinois and California.
Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 ('GLBA'), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 ('COPPA'), which imposes requirements on operators of websites or online services directed to children under 13 years old. The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator, resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain the security of sensitive consumer information. The USA also participates in the Privacy Shield Framework with Switzerland, as well as the Asia Pacific Cross-Border Privacy Rules system, both of which allow for the seamless flow of data to other jurisdictions.
Furthermore, on 7 October 2022, the US President signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which directs the steps that the US will take to implement its commitments under the EU - U.S. Data Privacy Framework ('EU-US DPF'), which aims to restore the legal basis for transatlantic data flows by addressing concerns expressed in the Court of Justice of the European Union's ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18), whereby the Privacy Shield framework was invalidated as an EU-US data transfer mechanism.
Other key laws and regulations include:
- Electronic Communications Privacy Act of 1986
- Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH')
- Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 ('TCFAPA')
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM')
- Fair Credit Reporting Act of 1970 ('FCRA')
- Telephone Consumer Protection Act of 1991 ('TCPA')
- Privacy Act of 1974
- Fair and Accurate Credit Transactions Act of 2003 ('FACTA')
- Video Privacy Protection Act of 1988 ('VPPA')