Support Centre

USA Federal

Summary

Law: There is no general federal privacy regulation yet, however, House Resolution (HR) 8152 for the federal American Data Privacy and Protection Act (ADPPA) has been tabled and will now be submitted to the U.S. House of Representatives. In addition, multiple sectoral laws apply on a federal level.

Regulator: The Federal Trade Commission (FTC) takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. Moreover, under the ADPPA the FTC would have the authority to issue regulations for companies to comply with a newly introduced requirement to implement security practices to protect and secure personal data against unauthorised access. Furthermore, under the ADPPA, the FTC would be provided with the authority to enforce such requirements, together with state attorneys general (AGs) and the California Privacy Protection Agency (CPPA).

Summary: The ADPPA establishes requirements for how companies handle personal data; specifically, it requires covered entities and service providers to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Additionally, the ADPPA sets out legal protections for consumers' data, including the right to access, correct, and delete their personal data, and requires companies to provide individuals with a means to opt-out of targeted advertising. Lastly, the ADPPA would generally pre-empt state laws that are covered by its provisions, except for certain categories of state laws and specified laws in Illinois and California.

Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 (GLBA), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 (COPPA), which imposes requirements on operators of websites or online services directed to children under 13 years old. The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain security of sensitive consumer information. The USA also participates in the Privacy Shield Framework with Switzerland, as well as the Asia Pacific Cross-Border Privacy Rules system, both of which allow for the seamless flow of data to other jurisdictions.

Furthermore, on July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization.

Other key laws and regulations include:

Insights

The prevalence of digital health services in the US has grown dramatically in recent years, prompted by factors such as the COVID-19 pandemic along with technological advancements in cloud computing, mobile applications, wearable devices, artificial intelligence (AI), and medical research. As the healthcare ecosystem rapidly digitizes health data to fuel these technological advancements, lawmakers and regulators seek to address evolving privacy and security challenges.

In this Insight article, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher, from Epstein Becker & Green, P.C., explore the evolving federal legal landscape governing health data in the US through the lens of the regulatory agencies responsible for oversight and enforcement of the relevant laws and regulations. The article also describes related implications for organizations whose activities involve the collection, use, or disclosure of health information. A separate article examining state laws and legislation is forthcoming.

India's commitment towards the promotion and development of artificial intelligence (AI) was recently highlighted in the Union Budget of 2024-25 that was announced by the Indian government in July 2024. The Budget allocated $65 million exclusively to the IndiaAI Mission, an ambitious $1.1 billion program that was announced earlier this year to focus on AI research and infrastructure in India. It has also widely been reported that the Ministry of Electronics and Information Technology (MeitY) is in the process of formulating a national AI policy, which is set to address a wide spectrum of issues including the infringement of intellectual property rights and the development of responsible AI. As per reports, MeitY is also analyzing the AI frameworks of other jurisdictions to include learnings from these frameworks in its national AI policy. Part I of this series focussed on understanding the regulatory approaches adopted by some key jurisdictions like the EU and the USA. In Part two, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, explore measures that India can adopt, and lessons it can take from such markets, in its journey in the governance of AI systems.

In the past few years, the digital market has witnessed an outpour of artificial intelligence (AI) systems, with the AI market expected to reach a valuation of nearly $2 trillion by 2030. However, the surge in the use of AI has led to the birth of several pertinent issues ranging from concerns about data privacy and intellectual property rights infringements to issues around transparency and ethical concerns, among others. In the first part of this series on navigating the AI frontier, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, aim to analyze and assess the regulatory position around AI in three key jurisdictions, namely the EU, USA, and India. Part two of this series will evaluate the diverse approaches of these jurisdictions and the learnings that India can adopt from the EU and the USA while framing its own set of AI regulations, as well as what lies ahead for India in the AI regulatory space.

On June 28, 2024, the Supreme Court issued its decision in Loper Bright Enterprises v. Raimondo, written by Justice Roberts, holding that courts should exercise independent judgment in deciding whether an agency acted within its statutory authority, and not defer to an agency's interpretation of the law simply because a statute is ambiguous. The decision overturns decades of precedent and thousands of cases premised on the Supreme Court's 1984 decision in Chevron v. Natural Resources Defense Council.

Given the lack of a comprehensive federal privacy law, and fairly high-level coverage in federal statutes addressing data privacy, federal agencies have historically exercised significant discretion in driving regulatory and enforcement activities around data privacy, so the Loper decision may have a significant impact in this area. In this Insight article, Mark Francis, Partner at Holland & Knight LLP, addresses several key areas for attention.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell introduced the American Privacy Rights Act 2024 (the Bill), aimed at establishing robust national data privacy standards with a focus on consumer control over personal information. Since its initial release, the Bill has evolved while being reviewed by the House Energy & Commerce Committee (the Updated Draft). In this Insight Q&A article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia, from Lewis Rice LLC, delve into key provisions, limitations, and implications of this proposed legislation. They address frequently asked questions, offering valuable insights into how the Bill could reshape data privacy regulations in the US. This Q&A article was updated on June 18, 2024, based upon the amendments made by the House Energy & Commerce Committee in the Updated Draft. This Q&A article was further updated on July 12, 2024, based upon the amendments made by the House Energy & Commerce Committee, which were introduced as House Bill 8818.

On April 7, 2024, a bipartisan, bicameral Act was introduced. It aims to establish a federal-level comprehensive privacy law and eliminate the growing patchwork of US state-level comprehensive privacy laws. The initial draft of the Act has evolved since its introduction and was recently introduced as House Bill 8818 (House Bill). In this Insight article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia summarize the differences between the American Privacy Rights Act (APRA) Bill (the Bill) released on April 7, 2024, the Updated Draft of the APRA (the Updated Draft) released on May 23, 2024, and the House Bill introduced on June 25, 2024, in seven fundamental areas (scope; data minimization and restrictions; consumer rights; civil rights, algorithms, and impact assessments; opt-out rights; protections for children; preemption; and enforcement).

The American Privacy Rights Act 2024 (APRA) was released on April 7, 2024, by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell. Thereafter, on May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the APRA. The revised APRA retains the provisions of the original draft while introducing certain amendments, including the Children's Online Privacy Protection Act 2.0. (COPPA 2.0). In this article, OneTrust DataGuidance Research breaks down the main provisions of the APRA, including the revisions.

The US privacy landscape has seen significant change in the past year, through the introduction of various state privacy legislation and federal initiatives. On June 23, 2024, the Protecting Americans' Data from Foreign Adversaries Act of 2024 (the Act) under Division I of House Resolution 815 Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes (House Resolution 815) entered into force. OneTrust DataGuidance breaks down the key provisions of the Act with expert comments from Mark Francis, Partner at Holland & Knight LLP.

In the US, privacy laws are quickly evolving - especially for financial services companies. A significant number of states are passing or contemplating laws to protect personal information, including consumer financial information. At the same time, U.S. federal regulators are either initiating or updating laws and regulations, including recent changes to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the U.S. Congress considering a federal privacy law. This ever-changing landscape makes it challenging for financial institutions to navigate whether state privacy laws apply to their operations. In this Insight article, Eyvonne Mallet, Of Counsel at Loeb & Loeb LLP, outlines current state privacy law exemptions for financial institutions and suggests best practices for businesses in the financial space.

Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

In part one of this Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answered common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws. In part two, they delve into the specific obligations of controllers under these laws and highlight the key differences between them.

Three states - Kentucky, Maryland, and Nebraska - welcomed Spring 2024 by passing comprehensive consumer privacy laws, joining the laws in New Hampshire and New Jersey enacted earlier this year. With the five new laws enacted in early Q2 2024, more than one-third of states have consumer privacy laws on the books.

In this part one Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answer common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws.