USA Federal
Summary
Law: There is no general federal privacy regulation yet; however, House Resolution (HR) 8152 for the federal American Data Privacy and Protection Act (ADPPA) has been tabled and will now be submitted to the U.S. House of Representatives. In addition, multiple sectoral laws apply on a federal level.
Regulator: The Federal Trade Commission (FTC) takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. Moreover, under the ADPPA the FTC would have the authority to issue regulations for companies to comply with a newly introduced requirement to implement security practices to protect and secure personal data against unauthorised access. Furthermore, under the ADPPA, the FTC would be provided with the authority to enforce such requirements, together with state attorneys general (AGs) and the California Privacy Protection Agency (CPPA).
Summary: The ADPPA establishes requirements for how companies handle personal data. Specifically, it requires covered entities and service providers to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Additionally, the ADPPA sets out legal protections for consumers' data, including the right to access, correct, and delete their personal data, and requires companies to provide individuals with a means to opt out of targeted advertising. Lastly, the ADPPA would generally pre-empt state laws that are covered by its provisions, except for certain categories of state laws and specified laws in Illinois and California.
Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 (GLBA), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 (COPPA), which imposes requirements on operators of websites or online services directed to children under 13 years old. The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator, resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain the security of sensitive consumer information. The USA also participates in the Privacy Shield Framework with Switzerland, as well as the Asia Pacific Cross-Border Privacy Rules system, both of which allow for the seamless flow of data to other jurisdictions.
Furthermore, on July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization.
Other key laws and regulations include:
- Electronic Communications Privacy Act of 1986
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
- Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 (TCFAPA)
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
- Fair Credit Reporting Act of 1970 (FCRA)
- Telephone Consumer Protection Act of 1991 (TCPA)
- Privacy Act of 1974
- Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- Video Privacy Protection Act of 1988 (VPPA)