USA Federal

Summary

Law: There is no general federal privacy regulation yet, however, House Resolution (HR) 8152 for the federal American Data Privacy and Protection Act (ADPPA) has been tabled and will now be submitted to the U.S. House of Representatives. In addition, multiple sectoral laws apply on a federal level.

Regulator: The Federal Trade Commission (FTC) takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. Moreover, under the ADPPA the FTC would have the authority to issue regulations for companies to comply with a newly introduced requirement to implement security practices to protect and secure personal data against unauthorised access. Furthermore, under the ADPPA, the FTC would be provided with the authority to enforce such requirements, together with state attorneys general (AGs) and the California Privacy Protection Agency (CPPA).

Summary: The ADPPA establishes requirements for how companies handle personal data; specifically, it requires covered entities and service providers to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Additionally, the ADPPA sets out legal protections for consumers' data, including the right to access, correct, and delete their personal data, and requires companies to provide individuals with a means to opt out of targeted advertising. Lastly, the ADPPA would generally pre-empt state laws that are covered by its provisions, except for certain categories of state laws and specified laws in Illinois and California.

Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 (GLBA), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 (COPPA), which imposes requirements on operators of websites or online services directed to children under 13 years old. The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain security of sensitive consumer information. The USA also participates in the Privacy Shield Framework with Switzerland, as well as the Asia Pacific Cross-Border Privacy Rules system, both of which allow for the seamless flow of data to other jurisdictions.

Furthermore, on July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization.

Other key laws and regulations include:

Insights

Kentucky's Governor Andy Beshear signed the Act Relating to Consumer Data Privacy as an addition to Kentucky's Consumer Protection Act (under Chapter 367 of the Kentucky Revised Statutes) on April 4, 2024. Kentucky's new privacy law is the 16th state consumer privacy law enacted in the US and the third in 2024. It shares many of the same features as the other comprehensive US state privacy laws. Julia Jacobson and Alexandra Kiosse, from Squire Patton Boggs, compare 2024's first three new consumer privacy laws.

In part one of this Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answered common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws. In part two, they delve into the specific obligations of controllers under these laws and highlight the key differences between them.

Three states - Kentucky, Maryland, and Nebraska - welcomed Spring 2024 by passing comprehensive consumer privacy laws, joining the laws in New Hampshire and New Jersey enacted earlier this year. With the five new laws enacted in early Q2 2024, more than one-third of states have consumer privacy laws on the books.

In this part one Insight article, Julia Jacobson, Alexandra Kiosse, and Alan Friel, from Squire Patton Boggs, answer common questions such as the scope of protection, effective dates, and applicability, about the three newest state consumer privacy laws.

Children's online privacy has become a top priority in the United States at both the federal and state levels. This focus has consistently been echoed in President Biden's State of the Union speeches in 2022, 2023, and again in 2024 where he unequivocally called on lawmakers to "pass bipartisan privacy legislation to protect our children online." As a result, efforts to protect children online have significantly increased in the past year, and it is expected that new measures will continue to be introduced in 2024. Key areas of policy, regulatory, and enforcement activity continue to focus on guardrails around behavioral tracking and targeted advertising towards minors, increased consent requirements to gain access to minors' personal information, and access to, as well as the use of, social media by minors. Alaap B. Shah and Lisa Pierce Reisz, from Epstein Becker & Green, P.C., discuss the developments across the US to further protect children online.

In this Insight article, Michelle Schaap, Partner at CSG Law, will discuss some (not all) notable distinctions between the failed American Data Privacy and Protection Act (ADPPA) and the draft American Privacy Rights Act (APRA). Not surprisingly, the two have many of the same terms, as the APRA drafters used the ADPPA as their starting point.

New tools for employers to increase productivity and efficiency continue to evolve as artificial intelligence (AI) and automated decision-making become more sophisticated and prevalent. These tools are particularly common in the hiring arena, where employers can use technology to screen, track, and even communicate with applicants. Large companies that receive hundreds or thousands of applicants per week can save a lot of time by deploying a tool that, for example, scores each applicant based on how closely they match a job description or extracts and summarizes relevant information from applications and hiring materials.

Legislators are now beginning to regulate the use of such tools in the employment context. In the absence of federal regulation, it appears likely that the US will have a patchwork of regulations passed on the local and state level, similar to the current privacy regulation landscape. Laura Schwalbe, from Aurelian Law PLLC, evaluates the current regulation of AI in the employment context and how this may evolve.

In this Insight article, Alan Friel and Kyle Dull, from Squire Patton Boggs, delve into the complexities of direct marketing regulations in the US, exploring the intricacies of federal and state laws, industry standards, and best practices to navigate the maze of compliance and foster consumer trust.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell introduced the American Privacy Rights Act 2024 (the Bill), aimed at establishing robust national data privacy standards with a focus on consumer control over personal information. In this Insight Q&A article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia, from Lewis Rice LLC, delve into key provisions, limitations, and implications of this proposed legislation. They address frequently asked questions, offering valuable insights into how the Bill could reshape data privacy regulations in the US.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell unveiled the American Privacy Rights Act 2024 (the Bill) which would establish national consumer data privacy rights and set standards for data security. The Bill has bipartisan and bicameral support and is the first comprehensive US federal privacy bill to be unveiled since the American Data Privacy and Protection Act (ADPPA). In this article, OneTrust DataGuidance Research breaks down the main provisions of the Bill, with expert comments provided by Starr Drum, Shareholder at Polsinelli PC, and Michelle Schaap, Partner at CSG Law.

Since the public debut of generative artificial intelligence (AI) about 18 months ago, proponents and detractors of the technology have saturated the media with breathless commentaries about its promise and peril for the legal profession. On the one hand, a reported 44% of all legal tasks could be replaced by generative AI, while on the other hand, generative AI 'hallucinates' and makes up fake but convincing-sounding case citations, leading to lawyers being sanctioned. So, which is it?

And importantly, how should lawyers navigate this new landscape? Shun AI and risk falling behind the competition? Or embrace it and get too far out over your skis?

This choice raises both practical and ethical questions. While the practicalities are still a work in progress - as new use cases and applications are hitting the market every day - the ethical questions are beginning to take shape. Lawyers should be aware of how to use generative AI tools responsibly and ethically, maintaining compliance with professional rules of conduct as required by their respective state bars. Several state bar associations have now issued guidance. Dr. Christian Mammen, Vincent Look, and Dr. Seiko Okada, of Womble Bond Dickinson, discuss this guidance and how the practice of law may evolve with the increasing use of generative AI.

On February 28, 2024, the White House published Executive Order 14117 on Preventing Access to Americans' Bulk Sensitive Personal Data and Government-Related Data by Countries of Concern (the EO). The EO calls for the promulgation of regulations to prevent the transfer of bulk sensitive personal data, including genomic data, biometric data, personal health data, geolocation data, financial data, etc., and government-related data, to countries of concern. OneTrust DataGuidance Research gives an overview of the EO and its impact on companies, with expert comments from Mark Francis, Partner at Holland & Knight.

In this Insight article, Zach Lerner and Hannah Schaller, from ZwillGen PLLC, analyze the privacy challenges confronting artificial intelligence (AI) developers in US education, navigating compliance nuances with laws and state privacy regulations to ensure responsible AI use.