Support Centre

USA Federal


Law: There is no general federal privacy regulation yet, however, House Resolution (HR) 8152 for the federal American Data Privacy and Protection Act (ADPPA) has been tabled and will now be submitted to the U.S. House of Representatives. In addition, multiple sectoral laws apply on a federal level.

Regulator: The Federal Trade Commission (FTC) takes enforcement action against organisations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. Moreover, under the ADPPA the FTC would have the authority to issue regulations for companies to comply with a newly introduced requirement to implement security practices to protect and secure personal data against unauthorised access. Furthermore, under the ADPPA, the FTC would be provided with the authority to enforce such requirements, together with state attorneys general (AGs) and the California Privacy Protection Agency (CPPA).

Summary: The ADPPA establishes requirements for how companies handle personal data, specifically it requires covered enitities and service providers to limit the collection, processing, and transfer of personal data to that which is reasonably necessary to provide a requested product or service. Additionally, the ADPPA sets out legal protections for consumers' data, including the right to access, correct, and delete their personal data, and requires companies to provide individuals with a means to opt-out of targeted advertising. Lastly, the ADPPA would generally pre-empt state laws that are covered by its provisions, except for certain categories of state laws and specified laws in Illinois and California.

Whilst the ADPPA is still going through the legislative process, there are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 (GLBA), which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 (COPPA), which imposes requirements on operators of websites or online services directed to children under 13 years old. The absence of a federal privacy law or a supervisory authority has made the FTC the de facto regulator resulting in a body of case law and settlements over violations of consumers' privacy rights or failures to maintain security of sensitive consumer information. The USA also participates in the Privacy Shield Framework with Switzerland, as well as the Asia Pacific Cross-Border Privacy Rules system, both of which allow for the seamless flow of data to other jurisdictions.

Furthermore, on July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without the need to obtain any further authorization.

Other key laws and regulations include:


Artificial intelligence (AI) has become a transformative force across every industry, revolutionizing the way businesses operate and impacting employment practices worldwide. In the US, the rapid advancement of AI has led to significant changes in the job market, with both positive and negative effects on employment. As AI continues to evolve, regulators and legislators have taken notice. They have responded with numerous proposals to address potential challenges and ensure a fair and inclusive future of work. Natalie Koss, Esq., Managing Partner at Potomac Legal Group PLLC, provides insight into the impact of AI on employment practices and how employers can prepare for changing legislation.

Given the increasing number of data privacy laws in the US, entering into appropriate data processing agreements (DPAs) with vendors has now become a critical component of vendor management. It can also be one of the most time-consuming and complex aspects of data privacy compliance.

In part one of this operational Insight series on what companies need to do in order to comply with US privacy laws, Amanda M. Witt, Partner at Kilpatrick Townsend & Stockton LLP, discusses when an organization should enter into a DPA with a vendor, an overview of US DPA requirements, key considerations when negotiating a DPA, and some other key aspects of vendor management from a US data privacy perspective besides entering into a DPA.

In October 2022, the White House Office of Science and Technology Policy (OSTP) published its Blueprint for an AI Bill of Rights. In this Insight article, Karen Silverman, Chloe Autio, and Brinson Elliott, from the Cantellus Group, set out primary areas of the Bill of Rights and how it has been received, built upon, and operationalized since its release, including how it fits into the U.S. Administration's broader push for responsible artificial intelligence (AI).

In this Insight article, Jessica Lee, Partner at Loeb & Loeb LLP, delves into the implications of the U.S. Chamber of Commerce report on the use of artificial intelligence (AI) (the Report) and its impact on the future of AI regulation in the US. She also discusses the key areas of focus and the joint statement by federal agencies, highlighting the growing importance of AI regulation at the national level.

The Children's Online Privacy Protection Act of 1998 (COPPA) is a US federal law that governs the online collection, use, and disclosure of personal information of children under 13. In this Insight article, Amy Mudge, Carolina Alonso, and Tucker Sarchio, from Baker & Hostetler LLP, highlight trends and recent developments in the enforcement of COPPA, as well as possible future regulations, to help businesses understand the evolving landscape of children's online privacy.

Artificial intelligence (AI) is among us, and there are a number of ways that AI can be used throughout the course of the employment relationship. Amber Rogers, Brittany Bacon, Katherine Sandberg, and Danielle Dobrusin, from Hunton Andrews Kurth, trace the regulatory landscape governing the use of AI in the US, with concluding practical tips for avoiding discrimination when using AI.

As of January 1, 2021, the Corporate Transparency Act (CTA) was enacted by Congress as part of the 2021 National Defense Authorization Act, which governs the annual budget and disbursement of funds for the U.S. Department of Defense. In this Insight article, Vincent Merola and Destiny Bajonero, from Murtha Cullina, uncover the key provisions and reporting requirements of the CTA.

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') are two of the most important data protection regimes in place today. The former is a comprehensive data protection regime that applies generally to any information relating to an identified or identifiable natural person and the wide variety of organisations that collect and process the personal data of individuals in the EEA. In contrast, HIPAA is a much narrower US-based regime that only applies to protected health information ('PHI') and certain specified healthcare entities.

Christiana State and Brandon C. Ge, from Crowell & Moring LLP, explore key differences and similarities between the two jurisdictions' approaches to data protection with regard to health-related data.

Assembly Bill 2273 for the California Age Appropriate Design Code Act ('CAADC') was signed into law on 15 September 2022 and will become effective on 1 July 2024. The CAADC will impose new requirements and prohibitions on a broad range of businesses beyond those that are included in the Children's Online Privacy and Protection of 1998 ('COPPA'), with the aim of better protection children's privacy and online safety. Nerissa Coyle McGinn, Partner at Loeb & Loeb LLP, provides a comparison between the provisions of the CAADC and COPPA, specifically looking at areas such as default privacy settings and privacy policy requirements.

Whether it is facial recognition technology ('FRT') being used by law enforcement or in connection with various physical security and access management applications, the use of fingerprint-based time management systems or voiceprint technologies to validate identity, applications in the public and private sectors involving the use of biometric identifiers and information continue to grow. Correlated with that growth are concerns about privacy and security, as well as civil liberties. Over the past few years, significant compliance and litigation risks have emerged factoring heavily into the deployment of biometric technologies, particularly facial recognition. Joseph J. Lazzarotti, Privacy, Principal at Jackson Lewis P.C., explores the current leglisation covering biometrics and privacy within the US, as well as the link between biometrics and bias.

The European Data Protection Board ('EDPB') published, on 28 February 2023, Opinion 5/2023 ('the Opinion') on the European Commission Draft Implementing Adequacy Decision ('the Draft Adequacy Decision') on the adequate protection of personal data under the European Union-US Data Privacy Framework ('EU-US DPF'). Overarchingly, the Opinion concludes that the EDPB welcomes the improvements introduced by the Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), whilst highlighting key areas of concern, as well as areas for further clarification. OneTrust DataGuidance Research provides a summary of the key issues considered by the EDPB in its Opinion.

In the fourth quarter of 2022, new hope emerged for transatlantic data flows with a pair of significant developments in the effort by the EU and the US governments to adopt a new mechanism for transferring the personal data of EU individuals to the US.

W. James Denvil and Julian B. Flamant, from Hogan Lovells, discuss key changes of Executive Order 14086 on Enhancing Safeguards for United States Signal Intelligence Activities ('the Executive Order') and the EU-US Data Privacy Framework ('EU-US DPF') and delve into the impact these have on companies carrying out transatlantic data transfers.