Information privacy or data protection laws prohibit the disclosure or
misuse of information held on private individuals. More than 130
countries have adopted laws dealing in some way with data protection.
United States: State laws and the Federal Trade Commission (FTC)
State Laws
In
the United States, data privacy legislation exists as a patchwork of
federal and state laws governing different sectors and aspects of data
protection. While federal laws like the Health Insurance Portability and
Accountability Act (HIPAA) and the Children's Online Privacy Protection
Act (COPPA) provide protections for specific types of data, there is no
comprehensive federal privacy law. However, there has been a growing
push for federal privacy legislation, spurred by high-profile data
scandals, increasing consumer awareness, and the need to harmonize
regulations across states.
More than a dozen states in the U.S.
have enacted comprehensive consumer data privacy laws. California has
been at the forefront of the data privacy movement, spearheading
significant legislative developments with the California Consumer
Privacy Act (CCPA) in 2018. This landmark legislation, effective from
January 1, 2020, established pioneering privacy rights and imposed new
obligations on businesses regarding the collection and sale of
Californians’ personal information. Building upon the CCPA’s framework,
California voters approved the California Privacy Rights Act (CPRA) on
November 3, 20202, further refining and expanding privacy protections.
The CPRA took effect on December 16, 2020, ushering in additional
provisions, although many of its revisions became enforceable on January
1, 2023. Together, these laws set a precedent for comprehensive data
privacy regulations and inspired other states to enact similar measures.
Other states including Colorado, Connecticut, Delaware,
Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas,
Utah, and Virginia have followed suit with their own legislation, each
offering varying degrees of consumer protections, including rights to
access, correction, deletion, data portability, and opt-out options.
These laws aim to regulate how businesses collect, process, and store
personal data, with some focusing on specific aspects like protections
for children’s data or regulations for online advertising.
Each
state’s legislation differs in scope and approach, ranging from
business-friendly laws like Utah’s Consumer Privacy Act to more
stringent measures like Oregon’s Consumer Privacy Act, which includes
provisions on biometric data and lacks exemptions found in other states.
Effective dates vary, with some laws already in effect and others set
to take effect in the coming years, such as Delaware’s Personal Privacy
Act, which becomes effective on January 1, 2025. These diverse
state-level efforts reflect the growing concerns about data privacy and
aim to provide consumers with greater control over their personal
information in an increasingly digital world.
The American Privacy Rights Act of 2024
A
bipartisan effort led by Rep. Cathy McMorris Rodgers and Sen. Maria
Cantwell is set to introduce the American Privacy Rights Act (APRA), a
comprehensive federal data privacy law resembling Europe's General Data
Protection Regulation (GDPR). The proposed legislation aims to grant
Americans extensive privacy rights, including the ability to opt out of
targeted advertising, access, correct, and delete their personal data
held by companies, and opt out of algorithmic decision-making in crucial
areas like employment and housing. APRA seeks to preempt existing state
privacy laws to create a consistent regulatory framework nationwide,
but its prospects in Congress remain uncertain amid lobbying efforts
from various stakeholders.
The push for APRA comes as a response
to the growing demand for stronger data privacy protections among
American consumers and signals a significant shift towards harmonizing
federal regulations to create a predictable regulatory landscape.
However, the bill's introduction is likely to spark intense lobbying
efforts, with tech firms and other stakeholders vying to influence its
provisions, particularly concerning the extent of privacy rights granted
to consumers and the enforcement mechanisms. Despite these challenges,
proponents of APRA argue that it represents a crucial step towards
giving Americans greater control over their personal data in the digital
age, aligning with widespread public support for increased regulation
of consumer data.
The Federal Trade Commission
The
Federal Trade Commission (FTC) provides guidelines and acts for data
privacy. The ‘Fair Information Practice Principles, represents widely
accepted concepts concerning fair information practices in an electronic
marketplace. Further, the FTC created the Children Online Privacy
Protection Act (COPPA) in 1998 to respond to growing concerns that young
people may not realize the risk of data tracking. COPPA limits online
services which gather information from children under the age of 13 and
created warning labels if potential harmful information or content was
presented. In 2000, the Children’s Internet Protection Act (CIPA) was
developed to implement requirements for schools, libraries and other
entities offering online services to children. Specifically, CIPA
requires filtered access to content harmful to minors.
Europe: General Data Protection Regulation (GDPR) and Copyright Directives
The
European Union passed the GDPR in 2016, which was a monumental piece of
legislation for cyber security and privacy. Although the GDPR primarily
applies to online databases operating in the European Union, most
companies in the US engage in business with European Union members,
meaning that they are also regulated by the GDPR. As of 2018, all
organizations are expected to comply with the GDPR. Some companies have
temporarily shut off access to European users while they consider how to
respond to the new regulations.
The core components of the GDPR that concern cyber security include:
• After discovering a data breach, businesses must notify authorities within 72 hours
• Businesses must conduct compliance assessments
• Businesses are now liable for personal data processing
• Businesses must request permission to process personal data using clear language
• Enterprises that violate the GDPR can be fined up to 4% of annual global turnover
After
GDPR was implemented, the European Union Directive on Copyright in the
Digital Single Market passed in March 2019. The EU Copyright Directives
provide wider cross-border access to online material and a more robust
copyright marketplace for educational and cultural materials.
China
While
the U.S. and Europe sought to ensure better protections surrounding an
individual’s data, China did not start to implement privacy laws until
about 30 years later. At first, China’s laws reflected the U.S.’
regional approach to privacy legislation. In 2016, China’s Cybersecurity
Law provided data protection close to global standards. Specifically,
China’s laws have requirements for data collection, and breach
notification. Compared to the GDPR and U.S. privacy laws, China limits
freedom of expression online more significantly and does not protect the
right to be forgotten online.