Understanding US data protection laws: key regulations and compliance
17/06/2025

US data protection laws: key regulations and compliance

Looking at US data protection laws involves a look at a complex ecosystem where both federal and state level regulations coexist, and where a number of sector-specific norms must also be taken into account.

With the ultimate goal of protecting US residents’ rights, a number of US data privacy laws have emerged in recent years that demand compliance and which companies must pay close attention to.

Keep reading to find out the key laws for data protection compliance in the United States, some of the differences between Europe’s GDPR and the United States, and the key measures businesses can implement to comply with these regulations.

An overview of US data protection laws 

The decentralised nature of US data privacy laws

As hinted above, the United States does not have a unified, comprehensive data protection law. 

This means that, when asked “what is the US equivalent of GDPR compliance?”, the honest answer is that there is no single equivalent, only a complex network of legislation that each company must navigate in order to design its compliance strategy.

Federal vs. state-level privacy regulations

US data protection laws can be understood as falling under one of the following categories:

  • Federal regulations that address specific sectors or interest groups, including laws that target marketing or telecommunications services (such as the Video Privacy Protection Act or the Cable Communications Policy Act), laws covering biometrics and driving records (such as the Driver's Privacy Protection Act), and the Children’s Online Privacy Protection Act, which also applies at the federal level.

Special attention is paid to data protection in the financial sector, which is subject to the Gramm-Leach-Bliley Act (GLBA) and other rules that address particular data privacy concerns, such as the Fair Credit Reporting Act and, although it is an industry standard rather than a law, the Payment Card Industry Data Security Standard (PCI DSS).

The health industry is also heavily regulated, with HIPAA standing out at the federal level.


  • State-level regulations protect citizens’ rights in their respective territories.

Generally speaking, a business will need to comply with such regulations when processing data about a particular state’s residents, even if it does not physically operate there. However, the scope of each regulation varies greatly, with exceptions and thresholds based on data volume or annual revenue, so each regulation must be carefully consulted to confirm whether it applies.

When it comes to the interplay between federal and state-level laws, it’s important to understand that some provisions may overlap. Under the Supremacy Clause of the US Constitution, this means that certain provisions of state laws can be preempted by federal law. It is also worth noting that some state-level regulations are more comprehensive, detailed or broader in scope than the existing federal regulations.

How does the GDPR differ from US data protection laws? The key differences

The GDPR took effect in 2018 to grant individuals in Europe extended privacy and data protection rights, and it is generally recognized as the most comprehensive data privacy law in the world.

Some of the key differences between the GDPR and the ecosystem of US data privacy laws include:

  • Centralized vs. decentralized approach: the GDPR applies to the rights of all individuals within the European Economic Area, emerging as a transnational and centralized regulation.

By contrast, US data protection laws follow a decentralized approach, creating a complex net of regulations that mirrors the country’s own federal model.

  • Broad vs. narrow scope: the GDPR emerged as ambitious in its scope, applying to all organizations that, regardless of location, process the personal data of individuals within the EU. 

While scope definitions are diverse across the various US data privacy laws, some are markedly more limited than that of the GDPR. For instance, some establish annual revenue thresholds or limit compliance to companies that handle large amounts of data; others include exceptions, such as non-profits or data related to Human Resources and B2B environments. 

  • Centralized data protection authorities: the GDPR requires each member state to establish Data Protection Authorities (DPAs), which oversee compliance. In the US, this role falls to a variety of authorities, depending on what each regulation establishes. For instance, while California created a dedicated privacy regulator, the California Privacy Protection Agency (CPPA), other regulations rely on general federal or state enforcement bodies. Additionally, sector-specific federal regulations have appointed their own supervisory agencies.


Major federal US data protection laws 

The Health Insurance Portability and Accountability Act (HIPAA)

Enacted in 1996, HIPAA sets nationwide rules to safeguard sensitive health information from being shared without patients’ permission.


More specifically, it establishes the concept of protected health information (PHI), and sets up rules about collecting, disclosing and securing information about patients’ health statuses, payment data or information about the delivery of healthcare services. 

HIPAA applies not only to healthcare providers but also to health plans, healthcare clearinghouses and any of their business associates that handle PHI on their behalf.

Additionally, HIPAA grants individuals rights and tools for greater control over, and transparency about, their health information and how it is processed. Some of the key aspects of HIPAA are:

  • The need to obtain explicit patient consent for any data sharing.
  • Patient rights for data access and rectification.
  • Requirement to set up strict controls for accessing medical records, as well as detailed audit logs.
  • Implementation of security measures to protect health information in digital environments.
  • Obligation to notify affected individuals and relevant authorities about security breaches within 60 days.

The Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) targets the protection of sensitive data within the financial industry. Enacted in 1999, it applies to financial institutions in the broad sense, including banks and savings associations, credit unions, insurance companies, securities firms and brokers, and financial advisors or investment companies, among others.

The GLBA defines Non-Public Personal Information (NPI) as the personally identifiable data collected by financial institutions about their customers, and sets a series of requirements to protect it.

To that end, some of the key provisions of this US data protection act are:

  • Institutions must provide clear privacy notices that explain, in an accessible way, how they collect and share data.
  • Organizations must periodically run risk assessments to gain visibility into potential security issues, and must maintain explicit security protocols for safeguarding client information.
  • Clients have the right to opt out of their financial institution sharing their personal information with third parties.
  • Since 2024, the FTC’s GLBA data security rules (the Safeguards Rule) have also imposed data breach notification obligations.

The Children's Online Privacy Protection Act (COPPA)

COPPA was enacted in 1998 with the aim of protecting the online privacy of children under 13. It sets specific requirements that apply both to websites and online services directed at children under 13 and to general-audience commercial websites or online services that knowingly collect their data.

More specifically, COPPA:

  • Bans collection, use or disclosure of data from minors under 13 without verifiable parental consent.
  • Requires organizations to post clear, understandable privacy notices about their data collection activities, how data is used and the measures to protect it.
  • Provides parents with the right to review and delete their child’s personal information, and the right to opt out of sharing data with third parties.
  • Requires organizations to only collect data that is strictly necessary.
  • Obligates organizations to implement reasonable procedures to protect children’s data.

The Federal Trade Commission Act (FTC Act) and its role in data privacy

The FTC Act empowers the US Federal Trade Commission to protect consumers and promote fair competition. That mandate has been interpreted as also giving the FTC authority to take action against practices that involve the misuse or inadequate protection of personal data.

As such, the FTC Act serves as a de facto data protection act in the United States, providing the basis for investigating US companies that may be violating their own privacy notices or misleading users about their data processing activities.

The FTC has thus been involved in several enforcement actions over data malpractice, including Facebook’s $5 billion fine for privacy violations and YouTube’s $170 million fine for non-compliance with the Children’s Online Privacy Protection Act.

Key state-level data privacy laws

The California Consumer Privacy Act (CCPA) and CPRA

Enacted in 2018, the CCPA was amended by the California Privacy Rights Act (CPRA) in 2023, and the resulting framework is recognized as one of the most comprehensive state-level regulations among US data protection laws.

Some of its key provisions include:

  • The establishment of the first dedicated US privacy regulator, the California Privacy Protection Agency (CPPA).
  • Consumer rights to access and delete their personal data, and the ability to opt out of third-party data sharing.
  • Transparency requirements for organizations, which must disclose what data is collected, the purposes of collection and processing, and the third parties with which it is shared.
  • Requirements for certain businesses to carry out risk assessments and security audits.

The Virginia Consumer Data Protection Act (VCDPA)

In effect from 2023, the VCDPA represents another advanced US data privacy law. 

It grants Virginia residents data privacy rights, including the right to access, correct and delete their personal data, as well as to obtain a copy in a portable format. It also grants the right to opt out of certain data processing and sharing activities.

The law also includes a number of requirements for businesses that collect, process or store Virginia consumers’ data. However, it sets specific criteria for which organizations are subject to those requirements, limiting compliance obligations to businesses that:

  • Process personal data of at least 100,000 Virginia residents annually.
  • Process data of at least 25,000 residents and derive 50% or more of revenue from selling personal data.

The Colorado Privacy Act (CPA)

The CPA went into effect in 2023 to grant new data privacy rights to Colorado consumers and is part of the State of Colorado’s Consumer Protection Act.

Some of its key provisions include:

  • Consumers’ rights to access, delete and correct their personal data. The law also grants the right to opt out of the sale of personal data and of its use for targeted advertising, an option that must appear in the privacy notice as well as in a “readily accessible location outside the privacy notice”.
  • A focus on obtaining informed and freely given consent for data collection and processing activities.
  • Transparency requirements for businesses regarding their data collection and processing practices, delivered through privacy notices that are accessible, including reasonable accessibility for consumers with disabilities.
  • Requirements for companies to implement security measures to protect personal data and to conduct risk assessments.
  • An obligation for businesses to inform consumers about their data collection and processing activities.

Other emerging state privacy laws

A number of other US data protection laws have emerged at the state level, all of which establish rights for residents of those states as well as new obligations for companies that collect, process or share their personal data.

At the time of writing, these were the key state privacy laws that were in effect or expected to take effect:

  • Connecticut Data Privacy Act 
  • Delaware Personal Data Privacy Act
  • Florida Data Privacy and Security Act
  • Indiana Consumer Data Protection Act
  • Iowa Consumer Data Protection Act
  • Kentucky Consumer Data Protection Act
  • Maryland Online Data Privacy Act
  • Minnesota Consumer Data Privacy Act
  • Montana Consumer Data Privacy Act
  • Nebraska Data Privacy Act
  • New Hampshire Consumer Expectation of Privacy Act
  • New Jersey Personal Data Privacy Act
  • Oregon Consumer Privacy Act
  • Tennessee Information Protection Act
  • Texas Data Privacy and Security Act
  • Utah Consumer Privacy Act

These take different approaches to issues such as privacy notices, rights, definitions and scope, so each company must closely examine their requirements to ensure compliance. However, most of them share some common elements with the state regulations discussed above, including:

  • Consumer rights to access, correct and delete their personal data
  • Transparency obligations in privacy notices
  • The need for certain security measures
  • Limitations and requirements for third-party sharing of data
  • Notification requirements in case of data breaches

How US companies handle GDPR Compliance

While this article has so far covered the key US data protection laws, it is important to understand that US companies that process data from individuals in the EU must also guarantee GDPR compliance.

A basic outline for achieving GDPR compliance involves the following steps:

  • Data auditing and mapping to gain visibility into what personal data is collected, stored and processed, according to the GDPR’s definition of personal data (often referred to as Personally Identifiable Information, PII).
  • Since the GDPR requires that every act of personal data processing be justified by one of six legal bases, companies must have protocols to determine, beforehand, which basis applies to each processing activity. The legal bases are consent, contract, legal obligation, vital interests, public task and legitimate interests. Additionally, dedicated consent protocols are needed for data collection and cookies.
  • Compliance with the rules on data transfers outside the EU, covering the storage, processing and access of data under GDPR requirements, must be verified.
  • Assess the need to conduct a Data Protection Impact Assessment (DPIA) and to appoint a Data Protection Officer (DPO), according to the GDPR provisions on the processing of sensitive data.

These actions must coexist with others that address US requirements, such as creating transparent privacy notices, adequate protocols for handling consumers’ rights and requests, and the right cybersecurity measures.

Data protection software tools such as icaria Data Privacy emerge as key allies in managing this complex scenario and facilitating companies’ compliance. 

Later in this article, we cover how this tool supports organizations’ ability to comply with the GDPR as well as US data protection laws.

Best practices for GDPR and US data privacy law compliance

Outlined above is a complex legal scenario that companies must take into account when approaching data privacy compliance in the US. 

While the specific measures must be guided by a precise examination of the relevant legislation, the following are the three main pillars on which to base compliance policies:

Implementing data security measures

Federal and state-level legislation requires businesses to implement security measures to protect personal data. While each rule may introduce its own requirements, some common measures include:

  • Establishing a proactive approach to security, including incident response plans, risk assessment protocols and cybersecurity audits.
  • Training employees to follow best practices in data security.
  • Building the capacity to promptly detect data breaches and notify affected parties and authorities.


Developing transparent privacy policies

Transparent privacy policies are understood as part of consumers’ rights and, as such, are recognized in most US data privacy laws.

This involves ensuring privacy notices are understandable (that is, short, clear and written in accessible language) and include detailed information on what data is collected, how it is processed and how it is shared.

Managing consumer data requests and consent

An important step in complying with US data protection laws is devising consent mechanisms that meet regulatory requirements. Additionally, companies must set up protocols that guarantee consumers can exercise their rights to access, rectify and delete their data.

This is a particularly important issue, as most regulations set a limited timeframe for responding to such requests. Accordingly, a lack of streamlined processes can result in compliance failures and penalties.

This is where icaria Data Privacy comes in: a platform that goes one step further in data protection, giving organizations streamlined capabilities to execute data protection rights automatically and across their digital ecosystems.

Purpose-built for complex application landscapes, icaria Data Privacy orchestrates data blocking and suppression without compromising business intelligence. It handles deletion requests by securely blocking, anonymizing and deleting data across all relevant applications, thus supporting compliance with strict regulations such as the GDPR and US data privacy laws.

Want to elevate your data privacy compliance capacities? At icaria Technology, we can help you. 

Discover more about us and get in touch with us to speak to our team.
