Frustrated man

The US privacy landscape: complex and in a state of flux

US privacy laws consist of a multitude of federal and state regulations that protect the personal information of individuals from unauthorized use or disclosure. If you are doing business in the US don't get caught out, or assume that your company's 'GDPR-oriented framework' will suffice.

Here are some key points to grasp about the complex US privacy scene:

Federal Privacy Laws
There are many federal privacy laws in the US typically aligned with industry sectors. Some well known examples include:

  • The Health Insurance Portability and Accountability Act (HIPAA), regulates the privacy and security of personal health information
  • The Children's Online Privacy Protection Act (COPPA), protects the online privacy of children under the age of 13
  • The Gramm-Leach-Bliley Act (GLBA) regulates financial institutions' use of consumer data
  • The Fair Credit Reporting Act (FCRA) regulates how consumer credit information is collected, used, and shared
  • The Family Educational Rights and Privacy Act (FERPA) protects the privacy of students' education records
  • The Electronic Communications Privacy Act (ECPA) regulates the interception of electronic communications and the collection of personal information by the government and certain private entities
  • The Telephone Consumer Protection Act (TCPA) regulates the use of automated telephone equipment, such as robocalls and text messages, for telemarketing purposes.
  • The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) regulates commercial email messages.

State Privacy Laws
A growing number of US states have their own privacy laws including:

  • California (California Consumer Privacy Act/California Privacy Rights Act)
  • Virginia (Virginia Consumer Data Protection Act)
  • Connecticut (Connecticut Data Privacy Act)
  • Colorado (Colorado Privacy Act)
  • Utah (Utah Consumer Privacy Act)
  • Indiana (Indiana Consumer Data Protection Act)  
  • Iowa (Iowa Consumer Data Protection Act)
  • Illinois (biometrics)
  • Vermont (data broker)

US privacy laws are enforced by various government agencies, including the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), and state attorneys general. Individuals may also have the right to file private lawsuits for violations of certain privacy laws.

Consistencies and inconsistencies
Requirements, terminology and definitions vary from law to law. One consistency is that all 50 states have data breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached.

The big question
Will your company's 'GDPR-oriented framework' or 'gold standard' be fit for purpose in relation to addressing the complex US privacy landscape.

Unless you identify the numerous nuances across the applicable US laws, and address these within your framework, you will quickly realise that your company will be exposed from a compliance risk and legal risk perspective.

Get an overview and get the certification
With a huge amount of change happening currently on the US privacy scene, now is a good time to get a baseline by taking IAPP's US Private-Sector Privacy course that leads to their CIPP/US certification.

IAPP have recently updated the course material to reflect recent changes and, as an Official IAPP Training Partner, Purpose and Means have several courses scheduled between now and the end of the year delivered by the highly knowledgeable and experienced privacy professional, Petruta Pirvan:

In-person, in Copenhagen (0900-1630 CET):

  • 4 & 5 September

Live online (1500-1900 CET):

  • 19, 20. 26 & 27 June
  • 21, 22, 28 & 29 August
  • 23, 24, 30 & 31 October
  • 20, 21, 27 & 28 November

More information and course registration can be found here.

Petruta Pirvan
Tim Clements
May 11, 2023


Other posts

June 2, 2023
Disseminating policies
Tim Clements
May 27, 2023
Ineffective controls
Tim Clements
May 26, 2023
DPIA on a page
Tim Clements
May 25, 2023
GDPR on a page
Tim Clements
May 22, 2023
GDPR 5 years old - is it really?
Tim Clements
May 9, 2023
Employee engagement
Tim Clements
May 2, 2023
Managing risk
Tim Clements
April 13, 2023
Copy/paste consultancies
Tim Clements
April 6, 2023
Controller/Processor life-cycle
Tim Clements
March 30, 2023
Responding to an audit
Tim Clements
March 23, 2023
Data protection templates
Tim Clements
March 11, 2023
Data protection program control
Tim Clements
March 6, 2023
Reporting data protection status
Tim Clements
March 2, 2023
The lone data protection army
Tim Clements