KNOWLEDGE BASE Data Protection Regulations In The US

The information on this page was current at the time it was published. Regulations, trends, statistics, and other information are constantly changing. While we strive to update our Knowledge Base, we strongly suggest you use these pages as a general guide and be sure to verify any regulations, statistics, guidelines, or other information that are important to your efforts.


Data Protection Regulation In The United States


There is no comprehensive, consolidated data protection law in the United States. Instead, there are many industry-specific (e.g., financial services and the medical sector) and state data protection laws and regulations. These laws and regulations may be enforced by federal authorities, state authorities, or both, and in some cases they give individuals a private right of action to sue companies they believe are violating the law. The Federal Trade Commission is the primary federal privacy regulator because it enforces consumer protection law, including the prohibition on unfair and deceptive trade practices affecting commerce. At the state level, attorneys general enforce state prohibitions on unfair or deceptive trade practices as well as state data protection and privacy laws and regulations.


Applicable laws and regulations

There are a number of federal and state laws and regulations you should be aware of and understand before collecting and using someone’s personal information. Some of the most important are discussed below.


Federal laws and regulations

The Children’s Online Privacy Protection Act (COPPA), implemented by the FTC’s COPPA Rule, sets out specific requirements you must follow if you operate a website or online service directed to children under 13 years of age, or if you have actual knowledge that you are collecting personal information from children under 13. The requirements are as follows:

  • You must provide a conspicuous privacy notice on your website. This privacy notice must provide the following information:

    • the type(s) of personal information you collect;

    • how you will use the information;

    • whether and how you will disclose the information to third parties;

    • details regarding how a parent is able to review the information you collect about their child; and

    • how to ‘opt out’ of further information collection and use.

  • In general, you should also send a direct notice to parents that contains the above information along with a statement informing them that you intend to collect personal information from their child(ren).

  • You must also obtain verifiable parental consent prior to collecting, using, or disclosing personal information.

The Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended the Fair Credit Reporting Act (FCRA), addresses privacy concerns in the credit and consumer reporting sector, including the collection and use of personal information and identity theft. FACTA requires consumer reporting agencies, and the businesses that use consumer reports, to provide consumers with written notices concerning:

  • identity theft,

  • employment screening,

  • pre-screened offers of credit or insurance,

  • information sharing with affiliates, and

  • adverse actions taken on the basis of a consumer report.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) specifies permissible uses and disclosures of protected health information (PHI), mandates that HIPAA covered entities provide individuals with a privacy notice and information on their other rights, regulates covered entities’ use of service providers (business associates), and sets forth extensive information security safeguards for electronic PHI under the HIPAA Security Rule.


State laws and regulations

Laws in several states, including California, impose general information security standards on companies that maintain personal information. California, for example, requires companies that own or license personal information about California residents to implement and maintain reasonable security procedures and practices to protect the information from unauthorized access, destruction, use, modification, or disclosure. Additionally, companies that disclose personal information to nonaffiliated third parties must contractually require those entities to maintain reasonable security procedures and practices as well.

A number of states impose obligations with respect to the collection and processing of social security numbers (SSNs). These laws generally prohibit:

  • intentionally communicating or disseminating SSNs to the general public;

  • using SSNs on ID cards required for individuals to receive goods or services;

  • requiring an individual to transmit an SSN over the internet, unless the connection is secure or the SSN is encrypted or redacted;

  • requiring an individual to use an SSN to access a website, unless a password, PIN, or other authentication factor is also required; and

  • printing SSNs on materials mailed to an individual, unless the law requires it.

Almost every state has enacted a breach notification law that requires companies to notify affected individuals in the event of unauthorized access to or acquisition of their personal information. Most state breach laws require notification only if there is a reasonable likelihood that the breach will result in harm to affected individuals, although a number of states do not have this harm threshold and require notification of any incident that meets their definition of a breach. Some states also require that, in addition to notifying individuals, companies notify a state regulator, generally the attorney general, of the breach.


California: The California Attorney General provides general information and a list of privacy laws in California. Some important laws include: Customer Records, Internet Privacy Requirements, Privacy Rights for California Minors in the Digital World, and Data Breach Notice.


Colorado: Important Colorado privacy laws include: Disposal of Personal Identifying Documents, Notification of Security Breach.


Georgia: Notification required upon breach of security regarding personal information.


Illinois: Personal Information Protection Act


Massachusetts: The Standards for the Protection of Personal Information of Residents of the Commonwealth, Security Data Breach Notifications Law.


Texas: Business Records