What You Need to Know About U.S. Data Privacy Laws

In the first half of 2018, there were 668 data breaches and 22 million records exposed.

The number of data breaches is steadily increasing. With more of your personal information online than ever before, you should be concerned about your privacy.

Part of that is being informed about what governs the protection of information. US data privacy laws are a complicated system.

But we’ll tell you all you need to know about privacy laws in the US. Keep reading for more.

State Data Privacy Laws

California was the first state to create a law around data breach notification. This law states that businesses that experience a data breach must report the breach to the affected persons.

Today, 48 states have laws that are similar. They differ in their definitions of what categories and types of personal information are protected.

States are also not aligned on who is covered by the regulations. There are different requirements about which other agencies need to be notified in the case of a breach (if any).

Federal Data Privacy Laws

At the federal level, data privacy laws are a patchwork of different regulations and laws. Some focus on categories of information. Others regulate activities that use personal information.

There are also consumer protection laws that function as data privacy laws to some degree. Below is a list of the most important federal laws regarding US data privacy:

  • The Financial Services Modernization Act. It regulates the collection, use, and disclosure of information held by banks, insurance companies, securities firms, and other financial products and services businesses.
  • The Fair Credit Reporting Act. Applicable to lenders who use consumer reports. It also applies to credit card companies that hold consumer-reporting information.
  • The Federal Trade Commission Act. This Act applies to offline and online privacy and data security. It prohibits unfair and deceptive practices with regard to consumer data protection.
  • The Controlling the Assault of Non-Solicited Pornography and Marketing Act and the Telephone Consumer Protection Act. These focus on the collection and use of e-mail addresses and telephone numbers.
  • The Electronic Communications Privacy Act. Concerns the interception of, and tampering with, electronic communications.
  • The Judicial Redress Act. Provides allied nations the right to access the US court system in cases of privacy violations, particularly when personal information is disclosed to law enforcement.
  • The Health Insurance Portability and Accountability Act (HIPAA). Covers medical records held by health care providers, pharmacies, data processors, and other entities that handle medical information. It comprises:
    • The Standards for Privacy of Individually Identifiable Health Information. Regulates the collection and use of protected health information (PHI).
    • The Standards for Electronic Transactions. Regulates medical data that is transmitted electronically.
    • The Security Standards for the Protection of Electronic Protected Health Information. Sets the standard for the protection of electronic medical data.

With so many pieces of legislation regulating federal data privacy laws – not to mention state laws – the system is complicated, to say the least.

The Problem with Federal Data Privacy Laws

Compared with most Western countries, the US is lacking in data privacy laws. There are no comprehensive legal protections for personal data. That is, there is no single federal law regulating how personal information is collected and used.

As it stands, federal government regulations affect only some sectors. Regulations only account for some types of sensitive information.

There’s also a patchwork of guidelines for best practices. But these self-regulatory frameworks have no force of law to ensure their implementation.

In addition, it’s not uncommon for federal laws to overlap with state laws. Where the two contradict each other, companies can be left in a regulatory limbo, unable to comply with both the state and the federal laws that regulate the same items.

Companies aren’t the only ones who suffer from this haphazard approach to data security laws. The personal information of citizens is also left vulnerable, without adequate protection and without adequate enforcement when breaches occur.

Data Privacy Law in the Health Sector

Perhaps one of the best examples of the problem with federal data privacy laws is the health sector. HIPAA governs health privacy and security law.

It’s intended to protect PHI. It applies to “covered entities” that collect and use this information. This includes entities that just come into contact with medical information.

However, there are other privacy laws that regulate areas related to health. These aren’t consistent with the compliance required under HIPAA.

For example, student immunizations and school health records are regulated by the Family Educational Rights and Privacy Act. And this piece of legislation overlaps with some aspects of the Children’s Online Privacy Protection Act.

Data Privacy Law Enforcement

Who enforces data privacy laws in the US? Both state attorneys general and the Federal Trade Commission (FTC) have a role to play.

While state attorneys general play an important role, the FTC has historically taken the lead in this arena. Under the FTC Act, the agency has general authority to enforce data privacy law through its power to prohibit unfair and deceptive trade practices.

The FTC’s jurisdiction is limited, however. Over insurance companies, nonprofits, banks, and internet service providers, the FTC has limited influence.

In addition, some companies are refusing to recognize the authority of the FTC. And without a comprehensive law to set standards for the collection and use of personal data, the FTC continues to face pushback regarding its policing of data security laws.

Are You Compliant?

There are no overarching data privacy laws in the US. The federal government regulates data privacy through a number of acts and agencies, and many state governments have enacted their own data privacy laws. This has led to contradictory standards and compliance issues for companies regulated at both levels.

Under HIPAA, the medical sector is affected by these overlaps. For more information on HIPAA and staying compliant, check out our blog.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: “Implement a security awareness and training program for all members of its workforce (including management).”

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
