State of Data Privacy Laws in 2023
Data privacy is a major and ever-growing concern. And yet, the U.S. does not have a comprehensive data privacy law that applies nationwide. Several states have enacted comprehensive data security laws that will take effect in 2023. The following offers an overview of the current state of data security laws at the federal and state levels in the U.S.
The Importance of Data Security Laws
Businesses collect vast amounts of personal identifying information (PII) from customers. PII includes information like names, dates of birth, addresses, phone numbers, credit card numbers, and Social Security numbers. Fraudsters use PII for identity theft and other illegal activities, costing consumers billions of dollars each year.
Data security laws give businesses an incentive to protect PII in their possession. If they fail to meet their legal obligations, they could face fines and other penalties, as well as liability for damages suffered by consumers. Instead of a single law that addresses data security, the U.S. has hundreds of federal and state laws that, in most cases, address specific privacy concerns.
Comprehensive Data Privacy Laws
Many data privacy laws take a “harm reduction” approach, meaning that they:
- Require businesses to take steps to protect PII; and
- Impose penalties if a data breach occurs.
This type of law does not give a consumer any particular rights unless they experience harm, such as the theft of their information.
A comprehensive data security law begins with the premise that an individual has the right to control their own PII. The European Union’s General Data Protection Regulation (GDPR) is a comprehensive data security law. It limits the amount of PII businesses may collect, as well as the purposes for which they collect it. It requires them to be transparent about their data security measures and holds them accountable for failing to meet the law’s standards. The overall goal is to prevent data breaches from happening in the first place.
The closest thing to a comprehensive law at the federal level is probably the Federal Trade Commission Act (FTC Act). It empowers the FTC to investigate deceptive or unfair business practices. This may include inadequate data security in some situations, such as when a company does not follow its own published privacy or cybersecurity policies. It also allows the FTC to enforce various other federal data privacy laws.
Comprehensive data security laws went into effect in two states, California and Virginia, on January 1, 2023. The two laws protect various types of PII, including not only financial information but also genetic data, geolocation data, and personal information like race, sex, or sexual orientation. Similar laws will take effect in Colorado and Connecticut on July 1, 2023, and in Utah on December 31.
Industry- or Issue-Specific Data Privacy Laws
Many data security laws apply to specific industries, activities, or issues. State bar rules, for example, require attorneys to safeguard client information. ABA Model Rule 1.6 prohibits the unauthorized disclosure, with some exceptions, of “information relating to the representation of a client during the lawyer’s representation of the client.”
Certain other professions and industries, such as finance and health care, have laws addressing data security. These laws regulate businesses and professionals in specific sectors of the economy.
State data privacy laws are too numerous to list. Federal laws, which apply nationwide, include the following:
- Family Educational Rights and Privacy Act (FERPA) of 1974: Regulates access to students’ educational records.
- Video Privacy Protection Act (VPPA) of 1988: Originally regulated the disclosure of videotape rental records; subsequently extended to data regarding rentals and purchases of a wide range of media, in both physical and digital forms.
- Driver’s Privacy Protection Act (DPPA) of 1994: Regulates the collection and use of PII by state departments of motor vehicles.
- Health Insurance Portability and Accountability Act (HIPAA) of 1996: Regulates how healthcare providers and health insurance companies may handle PII.
- Children’s Online Privacy Protection Act (COPPA) of 1998: Applies to U.S. operators of websites and online services that provide services to or collect information from children under 13 years old.
- Gramm-Leach-Bliley Act (GLBA) of 1999: Requires financial institutions to safeguard the PII of account holders, loan applicants, loan recipients, investors, and others.
Baer Reed helps corporate law departments address concerns about confidentiality and data privacy. Contact us today to learn more.
February 27, 2023