With this unprecedented level of connectivity come significant privacy challenges and risks. We leave a digital footprint or trail behind us whenever we use online services. A person's full name, birth date, residential address, email address, telephone number, Social Security Number, and other sensitive information may be stored in databases by organizations or unscrupulous people without that person's knowledge.
Privacy online is hard to regulate, leaving people open to invasions of privacy. What protections do Americans have when it comes to data security?
No comprehensive regulatory framework
Currently, there is no single law in America that covers all data privacy. Privacy laws differ from one state to another, or they focus on certain types of data. Because there is no comprehensive privacy law, businesses and institutions can use, sell, and share data without the consent of individuals. Some states have their own comprehensive privacy laws, which have been compared to the European Union’s General Data Protection Regulation, the strictest privacy law in the world.
California Consumer Privacy Act (CCPA)
The CCPA, which was enacted in 2018, is considered the most stringent US law on data privacy. It applies to companies that collect personal information about consumers. The act grants consumers the following rights: to know what information is being collected and to whom it is going, to have collected data deleted, to opt out of data sales, and to receive fair treatment when exercising their privacy rights. The California Privacy Rights Act of 2020 expanded the CCPA’s rights by allowing consumers to correct inaccurate data and to restrict the use and disclosure of sensitive data.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was signed by Bill Clinton in 1996 and applies to “covered entities” such as healthcare providers, insurance plans, and clearinghouses. Covered entities must respect a patient's rights to access, correct, and share their health information, and they must obtain the patient's written consent. HIPAA does not cover all health data, only data that is shared with covered organizations.
The Gramm-Leach-Bliley Act
The GLBA, signed by Clinton in 1998, focuses on the privacy of information held by financial institutions and was a major part of his presidency. It applies to financial institutions that offer products and services such as loans, insurance, or financial advice. Businesses comply with the GLBA by implementing policies that protect their data from external threats, putting privacy notices in place, and informing consumers of their right to refuse to share their personal information.
Children’s Online Privacy Protection Act
COPPA, enacted by Congress in 1998, limits the handling of data about individuals under the age of 13. Companies that collect data from children under 13 must publish a privacy statement online, obtain parental consent, and let parents access, review, or delete the data. Companies must comply with COPPA and keep the collected data confidential.
In conclusion, American businesses and organizations were historically permitted to collect sensitive data from citizens without their explicit consent. However, certain sectors and states have put regulatory frameworks in place to protect this sensitive information. The data privacy regulatory landscape changes and evolves constantly. In 2023, following California’s lead, other states such as Colorado, Connecticut, Utah, and Virginia will enforce stricter data privacy laws.