Understanding US data privacy laws

If you’re an organisation based in the UK or EU, you’re probably familiar with the General Data Protection Regulation (GDPR) that was brought into effect on 24th May 2018.

Even if you don’t fully understand the complexities of the law—understandable if you’re not a data privacy law expert—you’re probably at least aware of your basic responsibilities under GDPR.

GDPR applies to organisations that handle data belonging to EU citizens, whether those organisations are based in the EU or not, while UK GDPR—introduced following the UK’s exit from the European Union—is the equivalent legislation for the protection of UK citizens’ data.

However, what about laws protecting the data of US citizens? If you’re an organisation that handles such data, you need to be aware of your legal responsibilities and restrictions.


Is there an equivalent ‘GDPR’ law in the US?

The simple answer to this question is ‘no’—but that doesn’t mean you have total carte blanche when it comes to the data of US citizens.

There is no comprehensive federal policy in place that governs how personal data can be used, and the patchwork nature of these laws can make it unclear what protections are in place. However, there are several laws that focus on specific data types, or situations regarding privacy, and organisations that process or store the data of US citizens are responsible for ensuring compliance and staying up to date with new legislation.

US privacy laws typically fall into two categories: vertical and horizontal.

  • Vertical privacy laws: designed to protect specific data types, such as medical records or financial data.
  • Horizontal privacy laws: focus on how organisations use information more broadly.

Examples of vertical privacy laws

There are two high profile vertical privacy laws governing the medical and financial records of US citizens.

Health Insurance Portability and Accountability Act 1996 (HIPAA)

HIPAA is the US federal privacy law that protects the medical information of citizens, and it applies to all organisations and entities that handle ‘protected health information’ (PHI).

HIPAA grants individuals the right to:

  • Deny permission to healthcare providers to use their PHI for marketing activities.
  • Receive a notice of privacy practices from healthcare providers that explains how the individual’s PHI will be used and protected, while patients can also restrict how this information is used and disclosed.
  • Update their medical records if they believe them to be inaccurate.

Gramm-Leach-Bliley Act 1999 (GLBA)

The GLBA is designed to protect consumer privacy and specifically applies to financial institutions that collect, use or disclose personal information. GLBA requires financial institutions to:

  • Explain to their customers how their information will be shared with third parties, and allow individuals to opt out.
  • Follow a set of guidelines that describe how financial institutions can collect, use and protect all types of consumer data.
  • Implement a written information security programme to protect customer data from unauthorised access.

Examples of horizontal privacy laws

Broader US privacy laws vary from state to state. For example, in California, New York State and Massachusetts, privacy laws cover any company that does business with the state whether they’re based there or not (similar to GDPR), while in Maryland they only apply to entities based in the state. Some states also only apply these laws to businesses that hit a certain revenue threshold, while others don’t have any revenue limitations in place.

If you’re handling the data of US citizens make sure you’re clear on the privacy laws that are in effect within the states you’re doing business with.

There are also two national privacy laws that cover data more broadly:

US Privacy Act 1974

Designed to enhance the privacy protection for individual US citizens, the US Privacy Act established rules and regulations for US government agencies in relation to the collection, use and disclosure of personal information.

As legislation only intended to cover US federal agencies, organisations outside of the US aren’t impacted by this Act.

Children’s Online Privacy Protection Act 1998 (COPPA)

COPPA applies to any organisation that collects, uses or discloses personal information from children (under 13 years old), specifically via a website or online service.

COPPA states that websites and online service providers must:

  • Develop and publish a clear and concise online privacy policy that explains what information will be collected from children, how it will be used and under what circumstances that information will be disclosed.
  • Secure parental consent for collecting, using or disclosing the personal data of children.
  • Allow parents to review and, if requested, delete their child’s personal information.

How to know if US privacy laws apply to you

Because there’s no overarching federal law governing privacy in the US, ensuring compliance might seem complicated. To avoid falling foul of any one of the various privacy regulations, consider the following:

  • Which specific state(s) are you doing business with? Different states have different privacy laws, so first identify which states’ privacy laws will apply to you.
  • Which industry are you in? We’ve looked at two industry-specific privacy laws so far—HIPAA and GLBA—but make sure you’re clear on any other industry-specific regulations that will apply to your organisation.
  • Are you handling the personal data of children? If your organisation processes the personal information of children you should familiarise yourself with COPPA.

Navigating compliance when it comes to consent and data privacy can be a minefield, but a dedicated Digital Asset Management system can help. To find out how ResourceSpace can help your organisation streamline its consent processes, book your free 30-minute demo below.