Summary of US Data Privacy Laws

Guest Post

With rapid evolution of the digital world, data privacy protection has become a global trend for organizations, individuals and governments.
These entities are now increasingly reconsidering the process of collecting, storing and processing personal information which not only includes names or phone numbers, but also individual healthcare information and financial data.

Data Privacy Laws in the US
At the federal level in the United States, the data privacy and regulation enforcing power is with the United States Federal Trade Commission (FTC). However, there is no central authority or federal unit responsible for ensuring compliance to the privacy laws. Rather, the regulations are mostly at the state levels and enforcement lies with the state attorneys. These regulations at state-level often overlap or are incompatible with each other. For instance, all states in the US have data breach laws enforced, but their definitions of personal data and data breach differ. Same goes for data privacy laws. With no federal mandate in place, about 25 of the US states have stepped up in formulating their data privacy laws, among which the California Consumer Privacy Act has gained the most popularity, followed by similar regulations in nine other states.

Let's look at some of the key requirements of the privacy laws by the states of California, Massachusetts, and Minnesota. These states are involved in development and amendment of their data privacy legislations. Let us look at some of the requirements in these state privacy laws.

California Consumer Privacy Act
The CCPA act is effective starting 1st January, 2020. It was materialized as a response to growing concerns about private data being silently collected by businesses in the Silicon Valley. It incorporates General Data Protection Regulation (GDPR) requirements specific to data privacy and data protection, the widely acclaimed law passed by the European Union.

CCPA is applicable to all for-profit businesses in California that also satisfy certain business conditions. It also includes all non-California based businesses operating inside California.

According to the law, businesses, their service providers and third parties are liable to inform the state that they are collecting, selling or disclosing about the residents of California and must promptly respond to any inquiries about this matter. The law also governs that no discrimination be undergone against any consumers exercising their rights, such as their objection to the sale of their personal data, such as bank accounts or credit card information. Business service providers can only use the data upon the direction of the business they are serving, and have to delete their information when requested.

CCPA requirements exclude patients' Protected Health Information (PHI), which is already covered by the Health Insurance Portability and Accountability Act (HIPAA). Businesses are also liable to verify the legitimacy of request of inquiry about consumer data before actually sharing the information.

In case of violation, the law gives a time of 30 days to a business to cure its violation. In an instance where a business fails to address the violation, they can face a civil penalty up to $7,500 for intentional and $2,500 for unintentional violation.

Massachusetts Data Privacy Law
The official name for this law is "Standards for the Protection of Personal Information of Residents of the Commonwealth". The law has been effective since March 1st, 2010. It states requirements for protecting the residents of Massachusetts against fraud and identity theft and is applicable to all organizations that license, store or maintain personal data of its residents.

It is mandatory for all such organizations to implement a detailed information security program. For this, they must have dedicated personnel to run the program and provide regular employee security awareness trainings. It also requires that third parties with access to their customer's data are capable of protecting the information.

Massachusetts state is also working to formulate a data privacy regulation similar to CCPA. If the regulation is passed, it is planned to go into effect on January 1, 2023.

In case of violations, a civil penalty of $5,000 along with investigation and litigation costs and attorney fees will be incurred.

Minnesota Data Privacy Act
The Minnesota Government Data Practices Act (MGDPA) is effective since 1979. It protects the rights of individuals to access government data and also regulates how private data is collected, stored and disseminated. It is based on a data classification system, including government-handled data such as education and law enforcement, individual data such as public or non-public and non-individual data such as nonpublic or protected nonpublic data.

This law is applicable to the government agencies and requires state agencies to appoint an authority responsible to establish procedure for prompt and appropriate management of data requests. In case any state entity wishes to get access to an individual's private data, they must give that individual a notice known as "Tennessen Warning". If a dispute arises between the two, the individual can take an advisory opinion from the Commissioner of Administration.

In case of violation, a civil action can be taken against the violator or the attorney fee can be charged in case the state entity does not follow advisory opinion. Willful violation can also result in imposition of criminal penalty on public employee, suspension without pay or even job dismissal.

Privacy laws at state level are extending towards more states, and already existing laws are also being amended to cater to the changing information security landscape. These privacy acts can also serve as a baseline for the formulation of a comprehensive data privacy regulation at a federal level. However, till such a law exists, organizations and businesses dealing with public data need to stay well-informed of all existing state laws since they have applications outside their boundaries and impose strict penalties for violations.

David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second startup (currently in stealth mode) that will track and interpret the use of contactless payments. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences. David occasionally consults with smart card companies like Cardzgroup.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.