The U.S. data protection law landscape is moving fast since the GDPR arrived in the EU. This happens mostly at the state level so far, the CCPA being the best known of these new laws. The U.S. doesn’t yet have a nation-wide federal data privacy law, and relies on several sectoral laws. But this day will come, as the need to unify a patchwork of U.S. data privacy laws grows.
This post summarizes some results of my PhD thesis, to present them in a more casual fashion. I will often refer the law review article I published in the Colorado Technology Law Journal on U.S. data privacy laws, comparing them (including the CCPA) with the EU model.
To get a comparative view on data privacy rules that includes China, see this post (with a focus on China’s Cybersecurity Law). And for a very detailed explanation, read another of my law review articles published in the Penn State Journal of Law & International Affairs, comparing China Data Privacy Laws to EU and US rules (and the results may surprise you).
This Post is Just a Summary… Download the Full Research Paper (free)
You can download the complete paper (25 pages), published in the Colorado Technology Law Journal, on the Social Science Research Network (SSRN).
This post answers the following questions:
- How US data protection laws differ from the GDPR?
- What are the main federal US data protection laws?
- How do US states regulate data privacy themselves?
1. US Data Privacy Laws vs EU Law: Different Models
The EU and U.S. models are well established, but they don’t have the same approach. Both follow their own path to regulate privacy, leading to differences in the legal instruments used and the level of protection afforded to individuals.
In the EU, the rights to privacy and to the protection of personal data are both fundamental rights, protected by comprehensive legal standards. The law has a wide scope: it applies to all organizations collecting and processing personal data. Personal data is broadly defined to cover all information relating to an individual. The law provides strong guarantees for those individuals, that the General Data Protection Regulation (GDPR) made even stronger.
In the U.S., privacy rights are instead grounded in consumer protection regulations. Unlike the EU model, the U.S. doesn’t have a federal data protection law covering all aspects of data privacy. It regulates the protection of personal information and privacy through several laws with a narrow scope.1 Those many laws, regulating different topics and sectors, may concern government agencies, data on children, health data, focus on data breaches. Relevant provisions can exist in federal laws or state laws.
The United States Constitution provides only limited privacy protection. The Fourth Amendment2 only protects U.S. citizens and long-term U.S. residents against unreasonable searches and seizures by the government and does not grant an actual broad right to privacy. Conversely, the First Amendment can actually sometimes be used to restrict information privacy by protecting the freedom of expression.3 Therefore, the U.S. Constitution and its supporting body of jurisprudence does not provide adequate privacy protection, especially in light of continuing technological development.4
U.S. data protection laws typically establish less requirements and offer less protection than in the EU. It protects privacy “by means of a patchwork quilt made up of common law, federal legislation, the US Constitution, state law, and certain state constitutions.”5 However, this approach is now being challenged by data privacy scandals and the rise of the EU’s regulatory clout on this issue.
2. Limited U.S. Federal Data Protection Laws
The United States is one of the most prolific country for legal settlements, judgments, consent decrees and corporate compliance programs to protect privacy in the world, according to observers. A discussion on each of the numerous elements composing the patchwork of legal instruments for data protection in the U.S. is beyond the scope of this blog post. I instead consider the most significant U.S. data privacy laws, whether they are addressed to the government or the private sector.
2.1. Privacy Act of 1974
The Privacy Act of 1974,6 passed to answer concerns about how the federal government manages personal information in its possession and still in force today.
The Privacy Act of 1974 applies to data processing by the federal government (but not state governments). It regulates the collection, use, and disclosure of many types of personal information, including:
[an individual’s] education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.7
The Privacy Act of 1974 does not apply to businesses.
2.2. Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a US data privacy law that provides protection of personal information related to an individual’s health. The primary goal is to eliminate the discrimination on employment based on medical information. It sets a minimum level of protection that U.S. states can increase, illustrated by the principle of “minimum necessary” use and disclosure from healthcare providers to potential employers. Disclosure of personal health information requires an opt-in express consent from the individual obtained prior to the treatment although not required for it, and the data subjects benefits from the right to access, correction, and to know who was the information communicated to.8
2.3. Children’s Online Privacy Protection Act of 1998 (COPPA)
COPPA was passed to protect the privacy of children under the age of 13 against collection and misuse by commercial websites. Such websites have an obligation to publish privacy policies indicating if personal data are collected, how they are used and if and how it is disclosed. This notice must be provided to children’s parents and obtain their parental consent prior to the data collection. Parents may later request to access and correct their child’s personal information.
The Federal Trade Commission (FTC) is the primary agency entrusted with prosecuting COPPA violations, and state-level attorneys general can also bring actions in federal district court. The FTC received the power to promulgate rules to guide the interpretation and enforcement of the Act from the Congress. In 2013, the FTC expanded the definition of “personal information” to include persistent identifiers that recognize users over time and across different online services. Not only websites are concerned, but also makers of mobile apps, connected toys and other devices.
2.4. The (failed) Consumer Privacy Bill of Rights (CPBR)
To conclude with the evolution of privacy rules at the federal level, the Consumer Privacy Bill of Rights (CPBR) represents a failed opportunity to strengthen privacy protection in the U.S. The Obama administration first presented a blueprint for the bill in 2012 and then a draft bill in 2015.
The Administration aimed at palliating the lack of “a clear statement of basic privacy principles that apply to the commercial world and a sustained commitment of all stakeholders to address consumer data privacy issues as they arise from advances in technologies and business models,” and therefore the CPBR proposed to create comprehensive and globally recognized data privacy principles. Though it was considered a welcomed opportunity for convergence with the EU model, it never became law.
There are many other sectorial U.S. data privacy laws protecting individuals’ financial information, communications, video rental records, telephone and family information.
3. CCPA and Other State Laws: Improvements to US Data Privacy Laws
Today, the U.S. approach is lacking because it does not seek to protect privacy as a fundamental right as in the EU. The main consequence is that the protection of personal data is always balanced against other interests, e.g. commerce or free speech. This explains the U.S. decision to avoid having a comprehensive data protection law in favor of several narrower laws, and to provide lower protection to personal information so as to avoid hindering other interests. However, this approach has difficulty coping with today’s omnipresence of personal data processing, the risks associated with lack of data security, and the misuse of that data.
Recently, several data breaches and privacy scandals made the headlines, such as those involving Equifax, Facebook (the Cambridge Analytica scandal), or Uber. Now, the U.S. approach on the matter is increasingly scrutinized for being insufficient and even hurting the online economy, as a recent study shows.
3.1. California’s CCPA and Other US States Data Protection Laws
As a consequence of the absence of federal U.S. data privacy laws capable of preventing those scandals, initiatives from privacy advocates to strengthen the data protection legal framework gained popularity and support. The most notable of these evolutions is in California, but several of the state-level regulations on data protection are strengthening.
California is at the forefront of these developments in U.S. data privacy laws, state-level. As far back as 1972, the Golden State included in its constitution the right of privacy among the inalienable rights of all people, making explicit a right that is only implicitly guaranteed under the federal constitution.9
Several privacy protection advancements found in the laws of other states come from California, such as data breach notification requirements.10 In 2002, California was the first state to introduce that requirement, a choice now followed by all of the other states, plus the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands. It was again the first, in 2004, to require website privacy policies.
CCPA’ Scope: Entities, Data Subjects, Extraterriorial Application
On June 28, 2018, against the backdrop of the GDPR’s first days of being in effect and scandals such as the case of Facebook-Cambridge Analytic,11 California passed the California Consumer Privacy Act of 2018 (CCPA), with the goal to improve personal data protection for consumers.12 The CCPA is considered the most stringent privacy law in the country and one of the strongest in the world. It is likely that the rights created by this statute will extend to the rest of the US.
Businesses and Individuals Concerned by the CCPA
Being a consumer law, its scope is notably narrower than EU laws. A consumer under the CCPA is cumulatively a natural person and a California resident,13 whereas the GDPR does not have a residency requirement. Entities covered by the CCPA are limited to for-profit organizations operating in California, above several thresholds on revenues and amount of personal data processed.14 A covered business is one that collects consumers’ data and has annual gross revenues superior to twenty-five million dollars; annually buys, receives, sells, the personal information of 50,000 or more consumers, households, or devices; and 50% or more of its annual revenues from selling consumers’ personal information.15
If the CCPA is sometimes called “California’s GDPR” in the media, it isn’t for its scope. In addition, certain elements of an EU-like comprehensive data protection law are outside the scope of the CCPA, such as protection for health information and publicly available data.16
Although some observer claim that the CCPA does not have an extraterritorial scope, the reality is much more nuanced. The CCPA probably has an extraterritorial scope like the GDPR, but this not explicitly stated. It is the interpretation of the provision “[doing] business in the State of California” that will be crucial.17 Comparison with other California rules defining this “doing business” requirement shows that extraterritorial applicability of the CCPA is likely.18
Apart from the scope, the main topics of divergence are the absence of a requirement for a legal basis for data collection and processing, a right of action for individual that is limited to security issues in the context of a data breach, differences on the concept of supervisory authority and the nature of penalties.
Definition of Personal Data in the CCPA
Personal data is an information “that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”19 The CCPA gives an extensive list of covered data, such as a real name, alias, postal address, IP address, social security number, driver’s license number, passport number, records of personal property, products or services purchased, biometric information, browsing history, search history, geolocation data, education, professional or employment-related information;20 publicly available information being excluded from the covered data.21
To conclude this short analysis of the CCPA, in the wider context of the U.S. approach on legal instruments, it should be noted that the CCPA is a progress, but not as significant as some may argue. Indeed, despite a broad definition of personal data, the CCPA’s scope remains narrow. It is applicable only to California residents and focuses on consumer privacy. Several legal elements such as data breach notification of protection for sensitive data such as health information remain outside the scope of the CCPA, whereas they are all contained in EU-like comprehensive data protection laws.
This Post is Just a Summary… Download the Full Research Paper (free)
I uploaded the complete article (25 pages), published in the Colorado Technology Law Journal, on the Social Science Research Network (SSRN).
3.2. Towards a Comprehensive U.S. Federal Data Protection Law
As a result of the approach, in the U.S. companies must navigate a large number of state laws. A patch work that creates risks and costs. This is a key reason for federal lawmakers seeking to implement a nationwide law on personal information protection. Support for a “U.S. GDPR” even come from top executives with major U.S. companies, such as Apple and Cisco, advocating for such data protection law in the U.S.
Since 2018, the 116th U.S. Congress has seen several reports and initiatives for strengthening personal data protection, sometimes closely aligned with the most recent EU developments. The U.S. Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress, published a report in 2019, which states:
recent developments regarding Internet privacy suggest that this is an appropriate time for Congress to consider comprehensive Internet privacy legislation
The Social Media Privacy Protection and Consumer Rights Act,22 introduced in January 2019, would require covered entities to notify an individual of a data breach within 72 hours, faster than previous laws and aligned with the GDPR. Also introduced in January 2019, was the American Data Dissemination Act, which would extend to internet service providers the requirements imposed on federal agencies under the Privacy Act of 1974. A bill call “Data Protection Act” would create a U.S. federal data protection agency, dedicated to privacy as in the EU.
A possible solution to the legal fragmentation in the U.S. would see Congress pre-empting state laws by enacting a federal law on data protection, taking precedence and overruling other state level regulation. The question of whether a federal law should overrule state regulation is the subject of much debate, but most an approach that would help reduce the patchwork of U.S. laws seems to be preferred (see here and there).
Officials have expressed that the Trump administration is now working towards what could be the first comprehensive data protection law in the U.S. Such a law, as described by the White House, “aims to craft a consumer privacy protection policy that is the appropriate balance between privacy and prosperity […] We look forward to working with Congress on a legislative solution consistent with our overarching policy.”
A nationwide data protection law would mark a shift in the U.S. approach and bring much-needed clarity to the landscape of U.S. data privacy laws, but it would not necessarily mean stronger protection for personal information. Future comparative studies on the data protection legal frameworks in the EU and the U.S. will indicate whether transplantation of EU rules, which can currently be observed at the state level, may also occur at the federal level in the U.S. This potential new law could be a basis for proposing an alternate model for data protection and challenging the EU approach and influence.
- Shawn Marie Boyne, Data Protection in the United States, 66 Am. J. Comp. L. 299–343 (2018).
- U.S. Const., amend. IV (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized”).
- Paul M. Schwartz, The EU-U.S. Privacy Collision: a Turn To Institutions and Procedures, 126 Harvard L. Rev. 1966, 1976 (2013). Paul M. Schwartz explains that “the First Amendment can even restrict information privacy: statutes that limit information sharing on privacy grounds are subject to constitutional scrutiny of their impact on the speech of the data processor.”
- Avner Levin & Mary Jo Nicholson, Privacy law in the United States, the EU and Canada: The Allure of the Middle Ground, 2 U. Ottawa L. & Tech. J. 357, 367 (2005).
- Paul M. Schwartz, The EU-U.S. Privacy Collision: a Turn To Institutions and Procedures, 126 Harvard L. Rev. 1966, 1969 (2013).
- An Act to amend title 5, United States Code, by adding a section 552a, to safeguard individual privacy from the misuse of Federal records, to provide that individuals be granted access to records concerning them which are maintained by Federal agencies, to establish a Privacy Protection Study Commission, and for other purposes. Effective on 31st December 1974.
- Privacy Act of 1974, 5 U.S.C. sec. 552a(4).
- Avner Levin and Mary Jo Nicholson, “Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground,” University of Ottawa Law and Technology Journal 2 (2005): 367.
- J Clark Kelso, “California’s Constitutional Right to Privacy,” Perpperdine Law Review 19 (1991): 327.
- The California data security breach notification law (California S.B. 1386) was passed in 2002, before similar requirements appeared in the EU.
- As stated by Alastair Mactaggart, who initiated the CCPA.
- Cal. Civ. Code para. 1798.100-198, taking effect on January 1, 2020. See Eric Goldman, “An Introduction to the California Consumer Privacy Act (CCPA),” SSRN Scholarly Paper (Rochester, NY: Social Science Research Network, July 9, 2018)
- CCPA, para.1798.140(g).
- CCPA, para. 1798.140(c)(1)(A-C).
- CCPA, para. 1798.140(c)(1)(A) to (C).
- CCPA, para. 1798.140(o)(2) and 145(c).
- CCPA, para. 1798.140(c)(1).
- Alice Marini et al., “CCPA, Face to Face with the GDPR: An in Depth Comparative Analysis” (Future of Privacy Forum, November 28, 2018), 8–9.
- CCPA, para. 1798.140(n).
- CCPA, para. 1798.140(o)(1)(A)-(K).
- CCPA, para. 1798.140(o)(2).
- Amy Klobuchar, “S.189 – 116th Congress (2019-2020): Social Media Privacy Protection and Consumer Rights Act of 2019” (2019)