Data privacy is concerned with the way personal data is collected, analyzed, and used. This is not to be confused with data security, which is how collected data is protected from external attacks. Within the United States, internet usage amongst adults has increased from 52% in 2000 to 93% in 2021. With more people using the internet, more personal data can be retrieved online. Thus, improvement of data privacy is increasingly vital. In the definition provided by the California Consumer Privacy Act, private information includes any material “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Some examples of private information include, but are not limited to:
- Health records
- Social Security Number
- Postal address
- Driver's license number
- Passport number
- Alias
Federal Policy
When it comes to understanding the policies in place to protect private data, only 3% of Americans know how current regulations and laws work. Furthermore, only 9% of Americans say they always read company privacy policies to understand how private data is used. This lack of knowledge about data privacy regulations is in part due to the way policies are set up. There is no federal regulation that includes language for multiple types of private data. Instead, multiple policies each cover a specific type of private data.
Here are the current federal policies that relate to data privacy:
- Congress passed the Federal Trade Commission Act in 1914, establishing the Federal Trade Commission (FTC). The FTC monitors commerce and ensures that unfair trade practices are limited and penalized. Under the FTC, consumer data is protected from unlawful use by commercial enterprises.
- Congress then passed the Fair Credit Reporting Act in 1970. The FCRA protects consumer information collected by any consumer reporting agency. Consumer reporting agencies are people or entities that collect information or evaluate consumer credit information or other information on consumers for the purpose of creating consumer reports for third parties. In addition, they also use a means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
- The Health Insurance Portability and Accountability Act (HIPAA), established in 1996, governs the collection of health information. The main goal of HIPAA is to establish confidentiality between the patient and the healthcare provider.
- The Gramm-Leach-Bliley Act (GLBA), passed in 1999, set stipulations that financial institutions must follow when collecting personal information. The GLBA specifies that companies must explain their information-sharing practices to their customers and safeguard sensitive data.
- Congress passed the Children’s Online Privacy Protection Act in 2000. The COPPA sets regulations on websites or other online outlets that collect information from children under the age of 13.
The Future of Data Privacy Policy
Data privacy policies are currently being revisited. Legislation at both the international and state level has heightened the repercussions for companies if found guilty of personal data misuse. In May of 2018, the European Union passed the General Data Protection Regulation (GDPR), the most progressive and punishing data privacy policy to date, with strict fines and broad terms. This regulation punishes any enterprise that illegally collects or uses, in the scope of the GDPR literature, the data of residents of the EU even if the company is not in the EU. The GDPR governs data privacy under seven basic principles including lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
In the United States, state level legislation is leading the way towards passing a federal law pertaining to data privacy. California passed the California Consumer Privacy Act (CCPA) in 2018, the first active data privacy state regulation. With the CCPA in place, all residents of California have the right to know how their personal information is collected and used, the right to delete personal information, the right to opt-out of their information being sold, and the right to non-discrimination should they exercise their rights listed under the CCPA. In 2020, the California Privacy Rights Act (CPRA) was passed. The CPRA builds on the CCPA, adding the right to rectification, right to restriction, and updated special protections surrounding sensitive personal data, like social security numbers. In addition to these new rights given to consumers, the CPRA established the California Privacy Protection Agency (CPPA). The CPPA is the first private data privacy agency in the United States.
Virginia is the second state to pass a data privacy law. The Virginia Consumer Data Protection Act (CDPA) was signed into law in March 2021. The CDPA is very similar to the CCPA and CPRA. However, there are two key differences between the California legislation and the CDPA. First, enforcement of the CDPA in Virginia comes from the attorney general, not a private enforcement agency, like the CPPA in California. Secondly, the CDPA does not include a revenue threshold for imposing obligations on companies. This allows companies to avoid the CDPA laws as long as they do not control or process the personal data of at least 100,000 consumers during a calendar year or control or process the personal data of at least 25,000 consumers and derive at least 50% of their gross revenue from the sale of personal data.
Other states are working towards passing data privacy laws while using the GDPR and California legislation as examples to emulate and build upon. Despite the shared perspective that consumers’ data is valued, the Democratic and Republican parties want to regulate protection in different ways. Democrats focus on protecting the consumer, believing that data collectors should be held accountable for the misuse or mishandling of consumer data. Alternatively, Republicans fear that consumers could abuse their protections at the expense of industry and push for less strict punishments for companies that collect data.
As these differing viewpoints are discussed and navigated in policy making processes, states will look to establish their own laws. This trend can be tracked here, where you can view your own state’s progress in passing data privacy legislation.