The United States has adopted myriad federal and state privacy laws that give protections to individuals regarding the collection, use, and disclosure of personal information by both the public and private sectors. These laws are often targeted to address specific instances of abuse or perceived market failures or to protect particularly sensitive information, such as health information, or groups deemed worthy of special protections, such as children. The US approach stands in sharp contrast to the approach found in over 100 other countries around the world that have adopted omnibus privacy laws.
Legal and historical reasons largely account for the differences in privacy regulatory approaches. The US approach to the regulation of the handling of information typically relies on the concept of the marketplace of ideas. In contrast to the privacy regimes in other countries, the focus of a privacy inquiry in the United States is typically whether an individual can be harmed by the misuse of personal information. The premise under US law is not that the mere collection of personal information is improper and must be justified. Rather, under US law, an organization usually can collect any information it desires if it does so in a way that is not deceptive or unfair to individuals, but it may not misuse that information in ways that may harm an individual.
Also, information privacy regulation in the United States often differs across states, sectors, information types, and data subjects. Historically, individuals, government, and industry shared a belief that a ‘one-size-fits-all’ legislative approach would lack the necessary precision to avoid interfering with the benefits resulting from the free flow of information. Similarly, the states, rather than the federal government, often enact their versions of sectoral laws aimed at protecting certain data types or correcting specific issues of misuse or preventing harm in specific situations.
The United States has a federal system in which laws are enacted at the levels of national government, state government, and local government (e.g., cities and counties). In general, privacy and information security laws are enacted at the state and national levels of government.
The federal government, for example, has enacted detailed privacy and information security rules that apply to financial institutions regarding the use of information relating to individual consumers, even though the states are also authorized to regulate these same entities (with certain exceptions) for the same information. As a result, an organization can be subject to the laws of the state in which the organization is located, as well as subject to the laws of other states in which the organization conducts activity, and subject to all the federal laws regulating those activities. Moreover, state laws continue to be enforceable even if a national law regulates the same conduct unless certain conflicts between the laws cannot be reconciled under certain principles of constitutional law. In that case, the national law prevails over or pre-empts, the state or local law.
Regulation in the United States generally focuses on information viewed as particularly sensitive on a sectoral basis, such as financial information, health information, consumer report information, information collected online from children, and information that can be used for identification theft or fraud.
Here is a summary for some of the U.S. laws:
The Lack of Federal Legislation
State data privacy laws, which are far from uniform, are on the rise. To address that, it is expected that there will be a serious effort in Congress this year to enact federal data privacy legislation.
On the federal level, despite various competing bills, Congress has failed to enact data privacy legislation. However, it is much more likely to pass in 2021 for various reasons:
- More states will begin to enact their unique data privacy framework to address the privacy concerns of their residents. That will likely cause confusion when states’ interests overlap and dramatically increase compliance costs for businesses.
- Uniform federal data privacy legislation will help allow U.S. businesses to better compete in the global market given other countries’ privacy laws, such as the European Union’s General Data Protection Regulation (GDPR).
Businesses already complying with the CCPA or the GDPR will likely not face a learning curve when federal legislation is eventually enacted. This year will certainly be interesting to watch if, or how, federal data privacy unfolds.
Agio Healthcare shares information meant to not only make you aware of key changes in prominent cybersecurity and privacy standards, laws and frameworks, but helps to provide context and clarity to these rapidly changing and emerging topics.
Follow Agio Healthcare on LinkedIn