Q2 | Torys Quarterly, Spring 2022

Protecting privacy interests: developments in U.S. law

When it comes to privacy and data protection laws, the United States has long been a patchwork quilt of industry- and issue-specific statutes from both the federal and state legislatures.

The most famous are known by their acronyms: HIPAA[1], FCRA[2], COPPA[3], and CCPA[4]. The more obscure statutes include the unique Illinois Biometric Information Privacy Act, which confers on residents privacy rights over their biometric data, such as fingerprints and face scans. Layer on top of that 50 separate breach notification laws.

This confusing regime starkly contrasts with the more unified national privacy frameworks of other jurisdictions, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR) and even China’s Data Security Law and Personal Information Privacy Law.

Recent developments trend in the right direction

While a single U.S. federal privacy statute remains a far-off ideal, optimism for a more unified array of U.S. laws is on the horizon. Comprehensive privacy legislation will soon come into force in four states—California, Colorado, Utah and Virginia[5]—and nearly 40 state legislatures are currently advancing privacy or data protection bills. Although falling short of a robust, national scheme, a critical mass of state law is likely to establish minimum standards applicable to many, if not most, companies that do business in the United States.

Indeed, because the laws apply to any business that collects data from the respective state’s residents, they typically apply even to companies with no presence in the state. When they take effect, these laws will mandate that a company notify a person if it is selling his or her data; offer an opt-out from such use; and provide an opportunity to access, delete, correct, or move the data. That said, they differ in one very significant way: aside from California’s, they don’t provide any “private right of action”—the ability for a resident to sue a company—for violations. Such a right puts real “teeth” into a law, but several other state bills that contained a similar provision failed to be enacted out of concerns that it is susceptible to abuse, particularly when violations are pursued through a class action.

A significant step forward would be the adoption of the New York Privacy Act, a bill reintroduced in January 2022 that would “require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared”. Importantly, like the CCPA and CPRA, it also would provide a private right of action and award attorneys’ fees to a prevailing consumer. The act would apply to companies that conduct business in New York or produce products or services that are targeted to residents of New York, and that satisfy one or more thresholds, including an annual gross revenue of $25 million or more.

In the meantime, the U.S. Congress has taken an important step on breach notification and ransomware response. Spurred on by the ever-increasing cyber threats emanating from Russia, and underscored by the invasion of Ukraine, the bipartisan Cyber Incident Reporting for Critical Infrastructure Act was signed into law on March 15, 2022. It will require critical infrastructure owners and operators to report to the U.S. government within 72 hours if they are experiencing a substantial cyberattack, and within 24 hours if they make a ransomware payment.

“The act is a watershed moment”, said its co-sponsor U.S. Senator Gary Peters. “This provision,” he said, “will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts and help get our nation's most essential systems back online.”


In many respects, the U.S. has been behind the curve in enacting uniform, comprehensive legislation to protect its citizens’ privacy interests and the security of their data. While recent developments hardly achieve that goal, it appears the U.S. has begun heading down the right path of requiring businesses operating in the U.S. to protect the legitimate privacy interests of their customers and related stakeholders.

  1. Health Insurance Portability and Accountability Act of 1996.
  2. Fair Credit Reporting Act.
  3. Children's Online Privacy Protection Act of 1998.
  4. California Consumer Privacy Act.
  5. The California Privacy Rights Act (CPRA), which amends and expands the CCPA; the Colorado Privacy Act; and the Virginia Consumer Data Protection Act are effective January 1, 2023. The Utah Consumer Privacy Act will go into effect December 31, 2023.


© 2024 by Torys LLP.

All rights reserved.
