Data Protection Laws in the USA - A Guide for Businesses

For many businesses, collecting information from consumers and employees is part of everyday operations. At the same time, businesses need to take steps to ensure that information is stored and disposed of properly. Data protection laws regulate how information is disclosed. They prevent the misuse of information that might be held by individuals and businesses. Unlike many countries in Europe, Asia and elsewhere in the world, the United States has not adopted comprehensive data protection and information privacy laws. The following is an overview of rules related to the protection of data, especially for businesses.

Federal Laws

Data collection and information privacy are not heavily legislated or regulated in the U.S., especially as they relate to businesses. Although the Privacy Act controls how personal information is collected and used by federal government agencies, there is no overarching law that regulates the acquisition, storage and use of personal data by businesses. This means that generally anyone acquiring data can store and use it even if the information was collected without permission. Instead, there are a variety of sector-specific laws that govern the collection and use of information. Several acts govern how financial data, personal information from children, and information from credit reports are used. The Federal Trade Commission (FTC) regulates and oversees privacy laws and policies that have an impact on consumers.

Consumer Privacy

Generally, businesses should have a privacy policy that applies to online and offline activities. This policy outlines how a business collects, uses, stores, shares and protects data that is collected from consumers. While the FTC prohibits deceptive practices involving consumer data, having a privacy policy is not itself mandated by federal law. If a company is not honoring commitments it has made in its privacy policy, the FTC may investigate to ensure that federal consumer protection laws related to preventing fraud, deception and unfair business practices are followed. The FTC administers a number of laws and regulations that relate to privacy, including the Identity Theft Act and the Fair Credit Reporting Act.

The U.S. Small Business Administration (SBA) recommends that policies explain how personal information is collected and used. For example, a policy should include a cookie policy that explains how cookies are used to store user information. It should also detail how information is shared and include contact information so consumers can get more information or submit a complaint. The privacy policy should be displayed prominently, and consumers should be able to opt out of emails from the business.

Credit Reporting

Several laws govern how businesses use consumer and credit reports. Businesses might use these reports to assess a customer's creditworthiness or when evaluating job applications. Passed in 2003, the Fair Credit Reporting Act governs files maintained by consumer reporting agencies to promote privacy, accuracy and fairness. It allows individuals to opt out of credit report offers, and to view, correct, contest and limit the use of their credit reports. At the same time, the Act protects credit agencies from charges of negligent release if the requestor misrepresents themselves. Specifically, a credit agency is not required to verify whether the reason someone gives for requesting a credit report is valid or truthful.

The Fair and Accurate Credit Transactions Act (FACTA) of 2003 amended the Fair Credit Reporting Act. FACTA made it possible for consumers to request and obtain free credit reports once a year from nationwide credit reporting companies. It also permits individuals to place alerts on their credit histories in cases where identity theft is suspected or if they are in the military and deployed overseas. FACTA also requires the secure disposal of credit report records and information. The Fair Debt Collection Practices Act is also used alongside FACTA and the Fair Credit Reporting Act, as it further limits the dissemination of information related to an individual's financial transactions. First passed in 1977 and amended in 1996, the legislation prevents creditors and their agents from sharing information about someone's debt with a third party. In addition to outlining the do's and don'ts of debt collection, it also makes it illegal for debt collection agencies to harass individuals or contact them at their place of employment.

Other Laws and Regulations

Also known as the Kennedy-Kassebaum Act, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. It governs the collection and disclosure of protected health information by covered entities (for example, a health plan or medical service provider). Information can be shared, for example, when reporting a suspected case of child abuse to a state child welfare agency, when required by law, or when ordered by a court. Information may also be disclosed without a patient's authorization to support treatment or health care payments. At the same time, individuals have the right to request that their information be corrected, and covered entities must tell individuals how their information is used.

Businesses offering financial products or services such as investment advice, loans and insurance must also follow rules on information-sharing practices and on safeguarding sensitive data. Also known as the Gramm-Leach-Bliley Act, the Financial Services Modernization Act of 1999 requires financial institutions and companies to explain their information-sharing practices to customers. A privacy notice must be provided when the company enters into a relationship with a consumer, and it must be provided again annually and whenever it changes. The notice must outline how information about the customer is collected, used, shared and protected. It must also include details about how the consumer can opt out of having their information shared. The legislation also requires financial institutions and businesses to safeguard sensitive data by developing a written information security plan describing how the company will protect non-public personal information.

State Laws

Most states do not recognize an individual's right to privacy, which allows businesses and others to collect, store and use data even without permission. Some exceptions do exist. For example, California's Online Privacy Protection Act (OPPA), introduced in 2003, requires commercial website operators and online service providers that collect personal information from California residents through a website to post a privacy policy. Operators and service providers are required to abide by their policies.

International Laws

Businesses based in the United States may be required to comply with privacy laws in the countries in which they do business. For example, a business regulated by the Federal Trade Commission or the Department of Transportation (for example, an airline) that operates in European Union markets can opt into a voluntary program with data protection principles that comply with directives of the European Commission. The United States Department of Commerce developed the Safe Harbor Privacy Principles to help companies based in the U.S. demonstrate that they comply with these directives. The principles include giving notice that information is being collected and how it will be used, and giving individuals the choice to opt out of data collection and of sharing with third parties. Reasonable security measures must also be taken to prevent loss of the information being collected, and data must be relevant and reliable. Individuals must also be able to access the information collected about them, and to correct or delete anything that is not accurate. Onward transfer of information to third parties is allowed only to organizations that adhere to the data protection principles. Finally, companies must have ways of enforcing the principles.

Preventing Identity Theft

The FTC provides guidance on how to keep data secure in order to prevent breaches and identity theft. As a general rule, businesses should collect only the information they need. Access to sensitive personal information and data should be restricted to people who need it to do their jobs. There should also be a system of secure passwords and authentication for accessing the data. Sensitive information should be stored securely and protected while in transit, for example with Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption. Businesses that keep sensitive personal information about their customers or employees are required to have a security plan. This plan should outline how information is collected and stored, and how it is disposed of in a secure manner.