Support Centre

USA Federal

Summary

Law: There is currently no general federal privacy regulation. 

Regulator: The Federal Trade Commission (FTC) takes enforcement action against organizations for violations of Section 5 of the FTC Act, which prohibits unfair or deceptive acts in or affecting commerce. 

Summary: There are several related federal laws, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which regulates the privacy and security of health information, the Gramm-Leach-Bliley Act of 1999 (GLBA) which requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data, and the Children's Online Privacy Protection Act of 1998 (COPPA) which imposes requirements on operators of websites or online services directed at children under 13 years old.

Furthermore, on July 10, 2023, the European Commission voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF), concluding that the US provides a level of protection essentially equivalent to that of the EU for personal data transferred under the EU-US DPF from a controller or a processor in the EU to certified organizations in the US. The adequacy decision has the effect that personal data transfers from controllers and processors in the EU to certified organizations in the US may take place without needing further authorization. On August 14, 2024, the Swiss Federal Council announced that certified US companies under the new Swiss-U.S. Data Privacy Framework (Swiss-US DPF) offer an adequate level of protection, allowing for the transfer of personal data between Switzerland and certified US companies without additional guarantees. 

Multiple actions relating to artificial intelligence (AI) have also been taken in the US, including the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence, which directs the creation of guidelines and standards on AI, alongside other bills introduced at the federal level.

Other key laws and regulations include: 

You can follow legislative developments in the US through the US State Law Tracker.

Insights

In part one of this series, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher from Epstein Becker & Green, P.C., explored the evolving federal legal landscape governing health data in the U.S., focusing on the regulatory agencies responsible for oversight and enforcement of relevant laws and regulations. In part two, they delved into the intricate and varied state health data privacy laws across the US. In part three, they look at state privacy laws relating to reproductive health and to children.

In 2023, the U.S. Securities and Exchange Commission (SEC) released new rules to standardize, clarify, and enhance businesses' obligations to disclose information about cybersecurity incidents as well as their policies and practices for managing cybersecurity threats and risks. First proposed in March 2022, these cybersecurity rules were finalized in an adopting release dated July 26, 2023, after a public comment period. Jacob Ragen, Associate at Shook, Hardy & Bacon, provides an overview of the cybersecurity rules, including who is affected by them and the obligations they impose on businesses.

In part one of this series, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher from Epstein Becker & Green, P.C., explored the evolving federal legal landscape governing health data in the U.S., focusing on the regulatory agencies responsible for oversight and enforcement of relevant laws and regulations. In part two, they delve into the intricate and varied state health data privacy laws across the US.

The National Institute of Standards and Technology (NIST) defines 'biometrics' as 'a measurable physical characteristic or personal behavioral trait used to recognize the identity, or verify the claimed identity, of an applicant.' Fingerprint scanners, facial recognition, and voiceprints are all examples of biometrics. In the context of state laws, 'biometric data' refers to data resulting from or generated by measurements of these characteristics. Today's e-commerce-driven economy sees biometric data play a critical role in providing facility security controls, preventing unauthorized access to computer networks, investigating and identifying fraudulent transactions, screening migrants at points of entry, and combating cybercrime. Willy C. Martinez, Esq., Associate at Mariner Strategies LLC, looks at different states' approaches to biometric data and best practices for businesses when dealing with this type of data.

The prevalence of digital health services in the US has grown dramatically in recent years, prompted by factors such as the COVID-19 pandemic along with technological advancements in cloud computing, mobile applications, wearable devices, artificial intelligence (AI), and medical research. As the healthcare ecosystem rapidly digitizes health data to fuel these technological advancements, lawmakers and regulators seek to address evolving privacy and security challenges.

In this Insight article, Alaap Shah, Lisa Pierce Reisz, and Avery Schumacher, from Epstein Becker & Green, P.C., explore the evolving federal legal landscape governing health data in the US through the lens of the regulatory agencies responsible for oversight and enforcement of the relevant laws and regulations. The article also describes related implications for organizations whose activities involve the collection, use, or disclosure of health information. Part two examining state laws and legislation is available here.

India's commitment towards the promotion and development of artificial intelligence (AI) was recently highlighted in the Union Budget of 2024-25 that was announced by the Indian government in July 2024. The Budget allocated $65 million exclusively to the IndiaAI Mission, an ambitious $1.1 billion program that was announced earlier this year to focus on AI research and infrastructure in India. It has also been widely reported that the Ministry of Electronics and Information Technology (MeitY) is in the process of formulating a national AI policy, which is set to address a wide spectrum of issues including the infringement of intellectual property rights and the development of responsible AI. As per reports, MeitY is also analyzing the AI frameworks of other jurisdictions to include learnings from these frameworks in its national AI policy. Part one of this series focused on understanding the regulatory approaches adopted by some key jurisdictions like the EU and the USA. In part two, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, explore measures that India can adopt, and lessons it can take from such markets, in its journey in the governance of AI systems.

In the past few years, the digital market has witnessed an outpouring of artificial intelligence (AI) systems, with the AI market expected to reach a valuation of nearly $2 trillion by 2030. However, the surge in the use of AI has given rise to several pertinent issues, ranging from concerns about data privacy and intellectual property rights infringements to issues around transparency and ethics, among others. In the first part of this series on navigating the AI frontier, Raghav Muthanna, Avimukt Dar, and Himangini Mishra, from INDUSLAW, aim to analyze and assess the regulatory position around AI in three key jurisdictions, namely the EU, USA, and India. Part two of this series will evaluate the diverse approaches of these jurisdictions and the learnings that India can adopt from the EU and the USA while framing its own set of AI regulations, as well as what lies ahead for India in the AI regulatory space.

On June 28, 2024, the Supreme Court issued its decision in Loper Bright Enterprises v. Raimondo, written by Justice Roberts, holding that courts should exercise independent judgment in deciding whether an agency acted within its statutory authority, and not defer to an agency's interpretation of the law simply because a statute is ambiguous. The decision overturns decades of precedent and thousands of cases premised on the Supreme Court's 1984 decision in Chevron v. Natural Resources Defense Council.

Given the lack of a comprehensive federal privacy law, and fairly high-level coverage in federal statutes addressing data privacy, federal agencies have historically exercised significant discretion in driving regulatory and enforcement activities around data privacy, so the Loper decision may have a significant impact in this area. In this Insight article, Mark Francis, Partner at Holland & Knight LLP, addresses several key areas for attention.

On April 7, 2024, U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell introduced the American Privacy Rights Act 2024 (the Bill), aimed at establishing robust national data privacy standards with a focus on consumer control over personal information. Since its initial release, the Bill has evolved while being reviewed by the House Energy & Commerce Committee (the Updated Draft). In this Insight Q&A article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia, from Lewis Rice LLC, delve into key provisions, limitations, and implications of this proposed legislation. They address frequently asked questions, offering valuable insights into how the Bill could reshape data privacy regulations in the US. This Q&A article was updated on June 18, 2024, based upon the amendments made by the House Energy & Commerce Committee in the Updated Draft. This Q&A article was further updated on July 12, 2024, based upon the amendments made by the House Energy & Commerce Committee, which were introduced as House Bill 8818.

On April 7, 2024, a bipartisan, bicameral Act was introduced. It aims to establish a federal-level comprehensive privacy law and eliminate the growing patchwork of US state-level comprehensive privacy laws. The initial draft of the Act has evolved since its introduction and was recently introduced as House Bill 8818 (House Bill). In this Insight article, Billee Elliott McAuliffe and Jacquelyn H. Sicilia summarize the differences between the American Privacy Rights Act (APRA) Bill (the Bill) released on April 7, 2024, the Updated Draft of the APRA (the Updated Draft) released on May 23, 2024, and the House Bill introduced on June 25, 2024, in seven fundamental areas (scope; data minimization and restrictions; consumer rights; civil rights, algorithms, and impact assessments; opt-out rights; protections for children; preemption; and enforcement).

The American Privacy Rights Act 2024 (APRA) was released on April 7, 2024, by U.S. Representative Cathy Rodgers and U.S. Senator Maria Cantwell. Thereafter, on May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the APRA. The revised APRA retains the provisions of the original draft while introducing certain amendments, including the Children's Online Privacy Protection Act 2.0 (COPPA 2.0). In this article, OneTrust DataGuidance Research breaks down the main provisions of the APRA, including the revisions.

The US privacy landscape has seen significant change in the past year, through the introduction of various state privacy legislation and federal initiatives. On June 23, 2024, the Protecting Americans' Data from Foreign Adversaries Act of 2024 (the Act), enacted under Division I of House Resolution 815, 'Making emergency supplemental appropriations for the fiscal year ending September 30, 2024, and for other purposes' (House Resolution 815), entered into force. OneTrust DataGuidance breaks down the key provisions of the Act with expert comments from Mark Francis, Partner at Holland & Knight LLP.