United States General Overview
BDO Local Resources
Karen Schuler
Mark Antalik
Taryn Crane
Regulator: The Information Commissioner's Office ('ICO')
Adequacy Agreement with GDPR: Privacy-Shield Renegotiation
Privacy Shield Framework, FAQs – EU-US Privacy Shield Program Update, 31 March 2021
Federal Privacy and Data Protection Laws
There is no comprehensive privacy or data protection law in the United States of America. As of August 2021, 30 privacy bills had been introduced in the House of Representatives ('House') and the Senate. While many of them are identical to one another, there are 24 unique privacy bills. Two notable federal bills have been proposed: the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (S.2499), proposed by Senator Roger Wicker (R-Miss.), and the Consumer Data Privacy and Security Act of 2021 (S.1494), presented by Senator Jerry Moran (R-Kan.), which sets similar expectations. These bills would provide, among other things:
- The right to access
- The right to correction of personal data
- The right to deletion
- The right to portability
- The ability to opt-out of processing and opt-in for sensitive processing
- Notice and transparency requirements
- The requirement for companies to hire a privacy officer
- Processors and service providers must meet and follow specific requirements
There are myriad sectoral laws and industry-specific frameworks at the federal level, including:
- Health Insurance Portability and Accountability Act of 1996 (‘HIPAA’)
- Gramm-Leach-Bliley Act of 1999 (‘GLBA’)
- Children’s Online Privacy Protection Act of 1998 (‘COPPA’)
- Electronic Communications Privacy Act of 1986 (‘ECPA’)
- Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH')
- Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 ('TCFAPA')
- Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM')
- Fair Credit Reporting Act of 1970 ('FCRA')
- Telephone Consumer Protection Act of 1991 ('TCPA')
- Privacy Act of 1974
- Fair and Accurate Credit Transactions Act of 2003 ('FACTA')
- Video Privacy Protection Act of 1988 ('VPPA')
State Privacy and Data Protection Laws
Three states have passed privacy laws: California, Virginia, and Colorado. California passed the California Consumer Privacy Act and later the California Privacy Rights Act of 2020; Virginia passed the Consumer Data Protection Act; Colorado passed the Consumer Data Protection Law.
Law: California Consumer Privacy Act of 2018 (last amended in 2019) ('CCPA')
Regulator: The California Attorney General ('AG')
The California Consumer Privacy Act ('CCPA') took effect January 1, 2020. The CCPA places limitations on collecting and selling consumer personal information and grants rights to consumers concerning their personal data.
The CCPA applies to the processing of personal information of California residents by for-profit businesses that do business in the State of California, collect personal information, and meet any of the following:
- Annual gross revenue in excess of $25 million.
- Buys, receives, sells, or shares for commercial purposes, the personal information of at least 50,000 Californians.
- Derives 50% or more of its annual revenues from selling consumers' personal information.
In November 2020, California voted to enact the California Privacy Rights Act (CPRA), significantly expanding the CCPA when CPRA takes effect on January 1, 2023. The CPRA maintains the core framework of the CCPA while introducing substantive changes inspired by the EU General Data Protection Regulation (GDPR).
Law: Consumer Data Protection Act ('CDPA')
Regulator: The Virginia Attorney General ('AG')
Virginia passed the Consumer Data Protection Act (CDPA), effective January 1, 2023. The CDPA applies to all persons or companies conducting business in Virginia, or targeting their products and services to Virginia residents, that either:
- control or process the personal data of at least 100,000 Virginia residents; or
- control or process the personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
The CDPA will not apply to Virginia state agencies, non-profits, institutions of higher education, and entities governed by HIPAA or GLBA.
Law: Senate Bill 21-190 for the Colorado Privacy Act ('CPA')
Regulator: The Colorado Attorney General ('AG')
Colorado became the third state in the United States to pass a privacy law. The Colorado Privacy Act ('CPA') gives consumers the rights to opt out of processing, access personal data, correct personal data, delete personal data, and obtain a copy of their personal data. Like the GDPR, the CPA requires controllers and processors to limit the purposes for which they process data, minimize data, and conduct impact assessments. Colorado's Attorney General maintains the Colorado Consumer Data Protection Laws FAQ for businesses and government agencies.
Following the invalidation of Privacy Shield by the Court of Justice of the European Union in July 2020, organizations transferring personal information from the EU now rely on other adequate means of transfer, such as Standard Contractual Clauses or Binding Corporate Rules. Further, organizations must verify on a case-by-case basis whether US law ensures adequate data protection. Some organizations also consider consent or other derogations under Article 49 of the GDPR to address adequacy.
Data Protection Authority Focus
Although there is no comprehensive law in the US, the State Attorneys General and the Federal Trade Commission ('FTC') investigate and file suit against companies that suffer a data breach, mislead consumers, expose patients to unnecessary risk, or misrepresent their data privacy and protection standards.
In 2020, more than 29 million healthcare records were breached, resulting in a 25% increase year-over-year in healthcare data breaches. There were 642 healthcare data breaches of 500 or more records in 2020, and one breach involved more than 10 million records, while 63 breaches experienced exposure of more than 100,000 records.
In 2019 it was reported that Google and YouTube were fined $170 million for alleged violations of children's privacy law. Google will pay $134 million and YouTube $34 million to New York. The companies collected personal information, in the form of persistent identifiers used to track users across the Internet, from viewers of children's television channels without first notifying parents and obtaining their consent.
Under Section 5 of the FTC Act of 1914, the FTC takes law enforcement action against companies that violate consumers' privacy rights. The FTC files suit against companies that mislead consumers or fail to protect sensitive consumer information in ways that may have caused substantial consumer injury. Additionally, the FTC sues for unfair and deceptive trade practices and enforces other federal laws relating to consumers' privacy and security. The most notable cases the FTC brought in 2020 and 2021 involved Facebook, Kohl's Department Store, Zoom Video, and Vivint Smart Home.
Despite the absence of a federal privacy law, the US states and the federal government continue to expand their enforcement efforts against companies that violate consumers' privacy and data protection.
HIPAA Journal, 2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020, 19 January 2021
Federal Trade Commission, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children's Privacy Law, 04 September 2019
Federal Trade Commission, Protecting America's Consumers, Privacy and Security Enforcement